This Data Processing Addendum ("DPA") supplements the Terms & Conditions and any Statement of Work ("SOW") between ENSI Solutions ("Processor") and the Client ("Controller"). It governs the processing of personal data in the course of delivering the Services.
Terms not defined here have the meanings given in our Terms & Conditions or the UAE Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data ("PDPL") and its Executive Regulations (Cabinet Decision No. 44 of 2022).
The Processor will process Personal Data solely on documented instructions from the Controller and only to the extent necessary to perform the Services described in the applicable SOW. The categories of data subjects and types of Personal Data are defined in each SOW.
The Controller is responsible for ensuring that it has a lawful basis to share Personal Data with the Processor. The Controller shall provide only the minimum data necessary for the Services and shall inform the Processor of any special categories of data or heightened sensitivity requirements.
The Processor applies layered security controls consistent with industry standards, including encryption in transit and at rest, access controls based on the least-privilege principle, logging and monitoring, regular security reviews, and secure disposal of data. By default, the Processor does not request direct access to Controller production systems.
The Processor may engage Sub-processors to assist with the Services. The Processor will maintain a list of Sub-processors and notify the Controller of any intended changes. The Processor ensures that Sub-processors are bound by data protection obligations no less protective than those in this DPA.
If Personal Data is transferred outside the UAE, the Processor will ensure compliance with PDPL requirements, including transfers to jurisdictions approved by the UAE Data Office or reliance on appropriate contractual safeguards (such as standard contractual clauses) and/or explicit consent of the data subject where required.
In the event of a Personal Data breach, the Processor will notify the Controller without undue delay and provide sufficient information to enable the Controller to meet its notification obligations under the PDPL. The Processor will cooperate with the Controller in investigating, mitigating and remediating any breach.
The Controller may, upon reasonable notice and during business hours, audit the Processor's compliance with this DPA. The Processor will cooperate with such audits and provide access to relevant records and facilities. Audits shall not unreasonably interfere with the Processor's business operations.
This DPA applies for the duration of the engagement. Upon termination or expiry of all SOWs, the Processor will delete or return all Personal Data within 30 days, unless retention is required by applicable law. The obligations of confidentiality and data protection survive termination.
This DPA is governed by the laws of the UAE. Where the Controller is established in DIFC or ADGM, the parties may elect the corresponding jurisdiction as set out in the Terms & Conditions.
For questions about this DPA or to exercise data subject rights, please contact us at contact@ensi.solutions.