This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (the merchant, acting as “data controller”) and Loyal Sikka (acting as “data processor”). Where the Terms and this DPA conflict on data-protection matters, this DPA prevails.
1. Definitions
- Personal data — any information that identifies a natural person, including phone numbers, names, geo coordinates, and loyalty activity.
- Sub-processor — a third-party service we engage to process personal data on our behalf.
2. Scope and roles
You are the controller of the personal data you collect via the platform (your customers' phone numbers, names, transactions). We are your processor and process personal data only on your documented instructions, which are reflected by your use of the platform.
3. Our obligations
- Process personal data only for the purpose of providing the service.
- Keep access to personal data limited to authorised personnel under confidentiality obligations.
- Apply appropriate technical and organisational security measures — encryption in transit (TLS 1.2+), encryption at rest, audited admin access, signed scan payloads, and regular backups.
- Notify you within 72 hours of becoming aware of a personal data breach affecting your customers.
- Assist you in responding to data-subject requests (access, correction, deletion) at no additional cost for typical volumes.
4. Sub-processors
We engage the following sub-processors. We are responsible for their compliance with this DPA. We'll notify you 30 days before adding a new sub-processor; you may object via privacy@loyalsikka.com.
- Supabase (database, auth, storage) — Singapore
- Vercel (web hosting) — global edge network
- Cloudflare (DNS, CDN) — global edge network
- Firebase Cloud Messaging (push notifications to Sikka Wallet) — global
- Branded SMS aggregator (Jazz / Telenor — transactional only) — Pakistan
- Sentry (error monitoring) — United States
- SafePay / NayaPay (payments) — Pakistan
5. Data location and transfers
Primary storage and backups are in Singapore (ap-southeast-1). Some sub-processors operate in other jurisdictions. We rely on contractual safeguards (standard contractual clauses) where transfers are made.
6. Audits
Once per calendar year, on at least 30 days' written notice, you may request a copy of our most recent SOC 2 / ISO 27001 reports from our underlying sub-processors. We do not host on-premises audits given the SaaS nature of the platform.
7. Return or deletion
On termination, we delete personal data within 90 days, except where retention is required by law. You may export your data via the merchant panel or by request to privacy@loyalsikka.com for 30 days after termination.
8. Liability
Each party's liability under this DPA is subject to the limitation of liability set out in the Terms of Service.
9. Jurisdiction
This DPA is governed by the laws of the Islamic Republic of Pakistan. Disputes are subject to the exclusive jurisdiction of the courts of Lahore.