Data Processing Agreement

This Data Processing Agreement ("Agreement") forms part of the Terms and Conditions ("Principal Agreement") between:

  • The Client (the "Data Controller")
  • Textintel FZE (the "Data Processor")

(Collectively referred to as the “Parties”).

1. Background

1.1 The Client acts as a Data Controller and wishes to subcontract certain services involving the processing of personal data to the Data Processor.

1.2 The Parties seek to implement a data processing agreement that complies with applicable data protection laws, including:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and the free movement of such data (General Data Protection Regulation, GDPR).
  • Any other applicable data protection or privacy laws governing the processing of personal data.

1.3 This Agreement sets forth the rights and obligations of the Parties regarding data protection and privacy.

2. Definitions & Interpretation

2.1 Unless otherwise defined, capitalized terms in this Agreement shall have the following meanings:

  • "Agreement" – This Data Processing Agreement, including all appendices and schedules.
  • "Client Personal Data" – Any personal data processed by the Data Processor on behalf of the Client under the Principal Agreement.
  • "Data Protection Laws" – All applicable privacy and data protection laws, including GDPR and any national laws supplementing or implementing GDPR.
  • "Processing" – Any operation performed on personal data, such as collection, storage, transmission, or deletion.
  • "Subprocessor" – Any third party authorized by the Data Processor to process personal data on behalf of the Client.

2.2 Any terms used in this Agreement that are not defined shall have the meaning ascribed to them under GDPR.

3. Scope of Data Processing

3.1 The Client instructs the Data Processor to process Client Personal Data strictly in accordance with:

  • The Client’s documented instructions.
  • The Principal Agreement and this DPA.
  • Applicable Data Protection Laws.

3.2 The Data Processor shall not process Client Personal Data for any purposes other than those specified in this Agreement and the Principal Agreement.

4. Responsibilities of the Data Processor

4.1 The Data Processor shall:

  • Ensure compliance with applicable Data Protection Laws.
  • Process data securely, following industry best practices.
  • Restrict access to authorized personnel only.
  • Ensure all personnel handling Client Personal Data are subject to confidentiality obligations.

5. Security Measures

5.1 The Data Processor shall implement appropriate technical and organizational measures to ensure the security of Client Personal Data, considering:

  • The state of the art of security technologies.
  • The nature, scope, and context of data processing.
  • Potential risks, including unauthorized access, data breaches, and loss.

5.2 Security measures shall include, where applicable:

  • Encryption of data in transit and at rest.
  • Access controls and authentication mechanisms.
  • Regular security audits and risk assessments.

6. Subprocessing

6.1 The Data Processor shall not engage any Subprocessor without the Client’s prior written approval.

6.2 The Client acknowledges and authorizes the Data Processor to use the following approved Subprocessors:

  • Amazon Web Services
  • Meta
  • Google
  • Amplitude
  • Firebase Analytics
  • Stripe

6.3 The Data Processor shall ensure that any Subprocessor complies with the same obligations under this Agreement.

7. Data Subject Rights

7.1 The Data Processor shall assist the Client in fulfilling obligations regarding Data Subject Rights, including:

  • Access to personal data.
  • Rectification or deletion of inaccurate data.
  • Data portability requests.

7.2 If the Data Processor receives a request from a Data Subject, it shall:

  • Promptly notify the Client.
  • Not respond unless authorized by the Client.

8. Data Breach Notification

8.1 In the event of a Personal Data Breach, the Data Processor shall:

  • Notify the Client without undue delay.
  • Provide all necessary details to allow the Client to comply with legal reporting obligations.
  • Take reasonable measures to mitigate and remedy the breach.

9. Data Transfers

9.1 The Data Processor shall not transfer Client Personal Data outside the EU/EEA unless:

  • The Client has provided prior written consent.
  • Appropriate safeguards, such as Standard Contractual Clauses (SCCs), are in place.

10. Data Retention & Deletion

10.1 Upon termination of the Principal Agreement, the Client may request:

  • Deletion of all Client Personal Data within 10 business days.
  • A certificate of deletion confirming compliance.

11. Audit Rights

11.1 The Client has the right to:

  • Request information to demonstrate compliance.
  • Conduct audits and inspections on the Data Processor.

12. Confidentiality

12.1 Each party shall maintain the confidentiality of all shared information under this Agreement and shall not disclose it without the other party’s written consent, except where:

  • Disclosure is legally required.
  • The information is already publicly available.

13. Governing Law & Jurisdiction

13.1 This Agreement is governed by the laws of Dubai, United Arab Emirates.

13.2 Any disputes arising from this Agreement shall be resolved in the courts of Dubai.