Data Processing Addendum

This addendum explains how Inventorygram processes personal data on behalf of customers and partners.

Updated: May 20, 2026

Data Processing Addendum

This comprehensive Data Processing Addendum defines the terms under which Inventorygram processes personal data on behalf of customers as a data processor under applicable data protection laws including GDPR, UK GDPR, and Swiss privacy legislation.

1. Definitions

Personal Data: Any information relating to an identified or identifiable natural person, as defined under GDPR and applicable data protection legislation.

Processing: Any operation performed on personal data, such as collection, recording, organization, storage, adaptation, retrieval, use, disclosure, restriction, erasure, or destruction.

Controller: The natural or legal person, public authority, agency, or other body that alone or jointly with others determines the purposes and means of processing.

Processor: The natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

Subprocessor: A processor engaged by Inventorygram to perform specific processing activities on behalf of the customer.

Data Subject: Any individual to whom personal data relates.

Competent Authority: Any regulatory authority with jurisdiction over data protection matters in the relevant jurisdiction.

2. Relationship of the Parties

The Customer (you) is the data controller responsible for determining the purposes and means of processing personal data through Inventorygram. Inventorygram is a data processor acting on documented instructions from the Customer.

This Data Processing Addendum supplements the Master Service Agreement and other agreements between the parties. In the event of conflict, this DPA prevails on data protection matters.

The Customer is responsible for ensuring that processing complies with all applicable data protection laws and that all legal bases for processing are established before submitting personal data to Inventorygram.

3. Customer Obligations

The Customer shall:

  • Determine the lawful basis for collecting and processing personal data through Inventorygram
  • Provide necessary privacy notices to data subjects regarding collection, use, and sharing of their data
  • Obtain all required consents or authorizations before submitting personal data
  • Ensure that instructions provided to Inventorygram for processing comply with applicable law
  • Notify Inventorygram immediately of any data subject rights requests, complaints, or breaches
  • Maintain security of credentials and access controls for the Customer's account
  • Conduct due diligence and risk assessments before transmitting sensitive personal data
  • Provide Inventorygram with accurate contact information for legal and compliance matters

4. Inventorygram's Obligations as a Processor

Inventorygram shall:

  • Process personal data only on documented instructions from the Customer
  • Ensure that personnel authorized to process personal data are committed to confidentiality
  • Implement and maintain appropriate technical and organizational security measures
  • Assist the Customer in responding to data subject rights requests within reasonable timelines
  • Cooperate with competent authorities and regulatory investigations as legally required
  • Provide information to the Customer regarding our processing activities and compliance
  • Notify the Customer without undue delay upon discovering a personal data breach
  • Delete or return personal data after termination of services unless legally required to retain
  • Maintain records of all processing activities and make them available to the Customer

5. Use of Subprocessors

Inventorygram may engage third-party subprocessors to perform specific functions necessary to deliver the service. The current list of authorized subprocessors is available at our Subprocessors page.

Notification of Changes: Inventorygram will notify the Customer of any addition or replacement of subprocessors at least 30 days in advance. If the Customer objects to the use of a new subprocessor, the Customer may terminate the affected services without penalty.

Subprocessor Obligations: All subprocessors are contractually bound to process personal data only on Inventorygram's instructions and must implement security measures equivalent to those in this DPA.

Liability: Inventorygram remains fully liable to the Customer for the performance of subprocessor obligations.

6. Audit Rights

The Customer has the right to:

  • Request reasonable evidence of Inventorygram's compliance with this DPA
  • Conduct audits of Inventorygram's processing activities upon reasonable notice
  • Engage independent auditors or assessors to verify compliance on the Customer's behalf
  • Request security certifications or compliance reports from Inventorygram

Inventorygram will cooperate with audit requests, subject to reasonable limitations to protect trade secrets and confidential information. Audits shall occur no more than once per calendar year unless required by law or in response to a data protection incident.

7. Transfers Outside EEA, UK, and Switzerland

Inventorygram processes data in the Federal Republic of Nigeria and other jurisdictions as necessary to deliver services. If personal data originating from the European Economic Area, United Kingdom, or Switzerland is transferred to jurisdictions without an adequacy decision, Inventorygram uses appropriate safeguards, including:

  • Standard Contractual Clauses approved by competent authorities
  • Binding Corporate Rules where applicable
  • Adequacy decisions where available
  • Other lawful transfer mechanisms recognized under applicable law

The Customer acknowledges that transfers outside the EEA, UK, or Switzerland may involve different levels of data protection. By submitting personal data, the Customer authorizes such transfers under the approved safeguards.

8. Jurisdiction Specific Terms

A. European Union and EEA Compliance

For processing of EU residents' personal data, Inventorygram complies with GDPR and acts as a processor under Article 28 of the GDPR. The Customer is responsible for establishing a lawful basis for processing and providing data subject rights notices.

B. United Kingdom Compliance

For processing of UK residents' personal data, Inventorygram complies with the UK Data Protection Act 2018 and UK GDPR. This DPA incorporates the International Data Transfer Agreement as required by UK law.

C. Swiss Privacy Law Compliance

For processing of Swiss residents' personal data, Inventorygram complies with the Swiss Federal Act on Data Protection (FADP). Inventorygram acknowledges the rights of data subjects under Swiss law and will cooperate with Swiss authorities as required.

D. Nigerian Data Protection

For processing in Nigeria, Inventorygram complies with the Nigeria Data Protection Regulation (NDPR). Processing is conducted in accordance with NDPR requirements and principles of data minimization, purpose limitation, and security.

9. Obligations Post-Termination

Upon termination of services:

  • Inventorygram will cease processing personal data, except as required by law
  • The Customer may request deletion of personal data or return of data in a portable format
  • Inventorygram will delete personal data within 90 days unless legally required to retain
  • Backup copies will be retained only as required by applicable law or system backup policies
  • Inventorygram will cooperate with the Customer to ensure continuity of data subject rights

10. Limitation of Liability

Each party's liability under this DPA is limited to direct damages caused by a proven breach. Liability is further limited to the fees paid by the Customer during the 12 months preceding the incident.

Neither party is liable for indirect, incidental, consequential, or punitive damages, including lost profits or data loss, except to the extent prohibited by applicable law.

These limitations do not apply to either party's liability for data protection violations, breaches of confidentiality, or breaches of security obligations.

11. Severability

If any provision of this DPA is found to be invalid, illegal, or unenforceable by a competent authority, the provision will be modified to the minimum extent necessary to make it enforceable while preserving intent, or if necessary, severed from this DPA.

All other provisions remain in full force and effect. If severing a provision materially alters the parties' intended relationship, the parties will negotiate in good faith to reach a replacement provision.

12. Updates to this Addendum

Inventorygram may update this Data Processing Addendum to reflect changes in legal requirements, security practices, or service offerings. Material changes will be communicated to the Customer with at least 30 days' notice.

The Customer may object to changes by providing written notice within 30 days. If the Customer objects to changes that significantly reduce data protection, the Customer may terminate affected services without penalty.

Continued use of Inventorygram after the notice period constitutes acceptance of updated terms.

Technical and Organisational Measures

Inventorygram implements a comprehensive information security program including:

  • Encryption: TLS/SSL for data in transit; AES-256 for data at rest
  • Access Control: Role-based access control with principle of least privilege
  • Authentication: Multi-factor authentication for administrative access
  • Monitoring: Continuous security monitoring and intrusion detection
  • Incident Response: 24/7 incident response procedures and breach notification
  • Regular Updates: Timely patching and vulnerability management
  • Backup and Recovery: Redundant systems and disaster recovery capabilities
  • Personnel Security: Background checks and confidentiality agreements for all staff
  • Audit and Compliance: Regular security assessments and compliance certifications

Cross Border Data Transfers

Inventorygram acknowledges that transferring personal data from the EEA, UK, or Switzerland to Nigeria or other jurisdictions requires appropriate legal safeguards. Inventorygram executes Standard Contractual Clauses with all parties involved in cross-border processing.

The Customer acknowledges that jurisdictions outside the EEA, UK, and Switzerland may not provide equivalent data protection. By submitting personal data to Inventorygram, the Customer consents to transfers under this DPA's approved mechanisms.

UK International Data Transfer Agreement

For customers in the United Kingdom, Inventorygram complies with the International Data Transfer Agreement (IDTA) as required under the UK GDPR. This DPA incorporates the terms of the IDTA and establishes appropriate safeguards for transfers outside the UK.

Inventorygram will provide the Customer with copies of transfer documentation and cooperate with UK Information Commissioner's Office inquiries regarding transfer mechanisms.

Contact for Data Processing Inquiries

For questions about this Data Processing Addendum, data processing practices, or to exercise data subject rights, please contact:

Last Updated: May 20, 2026

This Data Processing Addendum is effective as of the date of the Customer's first use of Inventorygram and remains in effect until termination of services.