1. When the DPA applies
The DPA applies when Biojet Nigeria Limited processes personal data on behalf of an enterprise customer — for example, where a customer imports its own analyst seats, dispatches its team to the research assistant, or has us produce a bespoke advisory output.
For individual subscribers (Free / Pro), Biojet Nigeria Limited is the data controller; the Privacy Policy is the governing document and a separate DPA is not required.
2. How to obtain the full DPA
Email hello@biojetnode.com with the subject line “DPA request”. Include your legal entity name and the address for signature. We will send a countersigned copy as a PDF within five business days.
3. Summary of the principal terms
- Scope. Biojet Nigeria Limited processes customer personal data only on the customer’s documented instructions.
- Confidentiality. All personnel with access are bound by confidentiality obligations.
- Security. TLS in transit, encryption at rest (Supabase managed), principle-of-least-privilege access, audit logging on production systems.
- Sub-processors. We use the sub-processors listed below. We give 30 days’ notice before adding a new sub-processor and you may object on reasonable grounds.
- International transfers. Where personal data leaves the EU, UK, or Nigeria, we rely on the European Commission’s standard contractual clauses, the UK International Data Transfer Addendum, and the safeguards required by the Nigeria Data Protection Act 2023 (NDPA).
- Data subject requests. We assist you in responding to access, deletion, portability, and objection requests from individuals whose data we process on your behalf.
- Breach notification. We notify you without undue delay (and within 72 hours) of any confirmed personal data breach affecting customer data.
- Audit. You may audit our compliance on reasonable notice once per year, or as required by a supervisory authority.
- Deletion. On termination we delete or return customer personal data within 90 days, subject to retention required by law (for example, tax records).
4. Sub-processor list
The following processors may handle customer personal data. Each is bound by a written agreement with terms no less protective than this DPA, including standard contractual clauses where applicable.
| Sub-processor | Purpose | Location | Data categories |
|---|---|---|---|
| Vercel Inc. | Application hosting, edge delivery, analytics | United States | IP address, request metadata, page views |
| Supabase Inc. | Database, authentication storage, vector embeddings | United States | Account records, application content |
| Clerk Inc. | User authentication and session management | United States | Email, name, login metadata |
| Stripe, Inc. | Subscription billing and payment processing | United States | Billing details, payment method (tokenized) |
| OpenAI, L.L.C. | Language model inference, text embeddings | United States | Prompt content submitted to the assistant |
| Anthropic, PBC | Language model inference (fallback / specialised tasks) | United States | Prompt content submitted to the assistant |
| Resend / Yahoo SMTP | Transactional email and newsletter delivery | United States | Email address, display name, send/open events |
5. Standard Contractual Clauses
For transfers of personal data from the European Economic Area or the United Kingdom to the United States (or any other third country), we incorporate the European Commission’s standard contractual clauses (Commission Implementing Decision (EU) 2021/914) and the UK International Data Transfer Addendum by reference. The relevant modules and the names of the parties are set out in the full DPA.
6. Contact
Biojet Nigeria Limited · hello@biojetnode.com