Data Processing Agreement

Effective Date: 14 May 2026

Last Updated: 21 May 2026

This Data Processing Agreement (this “DPA”) governs how Bash processes Personal Data on behalf of Event Organisers and Vendors. It supplements our Privacy Policy and Terms and Conditions.

1. Parties and Background

1.1 This DPA is entered into between:

• (a) Bash Engineering Limited, a company incorporated in Nigeria (“Bash”, “Processor”); and
• (b) the Event Organiser or Vendor identified in the Bash account (the “Customer”, “Controller”),

each a “Party” and together the “Parties”.

1.2 The Customer uses Bash’s ticketing and event management platform (the “Platform”) under Bash’s Terms and Conditions (the “Principal Agreement”). In the course of that use, Bash processes Personal Data relating to the Customer’s attendees, customers and end users on the Customer’s behalf.

1.3 This DPA forms part of the Principal Agreement and governs the Parties’ respective obligations in respect of such Personal Data. In the event of conflict between this DPA and the Principal Agreement in respect of Personal Data processing, this DPA prevails.

2. Definitions

Capitalised terms not defined here have the meanings given in the NDPA, the GDPR (where applicable) or the Principal Agreement.

• “Applicable Data Protection Laws” means: (a) the Nigeria Data Protection Act 2023 and the Nigeria Data Protection Commission General Application and Implementation Directive (together, the “NDPA”); (b) where applicable, the EU General Data Protection Regulation 2016/679 (“GDPR”) and the UK Data Protection Act 2018; and (c) any other data protection or privacy law that applies to the Parties’ processing under this DPA.
• “Customer Personal Data” means Personal Data processed by Bash on behalf of the Customer under the Principal Agreement, as described in Schedule 1.
• “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” and “Sub-Processor” have the meanings given in Applicable Data Protection Laws.
• “Restricted Transfer” means a transfer of Customer Personal Data to a jurisdiction that is not recognised under Applicable Data Protection Laws as providing an adequate level of protection.

3. Roles and Scope

3.1 The Parties acknowledge that, for the purposes of this DPA:

• (a) the Customer is the Controller of Customer Personal Data; and
• (b) Bash is the Processor of Customer Personal Data and processes it on the Customer’s behalf.

3.2 In respect of (i) Bash’s own account, billing, fraud-prevention and Platform-wide records, and (ii) any Personal Data processed by Bash for its own legitimate business purposes (such as service improvement, security and analytics on aggregated or de-identified data), Bash acts as an independent Controller and its processing is governed by its Privacy Policy, not by this DPA.

3.3 The subject matter, duration, nature and purpose of processing, the categories of Personal Data and the categories of Data Subjects are set out in Schedule 1.

4. Customer Obligations

4.1 The Customer warrants that:

• (a) it has a valid lawful basis under Applicable Data Protection Laws to collect Customer Personal Data and to instruct Bash to process it as contemplated by the Principal Agreement;
• (b) it has provided all notices and obtained all consents required by Applicable Data Protection Laws in respect of Data Subjects whose Personal Data it provides to, or has Bash collect through, the Platform; and
• (c) its instructions to Bash will not cause Bash to breach Applicable Data Protection Laws.

4.2 The Customer is responsible for the accuracy and quality of Customer Personal Data it provides to Bash and for the lawfulness of its decisions to collect it.

5. Bash’s Processing Obligations

5.1 Bash shall:

• (a) process Customer Personal Data only on the Customer’s documented instructions, which include the Principal Agreement, this DPA and the Customer’s use of the Platform’s standard features (for example, configuring an event, exporting attendee lists, sending event communications). Bash shall notify the Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws (without obligation to monitor for compliance);
• (b) ensure that personnel authorised to process Customer Personal Data are subject to appropriate confidentiality obligations;
• (c) implement and maintain the technical and organisational measures set out in Schedule 2 to protect Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure;
• (d) taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to fulfil the Customer’s obligations to respond to Data Subject requests under Applicable Data Protection Laws;
• (e) assist the Customer in ensuring compliance with its obligations relating to security of processing, Personal Data Breach notification, data protection impact assessments and prior consultation with supervisory authorities, taking into account the nature of the processing and the information available to Bash;
• (f) at the Customer’s choice, delete or return all Customer Personal Data after the end of the provision of services under the Principal Agreement, save where retention is required by Applicable Data Protection Laws (in which case Bash shall continue to protect such Personal Data in accordance with this DPA); and
• (g) make available to the Customer information reasonably necessary to demonstrate compliance with this clause 5, on terms set out in clause 9 (Audit).

5.2 Where Applicable Data Protection Laws permit Bash to process Customer Personal Data without instruction (for example, to comply with a legal obligation), Bash shall inform the Customer of that requirement before processing, unless prohibited by law.

6. Sub-Processors

6.1 The Customer grants Bash general authorisation to engage Sub-Processors to process Customer Personal Data, subject to this clause 6.

6.2 Bash’s current Sub-Processors are listed in Schedule 3.

6.3 Bash shall:

• (a) impose on each Sub-Processor, by written contract, data protection obligations that are no less protective than those in this DPA; and
• (b) remain liable to the Customer for any acts or omissions of its Sub-Processors that cause Bash to breach this DPA.

6.4 Bash shall provide the Customer with at least thirty (30) days’ prior notice of the addition or replacement of any Sub-Processor (including by updating Schedule 3 or by other reasonable means such as in-Platform notification). The Customer may object on reasonable data protection grounds within fifteen (15) days. If the Parties cannot resolve the objection in good faith, the Customer’s sole remedy is to terminate the affected services under the Principal Agreement.

7. International Data Transfers

7.1 The Customer authorises Bash and its Sub-Processors to transfer Customer Personal Data outside Nigeria (and, where the GDPR applies, outside the European Economic Area or United Kingdom) where necessary to provide the services under the Principal Agreement.

7.2 Where a transfer is a Restricted Transfer, Bash shall ensure that an appropriate safeguard is in place, including (as applicable): (a) transfer to a jurisdiction recognised as adequate by the relevant supervisory authority; (b) NDPC-compliant binding contractual clauses; (c) EU/UK Standard Contractual Clauses; or (d) another mechanism permitted by Applicable Data Protection Laws.

8. Personal Data Breach

8.1 Bash shall notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.

8.2 The notification shall, to the extent then known: (a) describe the nature of the breach (including, where possible, the categories and approximate number of Data Subjects and records concerned); (b) identify Bash’s data protection contact; (c) describe the likely consequences; and (d) describe the measures taken or proposed to address the breach.

8.3 Bash shall provide the Customer with reasonable cooperation and information in connection with the Customer’s own obligations to notify supervisory authorities and Data Subjects of the breach.

9. Audit

9.1 Bash shall, on the Customer’s reasonable written request and no more than once in any twelve (12) month period (except where required by a supervisory authority or following a Personal Data Breach), make available information reasonably necessary to demonstrate compliance with this DPA.

9.2 Bash may discharge its obligations under clause 9.1 by providing relevant third-party certifications, audit reports and summaries (for example, SOC 2 reports of its hosting providers, ISO 27001 certifications, or penetration test summaries) where reasonably sufficient.

9.3 If those materials are not reasonably sufficient, the Customer may, at its expense and on at least thirty (30) days’ written notice, conduct an audit through an independent third-party auditor reasonably acceptable to Bash and bound by confidentiality. Audits shall be conducted during business hours, in a manner that does not unreasonably disrupt Bash’s operations, and not more than once per year.

10. Liability and Indemnity

10.1 Each Party (the “Indemnifying Party”) shall indemnify the other (the “Indemnified Party”) against third-party claims (including regulatory fines and reasonable legal costs) to the extent arising from the Indemnifying Party’s material breach of this DPA or Applicable Data Protection Laws.

10.2 The Indemnifying Party’s obligation under clause 10.1 is conditional on the Indemnified Party: (a) giving prompt written notice of the claim; (b) granting the Indemnifying Party sole control of the defence and settlement (provided that no settlement adversely affecting the Indemnified Party shall be made without its consent, not to be unreasonably withheld); and (c) providing reasonable cooperation at the Indemnifying Party’s expense.

10.3 Each Party’s total aggregate liability under or in connection with this DPA (including under clause 10.1) is capped at the greater of: (a) the total fees paid or payable by the Customer to Bash under the Principal Agreement in the twelve (12) months preceding the event giving rise to liability; and (b) ₦50,000 (Fifty Thousand Naira).

10.4 The caps and exclusions of liability in the Principal Agreement otherwise apply to this DPA. Nothing in this DPA excludes or limits liability that cannot be excluded or limited under applicable law (including for death or personal injury caused by negligence, fraud, or wilful misconduct).

11. Term and Termination

11.1 This DPA takes effect on the Effective Date and continues for the term of the Principal Agreement.

11.2 On termination of the Principal Agreement, Bash shall act in accordance with clause 5.1(f).

11.3 Clauses that by their nature should survive termination (including clauses 5.1(f), 8, 10 and 11.3) will survive.

12. General

12.1 Notices. Notices under this DPA shall be in writing and sent to the addresses or email addresses on record for the Parties.

12.2 Order of precedence. In the event of conflict in respect of Personal Data processing: (a) this DPA prevails over the Principal Agreement; and (b) Schedules form part of this DPA but the body prevails over the Schedules.

12.3 Variation. Bash may amend this DPA on at least thirty (30) days’ notice where required to reflect changes in Applicable Data Protection Laws or guidance from a supervisory authority. Any other variation requires the written agreement of both Parties.

12.4 Governing law and jurisdiction. This DPA is governed by the laws of the Federal Republic of Nigeria. The courts of Lagos have exclusive jurisdiction, save that nothing prevents either Party from seeking injunctive relief in any competent court.

12.5 Severability. If any provision of this DPA is held invalid or unenforceable, the remainder shall continue in full force and effect.

Schedule 1 — Description of Processing

• Subject matter: Provision of the Bash ticketing and event management Platform to the Customer.
• Duration: The term of the Principal Agreement and any period during which Bash retains Customer Personal Data in accordance with clause 5.1(f).
• Nature and purpose: Hosting, displaying, processing, transmitting and storing Customer Personal Data to enable the Customer to (a) sell tickets, (b) manage attendees and check-in, (c) handle payments and payouts, (d) communicate with attendees, (e) operate vendor bookings where applicable, and (f) comply with applicable legal obligations.
• Categories of Data Subjects: Customer’s event attendees, ticket buyers, registrants, contacts and end users; and, where the Customer is a Vendor, the Customer’s prospective clients.
• Categories of Personal Data: Identification data (name, email, phone), ticket and registration data, transaction reference data (not card numbers/CVV), check-in/attendance records, communications with the Customer or via the Platform, and any optional fields (e.g. dietary or accessibility information) configured by the Customer.
• Sensitive Personal Data: Only where the Customer configures the Platform to collect it (e.g. accessibility or dietary requirements); the Customer is responsible for the lawful basis.
• Frequency: Continuous for the duration of the Principal Agreement.

Schedule 2 — Technical and Organisational Measures

Bash maintains the following measures to protect Customer Personal Data, which may be updated from time to time provided the overall level of protection is not reduced:

1. Access control. Role-based access control, least-privilege provisioning, mandatory multi-factor authentication for administrative access, and periodic access reviews.
2. Encryption. TLS 1.2+ for data in transit; encryption at rest for production databases and object storage; passwords stored only as salted hashes.
3. Network and infrastructure security. Production workloads hosted with reputable cloud providers; segmented network access; firewalls and security groups configured to deny by default.
4. Secure development. Code review of changes touching production systems; dependency vulnerability scanning; secrets stored in a managed secret store, not in code.
5. Logging and monitoring. Centralised application and access logs; alerting on anomalous activity; error and security monitoring (including Sentry).
6. Backups and recovery. Encrypted backups taken on a regular cadence; periodic recovery testing.
7. Personnel. Confidentiality obligations imposed on personnel with access to Customer Personal Data; data protection training; background screening where lawful and appropriate.
8. Vendor management. Sub-Processors are subject to written contracts imposing data protection obligations no less protective than this DPA.
9. Incident response. Documented Personal Data Breach response process, including investigation, containment, notification and post-incident review.
10. Physical security. Bash does not operate its own data centres; physical security is provided by its cloud and hosting providers under their own certifications.

Schedule 3 — Approved Sub-Processors

• Paystack Payments Limited — payment processing (default for Nigeria). Location: Nigeria / international.
• Flutterwave Technology Solutions Limited — payment processing and identity verification (BVN consent flow via NIBSS). Location: Nigeria / international.
• Sentry — error and performance monitoring. Location: United States / international.
• Cloud hosting provider — application hosting, compute and storage.
• Email delivery provider — transactional and notification email delivery.

Bash will keep this list current as Sub-Processors are added or replaced, in accordance with clause 6.