Legal

Data Processing Agreement

Last updated: April 2026 · This DPA forms part of the Master Service Agreement between [NAME] and the Customer.

1. Scope

This Data Processing Agreement ("DPA") applies to the processing of Customer Data by [NAME] FZ-LLC ("Processor") on behalf of the Customer ("Controller") in connection with the provision of the [NAME] platform services.

2. Processing Details

Subject matter: Provision of enterprise data intelligence services including AI-powered query, data unification, lineage, and quality management.

Duration: For the term of the Master Service Agreement.

Nature and purpose: Processing Customer Data to deliver contracted platform services.

Categories of data subjects: Customer's employees, customers, counterparties, and other persons whose data is held in Customer's connected systems.

3. [NAME]'s Obligations as Processor

• Process Customer Data only on documented instructions from the Customer
• Ensure all [NAME] personnel with access to Customer Data are bound by confidentiality obligations
• Implement appropriate technical and organisational security measures (see Security Policy)
• Not engage sub-processors without prior Customer consent (current sub-processor list available on request)
• Assist the Customer in responding to data subject requests
• Delete or return all Customer Data upon termination and provide deletion certification
• Provide all information necessary to demonstrate compliance with this DPA

4. Data Residency

All Customer Data is processed and stored exclusively within UAE sovereign cloud infrastructure (Google Cloud me-central1 region). No Customer Data is transferred outside UAE territory. This applies to data at rest, data in transit, and data processed during AI inference operations.

5. Security Measures

Technical and organisational measures are detailed in the Security Policy. Key measures include: tenant isolation, encryption at rest (AES-256) and in transit (TLS 1.3+), customer-managed encryption keys (Enterprise tier), access logging, and regular penetration testing.

6. Audit Rights

The Customer may request audit evidence of [NAME]'s compliance with this DPA. As our certification programme matures, [NAME] will provide SOC 2 and ISO 27001 artefacts under NDA when available, along with penetration test summaries and responses to security questionnaires. On-site audits may be arranged subject to reasonable notice and confidentiality requirements.

7. Sub-processors

Current infrastructure sub-processors include Google Cloud (UAE region only). The full sub-processor list is available on request. Customers will be notified of any changes to sub-processors with 30 days' advance notice.

8. Data Breach Notification

[NAME] will notify the Customer of any personal data breach affecting Customer Data within 72 hours of becoming aware of the breach, including all information required for regulatory notification obligations.

9. Signed DPA

Enterprise customers requiring a countersigned DPA should contact us. We can accommodate customer-provided DPA templates for regulated institutions with specific requirements.