Data Processing Agreement

Last updated: February 1, 2026

This Data Processing Agreement ("DPA") is entered into between Qawaid ("Processor") and the Customer ("Controller") and governs the processing of Personal Data in connection with the Qawaid Engine platform.

1. Definitions

For the purposes of this Data Processing Agreement ("DPA"), the following terms shall have the meanings set out below:

Controller: The entity that determines the purposes and means of the processing of Personal Data. In this DPA, the Controller is the Customer who has entered into a subscription agreement with Qawaid.
Processor: The entity that processes Personal Data on behalf of the Controller. In this DPA, the Processor is Qawaid ("Qawaid", "we", "us", or "our").
Sub-processor: Any third-party entity engaged by the Processor to assist in the processing of Personal Data on behalf of the Controller.
Personal Data: Any information relating to an identified or identifiable natural person ("Data Subject"), as defined by applicable data protection laws including GDPR Article 4(1).

2. Scope & Purpose

This DPA applies to all processing of Personal Data by Qawaid on behalf of the Customer in connection with the provision of the Qawaid Engine platform and related services.

The purpose of this DPA is to ensure that Personal Data is processed in compliance with applicable data protection legislation, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK Data Protection Act 2018, and other applicable data protection laws.

This DPA forms part of and supplements the Terms of Service agreed between Qawaid and the Customer. In the event of any conflict between this DPA and the Terms of Service regarding data protection matters, this DPA shall prevail.

3. Data Processing Details

The following details describe the scope of processing activities carried out by Qawaid on behalf of the Customer:

Types of Personal Data: Account information (name, email, job title), usage data (API calls, rule evaluations, logs), technical data (IP addresses, browser information, device identifiers), and any Personal Data contained within rule configurations or decision tables created by the Customer.
Categories of Data Subjects: Customer employees and authorized users of the Qawaid platform, end users whose data may be processed through rule evaluations, and Customer contacts for billing and communication purposes.
Purpose of Processing: To provide, maintain, and improve the Qawaid platform; to execute rule evaluations and decision table lookups as configured by the Customer; to generate analytics and usage reports; and to provide customer support.
Duration of Processing: Personal Data will be processed for the duration of the subscription agreement between Qawaid and the Customer, plus any applicable retention period as described in Section 9 (Data Deletion) of this DPA.

4. Processor Obligations

Qawaid, as the Processor, shall comply with the following obligations:

Security Measures: Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit (TLS 1.3) and at rest (AES-256), access controls, regular security assessments, and intrusion detection systems.
Confidentiality: Ensure that all personnel authorized to process Personal Data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is restricted on a need-to-know basis.
Sub-processor Management: Not engage any Sub-processor without prior specific or general written authorization of the Controller. Where general authorization is given, Qawaid shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object.
Assistance to Controller: Assist the Controller in fulfilling its obligations to respond to Data Subject requests for exercising their rights under applicable data protection laws, including rights of access, rectification, erasure, restriction, portability, and objection.
Data Deletion and Return: Upon termination of the services or upon request, delete or return all Personal Data to the Controller and delete existing copies, unless storage is required by applicable law. Details of the deletion process are described in Section 9 (Data Deletion).
Audit Rights: Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Audits shall be conducted with reasonable notice and during normal business hours.
Breach Notification: Notify the Controller without undue delay after becoming aware of a Personal Data breach. The notification process and content requirements are described in Section 8 (Data Breach Notification).

5. Sub-Processors

Qawaid currently engages the following Sub-processors to assist in the provision of its services. Each Sub-processor has been vetted and is bound by data processing agreements ensuring an equivalent level of data protection:

Stripe (Stripe, Inc.): Payment processing and billing management. Data processed: billing information, payment method details, transaction history. Location: United States (Privacy Shield certified, SCCs in place).
SendGrid (Twilio Inc.): Transactional and marketing email delivery. Data processed: email addresses, names, email content. Location: United States (SCCs in place).
Seq (Datalust Pty Ltd): Structured log management and application monitoring. Data processed: application logs which may contain user identifiers, IP addresses, and request metadata. Location: Self-hosted within Qawaid infrastructure.
Keycloak (Self-hosted / Red Hat): Identity and access management for authentication and authorization. Data processed: user credentials, authentication tokens, session data. Location: hosted within Qawaid infrastructure.

The Customer may subscribe to notifications of Sub-processor changes by contacting dpa@qawaid.ai. Qawaid will provide at least 30 days' notice before engaging any new Sub-processor, allowing the Customer to raise objections.

6. Data Subject Rights

Qawaid shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws:

Right of Access: Data Subjects may request access to their Personal Data. Qawaid will provide the Controller with the necessary tools and information to fulfill such requests within the platform.
Right to Rectification: Data Subjects may request correction of inaccurate Personal Data. The Controller can update user data directly through the Qawaid admin dashboard.
Right to Erasure: Data Subjects may request deletion of their Personal Data. Qawaid provides data deletion capabilities through the platform and API.
Right to Restrict Processing: Data Subjects may request restriction of processing. Qawaid will implement technical measures to support such restrictions when instructed by the Controller.
Right to Data Portability: Data Subjects may request their data in a structured, machine-readable format. Qawaid supports data export in JSON and CSV formats.
Right to Object: Data Subjects may object to processing based on legitimate interests. The Controller is responsible for evaluating such objections and instructing Qawaid accordingly.

Qawaid will respond to Controller requests regarding Data Subject rights without undue delay and within the timeframes required by applicable law.

7. Security Measures

Qawaid implements and maintains comprehensive technical and organizational security measures, including but not limited to:

Encryption: All data encrypted in transit using TLS 1.3 and at rest using AES-256. Database connections use encrypted channels. API keys and secrets are stored in encrypted vaults.
Access Controls: Role-based access control (RBAC) with principle of least privilege. Multi-factor authentication (MFA) for administrative access. Regular access reviews and revocation of unnecessary privileges.
Network Security: Web application firewall (WAF), DDoS protection, network segmentation, and intrusion detection/prevention systems (IDS/IPS).
Application Security: Regular vulnerability assessments and penetration testing. Secure development lifecycle (SDLC) practices. Dependency scanning and security code reviews.
Physical Security: Data centers with 24/7 physical security, biometric access controls, CCTV monitoring, and environmental controls.
Business Continuity: Regular backups with tested restoration procedures. Disaster recovery plan with defined RPO and RTO objectives. Geographic redundancy for critical systems.
Monitoring and Logging: Centralized security monitoring via Seq. Real-time alerting for security events. Comprehensive audit logging with tamper-evident storage.

8. Data Breach Notification

In the event of a Personal Data breach, Qawaid shall comply with the following notification requirements:

72-Hour Notification: Qawaid shall notify the Controller without undue delay, and in any event no later than 72 hours after becoming aware of a Personal Data breach. Notification shall be made to the Controller's designated contact via email and, where applicable, through the Qawaid admin dashboard.
Content of Notification: The breach notification shall include: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned; (b) the name and contact details of Qawaid's data protection officer; (c) a description of the likely consequences of the breach; (d) a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
Ongoing Communication: Qawaid shall provide timely updates as additional information becomes available, cooperate fully with the Controller's investigation, and assist the Controller in fulfilling its own notification obligations to supervisory authorities and Data Subjects.
Documentation: Qawaid shall document all Personal Data breaches, including the facts relating to the breach, its effects, and the remedial actions taken. This documentation shall be made available to the Controller and supervisory authorities upon request.

9. Data Deletion

Upon termination or expiration of the subscription agreement, or upon the Controller's request, Qawaid shall handle Personal Data as follows:

30-Day Export Period: The Controller shall have a period of 30 days from the date of termination to export all Personal Data from the Qawaid platform. During this period, the Controller will retain full read access to their data, including rule configurations, decision tables, evaluation logs, and account information.
Permanent Deletion: Following the expiration of the 30-day export period, Qawaid shall permanently and irreversibly delete all Personal Data from its production systems, backup systems, and disaster recovery environments. Deletion shall be completed within 90 days of the end of the export period.
Certification of Deletion: Upon completion of the deletion process, Qawaid shall provide the Controller with a written certification confirming that all Personal Data has been securely deleted in accordance with this DPA. The certification shall specify the date of deletion and the methods used.
Exceptions: Certain data may be retained beyond the deletion timeline where required by applicable law, regulation, or a legally binding order. In such cases, Qawaid shall inform the Controller of the retention requirement and the specific data affected, and shall ensure continued protection of such data.

10. International Data Transfers

Where Personal Data is transferred outside of the European Economic Area (EEA), the United Kingdom, or other jurisdictions with data transfer restrictions, Qawaid ensures that appropriate safeguards are in place:

Standard Contractual Clauses (SCCs): Qawaid incorporates the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor) into its agreements with Sub-processors located outside the EEA. The latest version of SCCs adopted under Commission Implementing Decision (EU) 2021/914 shall apply.
Adequacy Decisions: Where available, transfers may rely on adequacy decisions issued by the European Commission recognizing the destination country as providing an adequate level of data protection.
Additional Safeguards: Where required by the Schrems II ruling, Qawaid implements supplementary measures including encryption, pseudonymization, and contractual commitments to challenge government access requests.
Transfer Impact Assessments: Qawaid conducts transfer impact assessments for each Sub-processor to evaluate the legal framework of the destination country and the effectiveness of the safeguards in place.

11. Term & Termination

This DPA shall remain in effect for the duration of the subscription agreement between Qawaid and the Customer:

Commencement: This DPA shall take effect on the date the Customer first accesses or uses the Qawaid platform under a valid subscription agreement.
Duration: This DPA shall continue in force for as long as Qawaid processes Personal Data on behalf of the Customer. Obligations relating to confidentiality and data deletion shall survive termination.
Termination for Breach: Either party may terminate this DPA immediately upon written notice if the other party materially breaches any provision of this DPA and fails to cure such breach within 30 days of receiving written notice.
Effect of Termination: Upon termination of this DPA, the data deletion provisions of Section 9 shall apply. Qawaid shall cease all processing of Personal Data on behalf of the Controller, except as required by applicable law.

12. Contact Information

For any questions, concerns, or requests related to this Data Processing Agreement, please contact us through the following channels:

DPA Inquiries: dpa@qawaid.ai
Data Protection Officer: dpo@qawaid.ai
Security Team: security@qawaid.ai
Mailing Address: Qawaid, Legal Department, Dubai, United Arab Emirates.

To request a signed copy of this DPA or to report a data breach, please contact dpa@qawaid.ai with the subject line "DPA Request" or "Data Breach Report" respectively.

Sub-Processor Summary

Sub-Processor | Purpose                        | Data Processed             | Location
Stripe        | Payment processing             | Billing info, transactions | United States
SendGrid      | Email delivery                 | Email addresses, names     | United States
Seq           | Log management                 | App logs, request metadata | Self-hosted
Keycloak      | Authentication & authorization | Credentials, sessions      | Self-hosted

If you have questions about this DPA, please contact us at dpa@qawaid.ai.
