Data Processing Agreement
Effective: February 22, 2026 | Last updated: February 22, 2026
Attorney Review Pending
This document is in draft form and is subject to legal review. Content may change before final publication. Individual client DPAs will be customized as needed.
This Data Processing Agreement ("DPA") forms part of the Master Service Agreement between Aliff Solutions FZC ("Processor") and the client organization ("Controller"). This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the Aliff Solutions platform and related services. This DPA should be read in conjunction with our Privacy Policy. This DPA is designed to comply with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL"), and other applicable data protection legislation.
1. Definitions
For the purposes of this DPA, the following terms have the meanings set out below, unless otherwise defined in the MSA:
- Controller: The client organization that determines the purposes and means of the processing of Personal Data. The Controller is identified in the applicable Statement of Work or MSA.
- Processor: Aliff Solutions FZC, which processes Personal Data on behalf of the Controller in connection with the provision of the platform and services.
- Data Subject: An identified or identifiable natural person whose Personal Data is processed under this DPA. This includes the Controller's employees, authorized users, and any individuals whose data is uploaded to or processed through the platform.
- Personal Data: Any information relating to an identified or identifiable natural person, as defined by Article 4(1) of the GDPR, including but not limited to names, email addresses, job titles, IP addresses, and usage data that can be attributed to a specific individual.
- Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- Sub-processor: Any third party engaged by the Processor to process Personal Data on behalf of the Controller, as detailed in Section 4 and on our Subprocessors page.
- Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
2. Processing Details
Nature and Purpose of Processing: The Processor processes Personal Data for the purpose of providing the Aliff Solutions platform and related services to the Controller, including:
- User authentication and account management
- Platform functionality (pipeline management, opportunity tracking, AI-powered analysis)
- Aliff Copilot conversational AI services
- Billing and subscription management
- Analytics and service improvement
- Customer support and communications
Duration of Processing: Processing commences on the effective date of the MSA or applicable SOW and continues for the duration of the service relationship plus the applicable retention period as defined in our Data Retention Policy.
Categories of Data Subjects: The Controller's employees, contractors, authorized platform users, and any individuals whose data the Controller uploads to or processes through the platform.
Categories of Personal Data:
- Account information (name, email, job title, organization)
- Authentication data (hashed passwords, session tokens)
- Usage data (platform interactions, feature usage, session metadata)
- Communication data (support requests, Aliff Copilot conversations)
- Billing data (processed through Stripe; Processor does not store full payment card details)
- Business data uploaded by the Controller (opportunity data, pipeline information, documents)
3. Processor Obligations
Aliff Solutions FZC, as Processor, shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless the law prohibits such notification)
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement and maintain appropriate technical and organizational security measures as described in Section 5 of this DPA
- Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller, as described in Section 4
- Assist the Controller by appropriate technical and organizational measures in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising their rights under applicable data protection law
- Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of processing and the information available
- At the Controller's choice, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the Personal Data
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller
4. Sub-processor Authorization
The Controller provides general written authorization for the Processor to engage sub-processors for the processing of Personal Data. The current list of sub-processors is maintained on our Subprocessors page.
Notification of changes: The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving the Controller the opportunity to object to such changes.
Objection right: If the Controller objects to a new sub-processor on reasonable grounds relating to data protection, the parties shall discuss the objection in good faith. If the parties cannot reach a resolution, the Controller may terminate the affected services without penalty by providing written notice within thirty (30) days of the notification.
Sub-processor obligations: Where the Processor engages a sub-processor, the Processor shall impose data protection obligations no less protective than those set out in this DPA on that sub-processor by way of a written contract. The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations.
5. Security Measures
The Processor implements and maintains the following technical and organizational measures to ensure a level of security appropriate to the risk of processing:
- Encryption in transit: All data transmitted between clients and the platform is encrypted using TLS 1.2 or higher
- Encryption at rest: Stored data is encrypted using AES-256
- Access controls: Role-based access control (RBAC) with the principle of least privilege for all staff and system accounts. Multi-tenant isolation using row-level security (RLS) policies that ensure organization-scoped data access
- Authentication: Secure authentication with hashed passwords (bcrypt), JWT-based session management with JWKS validation, and support for multi-factor authentication
- Infrastructure security: Hosted on dedicated VPS infrastructure with firewall rules (UFW), automated security updates, and network isolation
- Monitoring and logging: Comprehensive audit logging of data access and administrative actions, with anomaly detection and alerting
- Incident response: Documented incident response procedures as described in our Security Policy
- Personnel security: All personnel with access to Personal Data are bound by confidentiality obligations and receive appropriate training on data protection
6. Data Subject Rights Assistance
The Processor shall assist the Controller in responding to requests from Data Subjects to exercise their rights under applicable data protection law, including but not limited to:
- Right of access (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure / right to be forgotten (Article 17 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to object (Article 21 GDPR)
If the Processor receives a request directly from a Data Subject, the Processor shall promptly notify the Controller and shall not respond to the request without the Controller's documented instructions, unless required to do so by applicable law.
The Processor shall provide the Controller with self-service tools and API access where feasible to facilitate the retrieval, correction, and deletion of Personal Data. Where automated tools are insufficient, the Processor shall respond to assistance requests within ten (10) business days.
7. Data Breach Notification
In the event of a Data Breach affecting Personal Data processed under this DPA, the Processor shall:
- Notification timeline: Notify the Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 33 of the GDPR
- Breach notification content: The notification shall include: (a) a description of the nature of the breach including, where possible, the categories and approximate number of Data Subjects and records concerned; (b) the name and contact details of the Processor's point of contact; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
- Cooperation: Cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Data Breach
- Documentation: Document all Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken
For UAE-specific requirements, the Processor shall also notify the Telecommunications and Digital Government Regulatory Authority (TDRA) where required under the UAE PDPL.
8. Termination and Data Deletion
Upon termination or expiry of the MSA or applicable SOW:
- Data return: The Controller may request the return of all Personal Data in a structured, commonly used, and machine-readable format within thirty (30) days of termination
- Data deletion: Following the return of data (or upon the Controller's instruction), the Processor shall delete all Personal Data within ninety (90) days, except where applicable law requires further retention
- Certification: Upon request, the Processor shall provide written certification that all Personal Data has been deleted in accordance with this DPA
- Retained data: Where applicable law requires the Processor to retain certain data beyond termination (e.g., billing records for tax compliance), the Processor shall restrict processing to the minimum necessary and continue to apply all security measures described in this DPA
For specific retention periods by data category, refer to our Data Retention Policy.
To request a signed Data Processing Agreement or to inquire about our data protection practices, please contact us.
Entity: Aliff Solutions FZC, Ras Al Khaimah, United Arab Emirates