1. Parties & roles
This DPA forms part of the agreement (“Agreement”) between ENSI Solutions, acting as Processor, and the Client, acting as Controller, for the provision of Services. Capitalised terms have the meanings set out in the UAE PDPL (Federal Decree-Law No. 45 of 2021) and its Executive Regulations and, where elected, in the applicable DIFC/ADGM laws.
2. Subject matter & duration
Processor will process personal data solely to provide the Services described in the Agreement/SOW. This DPA remains in force for the duration of the Services and until personal data is returned or deleted as set out below.
3. Nature & purpose of processing
Consulting, architecture and security assessments; configuration guidance; software engineering and delivery on demand; incident readiness and response playbooks; operational support as agreed in the SOW.
4. Categories of data & data subjects
Business-contact details (names, roles, work emails/phones), limited operational identifiers/logs where necessary for integration/testing, and other data submitted by Controller at its discretion. Data subjects typically include Controller’s employees, contractors, administrators and users.
5. Processor obligations
- Process personal data only on documented instructions from Controller and within the agreed scope;
- Ensure authorised personnel are bound by confidentiality and receive appropriate security/privacy training;
- Implement the technical and organisational measures described in this DPA and the SOW;
- Assist Controller with data protection impact assessments (where required) and consultations with authorities;
- Maintain records of processing as required under PDPL;
- Notify Controller without undue delay of any personal data breach per Section 8.
6. Sub-processors
Controller authorises the use of sub-processors for hosting, tooling and delivery, provided they are bound by written agreements imposing data protection obligations no less protective than this DPA. Processor will maintain a list of sub-processors, make it available upon request, and notify Controller of material changes, allowing reasonable objections on justified grounds.
7. Security measures
- Least-privilege access and MFA for administrative accounts;
- Segregation of environments and client data; secure software supply chain (e.g., SBOM/artifact signing where applicable);
- Encryption in transit and at rest where supported by the platform and agreed with Controller;
- Change management and logging for material actions; backup and recovery procedures;
- Personnel confidentiality undertakings and periodic security training.
8. Breach notification
Processor will notify Controller without undue delay after becoming aware of a personal data breach affecting the personal data processed under this DPA and will provide information reasonably available at the time, followed by updates. The parties will cooperate to comply with PDPL and any applicable free-zone notification duties.
9. Data subject requests
Taking into account the nature of processing, Processor will assist Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection, and withdrawal of consent) in accordance with PDPL and applicable free-zone rules.
10. International transfers
Transfers outside the UAE will be made in accordance with PDPL and the Executive Regulations, including to jurisdictions recognised as providing adequate protection by the UAE Data Office, or using contractual safeguards/appropriate mechanisms agreed by the parties, or where necessary to perform the contract at the data subject’s request, or with explicit consent where permissible.
11. Audit & information
Upon reasonable written notice, Processor will make available information necessary to demonstrate compliance with this DPA and, where required, allow audits by Controller or an independent auditor under confidentiality, frequency and time constraints that avoid disruption of Services.
12. Return & deletion
Upon termination or at Controller’s written request, Processor will return or securely delete personal data (at Controller’s option), unless retention is required by law. Deletion includes removal from active systems and scheduled backups in line with retention cycles.
13. Governing law & order of precedence
This DPA is governed by the same law and venue as the Agreement (UAE, or where elected, DIFC/ADGM). If there is a conflict between this DPA and other terms, this DPA prevails for data protection matters.