Data Processing Addendum

Last updated June 10, 2026

This document is a plain-language draft. It describes how Tuzzle actually works today and will be refined with formal legal review before general availability. If anything is unclear, email [email protected].

This addendum applies when assets you process through Tuzzle contain personal data about your users. It forms part of the Terms of Service and applies to every account automatically, no signature required.

1. Roles and scope

For personal data inside the content you and your applications upload, you (or your customer) are the controller and Tuzzle is the processor. This addendum reflects the requirements of the Nigeria Data Protection Act (NDPA), the GDPR, and similar laws.

It applies automatically to every account as part of the Terms of Service; you do not need to sign anything to be covered. For the account data Tuzzle collects about you directly, we are the controller and the Privacy Policy applies instead.

2. Details of the processing

The processing this addendum covers:

  • Subject matter: storage, transformation, caching, and delivery of media assets.
  • Duration: the life of your subscription, plus the deletion windows described below.
  • Nature and purpose: providing the service according to your configuration, API calls, and transform requests.
  • Data subjects: your end users and any people who appear in or are described by uploaded media.
  • Categories of data: whatever your assets and their metadata contain. You determine this; we do not inspect content beyond what delivery and the features you invoke require.

3. Your instructions

We process content only on your documented instructions: your account configuration, your API calls, and the transform parameters in your requests. We will tell you if we believe an instruction breaks data-protection law. We never use your content for our own purposes, including training AI models.

4. Confidentiality

Access to customer content inside Tuzzle is limited to staff who need it to operate or support the service, under confidentiality obligations and least-privilege access controls.

5. Security

We protect content with encryption in transit and at rest, signed URLs, per-asset access types, isolated multi-tenant spaces, scoped API keys, logging, and backups. The Security page describes these measures in detail.

6. Sub-processors

We use a small set of vetted sub-processors to run the service: object storage and edge delivery, face-detection processing, transactional email, payment processing, and hosting. We remain responsible for their performance under this addendum.

We will give you notice before adding or replacing a sub-processor that handles your content. If you object on reasonable data-protection grounds and we cannot resolve the objection, you may cancel with a pro-rata refund of prepaid fees. Email [email protected] for the current list.

7. Data subject requests

Your dashboard and API give you the tools to find, export, and delete content, so most requests from your users can be handled by you directly. If a request from one of your users reaches us instead, we will redirect it to you and let you know it happened.

8. Personal data breaches

If we become aware of a breach affecting your content, we will notify you without undue delay with what we know: the nature of the breach, the data affected, and the measures we are taking. We will keep you updated as the picture becomes clearer, so you can meet your own notification obligations.

9. Assistance and audits

We will reasonably assist you with data protection impact assessments, regulator consultations, and security questionnaires, and we will make available the information needed to demonstrate compliance with this addendum. Audits can be arranged with reasonable notice and scope.

10. International transfers

Tuzzle delivers from a global edge network, so content crosses borders by design. Where transfer rules apply, we rely on recognised mechanisms such as standard contractual clauses and the NDPA's transfer provisions.

11. Return and deletion

You can export your content at any time through the API. When you delete content or close your account, we delete it, subject to the trash window, expiring edge caches and backups, and records we are legally required to keep.

12. Liability and precedence

This addendum is subject to the limitation of liability in the Terms of Service. If this addendum conflicts with the Terms on a data-protection matter, this addendum prevails.

13. Contact

Email [email protected] for a countersigned copy of this addendum, the current sub-processor list, or anything else in it.