Izzi Manager
Log in

Legal

Data Processing Agreement

For B2B customers · Last updated: 14 May 2026

This DPA forms part of our Terms of Service for customers acting as Data Controller. By signing up you accept this DPA. If your organisation requires a signed counterpart, request one from legal@izzimanager.com.

1. Roles

You are the Data Controller for personal data you upload (customer, supplier, employee records). Izzikart Limited is the Data Processor, acting on your instructions as set out in our Terms.

2. Processing details

  • Subject matter: providing the Izzi Manager SaaS service.
  • Duration: for the term of your subscription + 30-day post-cancellation grace.
  • Nature: storage, retrieval, transmission, deletion of personal data.
  • Data subjects: your customers, suppliers, employees, contacts.
  • Categories: identifiers (name, email, phone), business records (invoices, payments, payroll).

3. Sub-processors

We engage the sub-processors listed in our Privacy Policy. We'll notify you 30 days before adding a new sub-processor; you may terminate if you object.

4. Security measures

  • Encryption at rest (AES-256-GCM) for PII.
  • Encryption in transit (TLS 1.2+).
  • Role-based access control + tenant isolation via Row-Level Security.
  • Audit logging of every access to personal data.
  • Daily backups with 30-day retention.
  • 2FA required for privileged roles.
  • Regular penetration testing.

5. Data subject rights

If a data subject contacts you with an access / correction / deletion request, we'll help you fulfil it within the time limits set by Ghana's Data Protection Act.

6. Data breaches

We will notify you of any confirmed personal-data breach affecting your data within 72 hours, with details of what happened, the data involved, and our remediation steps.

7. Audits

Enterprise customers may audit our practices once per year with 30 days' notice. We provide SOC-style reports on request.

8. Return / deletion

On termination, you have 30 days to export all data. After that we permanently delete it from our production systems within 7 days, and from backups within 90 days.

9. Cross-border transfers

Our infrastructure is hosted in the EU (eu-central-1). If you require Ghana-only hosting, contact sales — available on the Enterprise plan.