Data Processing Agreement

1.1. This Data Processing Agreement ("DPA") forms part of the Terms and Conditions and Privacy Policy of Esinako Investments CC ("LinkNamibia," "we," "us," or "our"), a company registered under the laws of the Republic of Namibia.

1.2. This DPA governs the processing of personal data by LinkNamibia when it acts as a Data Processor on behalf of Users ("Data Controllers") in connection with the operation of the LinkNamibia marketplace platform ("Platform").

1.3. The purpose of this DPA is to ensure that the processing of personal data is carried out in compliance with applicable Namibian law, including the Electronic Transactions Act (No. 4 of 2019), and to define the respective obligations and rights of the Data Controller and Data Processor.

1.4. This DPA applies to all processing of personal data performed by LinkNamibia on behalf of Users in connection with the services provided through the Platform.

2.1. In this DPA, the following terms shall have the meanings set out below:

• "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), including but not limited to a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, economic, cultural, or social identity of that natural person.
• "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
• "Data Controller" means the natural or legal person that determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, the Data Controller is the User on whose behalf LinkNamibia processes Personal Data.
• "Data Processor" means the natural or legal person that processes Personal Data on behalf of the Data Controller. For the purposes of this DPA, the Data Processor is Esinako Investments CC.
• "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
• "Sub-processor" means any third party engaged by the Data Processor to carry out specific Processing activities on behalf of the Data Controller.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.

3.1. Types of Personal Data Processed

LinkNamibia processes the following categories of Personal Data on behalf of Data Controllers:

• Identity data (full name, identification numbers);
• Contact data (email address, telephone number, city);
• Profile data (biographical description, skills, experience, hourly rate);
• Verification data (identity documents, trade certificates, professional licenses);
• Communication data (messages exchanged through the Platform);
• Technical data (IP address, device type, browser type, usage logs).

3.2. Categories of Data Subjects

The Data Subjects whose Personal Data may be processed under this DPA include:

• Customers who use the Platform to seek the services of Artisans;
• Artisans who use the Platform to offer their professional services;
• Other individuals whose Personal Data may be incidentally processed in connection with the use of the Platform (e.g., individuals referenced in communications between Users).

3.3. Purpose of Processing

Personal Data is processed for the following purposes:

• Provisioning and maintenance of user accounts on the Platform;
• Facilitating connections between Customers and Artisans;
• Verifying the identity and qualifications of Artisans;
• Delivering notifications and communications related to Platform activity;
• Preventing fraud, ensuring safety, and maintaining Platform integrity;
• Complying with applicable legal obligations under Namibian law.

3.4. Duration of Processing

Personal Data shall be processed for the duration of the Data Controller's use of the Platform and thereafter in accordance with the data retention periods specified in our Privacy Policy.

4.1. Processing on documented instructions: LinkNamibia shall process Personal Data only in accordance with the documented instructions of the Data Controller, as set out in this DPA, the Terms and Conditions, and the Privacy Policy, unless required to do otherwise by applicable Namibian law. In such a case, LinkNamibia shall inform the Data Controller of that legal requirement before processing, unless the law prohibits such notification on grounds of public interest.

4.2. Confidentiality of personnel: LinkNamibia shall ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data shall be limited to those personnel who require such access to fulfill their duties in connection with the services provided through the Platform.

4.3. Technical and organizational security measures: LinkNamibia shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing, as further described in Section 6 of this DPA.

4.4. Assistance with Data Subject requests: LinkNamibia shall, taking into account the nature of the Processing, assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Data Controller's obligation to respond to requests from Data Subjects to exercise their rights, including rights of access, rectification, erasure, restriction, data portability, and objection.

4.5. Deletion or return of data: Upon termination of the services provided through the Platform or upon the Data Controller's written request, LinkNamibia shall, at the choice of the Data Controller, delete or return all Personal Data to the Data Controller, and delete existing copies unless applicable Namibian law requires the retention of such Personal Data. Where retention is required by law, LinkNamibia shall inform the Data Controller of such requirement.

4.6. Audit and compliance information: LinkNamibia shall make available to the Data Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA. LinkNamibia shall allow for and contribute to audits, including inspections, conducted by the Data Controller or an auditor mandated by the Data Controller, subject to reasonable notice and confidentiality obligations. Such audits shall be conducted no more than once per calendar year unless required by a regulatory authority or in response to a Data Breach.

5.1. The Data Controller hereby provides general written authorization for LinkNamibia to engage Sub-processors to carry out specific Processing activities on behalf of the Data Controller. LinkNamibia shall inform the Data Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Data Controller the opportunity to object to such changes.

5.2. As of the date of this DPA, LinkNamibia engages the following Sub-processors:

5.3. Where LinkNamibia engages a Sub-processor for carrying out specific Processing activities on behalf of the Data Controller, the same data protection obligations as set out in this DPA shall be imposed on that Sub-processor by way of a contract or other legal act, in particular providing sufficient guarantees to implement appropriate technical and organizational measures.

5.4. LinkNamibia shall remain fully liable to the Data Controller for the performance of each Sub-processor's obligations. Where a Sub-processor fails to fulfill its data protection obligations, LinkNamibia shall be liable to the Data Controller for the acts and omissions of such Sub-processor.

6.1. LinkNamibia shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage. These measures include, but are not limited to:

6.1.1. Encryption at rest and in transit: All Personal Data stored in our databases is encrypted at rest using industry-standard encryption algorithms (AES-256 or equivalent). All data transmitted between systems is encrypted using Transport Layer Security (TLS 1.2 or higher).

6.1.2. Access controls and authentication: Access to systems containing Personal Data is restricted through role-based access controls (RBAC). All personnel with access to Personal Data are required to authenticate using strong credentials. Row-level security (RLS) policies are implemented at the database level to enforce data isolation between Users.

6.1.3. Regular security assessments: LinkNamibia conducts periodic security assessments and reviews of its systems, infrastructure, and processes to identify and remediate potential vulnerabilities. This includes code reviews, dependency audits, and infrastructure configuration reviews.

6.1.4. Incident response procedures: LinkNamibia maintains documented incident response procedures for detecting, reporting, and responding to Data Breaches and other security incidents. These procedures include roles and responsibilities, escalation paths, containment and remediation steps, and communication protocols.

6.1.5. Backup and recovery: Regular automated backups of Personal Data are maintained to ensure data availability and recoverability in the event of a system failure or Data Breach.

6.2. LinkNamibia shall regularly evaluate and, where necessary, update these security measures to ensure ongoing effectiveness in light of current risks and technological developments.

7.1. In the event of a Data Breach affecting Personal Data processed on behalf of the Data Controller, LinkNamibia shall notify the Data Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of the breach.

7.2. The notification to the Data Controller shall include, to the extent available at the time of notification:

7.2.1. A description of the nature of the Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;

7.2.2. The name and contact details of LinkNamibia's contact point from whom further information about the breach may be obtained;

7.2.3. A description of the likely consequences of the Data Breach;

7.2.4. A description of the measures taken or proposed to be taken by LinkNamibia to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

7.3. Where it is not possible to provide all required information at the time of the initial notification, the information may be provided in phases without undue further delay.

7.4. LinkNamibia shall cooperate with the Data Controller and take all reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.

7.5. LinkNamibia shall document all Data Breaches, including the facts surrounding the breach, its effects, and the remedial actions taken, and shall make this documentation available to the Data Controller upon request.

8.1. The Data Controller acknowledges and agrees that, in connection with the provision of services through the Platform, Personal Data may be transferred to, stored in, and processed in jurisdictions outside the Republic of Namibia, including the United States and Singapore.

8.2. LinkNamibia shall ensure that any cross-border transfer of Personal Data is subject to appropriate safeguards, including:

8.2.1. Binding contractual obligations on Sub-processors and recipients of Personal Data to maintain appropriate levels of data protection consistent with Namibian law;

8.2.2. Technical safeguards, including encryption of Personal Data during transfer and at rest, to protect against unauthorized access;

8.2.3. Due diligence assessments of the data protection practices and legal frameworks of the jurisdictions to which Personal Data is transferred;

8.2.4. Selection of Sub-processors that adhere to recognized international data protection standards and maintain robust security practices.

8.3. LinkNamibia shall inform the Data Controller promptly if it becomes aware that the laws or practices of a jurisdiction to which Personal Data has been transferred may prevent it from fulfilling its obligations under this DPA.

9.1. This DPA shall come into effect on the date the Data Controller first accesses or uses the Platform and shall remain in force for as long as LinkNamibia processes Personal Data on behalf of the Data Controller.

9.2. This DPA is co-terminus with the Terms and Conditions governing the Data Controller's use of the Platform. Upon termination of the Terms and Conditions, this DPA shall automatically terminate, subject to Section 9.3.

9.3. Notwithstanding termination of this DPA, the obligations set out herein shall continue to apply to any Personal Data that LinkNamibia retains following termination, in accordance with the data retention periods specified in our Privacy Policy and as required by applicable Namibian law.

9.4. Upon termination, LinkNamibia shall comply with its obligations under Section 4.5 regarding the deletion or return of Personal Data.

10.1. This DPA shall be governed by and construed in accordance with the laws of the Republic of Namibia, including the Electronic Transactions Act (No. 4 of 2019) and any other applicable data protection legislation.

10.2. Any dispute arising out of or in connection with this DPA, including any question regarding its existence, validity, or termination, shall be subject to the exclusive jurisdiction of the courts of the Republic of Namibia, sitting in Windhoek.

10.3. In the event of any conflict between this DPA and the Terms and Conditions, the provisions of this DPA shall prevail insofar as they relate to the Processing of Personal Data.

10.4. If any provision of this DPA is found by a court of competent jurisdiction to be invalid, illegal, or unenforceable, such provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable, and the remaining provisions shall continue in full force and effect.