
Data Processing Agreement (DPA)

Last Updated: May 1, 2026 | Version 1.0

For B2B Participants

This Data Processing Agreement applies to organizations that process personal data through the Lancr platform, particularly Regulatory Sandbox participants who handle real consumer data.

1. Agreement Structure

This Data Processing Agreement ("DPA") forms part of the Testing Agreement between:

  • "Data Controller" or "You": The Regulatory Sandbox participant
  • "Data Processor" or "Lancr": The Namibia Regulatory Sandbox platform

This DPA supplements our Terms of Service and Privacy Policy, and reflects the parties' agreement to comply with:

  • EU General Data Protection Regulation (GDPR)
  • South African Protection of Personal Information Act (POPIA)
  • Namibian Data Protection Act (Act No. 10 of 2019)
  • Bank of Namibia and NAMFISA data protection requirements

2. Definitions

"Personal Data"
Any information relating to an identified or identifiable natural person processed through the Platform.
"Processing"
Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
"Data Controller"
The entity that determines the purposes and means of processing Personal Data (the Sandbox Participant).
"Data Processor"
The entity that processes Personal Data on behalf of the Data Controller (Lancr).
"Sub-Processor"
A third party engaged by Lancr to process Personal Data on behalf of the Data Controller.
"Data Subject"
An identified or identifiable natural person whose Personal Data is being processed.
"Data Protection Laws"
All applicable data protection and privacy laws, including GDPR, POPIA, and the Namibian Data Protection Act.

3. Scope and Processing Details

3.1 Subject Matter and Duration

  • Subject Matter: Provision of regulatory sandbox testing platform and services
  • Duration: Duration of the Testing Agreement
  • Purpose: Enable controlled testing of financial innovations under regulatory supervision

3.2 Nature of Processing

Lancr processes Personal Data to:

  • Provide platform infrastructure and testing environments
  • Monitor compliance with sandbox conditions
  • Generate reports for regulatory authorities
  • Provide technical and regulatory support
  • Maintain security and prevent fraud

3.3 Categories of Data Subjects

The Personal Data processed may relate to:

  • Consumers participating in sandbox testing
  • Employees and representatives of the Data Controller
  • Business contacts and partners
  • Other individuals whose data is necessary for testing

3.4 Types of Personal Data

Category             Examples
Identity Data        Name, ID number, date of birth, nationality
Contact Data         Email, phone number, physical address
Financial Data       Account numbers, transaction history, credit score
Technical Data       IP address, device ID, usage logs, cookies
Authentication Data  Passwords (hashed), security tokens, MFA codes

3.5 Special Categories of Personal Data

Processing of special category data (sensitive personal information) requires explicit consent or another specific legal basis. This may include:

  • Biometric data (for authentication)
  • Health data (for insurance or credit products)
  • Criminal records (for credit checks or compliance)

4. Data Processor Obligations

Lancr, as Data Processor, agrees to:

4.1 Processing Instructions

  • Process Personal Data only on documented instructions from the Data Controller
  • Not process Personal Data for any other purpose
  • Inform the Data Controller if instructions violate Data Protection Laws

4.2 Confidentiality

  • Ensure that personnel processing Personal Data are bound by confidentiality obligations
  • Provide appropriate training on data protection
  • Limit access to Personal Data to authorized personnel only

4.3 Security

  • Implement appropriate technical and organizational security measures
  • Regularly test, assess, and evaluate the effectiveness of security measures
  • Maintain security certifications and attestations (ISO 27001, SOC 2)

4.4 Sub-Processors

  • Only engage Sub-Processors with prior written authorization
  • Ensure Sub-Processors are bound by equivalent data protection obligations
  • Remain liable for Sub-Processor actions

4.5 Data Subject Rights

  • Assist the Data Controller in responding to data subject requests
  • Implement technical measures to facilitate data subject rights
  • Respond to requests within agreed timeframes

4.6 Breach Notification

  • Notify the Data Controller of any Personal Data breach without undue delay
  • Provide sufficient information to meet breach notification requirements
  • Cooperate with breach investigation and remediation

4.7 Data Protection Impact Assessments

  • Assist with Data Protection Impact Assessments (DPIAs) when required
  • Provide necessary information about processing activities
  • Support prior consultation with supervisory authorities if needed

4.8 Deletion or Return

  • Delete or return Personal Data upon termination of services
  • Comply with Data Controller instructions regarding data retention
  • Provide certification of deletion when requested

4.9 Audit and Inspection

  • Allow audits and inspections by the Data Controller or appointed auditors
  • Provide information necessary to demonstrate compliance
  • Cooperate with regulatory inspections

5. Processing Instructions

5.1 Documented Instructions

The Data Controller's instructions for processing Personal Data are documented in:

  • This Data Processing Agreement
  • The Testing Agreement
  • Platform documentation and user guides
  • Written instructions provided via the platform or email

5.2 Additional Instructions

The Data Controller may issue additional processing instructions by:

  • Submitting a written request through the platform
  • Emailing dpo@sandbox.lancr.org

Lancr will acknowledge receipt within 5 business days and implement instructions within a reasonable timeframe.

5.3 Unlawful Instructions

If Lancr believes an instruction violates Data Protection Laws, Lancr will:

  • Immediately inform the Data Controller
  • Suspend processing until the instruction is modified or withdrawn
  • Document the instruction and response for compliance records

6. Security Measures

6.1 Technical Measures

  • Encryption: AES-256 encryption at rest, TLS 1.3 in transit
  • Access Control: Role-based access control (RBAC), multi-factor authentication
  • Network Security: Firewalls, intrusion detection/prevention systems
  • Monitoring: 24/7 security monitoring and logging
  • Backup: Daily encrypted backups with geographic redundancy
  • Vulnerability Management: Regular security scanning and patch management

6.2 Organizational Measures

  • Policies: Information security policy, incident response plan
  • Training: Annual security and privacy training for all staff
  • Access Management: Least privilege principle, regular access reviews
  • Vendor Management: Security assessments of Sub-Processors
  • Physical Security: Secure data centers with access controls

6.3 Certifications and Audits

  • ISO 27001 certified (Information Security Management)
  • SOC 2 Type II attestation report
  • Annual third-party security audits
  • Penetration testing at least annually

7. Sub-Processors

7.1 Current Sub-Processors

The Data Controller authorizes the use of the following Sub-Processors:

Sub-Processor               Service                 Location
Amazon Web Services (AWS)   Cloud infrastructure    EU (Frankfurt)
Vercel Inc.                 Application hosting     USA
Supabase Inc.               Database services       USA
PostHog Inc.                Analytics               USA
Resend Inc.                 Email services          USA

7.2 Notification of Changes

Lancr will notify the Data Controller of any intended changes to Sub-Processors:

  • Notice Period: 30 days before engaging a new Sub-Processor
  • Notification Method: Email to registered contact
  • Information Provided: Sub-Processor name, services, location, safeguards

7.3 Objection Rights

The Data Controller may object to a new Sub-Processor within 14 days if:

  • The Sub-Processor does not provide adequate data protection guarantees
  • The location poses data transfer risks
  • The services conflict with regulatory requirements

If an objection cannot be resolved, the Data Controller may terminate the affected services without penalty.

8. Data Subject Rights

8.1 Assistance with Requests

Lancr will assist the Data Controller in responding to data subject requests for:

  • Access: Provide copies of Personal Data
  • Rectification: Correct inaccurate data
  • Erasure: Delete data ("right to be forgotten")
  • Restriction: Limit processing in certain circumstances
  • Portability: Export data in machine-readable format
  • Objection: Stop processing for specific purposes

8.2 Response Timeframe

  • Acknowledge data subject requests within 48 hours
  • Provide necessary information within 10 business days
  • Assist with meeting the 30-day response deadline

8.3 Technical Measures

Lancr maintains technical capabilities to facilitate data subject rights:

  • Self-service data export tools
  • Automated data deletion workflows
  • API endpoints for programmatic access
  • Audit logs of all data access and modifications

9. Data Breach Notification

9.1 Notification Requirement

In the event of a Personal Data breach, Lancr will:

  • Notify the Data Controller without undue delay (within 24 hours of discovery)
  • Provide sufficient information for the Data Controller to meet its notification obligations under GDPR Article 33 and equivalent provisions of POPIA and Namibian law
  • Provide ongoing updates as the investigation progresses

9.2 Breach Information

The breach notification will include:

  • Nature of the breach (unauthorized access, loss, disclosure)
  • Categories and approximate number of data subjects affected
  • Categories and approximate number of data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact details for the Data Protection Officer

9.3 Cooperation

Lancr will:

  • Cooperate with breach investigation and forensic analysis
  • Preserve evidence and logs
  • Assist with notifications to supervisory authorities and data subjects
  • Implement remedial measures to prevent recurrence

10. Audit Rights

10.1 Audit Frequency

  • The Data Controller may conduct audits once per year
  • Additional audits may be conducted for cause (e.g., after a breach)
  • Regulatory authorities may conduct audits at any time

10.2 Audit Procedure

  1. Data Controller provides 30 days' written notice
  2. Parties agree on audit scope and schedule
  3. Audit conducted during business hours to minimize disruption
  4. Lancr provides access to relevant records and personnel
  5. Audit findings documented in written report
  6. Remediation plan agreed for any findings

10.3 Audit Costs

  • First annual audit: Borne by Data Controller
  • Audits for cause (breach, non-compliance): Borne by Lancr
  • Regulatory audits: Costs shared as legally required

10.4 Third-Party Audits

The Data Controller may use independent third-party auditors who:

  • Sign confidentiality agreements
  • Have appropriate professional qualifications
  • Do not compete with Lancr's business

11. International Data Transfers

11.1 Transfer Mechanisms

When Personal Data is transferred outside Namibia or the EEA, Lancr ensures adequate safeguards through:

  • Standard Contractual Clauses (SCCs): EU-approved SCCs with Sub-Processors
  • Adequacy Decisions: Transfers to countries with adequacy decisions
  • Binding Corporate Rules: For intra-group transfers
  • Additional Safeguards: Encryption, access controls, contractual protections

11.2 Transfer Impact Assessment

Lancr has conducted Transfer Impact Assessments (TIAs) for transfers to:

  • United States (post-Schrems II analysis)
  • Other third countries without adequacy decisions

11.3 Government Access

In the event of government or law enforcement requests for Personal Data, Lancr will:

  • Notify the Data Controller unless legally prohibited
  • Challenge overly broad or unlawful requests
  • Provide only the minimum data necessary
  • Document all requests and responses

12. Data Deletion and Return

12.1 Upon Termination

Upon termination or expiration of the Testing Agreement, Lancr will:

  • Delete or return all Personal Data within 30 days
  • Comply with Data Controller's choice of deletion or return
  • Delete all copies, including backups (subject to legal retention)
  • Provide written certification of deletion

12.2 Legal Retention

Lancr may retain Personal Data to the extent required by:

  • Namibian financial services regulations (typically 7-10 years)
  • Tax and accounting laws
  • Regulatory reporting requirements
  • Pending litigation or investigations

Retained data will remain subject to this DPA and be securely isolated.

12.3 Data Export Format

If the Data Controller requests return of data, Lancr will provide:

  • CSV or JSON format (structured data)
  • Encrypted archives
  • Secure file transfer mechanism
  • Documentation of data schema

13. Liability and Indemnification

13.1 Data Controller Responsibilities

The Data Controller is responsible for:

  • Ensuring lawful basis for processing
  • Obtaining necessary consents
  • Providing accurate processing instructions
  • Complying with data subject requests
  • Maintaining records of processing activities

13.2 Data Processor Responsibilities

Lancr is responsible for:

  • Processing only on documented instructions
  • Implementing appropriate security measures
  • Notifying breaches promptly
  • Cooperating with audits
  • Ensuring Sub-Processor compliance

13.3 Liability Cap

Subject to Data Protection Laws, liability under this DPA is governed by the limitation of liability provisions in the Testing Agreement.

13.4 Indemnification

Each party will indemnify the other for claims arising from:

  • Breach of this DPA
  • Violation of Data Protection Laws
  • Negligence or willful misconduct

14. Term and Termination

14.1 Term

This DPA commences on the Testing Agreement start date and continues until:

  • Termination or expiration of the Testing Agreement
  • Completion of data deletion obligations
  • Earlier termination as provided herein

14.2 Termination for Breach

Either party may terminate this DPA if:

  • The other party materially breaches this DPA
  • The breach is not remedied within 30 days of written notice
  • The breach cannot be remedied

14.3 Effect of Termination

Upon termination:

  • Lancr will cease processing Personal Data
  • Data deletion or return obligations apply
  • Provisions that should survive (liability, confidentiality) remain in effect

15. Contact Information

For questions about this Data Processing Agreement:

Data Protection Officer

Name: [DPO Name]

Email: dpo@sandbox.lancr.org

Phone: +264 61 283 5111

Legal Department

Email: legal@sandbox.lancr.org

Security Incidents

Email: security@sandbox.lancr.org

Emergency: +264 61 XXX XXXX (24/7)

Postal Address

Namibia Regulatory Sandbox

71 Robert Mugabe Avenue

Windhoek, Namibia

GDPR/POPIA Compliance

This Data Processing Agreement is designed to meet the requirements of GDPR Article 28, POPIA Section 21, and the Namibian Data Protection Act.

For questions or to request a signed copy of this DPA, contact dpo@sandbox.lancr.org
