Last updated: April 20, 2026
This Data Processing Agreement (“DPA”) is entered into between the Tenant organization (“Controller”) and CyberSafeHills & Partners Ltd, operating the LineUp platform (“Processor”). This DPA supplements the LineUp Terms of Service and governs the processing of personal data by LineUp on behalf of the Tenant.
1. Definitions
- “Controller” means the Tenant organization that determines the purposes and means of personal data processing
- “Processor” means LineUp, which processes personal data on behalf of the Controller
- “Personal Data” means any information relating to an identified or identifiable natural person
- “Data Subject” means the individual whose personal data is being processed
- “Processing” has the meaning given under applicable data protection law
- “Security Incident” means any unauthorized or unlawful access, loss, alteration, or disclosure of Personal Data
2. Scope and Purpose of Processing
LineUp processes Personal Data submitted by the Controller solely for the purpose of providing the LineUp queue management platform in accordance with the Terms of Service and the Controller's documented instructions. LineUp shall not process Personal Data for any purpose beyond what is necessary to operate, maintain, and support the Platform.
3. Types of Data and Data Subjects
Categories of Data Subjects:
- End customers / queue participants of the Controller
- Staff members and administrators employed by the Controller
Categories of Personal Data:
- Queue participation data: ticket numbers, timestamps, wait times
- Optional customer contact data: name, phone number, email address
- Staff identity data: names, email addresses, roles
- Authentication data: hashed passwords, MFA configuration, session records
- Audit data: action logs, IP addresses, device/browser information
- Communication data: SMS and email content related to queue notifications
4. Controller Obligations
The Controller represents and warrants that:
- It has an appropriate legal basis for processing Personal Data under applicable law
- It has provided all required notices to Data Subjects and obtained any required consents
- Its instructions to LineUp comply with applicable data protection law
- It will only instruct LineUp to process Personal Data for lawful purposes
5. Processor Obligations
LineUp agrees to:
- Process Personal Data only on the documented instructions of the Controller
- Ensure that personnel authorized to process Personal Data are subject to confidentiality obligations
- Implement and maintain the technical and organizational security measures described in Section 6
- Assist the Controller, where technically feasible, in fulfilling Data Subject rights requests
- Assist the Controller in meeting its obligations regarding security, breach notification, and data protection impact assessments
- Delete or return all Personal Data upon termination of the agreement, as set out in Section 10
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
6. Security Measures
LineUp maintains the following technical and organizational measures to protect Personal Data:
- Role-Based Access Control (RBAC) limiting access to authorized personnel and scoped by organizational role
- Multi-Factor Authentication (MFA) for all staff user accounts
- Encryption of Personal Data in transit using TLS 1.2 or higher
- Encryption of Personal Data at rest
- Logical multi-tenant isolation ensuring no cross-Tenant data access is possible
- Comprehensive audit logging of all access and modification events
- Session management with automatic expiry controls
- Access reviews and internal security policies governing Platform Owner administrative access
7. Subprocessors
7.1 The Controller grants LineUp general authorization to engage subprocessors for the purposes of providing the Platform, including cloud infrastructure providers, SMS delivery providers (e.g., Twilio), and email delivery providers (e.g., Resend).
7.2 LineUp shall enter into data processing agreements with all subprocessors imposing obligations no less protective than those in this DPA.
7.3 LineUp shall notify the Controller of any intended changes to subprocessors with reasonable advance notice, giving the Controller the opportunity to object. If the Controller objects and the parties cannot resolve the matter, the Controller may terminate the agreement.
8. Data Subject Rights
Upon receiving a Data Subject rights request relating to Tenant-controlled data, LineUp shall notify the Controller without undue delay. LineUp will provide reasonable technical assistance to the Controller to fulfil the request, where such assistance is within LineUp's control. The Controller remains responsible for responding to Data Subjects.
9. Breach Notification
In the event LineUp becomes aware of a Security Incident affecting Personal Data processed on behalf of the Controller, LineUp shall:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware
- Provide a description of the nature of the incident, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the incident
- Cooperate with the Controller to investigate, mitigate, and remediate the incident
Notification by LineUp does not constitute an acknowledgment of fault or liability.
10. Data Deletion and Return
Upon termination or expiration of the agreement, LineUp shall, at the Controller's election:
- Delete all Personal Data from its systems within 30 days of termination
- Return a structured data export to the Controller prior to deletion, upon written request
LineUp may retain Personal Data beyond this period only to the extent required by applicable law, in which case LineUp shall notify the Controller and continue to protect such data.
11. Confidentiality
LineUp shall treat all Personal Data processed under this DPA as confidential. LineUp shall ensure that all personnel with access to Personal Data are bound by appropriate confidentiality obligations. This obligation survives termination of the agreement.
12. Term
This DPA remains in force for the duration of the Terms of Service and terminates automatically upon expiry or termination of those Terms, subject to obligations that survive termination (including Sections 10 and 11).
13. Governing Law
This DPA is governed by the laws of the Republic of Rwanda. Any disputes shall be subject to the jurisdiction of the courts of Kigali, Rwanda.