Data Processing Agreement (DPA)
Last updated: 16 August 2025
This Data Processing Agreement (“DPA”) forms part of any proposal, statement of work (“SOW”), or master agreement between Toop Digital (“Processor”, “we”, “us”) and the client named in the SOW (“Controller”, “you”). It sets the rules for how we process personal data on your instructions.
1) Parties and contacts
Controller: As identified in the SOW
Processor: Toop Digital, www.toop.digital
Office: Western Heights, 8th Floor, Skyrise Business Centre, along Karuna Road, behind Sarit Centre, Nairobi, Kenya
Email: hello@toop.digital
WhatsApp / Phone: +254115661135
Data Protection Lead (DPO/POC): Elvis Warutumo — hello@elvisw.online
2) Purpose and scope
We process personal data only to deliver the services in your SOW (e.g., SEO, Social Media Management, Social Media Marketing/Ads, SEM/PPC, analytics, landing pages, and related support). We do not process personal data for our own purposes.
3) Definitions
- KDPA: Kenya Data Protection Act, 2019 and regulations.
- GDPR/UK GDPR: EU/UK data protection laws where applicable.
- Personal Data: Any information about an identified or identifiable person.
- Process/Processing: Anything done with Personal Data.
- Sub‑processor: A third party engaged by us to process Personal Data for you.
4) Controller instructions
We will process Personal Data only on your documented instructions, including with respect to international transfers, unless the law requires otherwise. If an instruction appears unlawful or unclear, we will notify you and pause the processing (where legally permitted) for clarification.
5) Confidentiality
We ensure all personnel who access Personal Data are bound by confidentiality obligations and receive data protection training appropriate to their role.
6) Security
We implement appropriate technical and organisational measures to protect Personal Data, including access controls, encryption in transit, least‑privilege access, MFA for admin tools, monitoring and logging, secure development and change control, vulnerability management, endpoint protection, and tested backups. More detail is in Annex B (Security Measures).
7) Use of Sub‑processors
We have your general authorisation to use Sub‑processors. We remain responsible for their work. We will:
(a) place Sub‑processors under written terms providing no less protection than this DPA;
(b) keep an up‑to‑date list in Annex C or at a URL we provide; and
(c) notify you of changes to Sub‑processors and give you a reasonable opportunity to object on reasonable grounds. If you object, we will discuss alternatives in good faith.
8) International transfers
If Personal Data is transferred outside Kenya (or, for EEA/UK data subjects, outside the EEA/UK), we will implement appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and, where relevant, the UK IDTA/Addendum, plus additional measures as needed. See Annex D.
9) Assistance to the Controller
We will reasonably assist you to:
- respond to data subject requests (access, correction, deletion, objection);
- conduct DPIAs and consult with regulators where required; and
- demonstrate compliance with KDPA/GDPR obligations relevant to our role.
10) Personal data breach
If we become aware of a personal data breach affecting Personal Data we process for you, we will notify you without undue delay and in any event within 48 hours of becoming aware, providing details as they become available (nature of the breach, categories and approximate volume of data and data subjects affected, likely consequences, measures taken or proposed). We will cooperate with your investigation and remediation efforts.
11) Audits and reviews
We will make available information necessary to demonstrate compliance and allow for reasonable audits (remote reviews or on‑site) no more than once per year, with at least 10 business days’ notice, during normal business hours, and subject to confidentiality and safety rules. Where feasible, we will satisfy audits via independent reports or questionnaires.
12) Records of processing
We maintain records of processing activities we carry out for you and will provide them to the Office of the Data Protection Commissioner (ODPC) or other regulators upon lawful request.
13) Deletion or return of data
Upon termination or completion of services, at your choice, we will delete or return Personal Data and delete existing copies within 30 days, unless the law requires we keep some data. If deletion is not feasible, we will securely isolate and protect the data.
14) Data accuracy and minimisation
We process only the data necessary for the stated purposes and will follow your reasonable instructions to update or correct Personal Data we hold on your behalf.
15) Liability and indemnity
Each party’s liability under this DPA is subject to the limitations in the main agreement/SOW, except that nothing limits liability for intentional misconduct or where the law does not allow limits. If this DPA conflicts with the main agreement on data protection matters, this DPA controls.
16) Term and termination
This DPA starts on the SOW effective date and lasts as long as we process Personal Data for you. Sections that need to survive (confidentiality, liability, audits, deletion/return) will continue after termination.
17) Governing law and forum
This DPA is governed by the laws of Kenya. Disputes will first be addressed by good‑faith negotiation and, failing resolution, by the courts of Nairobi, Kenya. For SCCs or other transfer addenda, the governing law stated in those documents applies to the transfer terms only.
18) Contact for privacy matters
Primary contact: hello@toop.digital
Data Protection Lead (DPO/POC): Elvis Warutumo — hello@elvisw.online
19) Order of precedence
If there is a conflict between this DPA and any other terms between us, this DPA takes precedence only for data protection and privacy matters.
Annex A — Details of Processing
Nature and purpose: Delivery of growth marketing services (SEO, social content and management, paid ads, analytics, landing pages/CRO), account administration, and support.
Processing activities: Collection, recording, organisation, storage, retrieval, consultation, use, disclosure by transmission (to Sub‑processors or platforms), alignment, restriction, deletion.
Types of Personal Data: Contact details (name, email, phone), role/company, identifiers (cookie IDs, IP addresses, device data), marketing preferences, lead form content, purchase/enrolment info where relevant, support messages. No special categories are expected.
Data subjects: Website visitors, leads/prospects, customers, client staff/users.
Duration: For the SOW term and retention periods agreed with Controller; then deleted or returned per Section 13.
Frequency: Continuous as required to deliver services.
Subject‑matter and instructions: As set out in the SOW and this DPA.
Location of processing: Kenya and other locations of Sub‑processors as listed in Annex C or our current list.
Annex B — Security Measures (summary)
- Governance & training: Data protection policies; role‑based training; confidentiality agreements.
- Access control: Least privilege; role‑based permissions; MFA for admin tools; timely user off‑boarding.
- Encryption: TLS for data in transit; industry‑standard encryption at rest where supported by vendors.
- Network & endpoints: Firewalling; endpoint protection; patching and vulnerability management.
- Application security: Change control; code reviews for custom work; dependency monitoring.
- Data minimisation: Collect the minimum data necessary; pseudonymise/anonymise where feasible.
- Backups & continuity: Regular backups for core systems; restoration tests; incident response plan.
- Logging & monitoring: Security logs for key systems; alerting on suspicious activity.
- Vendor management: Risk assessment of Sub‑processors; contractual safeguards; periodic reviews.
- Physical security: Provider data centres with access controls and CCTV; office access controls.
Annex C — Sub‑processors
General authorisation model. We currently use or may use service providers in these categories (examples):
- Hosting & infrastructure: managed hosting/cloud providers.
- Productivity & email: business email, document storage, project management.
- Analytics: web analytics and product analytics tools.
- Advertising platforms: Google, Meta, LinkedIn, TikTok and similar (often in Controller‑owned accounts).
- CRM & support: CRM, ticketing, form, and chat tools.
- Payments (if applicable): payment gateways and invoicing tools.
On request, we will provide the current, more specific list (with locations and roles) and notify you of material changes in advance. You may object on reasonable grounds; we will work in good faith on alternatives.
Annex D — International Transfers & SCCs
Where we transfer Personal Data internationally:
- EEA/UK data: We will execute the appropriate EU SCCs (Module 2: Controller → Processor) and, if needed, the UK IDTA or UK Addendum, with Annex I/II completed using Annex A/B of this DPA.
- Additional measures: We will assess transfer risks and apply supplementary measures (e.g., encryption, access limitations) where appropriate.
- Kenya KDPA: We will comply with KDPA cross‑border transfer requirements and any ODPC guidance.
Annex E — Signatures
For Controller
Name: ______________________________
Title: ______________________________
Company: ___________________________
Signature: __________________________
Date: ______________________________
For Processor — Toop Digital
Name: ______________________________
Title: ______________________________
Signature: __________________________
Date: ______________________________
