Legal
Data Processing Agreement
Last updated: 24 April 2026
This agreement governs how Permito processes personal data on behalf of Customers in compliance with NDPR, GDPR and applicable data protection law.
1. Scope and purpose
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller" or "Customer") and Permito Technologies Ltd ("Processor" or "Permito") regarding the processing of personal data in connection with the Permito platform. This DPA reflects both parties' agreement with regard to the processing of personal data in compliance with the Nigerian Data Protection Regulation (NDPR), General Data Protection Regulation (GDPR) where applicable, and other relevant data protection laws.
2. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to: names, email addresses, job titles, IP addresses, usage logs, permit records linked to named individuals, and digital signatures.
"Processing" means any operation performed on personal data, including collection, storage, use, disclosure and deletion.
"Sub-processor" means any third party engaged by Permito to process personal data on behalf of the Customer.
"Data Subject" means any natural person whose personal data is processed under this agreement, including your employees, contractors and other permitted users.
3. Roles and responsibilities
The Customer is the Controller of personal data relating to its own employees and operations. Permito acts as a Processor, processing such data only on documented instructions from the Customer as set out in this DPA and the main subscription agreement.
Permito will not process personal data for any purpose other than providing the platform services, except where required by applicable law, in which case Permito will inform the Customer unless prohibited by law.
4. Lawful basis for processing
Permito processes personal data under the following lawful bases: (a) contractual necessity — to deliver the platform services described in the subscription agreement; (b) legitimate interests — for security monitoring, fraud prevention and platform improvement using anonymised data; (c) legal obligation — to comply with applicable laws and regulatory requirements; and (d) consent — for optional analytical cookies, where consent is freely given and can be withdrawn at any time.
5. Data categories processed
Permito processes the following categories of personal data on behalf of Customers:
• Identity data: name, employee ID, job title, role
• Contact data: work email address, phone number
• Authentication data: hashed passwords, session tokens, two-factor authentication settings
• Usage data: permit activity logs, approval decisions, digital signatures, timestamps
• Device data: IP addresses, browser type, device identifiers (for security monitoring)
Permito does not process special categories of personal data (health data, biometric data, etc.) unless the Customer explicitly inputs such data into permit records.
6. Security measures
Permito implements the following technical and organisational security measures:
• Encryption in transit: TLS 1.3 for all data transfers
• Encryption at rest: AES-256 for all stored data
• Access controls: role-based access with principle of least privilege; all access is logged
• Audit logging: immutable logs of all data access, modifications and permit decisions
• Penetration testing: annual third-party penetration testing
• Incident response: documented incident response plan with 72-hour notification to Customers of data breaches
• Personnel: all Permito personnel with data access are bound by confidentiality obligations and complete annual data protection training
7. Sub-processors
Permito uses the following categories of sub-processors to provide the platform services:
• Cloud infrastructure (data hosting and storage)
• Email delivery services (for permit notifications and system emails)
• Error monitoring services (processing anonymised error logs only)
Permito will notify Customers of any intended addition or change to sub-processors with at least 14 days' notice. Customers may object to new sub-processors within this period. Permito ensures all sub-processors are bound by data processing agreements providing at least equivalent protections to this DPA.
8. International data transfers
Personal data is primarily stored in data centres within Nigeria. Where data is transferred outside Nigeria, Permito ensures adequate safeguards are in place, including: (a) transfers to countries with an adequacy decision under NDPR or GDPR; (b) standard contractual clauses approved by relevant data protection authorities; or (c) binding corporate rules where applicable. Details of specific transfer mechanisms are available on request.
9. Data subject rights
As Controller, the Customer is responsible for handling Data Subject requests (access, correction, deletion, portability, restriction, objection). Permito provides tools within the platform settings to assist Customers in fulfilling these obligations, including data export and user deletion functions. Where Permito receives a Data Subject request directly, it will forward this to the Customer within 5 business days without responding to the Data Subject directly, unless authorised otherwise.
10. Retention and deletion
Permito retains personal data for the duration of the active subscription, plus 90 days to allow data export after termination. After this period, personal data is securely deleted or anonymised unless a longer retention period is required by applicable law (e.g., regulatory audit obligations). Permit records required for statutory audit purposes may be retained in anonymised or aggregated form for up to 7 years. Customers may request earlier deletion subject to these retention obligations.
11. Audits and compliance
Permito makes available on request its most recent ISO 27001 certification, SOC 2 report summary, and NDPR compliance certificate. Customers with Enterprise plans may request a formal audit with reasonable notice (minimum 30 days) at their own cost, subject to confidentiality obligations. Permito may fulfil an audit request by providing third-party audit reports in lieu of a direct audit where this reasonably satisfies the Customer's compliance requirements.
12. Governing law and contact
This DPA is governed by the laws of the Federal Republic of Nigeria. To execute a formal DPA, request a signed copy, or raise data processing queries, contact: dpa@permito.ng or write to the Data Protection Officer, Permito Technologies Ltd, Victoria Island, Lagos, Nigeria.