Data Processing Agreement (DPA)
This Data Processing Agreement ("Agreement") forms part of the contract between My Centre Office Ltd ("Processor") and the customer organisation ("Controller") using the My Centre Office (MyCo) service. By using MyCo, the Controller agrees to the terms of this Agreement.
1. Definitions
  • Controller: The entity that determines the purposes and means of processing personal data. This refers to the business or individual using MyCo to manage their own clients and contacts.
  • Processor: My Centre Office Ltd, which processes personal data on behalf of the Controller to deliver the MyCo service.
  • Personal Data: Any information relating to an identified or identifiable individual, including names, email addresses, phone numbers, and payment details.
  • Processing: Any operation performed on personal data, including collecting, storing, using, transferring, or deleting.
  • Sub-Processor: Any third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.
  • Data Breach: A security incident leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data.
2. Subject Matter and Duration

The Processor will process Personal Data as necessary to provide the MyCo service to the Controller. This Agreement remains in effect for the duration of the Controller's subscription and ceases upon termination of that subscription, subject to any legal retention obligations.

3. Scope and Purpose of Processing

The Processor will process Personal Data solely to the extent required to deliver the contracted services and strictly in accordance with the documented instructions of the Controller. The Processor will not process Personal Data for any other purpose without the Controller's explicit authorisation, except where required by applicable law.

4. Processor Obligations

The Processor agrees to:

  • Process Personal Data only on documented instructions from the Controller.
  • Implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
  • Ensure that all personnel authorised to process Personal Data are bound by confidentiality obligations.
  • Assist the Controller in complying with data subject rights requests, data breach notifications, and data protection impact assessments where applicable.
  • Notify the Controller without undue delay — and no later than 72 hours — upon becoming aware of a Personal Data breach.
  • Delete or return all Personal Data upon termination of this Agreement, unless otherwise required by law.
  • Maintain records of all processing activities carried out on behalf of the Controller.
5. Controller Obligations

The Controller agrees to:

  • Provide clear and lawful instructions for the processing of Personal Data.
  • Ensure there is a valid lawful basis for processing and inform data subjects as required under applicable law.
  • Ensure that Personal Data provided to the Processor is accurate and up to date.
  • Cooperate with the Processor to comply with applicable data protection laws, including UK GDPR and the Nigeria Data Protection Act 2023 where applicable.
  • Notify the Processor promptly of any changes in instructions that may affect the processing of Personal Data.
6. Sub-Processors

The Controller provides general authorisation for the Processor to engage the following sub-processors in connection with the delivery of the MyCo service. The Processor will ensure all sub-processors are bound by data protection obligations equivalent to those in this Agreement.

Sub-Processor Location Purpose
Sendgrid United States Email delivery
Voodoo SMS United Kingdom SMS delivery (UK)
Kudisms Nigeria SMS delivery (Nigeria)
Stripe United States Payment processing
Paystack Nigeria Payment processing
Flutterwave Nigeria Payment processing
Korapay Nigeria Payment processing
Webhosting UK United Kingdom Server hosting

The Processor will notify the Controller of any intended changes to this list of sub-processors, giving the Controller the opportunity to object before such changes take effect.

7. International Data Transfers

Some sub-processors are located outside the United Kingdom and the European Economic Area, specifically Sendgrid and Stripe in the United States. Where Personal Data is transferred internationally, the Processor will ensure that appropriate safeguards are in place in accordance with UK GDPR requirements, including Standard Contractual Clauses (SCCs) where applicable. Transfers to Nigeria-based sub-processors are conducted in accordance with the Nigeria Data Protection Act 2023.

8. Data Retention

The Processor will retain Personal Data only for as long as necessary to deliver the contracted services. Upon termination of the Controller's account, Personal Data will be deleted promptly unless retention is required by applicable law. The Controller may request deletion of their data at any time via the MyCo helpdesk.

9. Audit Rights

The Controller has the right to request information demonstrating the Processor's compliance with this Agreement. The Processor will provide reasonable assistance and documentation to support such requests. Where an on-site audit is required, this will be agreed in advance and conducted at the Controller's expense.

10. Data Breach Notification

In the event of a Personal Data breach, the Processor will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include, where available, the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

11. Liability

Each party remains responsible for its own compliance with applicable data protection laws. The Processor is liable for breaches caused by its failure to comply with this Agreement or applicable data protection legislation. The Controller is liable for breaches arising from unlawful instructions or failure to fulfil its own obligations as a Controller.

12. Regulatory Compliance

The Processor is registered with and compliant with the following regulatory bodies:

  • UK Information Commissioner's Office (ICO) — Registered under UK GDPR
  • Nigeria Data Protection Commission (NDPC) — Registered as a Data Controller under the Nigeria Data Protection Act 2023
  • Cyber Essentials — Certified against common cyber threats
13. Governing Law

This Agreement is governed by the laws of the United Kingdom. Where the Controller is based in Nigeria, the provisions of the Nigeria Data Protection Act 2023 also apply. Any disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of the United Kingdom.

Last updated: February 2026