DATA PROTECTION ADDENDUM (DPA)

This Data Protection Addendum (“DPA”) forms part of and supplements any agreement, contract, Statement of Work (SOW), or service agreement (“Agreement”) between Cybranytech (“Processor”) and the Client (“Controller”).

This DPA applies where Cybranytech processes Personal Data on behalf of the Client.

1. Definitions

For the purposes of this DPA:

  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processing” means any operation performed on Personal Data, including collection, storage, access, analysis, transmission, or deletion.
  • “Controller” means the entity determining the purposes and means of processing Personal Data.
  • “Processor” means the entity processing Personal Data on behalf of the Controller.
  • “Applicable Data Protection Laws” means UAE Federal Decree-Law No. 45 of 2021 (PDPL) and any related implementing regulations.

2. Scope and Roles

For the purposes of the Agreement:

  • The Client acts as the Data Controller.
  • Cybranytech acts as the Data Processor, except where explicitly stated otherwise.

Cybranytech shall process Personal Data only on documented instructions from the Client unless required to do so by law.

3. Nature and Purpose of Processing

Processing activities may include:

  • Security monitoring
  • Log analysis
  • Incident detection and response
  • Threat intelligence
  • Risk assessments
  • Vulnerability management
  • Compliance reporting

The purpose of processing is to provide cybersecurity services as defined in the Agreement.

4. Categories of Data Subjects

Depending on the Client’s business, Personal Data may relate to:

  • Employees
  • Contractors
  • Customers
  • Vendors
  • Website users
  • End users of Client systems

5. Categories of Personal Data

Data processed may include:

  • Names
  • Contact information
  • IP addresses
  • Device identifiers
  • Authentication logs
  • System activity records
  • Security event data

Cybranytech does not intentionally process special categories of sensitive data unless expressly agreed in writing.

6. Processor Obligations

Cybranytech shall:

  1. Process Personal Data only in accordance with documented instructions.
  2. Ensure persons authorized to process data are subject to confidentiality obligations.
  3. Implement appropriate technical and organizational security measures.
  4. Assist the Client in fulfilling data subject rights requests.
  5. Notify the Client without undue delay in case of a Personal Data breach.
  6. Delete or return Personal Data upon termination of services (unless legally required to retain it).

7. Security Measures

Cybranytech implements appropriate safeguards including:

  • Encryption (at rest and in transit)
  • Access control mechanisms
  • Role-based access management
  • Multi-factor authentication
  • Continuous monitoring systems
  • Secure data centers
  • Incident response procedures
  • Regular vulnerability assessments

Security measures are regularly reviewed and updated.

8. Sub-Processors

Cybranytech may engage sub-processors for:

  • Cloud hosting
  • Security tools
  • Analytics services
  • Infrastructure support

Cybranytech shall:

  • Conduct due diligence before appointing sub-processors
  • Ensure sub-processors are bound by equivalent data protection obligations
  • Remain responsible for their compliance

A list of sub-processors may be provided upon request.

9. International Transfers

If Personal Data is transferred outside the UAE:

  • Adequate safeguards shall be implemented
  • Transfers shall comply with Applicable Data Protection Laws
  • Contractual protections shall be enforced

10. Data Subject Rights Assistance

Cybranytech shall assist the Client, where reasonably possible, in responding to:

  • Access requests
  • Rectification requests
  • Erasure requests
  • Objection to processing
  • Data portability requests

The Client remains responsible for responding to such requests.

11. Personal Data Breach Notification

In the event of a confirmed Personal Data breach, Cybranytech shall:

  • Notify the Client without undue delay
  • Provide details of the nature of the breach
  • Describe likely consequences
  • Outline mitigation measures taken

Notification does not constitute admission of liability.

12. Audits

Upon reasonable notice, the Client may request information necessary to demonstrate compliance with this DPA.

Where appropriate, audit rights may be exercised:

  • No more than once per year
  • During normal business hours
  • Subject to confidentiality obligations

13. Data Retention and Deletion

Upon termination of the Agreement:

  • Personal Data shall be securely deleted or returned
  • Backup systems shall be overwritten in accordance with retention cycles
  • Legal retention obligations shall be respected

14. Liability

Liability under this DPA shall be subject to the limitation of liability provisions set forth in the main Agreement.

15. Governing Law

This DPA shall be governed by the laws of the United Arab Emirates.

Any disputes shall fall under the jurisdiction of the courts of Dubai, unless otherwise agreed in writing.

16. Order of Precedence

In the event of conflict between this DPA and the main Agreement, this DPA shall prevail with respect to data protection matters.