1. Definitions
- “Controller” means the Tenant organization that determines the purposes and means of personal data processing
- “Processor” means LineUp, which processes personal data on behalf of the Controller
- “Personal Data” means any information relating to an identified or identifiable natural person
- “Data Subject” means the individual whose personal data is being processed
- “Processing” has the meaning given under applicable data protection law
- “Security Incident” means any unauthorized or unlawful access, loss, alteration, or disclosure of Personal Data
- “Subprocessor” means any third party engaged by LineUp to process Personal Data on behalf of the Controller
2. Scope and Purpose of Processing
LineUp processes Personal Data submitted by the Controller solely for the purpose of providing the LineUp queue management platform in accordance with the Terms of Service, Commercial Agreement, and the Controller's documented instructions. LineUp shall not process Personal Data for any purpose beyond what is necessary to operate, maintain, and support the Platform.
3. Types of Data and Data Subjects
Categories of Data Subjects:
- End customers and queue participants of the Controller
- Staff members and administrators employed by the Controller
Categories of Personal Data:
- Queue participation data: ticket numbers, timestamps, wait times
- Optional customer contact data: name, phone number, email address
- Staff identity data: names, email addresses, roles
- Authentication data: hashed passwords, MFA configuration, session records
- Audit data: action logs, IP addresses, device/browser information
- Communication data: SMS and email content related to queue notifications
4. Controller Obligations
The Controller represents and warrants that:
- It has an appropriate legal basis for processing Personal Data under applicable law
- It has provided all required notices to Data Subjects and obtained any required consents
- Its instructions to LineUp comply with applicable data protection law
- It will only instruct LineUp to process Personal Data for lawful purposes
5. Processor Obligations
LineUp agrees to:
- Process Personal Data only on the documented instructions of the Controller
- Ensure that personnel authorized to process Personal Data are subject to confidentiality obligations
- Implement and maintain the technical and organizational security measures described in Section 6
- Assist the Controller, where technically feasible, in fulfilling Data Subject rights requests
- Assist the Controller in meeting its obligations regarding security, breach notification, and data protection impact assessments
- Delete or return all Personal Data upon termination of the agreement, as set out in Section 10
- Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA
6. Security Measures
LineUp maintains the following technical and organizational measures to protect Personal Data:
- Role-Based Access Control (RBAC) limiting access to authorized personnel scoped by organizational role
- Multi-Factor Authentication (MFA) for all Staff accounts
- Encryption of Personal Data in transit using TLS 1.2 or higher
- Encryption of Personal Data at rest
- Logical multi-tenant isolation ensuring no cross-Tenant data access is possible
- Comprehensive audit logging of all access and modification events
- Session management with automatic expiry controls
- Access reviews and internal security policies governing Platform Owner administrative access
For a full description of these measures, see the Security & Trust Overview.
7. Subprocessors
7.1 The Controller grants LineUp general authorization to engage subprocessors for the purposes of providing the Platform, including cloud infrastructure providers, SMS delivery providers (e.g., Twilio), email delivery providers (e.g., Resend), and payment processors.
7.2 LineUp shall enter into data processing agreements with all subprocessors imposing obligations no less protective than those in this DPA.
7.3 LineUp shall notify the Controller of any intended changes to subprocessors with at least fourteen (14) days' written notice prior to the change taking effect, giving the Controller the opportunity to object. If the Controller objects and the parties cannot resolve the matter, the Controller may terminate the agreement. The current subprocessor list is available at any time upon written request to privacy@cybersafehills.com.
8. Data Subject Rights
Upon receiving a Data Subject rights request relating to Tenant-controlled data, LineUp shall notify the Controller without undue delay. LineUp will provide reasonable technical assistance to the Controller to fulfil the request, where such assistance is within LineUp's control. The Controller remains responsible for responding to Data Subjects.
9. Breach Notification
In the event LineUp becomes aware of a Security Incident affecting Personal Data processed on behalf of the Controller, LineUp shall:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware
- Provide a description of the nature of the incident, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the incident
- Cooperate with the Controller to investigate, mitigate, and remediate the incident
Notification by LineUp does not constitute an acknowledgment of fault or liability.
10. Data Deletion and Return
Upon termination or expiration of the agreement, LineUp shall, at the Controller's election:
- Provide a 5-day grace period during which the Controller retains limited access for data export; fully suspend access on Day 5 and retain all Personal Data for a further 60 days from the date of suspension; and permanently and irreversibly delete all Personal Data on Day 65 from the expiry or termination date.
- Return a structured data export to the Controller prior to deletion, upon written request submitted before the grace period expires
LineUp may retain Personal Data beyond this period only to the extent required by applicable law, in which case LineUp shall notify the Controller and continue to protect such data.
11. Confidentiality
LineUp shall treat all Personal Data processed under this DPA as confidential. LineUp shall ensure that all personnel with access to Personal Data are bound by appropriate confidentiality obligations. This obligation survives termination of the agreement.
12. Term
This DPA remains in force for the duration of the Terms of Service and Commercial Agreement, and terminates automatically upon expiry or termination of those agreements, subject to obligations that survive termination (including Sections 10 and 11).
13. Governing Law
This DPA is governed by the laws of the Republic of Rwanda. Any disputes shall be subject to the jurisdiction of the courts of Kigali, Rwanda.
For privacy inquiries: privacy@cybersafehills.com · CyberSafeHills & Partners Ltd, Kk 15 Rd, Kigali, Rwanda