Data Processing Agreement

This data processing agreement and its appendix ("DPA") has been entered into between

(1) Ayflot LLC entering into the DPA on its own behalf, ("Controller"), and
(2) Supplier (IT, Development, Support, Server and Hosting services providers) referred to in the main contract ("Processor").
Controller and Processor are referred to individually as "Party" and collectively as "Parties".

1. Background and objective

1. The Parties entered into a contractual relationship that this contract is an extract to (the "Agreement"). Within the scope of its assignment, Processor will/may gain access to and process personal data for which Controller is the data controller. This means that Processor is a data processor for Controller in accordance with the applicable UAE Federal Law No. 45
   of 2021 On Personal Data Protection ("Data Protection Legislation").
2. The objective of the DPA is to comply with the requirements in the UAE Data Protection Legislation for a written/electronic agreement between Controller and Processor.

2. Definitions

1. The terms used in the DPA shall have the same meaning as assigned to them below and in the Data Protection Legislation, which inter alia imply that:
2. The term personal data means any information that, directly or indirectly, can identify a living natural person;
3. The term processing means any operation or set of operations performed with regard to personal data, whether or not performed by automated means, for example collection, recording, organisation, storage, adaptation or alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction;
4. The term data controller means anyone who alone or jointly with others determines the purposes and means of the processing of personal data;
5. The term data processor means a anyone who processes personal data on behalf of the data controller;
6. The term sub-processor means a sub-contractor that is engaged by Processor. The sub-processor processes personal data on behalf of Controller in accordance with the sub-processor's obligation to provide its services to Processor;
7. The term standard data protection clauses adopted by UAE means standard contractual clauses regulating the transfer of personal data to third countries and that have been adopted by the UAE in accordance with Federal Law No. 45 of 2021 On Personal Data Protection or corresponding decision replacing such decision; and
8. The term Data Protection Legislation means applicable data protection legislation based on UAE Federal Law No. 45 of 2021 On Personal Data Protection.

3.Undertaking and instruction

1. Processor undertakes to process the personal data that it has access to under the Agreement on behalf of Controller, for the purpose of fulfilling the Agreement and during the term of the Agreement. Processor further undertakes:
2. To process the personal data in accordance with the Data Protection Legislation, the Agreement and any other documented instructions from Controller. Processor may, however, without instructions process information required by laws of the UAE or national legislation in a member state to which Processor is subject, but shall inform Controller of such requirement prior to processing, provided that Processor is not prohibited to give such information with reference to important grounds of public interest;
3. Not to use or utilize personal data transferred to or transferred by Processor, collected to or collected by Processor, produced to or produced by Processor or any other way processed personal data under this DPA in its business.
4. To keep the personal data confidential and not to disclose the personal data to any third parties or in any other way use the personal data in contradiction with the Agreement and the DPA. Processor shall also ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
5. To assist Controller, taking into account the nature of the processing, by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Controller's obligation to respond to and to fulfil requests from data subjects exercising their rights laid down in UAE Federal Law No. 45 of 2021 On Personal Data Protection; and

1. To assist Controller in ensuring compliance with the obligations pursuant to UAE Federal Law No. 45 of 2021 On Personal Data Protection (implement security measures, manage personal data breaches, conduct data privacy impact assessments and participate in prior consultations with the supervisory authority) taking into account the nature of the processing and the information available to Processor.
   

4. transfer of personal data
Processor may not transfer person data to a non-authorized third country or to an international organization outside UAE (together "Third countries"), unless Controller has specifically requested or approved to do so. Such written/electronic approval should be requested and provided in writing to every entity and/or transmission receiver separately.

5.Information security
Processor implements all appropriate technical and organisational measures necessary in order to ensure a level of security, as required pursuant to the UAE Federal Law No. 45 of 2021 On Personal Data Protection and other measures necessary in order for Processor to comply with the security requirements set out in the Agreement or that are otherwise required by Controller with reference to the DPA);

Processor undertakes to inform Controller of the technical and organisational measures, which it will implement in order to protect the personal data processed on behalf of Controller. In this context, see security instructions described in UAE Federal Law No. 45 of 2021 On Personal Data Protection. If Processor makes changes that could affect the protection of personal data, Controller shall be informed of this well in advance before such changes are implemented.

In the event of data breach or any potential violation of information security, Processor shall notify Controller without delay after becoming aware of the infringement of information security of personal data or any other violation of Data Protection Legislation, this DPA or the instructions of Controller.

As a part of the notification, Processor must inform Controller without delay and in writing all the necessary information about the disturbance and the related measures, especially:

1. a description of the nature of the infringement of information security, including the information of registered groups and estimated amount of registered persons affected by the infringement along with the information required by Data Protection Legislation
2. necessary information regarding to the statutory obligations and fulfillment of the contractual obligations of Controller. These obligations shall be based, inter alia, Data Protection Legislation, agreements made with third parties and/or a request, a guidance and/or a ruling made by the supervisory authority or a tribunal
3. necessary information for preventing similar infringements of the information security and information required for the notifications made for the registered persons and possible third parties.

6.Audit

1. Processor shall grant Controller access to all information required in order to verify that the obligations set out in the DPA are complied with. Processor shall facilitate and participate in audits, including inspections, carried out by Controller or a governmental authority or by a third party authorised by Controller. If Controller uses a third party to carry out the audit, that third party shall not be a competitor of Processor and shall undertake confidentiality in relation to Processor's information.
2. Processor shall immediately inform and consult with Controller in the event that a supervisory authority initiates or takes any action in relation to Processor with regard to the processing of personal data under the Agreement or the DPA.

7.Engaging sub-processors

1. Processor may not engage or replace a sub-processor for the performance of Processor's processing of personal data under the DPA, without obtaining a written/electronic approval from Controller in advance
   

8.Damages and compensation

1. Processor shall, without limitation, hold harmless and indemnify Controller in the event of damage that is attributable to Processor's processing of personal data in breach of the DPA or the Data Protection Legislation. For the avoidance of doubt, administrative fines are imposed on the Party in breach of its obligations and, in consequence, neither party will bear the other Party's administrative fines.
2. Processor's compensation under the Agreement includes compensation for Processor's undertakings under the DPA unless otherwise stated in writing by Parties.

9.Order of validity of contract documents
This DPA is irremovable part of any Agreement. If the terms of the Agreement and terms of this DPA are divergent or otherwise in contradiction, this DPA shall prevail.

10.Term

1. The DPA is effective from its accepting and for as long as Processor processes personal data on Controller's behalf.
2. In the event that Processor is in breach of its obligations under the DPA or Data Protection Legislation, and fails to remedy the deficiency within thirty (30) days of Processor being notified of the breach, or within the time period agreed between the Parties, Controller has the right to terminate the Agreement with immediate effect or the longer period of notice notified by Controller.

When the Agreement expires or terminates, Processor shall, based on Controller's instructions, delete or return to Controller without any additional cost, in a manner acceptable to Controller, all personal data, and delete existing copies unless storage of personal data is required pursuant to UAE Federal Law No. 45 of 2021 On Personal Data Protection. Processor undertakes to actively seek instructions from Controller without delay.

11.Governing law and Dispute resolution

1. The DPA shall be governed by and construed in accordance with UAE law, with the exception of conflict of law rules.
2. Disputes regarding interpretation and application of the DPA shall be settled in accordance with UAE laws.
3. In the absence of provisions regarding dispute resolution in the Agreement, this section shall apply. Disputes arising in connection with the DPA shall be finally settled in arbitration in accordance with the Dubai Courts.

© 2020 Iflot

Ayflot LLC

info@iflot.com