Data Processing Addendum

Effective 2026-05-24

1. Parties

This Data Processing Addendum ("DPA") forms part of the Master Services Agreement, Order Form, or Terms of Service (the "Agreement") between Executive Talents Group Ltd. operating as AnooreHR ("Processor", "we", "us") and the customer entity that subscribes to the AnooreHR platform ("Controller", "you", "Customer").

Where the Agreement and this DPA conflict on matters of data protection, this DPA prevails.

2. Definitions

Terms not defined here have the meanings given in the Nigeria Data Protection Act 2023 ("NDPA") and Regulation (EU) 2016/679 ("GDPR"), as applicable.

"Personal Data", "Processing", "Data Subject", "Controller", and "Processor" carry the meanings of NDPA s.2 and GDPR Art 4.

"Sub-processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Controller, including hosting providers, email delivery vendors, payment gateways, error-monitoring services, and AI inference providers.

"Customer Personal Data" means Personal Data uploaded to, generated by, or processed within the AnooreHR platform under the Controller's account.

3. Subject Matter and Duration of Processing

Subject matter: provision of the AnooreHR HR, payroll, accounting, and operations platform as described in the Agreement.

Duration: for the term of the Agreement plus a 30-day post-termination data-export window, after which Customer Personal Data is deleted in accordance with Section 13 (Term and Termination) unless retention is required by law.

4. Nature and Purpose of Processing

Nature: storage, hosting, computation, transmission, encryption, indexing, backup, and presentation of Customer Personal Data through the AnooreHR application interfaces and APIs.

Purpose: to deliver the contracted service — including employee record management, payroll computation, statutory filings, accounting ledgers, document storage, communications, analytics dashboards, and AI-assisted suggestions limited to the Controller's own data.

We do NOT use Customer Personal Data to train shared machine-learning models. AI features operate on per-tenant data only and are subject to the AI provider terms referenced in Section 8.

5. Categories of Data Subjects

Customer's employees, contractors, and prospective hires.

Customer's tenants, landlords, vendors, and customers where the Controller uses the property-management or accounting modules.

Customer's account administrators, finance staff, HR staff, and other authorised users.

Beneficiaries and emergency contacts where the Controller records them as part of an employee profile.

6. Categories of Personal Data

Identity data: full name, date of birth, gender, photograph, national identification numbers (NIN, BVN, tax IDs, pension PIN, NHF and NSITF numbers, equivalents in other jurisdictions).

Contact data: email, phone, physical and postal address, next-of-kin details.

Employment data: job title, department, employment terms, compensation, attendance, leave, performance reviews, training records, disciplinary records, contracts, and offer letters.

Financial data: bank account numbers, payment instructions, payroll history, tax filings, invoices, and reimbursement claims.

Account and usage data: login credentials (hashed), IP address, device fingerprint, audit logs, and feature interaction events.

Special-category data: limited to what the Controller chooses to upload — e.g. medical certificates supporting leave requests, or trade-union membership where recorded for payroll deductions.

7. Sub-processors

The Controller authorises the Processor to engage Sub-processors to deliver the service. A current list of Sub-processors — including category, location, and purpose — is maintained at https://anoorehr.com/subprocessors and updated when material changes occur.

The Processor will notify the Controller at least 30 days before adding or replacing a Sub-processor that processes Customer Personal Data, by email to the account's billing contact and by updating the published list. The Controller may object in writing on reasonable data-protection grounds within that window.

The Processor remains liable for the acts and omissions of its Sub-processors as if they were its own.

8. Security Measures

Tenant isolation: PostgreSQL row-level security enforces per-Controller segregation on every query, layered behind application-level authorisation.

Encryption in transit: TLS 1.2 or higher on all customer-facing endpoints. HSTS enforced.

Encryption at rest: sensitive identifiers (NIN, BVN, bank account numbers, pension PINs) are encrypted using authenticated symmetric encryption (Fernet, AES-128-CBC + HMAC-SHA-256). Database volumes are encrypted at the host level.

Access control: production access is least-privilege, multi-factor, time-bound, and fully audit-logged. Platform-admin actions are recorded in an immutable audit log.

Software supply chain: dependency scanning on every build; pinned base images; secrets stored in encrypted credential vaults (never in source).

Monitoring: error tracking, structured request logs, and intrusion-detection events with on-call response procedures.

AI processing: prompts and outputs sent to inference providers are scoped to a single Controller's data per call, are not used by the provider to train shared models (under the provider's enterprise terms), and are not retained beyond the provider's stated audit window.

Backups: encrypted daily snapshots retained for at least 30 days, restorable per Section 11.

9. Data Subject Rights

The Processor will assist the Controller in fulfilling Data Subject requests under the NDPA and GDPR, including rights of access, rectification, erasure, restriction, portability, and objection.

Standard self-service tooling is available in the platform for the Controller's account administrators (export, anonymisation, correction). Requests requiring Processor assistance will be acknowledged within 5 business days and completed within 30 days of receipt.

Where a Data Subject contacts the Processor directly with a request relating to Customer Personal Data, the Processor will forward the request to the Controller without responding to it substantively, unless legally required to do so.

10. International Transfers

The Processor primarily stores Customer Personal Data within the European Union. Some Sub-processors (e.g. global email delivery, error monitoring, AI inference) may process data in the United States or other jurisdictions.

Where Personal Data is transferred outside the originating jurisdiction, the Processor relies on appropriate safeguards: the European Commission Standard Contractual Clauses (SCCs, 2021/914) for EU-origin data, the UK International Data Transfer Addendum where applicable, and equivalent contractual safeguards consistent with the NDPA s.41 cross-border transfer requirements.

Transfer Impact Assessments are maintained for each material transfer and made available to the Controller on reasonable request.

11. Breach Notification

The Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach affecting Customer Personal Data.

The notification will describe the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, the measures taken or proposed to address it, and contact details for further information.

Notification to a regulator or to Data Subjects remains the Controller's responsibility unless otherwise agreed in writing.

12. Audits

The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, including current third-party audit reports (e.g. SOC 2 Type II, ISO 27001) once available, and the Processor's published security documentation.

On-site audits may be requested once per calendar year, on at least 30 days' notice, at the Controller's expense, scoped to the Processor's handling of Customer Personal Data, and subject to reasonable confidentiality and operational-safety conditions.

13. Term and Termination

This DPA remains in force for the duration of the Agreement.

On termination or expiry, the Processor will, at the Controller's choice exercised within 30 days, return or delete all Customer Personal Data, except where retention is required by applicable law (e.g. statutory tax-record retention).

Backup copies are deleted in accordance with the backup retention cycle (no more than 90 days post-termination).

14. Governing Law

This DPA is governed by the laws of the Federal Republic of Nigeria, without prejudice to the rights of EU-based Data Subjects under the GDPR, which apply concurrently for processing within scope of the GDPR.

Disputes are subject to the dispute-resolution mechanism in the Agreement. The Lagos State High Court has non-exclusive jurisdiction over claims unrelated to GDPR enforcement.

Download a signed copy

A PDF copy of this DPA suitable for procurement files is available on request — email dpa@anoorehr.com from the account's billing contact and we will return a counter-signed PDF within 5 business days. A self-service PDF download is on the roadmap.

For procurement questionnaires (SIG-lite, CAIQ, custom), see https://anoorehr.com/security or contact security@anoorehr.com.