Data Processing Agreement

Last Updated: 2nd Jan 2025

This Territory Explorers Data Processing Agreement, including its exhibits and appendices (the “Agreement”), applies to any and all Personal Data that Service Provider accesses, receives, processes, and/or obtains from or on behalf of Territory Explorers in connection with the Service Agreement to the extent the Service Agreement incorporates by reference this Agreement or otherwise positions Service Provider as a data processor under Applicable Data Protection Laws.

1. Definitions

For the purpose of interpreting this Agreement, “Territory Explorers” means Territory Explorers and any related entities contracting in the Service Agreement, while “Territory Explorers Personal Data” means any Personal Data processed by or on behalf of Service Provider to provide the Services in accordance with the Service Agreement. The “Service Agreement” refers to any agreement entered into between Territory Explorers and Service Provider for the provision of the Services.

“Applicable Data Protection Laws” means all laws and regulations applicable to the processing of Territory Explorers Personal Data, including but not limited to the Uganda Data Protection and Privacy Act, Kenya Data Protection Act, Tanzania Data Protection Act, and any other applicable East African data protection legislation, as may be amended from time to time. The “Service Provider” means the entity or individual providing services to Territory Explorers under the Service Agreement, while “Services” means the services and activities carried out by or on behalf of Service Provider for Territory Explorers pursuant to the Service Agreement.

“Personal Data” means any information relating to an identified or identifiable natural person as defined under Applicable Data Protection Laws, and “Processing” means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction. A “Data Subject” means the identified or identifiable natural person to whom Personal Data relates, while “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. A “Sub-Processor” means any third party appointed by Service Provider to process Territory Explorers Personal Data in connection with the Services.

2. Duration and Scope

This Agreement shall continue for the duration that Territory Explorers Personal Data is processed by Service Provider pursuant to the Service Agreement. The Agreement applies to the processing of all Territory Explorers Personal Data, regardless of country of origin, place of processing, or location of Data Subjects. Processing of data by the Service Provider which does not constitute Personal Data or Territory Explorers Personal Data is outside the scope of this Agreement.

3. Processing of Territory Explorers Personal Data

Territory Explorers acts as a Data Controller and Service Provider acts as a Data Processor in all processing activities covered by this Agreement. Service Provider shall comply with all Applicable Data Protection Laws in the processing of Territory Explorers Personal Data and shall not process Territory Explorers Personal Data other than on Territory Explorers’ documented instructions, unless such processing is required by Applicable Data Protection Laws. Service Provider must immediately inform Territory Explorers if, in Service Provider’s reasonable opinion, a processing instruction may infringe Applicable Data Protection Laws.

Territory Explorers instructs Service Provider to process Territory Explorers Personal Data only as reasonably necessary for the provision of the Services and consistent with the Service Agreement and this Agreement. The details of processing activities, including categories of data subjects, types of personal data processed, purposes of processing, and retention periods, are set out in Exhibit A attached to this Agreement.

4. Service Provider Personnel

Service Provider shall ensure that only reliable personnel who have signed confidentiality agreements may access Territory Explorers Personal Data. Access to Territory Explorers Personal Data must be strictly limited to individuals who need access to fulfill documented processing instructions given by Territory Explorers or to comply with Applicable Data Protection Laws. All personnel with access to Personal Data must be bound by formal confidentiality undertakings that continue to apply after termination of their involvement in providing the Services.

Service Provider must implement appropriate training programs to ensure that personnel understand their obligations regarding the protection of Personal Data and the requirements of this Agreement. Regular training updates must be provided to maintain awareness of evolving data protection requirements and best practices.

5. Security of Processing

Service Provider shall implement and maintain appropriate technical and organizational security measures that ensure a level of security appropriate to the risk of processing. These measures must take into account the state of the art, costs of implementation, and the nature and purposes of processing, as well as the risks presented by the processing activities, particularly those risks related to Personal Data Breaches.

Technical security measures must include encryption of Personal Data in transit and at rest using industry-standard encryption methods, with a minimum of AES-256 for data at rest and TLS 1.2 or higher for data in transit. Service Provider must implement secure authentication procedures including multi-factor authentication where appropriate, maintain regular security updates and patch management, and establish network security measures including firewalls and intrusion detection systems.

Organizational security measures must encompass access control procedures based on need-to-know and least privilege principles, regular security training for personnel, documented incident response procedures, regular security assessments and audits, and reliable data backup and recovery procedures. Detailed technical and organizational measures are set out in Exhibit B attached to this Agreement, which Service Provider must implement and maintain throughout the term of this Agreement.

6. Sub-Processing

Territory Explorers authorizes Service Provider to engage Sub-Processors for the processing of Territory Explorers Personal Data, provided that Service Provider complies with all obligations set forth in this section. Service Provider must provide Territory Explorers with prior written notice of any new Sub-Processors, including detailed information about the processing to be undertaken by the proposed Sub-Processor.

Territory Explorers may object to the appointment of a Sub-Processor within fourteen days of receiving notice of the proposed appointment. If Territory Explorers objects, both parties will work together in good faith for up to thirty days to find a commercially reasonable solution. If no solution can be found, Territory Explorers may terminate the Service Agreement with appropriate notice.

Service Provider must ensure that each Sub-Processor is capable of providing adequate protection for Territory Explorers Personal Data and is bound by written contracts with data protection terms that provide at least equivalent protection to those set forth in this Agreement. Sub-Processors’ access to Personal Data must be limited to what is strictly necessary for providing the Services, and Service Provider remains fully liable to Territory Explorers for Sub-Processors’ compliance with all data protection obligations under this Agreement.

7. Data Subject Rights

Service Provider shall assist Territory Explorers in responding to Data Subject requests by implementing appropriate technical and organizational measures that facilitate the exercise of Data Subject rights under Applicable Data Protection Laws. When Service Provider receives any request from a Data Subject regarding Territory Explorers Personal Data, it shall promptly notify Territory Explorers of the request and shall not respond to the request except on Territory Explorers’ documented instructions or as required by Applicable Data Protection Laws.

Service Provider must provide reasonable assistance to Territory Explorers in fulfilling Data Subject requests, including requests for access, rectification, erasure, restriction of processing, data portability, and objection to processing. This assistance may include providing Territory Explorers with relevant information about the processing activities and implementing technical measures to facilitate the exercise of Data Subject rights.

8. Personal Data Breach

Service Provider must maintain appropriate procedures for detecting, investigating, and responding to Personal Data Breaches affecting Territory Explorers Personal Data. If Service Provider discovers or suspects a Personal Data Breach, it shall immediately implement measures to contain the breach and secure the affected Personal Data, notify Territory Explorers without undue delay and in any event within twenty-four hours of becoming aware of the suspected breach, and provide detailed information about the nature of the breach.

The initial notification must include information about the categories and approximate number of Data Subjects and Personal Data records concerned, the likely consequences of the breach, and the measures taken or proposed to address the breach. Service Provider shall provide regular updates to Territory Explorers as additional information becomes available and shall assist Territory Explorers in meeting any notification obligations to regulatory authorities and Data Subjects as required by Applicable Data Protection Laws.

Service Provider must cooperate fully with Territory Explorers in investigating, mitigating, and preventing recurrence of any Personal Data Breach. If a breach results from Service Provider’s negligence or misconduct, Service Provider shall bear the reasonable costs associated with breach response, notification activities, and any remedial measures required to protect affected Data Subjects.

9. Deletion or Return of Personal Data

Upon cessation of the Services provided under the Service Agreement, Service Provider shall promptly delete or return all Territory Explorers Personal Data in its possession or control, as instructed by Territory Explorers. Service Provider must also ensure that all Sub-Processors delete or return such Personal Data without undue delay. Territory Explorers must specify its preference for deletion or return, and if no preference is specified, Service Provider shall return all Personal Data to Territory Explorers.

Service Provider must provide written confirmation of the deletion or return of Personal Data, including confirmation from any Sub-Processors involved in the processing. This obligation applies to all copies of Personal Data, including backup copies, unless Service Provider is required to retain certain Personal Data under applicable law. Where legal requirements mandate retention, Service Provider must specify the applicable law requiring retention and the retention period, and must securely isolate such Personal Data from any further processing except as required by law.

10. Audit Rights

Territory Explorers may request evidence of Service Provider’s compliance with this Agreement, and Service Provider must provide such evidence in a timely manner. This may include current security certifications such as ISO 27001 or SOC 2 reports, documentation of security policies and procedures, and information about Sub-Processor compliance with data protection requirements.

Territory Explorers may also conduct reasonable audits of Service Provider’s data processing activities related to Territory Explorers Personal Data. Such audits must be conducted with reasonable advance notice during normal business hours and in a manner that does not unduly interfere with Service Provider’s operations. Service Provider must cooperate fully with any such audit and provide access to relevant information, personnel, and facilities as reasonably necessary to verify compliance with this Agreement.

11. East African Jurisdiction Provisions

This Agreement shall comply with all applicable data protection laws of Uganda, Kenya, Tanzania, and other East African Community member states as they apply to the specific processing activities covered by this Agreement. Both parties agree to cooperate with East African data protection authorities and to comply with their requirements, guidance, and enforcement actions related to the processing of Territory Explorers Personal Data.

Where East African laws require data localization, impose restrictions on cross-border data transfers, or establish specific requirements for the processing of Personal Data, Service Provider shall comply with such requirements or obtain necessary approvals from the relevant authorities. Service Provider must notify Territory Explorers of any legal requirements that may impact the processing of Personal Data under this Agreement and work with Territory Explorers to ensure continued compliance with all applicable laws.

12. Limitation of Liability and Indemnification

The liability of each party under this Agreement shall be subject to the exclusions and limitations set out in the Service Agreement, provided that nothing in this Agreement limits either party’s liability for death, personal injury, fraud, or fraudulent misrepresentation. Service Provider shall be fully liable to Territory Explorers for any breach of this Agreement by Sub-Processors as if such breach had been committed directly by Service Provider.

Service Provider agrees to indemnify and hold harmless Territory Explorers against any losses, damages, or costs arising from Service Provider’s breach of this Agreement or applicable data protection laws. This indemnification includes reasonable legal fees and costs associated with regulatory investigations or enforcement actions resulting from Service Provider’s non-compliance with its obligations under this Agreement.

13. General Terms

All notices under this Agreement shall be sent to the contact information specified in the Service Agreement and shall be deemed effective when received by the intended recipient. This Agreement may only be amended in writing and signed by authorized representatives of both parties. No failure or delay by either party in exercising any right or remedy under this Agreement shall constitute a waiver of such right or remedy.

If any provision of this Agreement is found to be invalid or unenforceable, the remainder of the Agreement shall continue in full force and effect, and the invalid provision shall be replaced by a valid provision that most closely achieves the intended purpose of the original provision. This Agreement shall be governed by the laws of Uganda, with disputes subject to the jurisdiction of Ugandan courts, while allowing residents of other East African countries to bring proceedings in their home jurisdiction as provided by applicable law.

Exhibit A: Details of Processing

Territory Explorers may submit Personal Data relating to its clients and travelers, employees of Territory Explorers, community partners and local guides, and service users and website visitors. The Personal Data processed may include names, addresses, dates of birth, nationality, contact information such as phone numbers and email addresses, passport details and travel documentation, dietary requirements and accessibility needs, medical information relevant to travel safety, payment and booking information, and travel preferences and history.

Sensitive Personal Data that may be processed includes health conditions and medical requirements necessary for travel safety, dietary restrictions that may indicate religious beliefs, and accessibility requirements. The processing is conducted for the purposes of providing territorial exploration and travel services, ensuring traveler safety and security, facilitating cultural exchanges and community partnerships, managing bookings and payments, and complying with travel and safety regulations.

Personal Data shall be retained only for the duration necessary to provide the Services and fulfill legal obligations, typically not exceeding seven years after completion of services unless longer retention is required by applicable law or legitimate business needs.

Exhibit B: Technical and Organizational Security Measures

Service Provider must implement comprehensive technical security measures including encryption using AES-256 for data at rest and TLS 1.2 or higher for data in transit. Access controls must be implemented using multi-factor authentication and role-based access principles that limit access to Personal Data based on job responsibilities and the principle of least privilege. Network security must include firewalls, intrusion detection systems, and regular vulnerability assessments to identify and address potential security weaknesses.

Data backup and recovery procedures must ensure that Personal Data can be restored in the event of system failure or data corruption, with all backups encrypted and stored securely. System monitoring must provide continuous oversight for security incidents and unauthorized access attempts, with appropriate alerting mechanisms to ensure rapid response to potential threats.

Organizational security measures must include personnel security procedures such as background checks and confidentiality agreements for staff who may access Personal Data. Regular privacy and security training must be provided to all personnel involved in processing Territory Explorers Personal Data. Documented incident response procedures must be maintained and regularly tested to ensure effective response to security incidents.

Vendor management procedures must include due diligence assessments and contractual safeguards for any third parties involved in processing Personal Data. Physical security controls must protect facilities where Personal Data is processed or stored, with appropriate access controls and environmental protections. A comprehensive information security policy framework must govern all aspects of Personal Data processing and security.

Termination

This Exhibit shall automatically terminate with respect to the Processing of Territory Explorers’ Personal Data transferred in reliance on the Data Protection Laws of Uganda or a competent regulator approves a different transfer mechanism that would be applicable to the Restricted Transfers covered by the Standard Contractual Clauses (and if such mechanism applies only to some of the data transfers, this Exhibit will terminate only with respect to those transfers) and that does not require the additional safeguards set forth in this Exhibit.

Effective Date: 2nd Jan 2025

Territory Explorers
By: ______________________
Name: Desire Ambrose
Title: Founder & CEO

Service Provider
By: _______________________
Name: _____________________
Title: _____________________
