moraCommerce← Home

Data Processing Addendum

Last updated: 18 June 2026

This DPA supplements our Terms of Service and Privacy Policy.

1. Introduction and parties

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you, the store owner ("Customer", the data controller), and DaboLinux Technologies (Business Reg. No. BN3238495), No. 03 Ummita Plaza, Sharada, Jaen, Kano State, Nigeria, operating moraCommerce ("Processor"). It applies where moraCommerce processes personal data on the Customer’s behalf (the Customer’s shoppers/customers and staff — "Customer Personal Data") and reflects the parties’ obligations under the Nigeria Data Protection Act 2023 / NDPR and, where applicable, the GDPR ("Applicable Data Protection Law").

2. Definitions

Terms such as "controller", "processor", "personal data", "data subject", "processing", and "personal data breach" have the meanings given in Applicable Data Protection Law. "Sub-processor" means a third party engaged by the Processor to process Customer Personal Data.

3. Roles and scope

The Customer is the controller and moraCommerce is the processor of Customer Personal Data. The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects are set out in Annex 1. moraCommerce processes account, billing, and its own marketing data as a controller — that processing is governed by the Privacy Policy, not this DPA.

4. Processor obligations

  • Process Customer Personal Data only on the Customer’s documented instructions (including the Terms and use of the platform’s features), unless required by law.
  • Ensure persons authorised to process the data are bound by confidentiality.
  • Implement appropriate technical and organisational security measures (Annex 2).
  • Assist the Customer, taking into account the nature of processing, in responding to data-subject requests and in meeting its security, breach-notification, and data-protection-impact-assessment obligations.
  • Notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.
  • Make available information necessary to demonstrate compliance with this DPA.

5. Sub-processors

The Customer provides general authorisation for moraCommerce to engage the sub-processors listed in Annex 3 to deliver the service. moraCommerce imposes data-protection obligations on each sub-processor no less protective than those in this DPA and remains responsible for their performance. We will give notice of intended changes to sub-processors so the Customer can object on reasonable data-protection grounds.

6. International transfers

Where a sub-processor processes Customer Personal Data outside Nigeria or the EEA, moraCommerce ensures an appropriate transfer mechanism is in place, such as an adequacy decision or standard contractual clauses.

7. Data subject rights

Taking into account the nature of the processing, moraCommerce will assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests by data subjects exercising their rights under Applicable Data Protection Law. The platform’s features (export, edit, delete) are the primary means by which the Customer fulfils such requests.

8. Personal data breaches

moraCommerce will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, with information reasonably available to assist the Customer in meeting its own notification obligations to authorities and data subjects.

9. Audits

moraCommerce will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable confidentiality and security conditions.

10. Return and deletion

On termination of the service, and at the Customer’s choice, moraCommerce will return or delete Customer Personal Data within a reasonable period and delete existing copies, unless retention is required by law. Export tooling is available for the Customer prior to deletion.

Annex 1 — Details of processing

  • Subject matter: provision of the moraCommerce ecommerce platform to the Customer.
  • Duration: for the term of the Customer’s use of the service.
  • Nature and purpose: hosting, storing, and processing Customer Personal Data to operate the Customer’s storefront, orders, payments, fulfilment, and communications.
  • Types of personal data: names, contact details (email, phone), addresses, order history, and limited account data of the Customer’s shoppers and staff.
  • Categories of data subjects: the Customer’s shoppers/customers and the Customer’s staff users.

Annex 2 — Technical and organisational measures

  • Encryption of data in transit (TLS).
  • Hashed credentials and role-based access control.
  • Per-tenant data isolation enforced at the database layer.
  • Access controls, logging, and monitoring of platform systems.
  • Regular backups and a documented recovery process.
  • [Add any further measures as your security program matures.]

Annex 3 — Sub-processors

  • Paystack — payment processing.
  • Flutterwave — payment processing.
  • Resend — transactional and notification email delivery.
  • Google Cloud — application hosting.
  • Cloudflare — file and media storage.

Contact

Questions about this DPA: privacy@dabolinux.com. Postal: DaboLinux Technologies, No. 03 Ummita Plaza, Sharada, Jaen, Kano State, Nigeria.