Data Processing Agreement

• Applicable Data Protection Law — GDPR, UK GDPR, NDPA (Nigeria), POPIA (South Africa), Kenya Data Protection Act, Ghana DPA, and any other privacy law applicable to the Processing.
• Personal Data — any information relating to an identified or identifiable natural person Processed by Washly on behalf of the Controller.
• Processing, Controller, Processor, Sub-processor, Data Subject — as defined in Applicable Data Protection Law.

The Controller determines the purposes and means of Processing. Washly Processes Personal Data only on documented instructions from the Controller (the Service configuration, support requests, and these Terms constitute such instructions), and only as necessary to provide the Service.

• Subject matter: provision of the Washly laundry operating system.
• Duration: for the term of the subscription, plus the retention period in the Privacy Policy.
• Nature and purpose: hosting, storing, transmitting, and displaying Personal Data to deliver the Service.
• Categories of Data Subjects: the Controller's customers, staff, suppliers, and end-users.
• Categories of Personal Data: names, contact details, addresses, order and transaction history, payment metadata, photos uploaded by the Controller.
• Special categories: none expected. The Controller must not upload special-category data without prior agreement.

• Process Personal Data only on the Controller's documented instructions.
• Ensure personnel authorised to Process Personal Data are bound by confidentiality.
• Implement the technical and organisational measures described on our Security page.
• Assist the Controller in fulfilling requests from Data Subjects and obligations under Articles 32–36 GDPR (or equivalent).
• Notify the Controller without undue delay, and in any case within 72 hours, after becoming aware of a Personal Data breach.
• Make available all information necessary to demonstrate compliance and contribute to audits, subject to confidentiality and reasonable notice.

• Ensure a lawful basis exists for the Processing instructed.
• Provide required notices and obtain required consents from Data Subjects.
• Configure the Service appropriately (roles, retention, integrations).
• Not instruct Washly to Process Personal Data in violation of Applicable Data Protection Law.

The Controller authorises Washly to engage the following sub-processors:

• Amazon Web Services — cloud hosting (EU / US regions).
• Cloudflare — CDN, WAF, and edge compute.
• Postmark — transactional email.
• Twilio / Termii — SMS and WhatsApp messaging.
• Paystack, Flutterwave, Stripe, Moniepoint — payment processing.
• Plausible — privacy-friendly product analytics.
• Sentry — error monitoring.

We give the Controller at least 30 days' notice before adding or replacing a sub-processor. The Controller may object on reasonable data-protection grounds; if the parties cannot resolve the objection, the Controller may terminate the affected portion of the Service.

Where Personal Data is transferred outside the EEA, UK, Nigeria, South Africa, or Kenya, Washly relies on an appropriate transfer mechanism: an adequacy decision, the EU Standard Contractual Clauses (SCCs) including Module 2 or 3, the UK International Data Transfer Addendum, or equivalent safeguards. The SCCs are incorporated by reference and apply automatically where required.

Washly provides self-service tools to help the Controller respond to access, correction, deletion, restriction, and portability requests. Where additional assistance is required, the Controller can contact privacy@washly.app.

Washly maintains the technical and organisational measures described on the Security page and updates them as needed to maintain an appropriate level of security. In the event of a Personal Data breach, Washly will notify the Controller without undue delay (and within 72 hours of confirmation) with the information required by Applicable Data Protection Law.

On reasonable notice, and no more than once per year (unless required by a regulator or following a breach), the Controller may audit Washly's compliance with this DPA. Washly may satisfy audit obligations by providing third-party audit reports (e.g. SOC 2) where available. The Controller bears its own audit costs and must conduct audits during business hours without disrupting the Service.

Upon termination of the Service, Washly will, at the Controller's choice, return or delete all Personal Data within 90 days, except where retention is required by law. Backups are purged within 35 days thereafter.

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits a party's liability to Data Subjects under Applicable Data Protection Law.

In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the Processing of Personal Data. In the event of a conflict between this DPA and the SCCs, the SCCs prevail.

We may update this DPA from time to time to reflect changes in law or our sub-processors. Material changes will be notified at least 30 days in advance.

Data Protection Officer · Washly Technologies Ltd
Email: privacy@washly.app
Postal: 12 Admiralty Way, Lekki Phase 1, Lagos, Nigeria