Data Processing Addendum
Last updated: April 18, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between PassportIQ Ltd ("Processor") and the customer ("Controller") and applies whenever PassportIQ processes personal data on the Controller's behalf.
1. Definitions
Terms such as "Personal Data", "Processing", "Controller", "Processor", and "Data Subject" carry the meaning given in the EU General Data Protection Regulation (GDPR) and the Nigeria Data Protection Regulation (NDPR), as applicable.
2. Subject matter & duration
We process personal data only to deliver the Service, for the duration of the agreement and for any retention period required by law.
3. Nature & purpose of processing
- Hosting and storing customer-uploaded documents.
- Generating visa approval scores and personalized insights.
- Authenticating users and protecting accounts.
- Sending transactional notifications related to the Service.
4. Categories of data subjects & data
Data subjects: end users of the Controller. Categories: identifiers, contact details, passport data, financial range, travel history, uploaded documents, usage telemetry.
5. Sub-processors
The Controller authorizes the use of the following sub-processors:
- Lovable Cloud (managed Supabase) — hosting, database, file storage.
- Paystack — payment processing.
- Resend — transactional email.
- Google Cloud (Gemini) and OpenAI — AI model inference for in-product features.
We will give 30 days' notice of new sub-processors via the in-app changelog and email, allowing reasonable objection.
6. Security measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Row-level security and least-privilege access controls.
- Mandatory 2FA for all PassportIQ employees with production access.
- Annual penetration testing and continuous vulnerability scanning.
- Backup, disaster recovery, and incident response procedures.
7. Data subject rights
We assist the Controller in responding to data subject requests via tooling for export, rectification, and deletion exposed in Settings → Privacy & Data.
8. Data breach notification
We will notify the Controller of any confirmed personal data breach without undue delay and within 72 hours of discovery, with available details and our remediation plan.
9. International transfers
Where personal data is transferred outside the EEA or Nigeria, we rely on Standard Contractual Clauses or equivalent safeguards.
10. Audit & deletion
Upon written request, we will provide reasonable information necessary to demonstrate compliance. Upon termination, we will delete or return personal data within 30 days, except where retention is required by law.
11. Contact
DPA inquiries: dpo@passportiq.app.