Data Processing Agreement (DPA)

Effective Date: March 12, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Use between Lacesse Ventures ("Lacesse", "Data Processor") and the user/merchant ("Merchant", "Data Controller") who utilizes Lacesse Services, including Lacesse Duka and Lacesse Fikra.

This DPA ensures that personal data processed by Lacesse on behalf of the Merchant is handled securely and in compliance with applicable data protection laws, including the Kenya Data Protection Act (2019) and, where applicable, the General Data Protection Regulation (GDPR).

1. Roles and Definitions

Data Controller: The Merchant operating a Lacesse Duka storefront or utilizing Lacesse Fikra APIs. The Merchant determines the purposes and means of processing their end-customers' personal data.
Data Processor: Lacesse Ventures. We process the personal data solely on behalf of, and based on the instructions of, the Data Controller to provide the platform infrastructure.
End-Customer Data: Any personally identifiable information (e.g., names, emails, shipping addresses) submitted by buyers purchasing from a Merchant's Lacesse Duka store or interacting with a Merchant's AI agents.

2. Obligations of the Data Processor (Lacesse)

Lacesse Ventures agrees and warrants that it will:

Process data strictly on instructions: Process End-Customer Data only to the extent necessary to provide the Services (e.g., hosting the storefront, routing payments, executing API calls) or as otherwise documented by the Merchant's configurations in their dashboard.
Confidentiality: Ensure that any Lacesse personnel authorized to process the data have committed themselves to strict confidentiality.
Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, protecting data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure.

3. Use of Subprocessors

The Merchant grants Lacesse Ventures general authorization to engage third-party infrastructure providers ("Subprocessors") to fulfill our service obligations. These include cloud hosting providers, database managers, and payment gateways.

A full, up-to-date list of our Subprocessors, their functions, and their geographic locations can be found on our Subprocessors & Partners Page. By using Lacesse Services, the Merchant consents to the use of these specific Subprocessors.

4. International Data Transfers

Lacesse Ventures utilizes a global cloud infrastructure. Consequently, End-Customer Data may be routed, processed, or stored outside the Republic of Kenya (specifically in Frankfurt, Germany, and the United States). Lacesse ensures that such cross-border transfers are subject to appropriate safeguards, such as utilizing Subprocessors compliant with GDPR standards or executing Standard Contractual Clauses (SCCs) where legally required.

5. Data Subject Rights

Because the Merchant is the Data Controller, the Merchant is solely responsible for fulfilling requests from their end-customers regarding data rights (e.g., the right to access, delete, or correct personal data). Lacesse will provide the Merchant with the necessary dashboard tools and export features to retrieve or delete End-Customer Data to fulfill these obligations. If Lacesse receives a request directly from an end-customer regarding a Merchant's store, we will promptly forward the request to the relevant Merchant.

6. Personal Data Breach Notification

In the event of a confirmed security breach leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of End-Customer Data on Lacesse servers, Lacesse will:

Notify the affected Merchant(s) without undue delay (and in any event within 48 hours of becoming aware of the breach).
Provide reasonable information regarding the nature of the breach, the data affected, and the mitigation measures taken.

Note: It remains the Merchant's legal responsibility (as the Data Controller) to notify the relevant Data Protection Authorities (e.g., the ODPC) and the affected end-customers if the breach poses a risk to their rights and freedoms.

7. Deletion of Data

Upon termination of the Merchant's account or the expiration of the Terms of Use, Lacesse will, at the choice of the Merchant, delete or return all End-Customer Data to the Merchant, and delete existing copies unless applicable law or financial auditing requirements require the continued storage of the data (e.g., transaction records retained for anti-money laundering compliance).

8. Merchant Obligations (Data Controller)

The Merchant warrants that they have established a lawful basis for collecting their end-customers' data and have provided adequate privacy notices to their customers detailing the use of Lacesse Ventures as a third-party processor.

If you have questions regarding this Data Processing Agreement, please contact our privacy team at [email protected].