Data processing Agreement (DPA)

Last Updated: 14 September 2025

This Data Processing Agreement ("Agreement") forms part of the contractual relationship between MBIYOGROUP S.A.R.L.U. ( MBIYOPAY as trading name) and its partners, clients, and service providers (the "Partner") where personal data is processed.

Parties

Data Controller / Processor:

MBIYOGROUP S.A.R.L.U.
Registered Address: Av. Petro Congo, Q/Abattoir, C/Masina, V/Kinshasa, P/Kinshasa, Democratic Republic of the Congo

Depending on the nature of the services, each party may act as a Data Controller or Data Processor in accordance with applicable data protection laws.

Purpose of Processing

Personal data is processed solely for the purpose of:

Providing payment, payout, API, and financial technology services;
Customer onboarding (KYC/KYB);
Transaction processing and monitoring;
Fraud prevention and compliance with AML/CFT obligations;
Customer support and dispute resolution.

Categories of Data Subjects

Customers and end-users
Business partners and merchants
Authorized representatives

Categories of Personal Data

Identification data (name, date of birth, nationality)
Contact details (email, phone number, address)
Transaction and payment data
KYC/KYB documentation
Technical data (IP address, device information)

Processing Principles

MBIYOPAY commits to:

Process personal data lawfully, fairly, and transparently;
Collect data only for specified, explicit, and legitimate purposes;
Ensure data is adequate, relevant, and limited to what is necessary;
Maintain accuracy and data integrity;
Retain data only for as long as required by law or contractual obligations.

Data Security Measures

MBIYOPAY implements appropriate technical and organizational measures, including:

Access controls and authentication mechanisms;
Encryption of data in transit and at rest (where applicable);
Secure infrastructure and hosting environments;
Regular monitoring and vulnerability management;
Restricted access based on roles and responsibilities.

Sub-Processing

MBIYOPAY may engage sub-processors (including regulated payment partners, hosting providers, and compliance service providers) solely for service delivery purposes.

All sub-processors are required to maintain data protection standards equivalent to those set out in this Agreement.

Data Breach Notification

In the event of a personal data breach, MBIYOPAY shall:

Notify the affected partner without undue delay;
Provide relevant information regarding the nature and impact of the breach;
Take all reasonable measures to mitigate risks and prevent recurrence.

Data Subject Rights

MBIYOPAY supports the exercise of data subject rights, including:

Right of access
Right to rectification
Right to erasure (where legally permissible)
Right to restriction of processing
Right to data portability

Requests may be submitted via: contact@mbiyopay.com

Data Retention & Deletion

Personal data is retained in accordance with:

Regulatory requirements (AML/KYC retention periods);
Contractual obligations;
Legitimate business needs.

Upon termination of services, data will be deleted or anonymized unless retention is required by law.

International Data Transfers

Where personal data is transferred across borders, MBIYOPAY ensures appropriate safeguards are in place, including contractual and technical protections.

Audit & Compliance

Upon reasonable request, MBIYOPAY may provide information necessary to demonstrate compliance with this Agreement, subject to confidentiality obligations.

Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the Democratic Republic of the Congo, unless otherwise agreed in writing.

Approval

This Data Processing Agreement is approved and adopted by the management of MBIYOPAY S.A.R.L.U.

Approved by:
Mr. Joël Mirimo
Founder & Managing Director
MBIYOGROUP S.A.R.L.U.

This DPA is issued for compliance with data protection regulations, including GDPR-equivalent principles and international best practices.