Data Processing Agreement

Last updated: March 2, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Node Works Ltd ("Data Processor", "we", "us"), a company registered in the Republic of Kenya under registration number PVT-MKULZYM, and you ("Data Controller", "you", "your") for the provision of the TailHQ platform (the "Service").

This DPA applies where and only to the extent that we process Personal Data on your behalf in the course of providing the Service, and such Personal Data is subject to data protection laws of the applicable jurisdiction, including but not limited to the EU General Data Protection Regulation (GDPR), the UK GDPR, the Kenya Data Protection Act 2019, and other applicable data protection legislation.

1. Definitions

Unless otherwise defined herein, capitalised terms shall have the meaning given to them in the main Terms of Service and Privacy Policy. In this DPA:

• "Customer Data" means any Personal Data that you submit to the Service for processing on your behalf, including data relating to your end users, clients, patients, and other individuals.
• "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the GDPR, UK GDPR, Kenya Data Protection Act 2019, and any other applicable national data protection laws.
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
• "Sub-processor" means any third party appointed by us to process Customer Data on your behalf.
• "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data.

2. Scope and Roles

You are the Data Controller and we are the Data Processor of Customer Data. We will only process Customer Data on your documented instructions and for the purposes of providing the Service as described in the Terms of Service, unless required to do so by applicable law, in which case we will inform you of that legal requirement before processing (unless the law prohibits such notification).

3. Types of Data Processed

The categories of Personal Data processed under this DPA may include:

• Contact information (names, email addresses, phone numbers, addresses)
• Patient and animal records (as input by you into the Service)
• Appointment and scheduling data
• Billing and payment information
• Communication records between you and your clients
• Any other data you choose to input into the Service

The categories of data subjects may include:

• Your employees and staff members
• Your clients and pet owners
• Your suppliers and business contacts
• Any other individuals whose data you input into the Service

4. Our Obligations as Data Processor

We shall:

• Process Customer Data only on your documented instructions, including with regard to transfers of Personal Data to a third country, unless required by applicable law;
• Ensure that persons authorised to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• Implement appropriate technical and organisational security measures as described in Section 6;
• Not engage another processor (Sub-processor) without your prior general or specific written authorisation. In the case of general written authorisation, we shall inform you of any intended changes concerning the addition or replacement of Sub-processors, giving you the opportunity to object;
• Assist you, taking into account the nature of processing, by appropriate technical and organisational measures, in fulfilling your obligation to respond to data subject requests;
• Assist you in ensuring compliance with your obligations regarding security of processing, notification of data breaches, data protection impact assessments, and prior consultation with supervisory authorities;
• At your choice, delete or return all Customer Data to you after the end of the provision of the Service, and delete existing copies unless applicable law requires storage of the data;
• Make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you.

5. Your Obligations as Data Controller

You shall:

• Ensure that you have obtained all necessary consents and authorisations required under applicable Data Protection Laws to transfer Customer Data to us for processing;
• Ensure that your instructions to us regarding the processing of Customer Data comply with applicable Data Protection Laws;
• Be solely responsible for the accuracy, quality, and legality of Customer Data and the means by which you acquired it;
• Comply with your obligations as a Data Controller under applicable Data Protection Laws, including providing any required notices to, and obtaining any required consents from, data subjects.

6. Security Measures

We implement and maintain appropriate technical and organisational measures to protect Customer Data against Security Incidents, including but not limited to:

• Encryption of data in transit using TLS/SSL
• Encryption of data at rest where technically feasible
• Role-based access controls and authentication mechanisms
• Regular security assessments and vulnerability testing
• Secure software development practices
• Employee access limited to a need-to-know basis
• Regular backups and disaster recovery procedures
• Logging and monitoring of access to Customer Data

7. Sub-processors

You provide general authorisation for us to engage Sub-processors to assist in providing the Service. A current list of our Sub-processors is available on our Sub-processors page. We will update this list prior to engaging any new Sub-processor and will notify you of such changes, giving you the opportunity to object.

Where we engage a Sub-processor, we shall impose on that Sub-processor the same data protection obligations as set out in this DPA by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. We shall remain fully liable to you for the performance of each Sub-processor's obligations.

8. Data Breach Notification

We shall notify you without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting Customer Data. Such notification shall include:

• A description of the nature of the Security Incident, including the categories and approximate number of data subjects and records concerned;
• The name and contact details of a point of contact from whom more information can be obtained;
• A description of the likely consequences of the Security Incident;
• A description of the measures taken or proposed to be taken to address the Security Incident, including measures to mitigate its possible adverse effects.

9. International Data Transfers

Customer Data is stored and processed on servers located in the United States of America. Node Works Ltd is incorporated in Kenya. Where the transfer of Customer Data to the United States (or any other country) constitutes an international transfer under applicable Data Protection Laws, we will ensure that appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) as approved by the European Commission, where required for transfers from the EEA;
• The International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, where required for transfers from the UK;
• Any other transfer mechanism approved under applicable Data Protection Laws.

10. Data Subject Rights

We shall assist you in responding to requests from data subjects to exercise their rights under applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection). If we receive a request directly from a data subject, we shall promptly forward such request to you unless prohibited by law.

11. Data Deletion and Return

Upon termination of the Service, we will make your Customer Data available for export for a period of not less than 30 days. After this period, we shall securely delete or anonymise all Customer Data in our possession, including any copies, unless applicable law requires further storage. We will certify deletion upon your written request.

12. Audits

Upon reasonable request and subject to reasonable confidentiality obligations, we will make available to you information necessary to demonstrate our compliance with this DPA. You may conduct an audit (or appoint a qualified third-party auditor) no more than once per year, with reasonable advance notice of at least 30 days, during normal business hours, and in a manner that does not unreasonably disrupt our operations.

13. Duration and Termination

This DPA shall remain in effect for the duration of the provision of the Service. The obligations placed upon us under this DPA shall survive for as long as we process Customer Data on your behalf, including any period after the termination of the Service during which we retain Customer Data.

14. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Republic of Kenya, without prejudice to any mandatory data protection laws that may apply to the processing of Customer Data. Where a conflict arises between this DPA and the Terms of Service, the provisions of this DPA shall prevail with respect to data protection matters.

Contact Us

If you have any questions about this Data Processing Agreement, please contact us:

Node Works Ltd

Company Registration: PVT-MKULZYM

Republic of Kenya

Email: hi@tailhq.com