This Data Processing Agreement ("DPA") is entered into between:
Processor: PLVN Technologies Ltd, a company incorporated in Ghana and headquartered in Accra ("PLVN", "Processor"); and
Controller: the customer or organisation that has accepted the PLVN Terms of Service and is identified in the associated account ("Customer", "Controller").
This DPA forms part of the agreement between the Processor and the Controller (together, "the Parties") and supplements the PLVN Terms of Service. In the event of any conflict between this DPA and the Terms of Service with respect to the processing of personal data, this DPA shall prevail.
By using the PLVN platform in a capacity that involves the processing of personal data on behalf of a business or organisation, the Controller accepts this DPA.
1. Definitions
In this DPA, the following terms have the meanings set out below. Where applicable, terms are defined consistently with the Ghana Data Protection Act 2012 (Act 843), the Ghana National Data Protection Authority framework ("NDPA 2023"), and, where relevant, the General Data Protection Regulation (EU) 2016/679 ("GDPR") Article 4:
- "Personal Data" means any information relating to an identified or identifiable natural person ("data subject"), as defined in GDPR Art. 4(1) and Act 843 of Ghana.
- "Processing" means any operation or set of operations performed on personal data, whether automated or manual, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction, as defined in GDPR Art. 4(2).
- "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, as defined in GDPR Art. 4(7).
- "Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller, as defined in GDPR Art. 4(8).
- "Sub-Processor" means any third party engaged by the Processor to process personal data on behalf of the Controller in connection with the PLVN platform.
- "Data Subject" means the identified or identifiable natural person to whom personal data relates.
- "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed by the Processor.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission or the Ghana Data Protection Commission, as applicable.
2. Scope of Processing
The Processor processes personal data solely for the purpose of providing the PLVN event management SaaS platform to the Controller. The subject matter, duration, nature, purpose, type of personal data, and categories of data subjects are described in Annex A below.
Annex A — Processing Details
- Subject matter: Event planning and management services delivered via the PLVN web and mobile platform.
- Duration: For the term of the agreement between the Parties plus any retention period required by applicable law.
- Nature of processing: Collection, storage, organisation, retrieval, display, and deletion of personal data for the purpose of operating the platform for the Controller.
- Purpose of processing: To enable the Controller to plan and manage events, communicate with vendors, manage guest lists, track tasks and budgets, and use all other features of the PLVN platform.
- Type of personal data: Names, email addresses, phone numbers, event-related data (guest lists, seating arrangements, dietary requirements), payment tokens, and device identifiers.
- Categories of data subjects: The Controller's end users (planners), guests invited to events, and vendors contacted through the platform.
3. Processor Obligations
3.1 Processing on Instructions Only
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification on grounds of public interest. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection law.
3.2 Confidentiality
The Processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to personal data is restricted to personnel who require it to perform their duties in connection with providing the platform. The Processor maintains a formal access control policy and conducts regular access reviews.
3.3 Security Measures
The Processor shall implement and maintain appropriate technical and organisational measures to protect personal data against a Security Incident, having regard to the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures include, at minimum:
- Encryption of personal data at rest using AES-256 and in transit using TLS 1.3.
- Pseudonymisation and anonymisation of data where appropriate.
- Ongoing confidentiality, integrity, availability, and resilience of processing systems.
- The ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational security measures.
- Rate limiting, JWT-based authentication, bcrypt password hashing, and parameterised queries as described in the PLVN Security page.
4. Sub-Processors
The Controller grants the Processor general written authorisation to engage the sub-processors listed in Annex B below. The Processor shall impose data protection obligations on each sub-processor, by way of a contract or other legal act, that are no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of the sub-processor's obligations.
The Processor shall notify the Controller of any intended changes to the list of sub-processors, including additions or replacements, with at least 14 days' notice. The Controller may object to a new sub-processor on reasonable data protection grounds by emailing [email protected] within 14 days of notification. If the Processor is unable to accommodate the objection, the Controller may terminate the affected services on written notice.
Annex B — Authorised Sub-Processors
The following sub-processors are engaged by PLVN as at the effective date of this DPA. Each is bound by a written data processing agreement on terms no less protective than this DPA, and where applicable by Standard Contractual Clauses for international transfers. The list is reviewed on every release and republished here; planners and vendors with an active subscription may also request the current list at [email protected].
| Sub-processor | Country | Purpose | DPA reference |
|---|---|---|---|
| Railway Corp. | United States | Primary compute, networking, storage, and deployment infrastructure. All application data, including the PLVN Postgres database, runs on Railway. SOC 2 Type II. | railway.app/legal/dpa |
| Stripe, Inc. | United States | Card and bank-account payment processing. PCI DSS Level 1. Stripe acts as a data controller for payment-instrument data under its own privacy policy. | stripe.com/legal/dpa |
| Cloudflare, Inc. | United States | CDN, R2 object storage (audit-log archive, off-Railway dumps, user-uploaded media), Workers edge compute, DDoS mitigation, and WAF. | cloudflare.com/cloudflare-customer-dpa |
| Firebase (Google LLC) | United States / European Union | Authentication (email, phone, OAuth), App Check abuse signals, and Crashlytics crash reporting on the mobile app. | firebase.google.com/terms/data-processing-terms |
| Twilio Inc. | United States | SMS one-time passcodes, transactional SMS, and the WhatsApp Business adapter used for paid invitation sends. | twilio.com/legal/data-protection-addendum |
| Paystack Ltd (a Stripe Inc. company) | Nigeria / United States | Card payments, mobile money (MTN MoMo, Vodafone Cash, AirtelTigo), bank transfers, and recurring authorisations across PLVN's African markets. | paystack.com/terms |
| OneSignal Inc. | United States | Mobile push notifications (event reminders, RSVP changes, vendor messages, day-of coordination). | onesignal.com/dpa |
| Coinbase Commerce | United States | Optional crypto deposit on-ramp, surfaced only in markets and tiers where crypto payments are explicitly enabled by the operator. | commerce.coinbase.com/legal |
| OpenSanctions GmbH | Germany | KYC sanctions and PEP screening for KYC-gated wallet and vendor-payout flows. Queries carry the name and date of birth supplied by the user; responses are stored in the KYC audit log. | opensanctions.org/terms |
| Backblaze Inc. | United States | Encrypted off-Railway backup mirror for the weekly Postgres dump and the daily admin audit-log archive (defence-in-depth against a single-provider outage). | backblaze.com/company/dpa |
| OpenAI, NVIDIA NIM, Z.ai | United States / varies | Hosted large-language-model providers used for the in-app AI assistant, retrieval-augmented event intelligence, and admin-approved cultural recommendations. Provider routing and fallbacks are configured by the operator; data sent is the planner's prompt plus retrieved knowledge-base snippets only. | Per-provider — see OpenAI DPA, NVIDIA, Z.ai legal. |
Where a sub-processor is itself based outside Ghana or the European Economic Area, transfers are protected by Standard Contractual Clauses (or an equivalent transfer mechanism recognised by the receiving jurisdiction) as set out in Section 9. Material changes to this list are notified in accordance with Section 4.
5. Data Subject Rights Assistance
Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests from data subjects exercising their rights under applicable data protection law. These rights include the right of access, rectification, erasure, restriction of processing, data portability, and the right to object.
The Processor shall, without undue delay, forward to the Controller any data subject request it receives that relates to the Controller's data. The Processor shall not respond directly to data subject requests on behalf of the Controller without the Controller's prior authorisation, except as required by applicable law.
The Processor shall also assist the Controller in ensuring compliance with obligations relating to the security of processing, the notification of Security Incidents to supervisory authorities and data subjects, data protection impact assessments, and prior consultation, taking into account the nature of processing and information available to the Processor.
6. Security Incident Notification
The Processor shall notify the Controller of a Security Incident without undue delay and, where feasible, no later than 72 hours after becoming aware of it. This timeline is designed to enable the Controller to meet its own notification obligations to the Ghana Data Protection Commission and, where applicable, to data subjects.
The Security Incident notification shall, to the extent the information is available at the time of notification, include:
- A description of the nature of the Security Incident, including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
- The name and contact details of the data protection contact point where more information can be obtained.
- A description of the likely consequences of the Security Incident.
- A description of the measures taken or proposed to be taken by the Processor to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects.
Where not all information is available at the time of initial notification, the Processor shall provide the information in phases without undue further delay.
Security Incident notifications shall be directed to the Controller's registered account email address and, simultaneously, to any security contact designated by the Controller in writing. The Processor shall also notify the Controller of any near-miss events or suspected incidents that could indicate a systemic security risk, even if they did not result in a confirmed breach.
7. Data Deletion on Termination
Upon termination or expiry of the agreement between the Parties for any reason, the Processor shall, at the choice of the Controller expressed in writing:
- Delete all personal data processed on behalf of the Controller, including all existing copies held by the Processor or its sub-processors; or
- Return all personal data to the Controller in a structured, commonly used, and machine-readable format (JSON or CSV export) and thereafter delete all existing copies.
The Controller must submit its deletion or return request within 30 days of termination. The Processor will complete the return or deletion within 90 days of receiving the request. After that 90-day period, any remaining personal data will be deleted automatically. The Processor shall certify in writing that deletion has been completed upon request.
Notwithstanding the foregoing, the Processor may retain personal data for a longer period to the extent and for as long as required by applicable law (for example, financial records required to be retained by Ghanaian tax law), provided that such retained data is isolated, access-controlled, and deleted as soon as the legal retention requirement expires.
8. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
The Controller shall provide the Processor with reasonable written notice of at least 30 days before conducting an audit (except where an audit is triggered by a Security Incident, in which case 5 business days' notice is sufficient). Audits shall be conducted during normal business hours, shall not unreasonably disrupt the Processor's operations, and shall be limited in scope to the processing activities covered by this DPA.
The Processor may satisfy its audit obligations, in whole or in part, by providing the Controller with copies of relevant third-party audit reports (such as SOC 2 reports from Railway) or security certifications, provided that these reports cover the processing activities and time period in question.
Audit costs are borne by the Controller unless the audit reveals a material non-compliance by the Processor, in which case the Processor shall bear reasonable audit costs.
9. International Transfers
Some sub-processors listed in Annex B are located in the United States, a country outside both Ghana and the European Economic Area. Personal data may be transferred to these sub-processors in the course of providing the platform.
The Processor relies on the following safeguards for international transfers:
- Standard Contractual Clauses (SCCs). Where required by applicable data protection law, the Processor enters into Standard Contractual Clauses with sub-processors located in third countries. These clauses impose obligations on the sub-processor equivalent to those in this DPA and provide enforceable rights for data subjects.
- Sub-processor contracts. Each sub-processor is bound by a data processing agreement with the Processor that requires the sub-processor to implement appropriate safeguards for data transferred to it.
- Transfer Impact Assessments. The Processor conducts transfer impact assessments when transferring personal data to third countries and implements supplementary measures where necessary to ensure an essentially equivalent level of protection.
The Controller acknowledges that the use of the PLVN platform necessarily involves the transfer of personal data to the sub-processors listed in Annex B. Where the Controller requires additional safeguards or documentation for international transfers (for example, signed SCCs), it should contact [email protected].
10. Governing Law
This DPA is governed by and construed in accordance with the laws of the Republic of Ghana. The Data Protection Commission of Ghana is the competent supervisory authority for the purposes of this DPA.
Any dispute arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution provisions of the PLVN Terms of Service — that is, through good-faith negotiation and, failing that, the courts of Accra, Ghana.
Nothing in this DPA prevents either Party from seeking injunctive or other equitable relief from a court of competent jurisdiction.
For questions about this DPA, signed copies for enterprise customers, or to submit a written instruction under this DPA, contact:
PLVN Technologies Ltd
Accra, Ghana
[email protected]