EFFIVITY SAUDI PDPL DATA PROCESSING AGREEMENT

Last revision: 27 March 2026

This Data Processing Agreement (the "DPA") is entered into between Effivity Technologies Private Limited, an Indian company having its registered office at A-4, Narsinhdham Society, Near Mother School, Gotri Road, Vadodara 390021, Gujarat, India ("Effivity"), and the customer identified in the relevant services agreement, order form, subscription, or accepted terms ("Customer").

This DPA forms part of and supplements the parties' underlying commercial agreement for the Effivity software and related services (the "Agreement"). It applies only to the extent that Effivity Processes Personal Data on behalf of the Customer in connection with the Services.

The parties intend this DPA to address the processor-agreement requirements of the Saudi Personal Data Protection Law and its Implementing Regulations. For Saudi Personal Data, the Saudi PDPL is the primary privacy framework for the interpretation of this DPA. If, and only to the extent, particular Processing is independently subject to GDPR or another non-Saudi data protection law and the parties have separately adopted a relevant addendum for that law, that separate addendum shall apply according to its terms without enlarging Effivity's obligations under this DPA beyond what is expressly stated herein or required by mandatory law.

Practical note

Effivity is established in India and may Process or permit access to Customer Personal Data from India and from the approved processing locations identified in this DPA. Unless expressly agreed in writing in an order form or other signed commercial document, this DPA does not constitute a Saudi-data-localization commitment, the standalone adoption of the Saudi standard contractual clauses, or a substitute for any separate GDPR addendum used for independently GDPR-subject processing outside this Saudi PDPL framework.

1. Definitions

1.1 Agreement. The master services agreement, subscription agreement, order form, terms of use, or other binding commercial terms under which the Customer receives the Services from Effivity.

1.2 Competent Authority. The Saudi Data & AI Authority (SDAIA) or any other authority that is legally competent to supervise or enforce the Saudi PDPL from time to time.

1.3 Controller. The Customer, to the extent it determines the purposes and means of Processing Personal Data.

1.4 Customer Personal Data. Any Personal Data submitted to, stored in, made available through, or otherwise Processed by Effivity on behalf of the Customer in connection with the Services.

1.5 Data Subject. An identified or identifiable natural person to whom Personal Data relates.

1.6 Documented Instructions. The written or otherwise documented instructions issued by the Customer to Effivity, including this DPA, the Agreement, Customer configurations within the Services, support requests, and administrative settings selected by the Customer.

1.7 GDPR. Regulation (EU) 2016/679, solely to the extent it independently applies to specific Processing activities.

1.8 Personal Data. Any information relating to an identified or identifiable natural person, as defined by the Saudi PDPL.

1.9 Personal Data Breach. Any breach of security leading to accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure of, or access to Customer Personal Data.

1.10 Processing / Process. Any operation or set of operations performed on Personal Data, whether by automated means or otherwise, including collection, storage, organization, structuring, retrieval, consultation, use, disclosure, transmission, deletion, destruction, hosting, support, and remote access.

1.11 Processor. Effivity, to the extent it Processes Customer Personal Data on behalf of the Customer.

1.12 Restricted Data. Sensitive Personal Data, credit data, biometric data, health data, government identifier data, children's data, criminal-record data, or any other category of Personal Data subject to heightened legal or sector-specific restrictions.

1.13 Saudi Personal Data. Customer Personal Data that relates to individuals in the Kingdom of Saudi Arabia or is otherwise subject to the Saudi PDPL.

1.14 Sensitive Personal Data. Personal Data classified as sensitive under the Saudi PDPL or applicable regulations.

1.15 Services. The Effivity software-as-a-service platform, related software, support, implementation, maintenance, hosting, security, and ancillary services made available by Effivity under the Agreement.

1.16 Sub-Processor. Any third party engaged by Effivity to Process Customer Personal Data on Effivity's behalf in connection with the Services.

2. Scope, roles, and interpretation

2.1 The Customer acts as Controller and Effivity acts as Processor in relation to Saudi Personal Data Processed under this DPA, except to the limited extent Effivity acts as an independent controller for its own direct relationship data, such as billing, contract administration, service subscription records, abuse-prevention records, and direct legal compliance records that are not processed on behalf of the Customer.

2.2 Effivity shall Process Saudi Personal Data only on the Customer's Documented Instructions and only to the extent reasonably necessary to provide, secure, maintain, support, back up, restore, troubleshoot, and lawfully operate the Services, or as otherwise required by applicable law.

2.3 If Effivity reasonably believes that an instruction breaches this DPA, the Saudi PDPL, another law applicable in the Kingdom, or Effivity's legitimate security or resilience obligations, Effivity shall notify the Customer without undue delay and may decline or suspend the affected Processing until the issue is resolved.

2.4 If Effivity Processes Saudi Personal Data outside the Customer's lawful Documented Instructions or otherwise determines the purposes or means of Processing in violation of this DPA or the Saudi PDPL, Effivity shall be deemed a controller only to that limited extent and shall bear the corresponding responsibility under applicable law.

2.5 For Saudi Personal Data, this DPA is intended as a PDPL-first processor agreement. Separate GDPR or other non-Saudi data-processing terms, if any, shall apply only where separately adopted and independently triggered by law.

2.6 If there is any conflict between this DPA and the Agreement in relation to Saudi Personal Data, this DPA shall prevail to the extent of that conflict. In all other respects, the Agreement continues to govern.

3. Customer instructions and Controller responsibilities

3.1 The Customer is solely responsible for determining the lawful basis, purposes, scope, necessity, proportionality, and permissibility of Processing Saudi Personal Data, including any required privacy notices, consents, permissions, registrations, filings, transfer assessments, approvals, impact assessments, retention rules, or sector-specific authorizations.

3.2 The Customer shall ensure that Saudi Personal Data made available to Effivity has been collected, used, and disclosed lawfully, that the Customer has the right to provide it to Effivity, and that the Customer's instructions are specific, documented, and consistent with applicable law. Effivity may rely on those representations and has no obligation to independently investigate the lawfulness, accuracy, or adequacy of the Customer's instructions or source data.

3.3 The Customer remains responsible for data accuracy, data minimization, defining retention periods, handling Data Subject rights requests, assessing whether Restricted Data may lawfully be Processed, and determining whether the Services are suitable for the Customer's particular regulatory environment or internal policies.

3.4 Unless expressly agreed in writing, the Customer shall not require Effivity to collect Personal Data directly from Data Subjects, contact Data Subjects on the Customer's behalf, or Process Restricted Data beyond what is reasonably necessary for the Services.

3.5 The Customer remains responsible for any controller obligations connected to transfers outside the Kingdom, including determining whether remote access, hosting, support access, or Sub-Processor involvement outside the Kingdom is permissible and whether any additional transfer instrument or approval is required.

3.6 The Customer shall ensure that its privacy notice is adapted to its own legal entity, lawful basis, retention periods, recipients, transfer wording, and Data Subject rights-handling channels. Effivity’s own privacy notice does not replace the Customer’s controller notice at the point of collection. Where the Effivity tenant processing such data is hosted within the Kingdom of Saudi Arabia via approved KSA-based infrastructure, the Customer’s privacy notice shall reflect that the data is processed within the Kingdom and may also be accessed from India or other approved processing locations, including Ireland, Singapore, and the United States, for support, security, backup, and operational purposes. The Customer, as Controller, remains responsible for ensuring that its notice accurately describes the applicable processing locations.

3.7 Effivity provides technology and related support services; it does not provide the Customer with legal advice, regulatory filing services, or a guarantee that the Customer will achieve compliance merely by using the Services.

4. Effivity obligations as Processor

4.1 Effivity shall ensure that persons authorized to Process Saudi Personal Data are bound by confidentiality obligations and receive appropriate training regarding information security and personal-data handling.

4.2 Effivity shall implement and maintain appropriate organizational, administrative, and technical measures to protect Saudi Personal Data, taking into account the nature of the data, the risks involved, the requirements of the Saudi PDPL, and the state of the relevant Services. A summary of Effivity's baseline technical and organizational measures is set out in Annex 2. Effivity may update those measures from time to time, provided that the overall level of protection is not materially reduced.

4.3 Effivity shall use Customer Personal Data only as necessary to provide and support the Services, maintain service security and resilience, prevent fraud or abuse, perform backup and recovery operations, carry out debugging and troubleshooting, and comply with applicable law or lawful orders directed to Effivity.

4.4 Effivity shall provide reasonable assistance, taking into account the nature of the Processing and the information available to Effivity, to support the Customer's compliance obligations relating to Data Subject requests, records of processing, incident response, risk assessments, and regulator inquiries. Effivity shall also provide reasonable cooperation in connection with regulator inquiries or requests to the extent such inquiries relate to Processing carried out by Effivity and where required under applicable law. Such assistance and cooperation shall be limited to information, systems, and capabilities reasonably available to Effivity in the normal course of providing the Services. Non-standard or materially burdensome assistance may be subject to reasonable fees, provided Effivity gives advance notice where practicable.

4.5 Effivity shall make available to the Customer such information as is reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, legal, and third-party restrictions.

4.6 Effivity shall not sell Saudi Personal Data, shall not Process Customer Personal Data for its own advertising or independent marketing purposes, and shall not otherwise use Customer Personal Data except as permitted by this DPA, the Agreement, or applicable law.

4.7 Nothing in this DPA restricts Effivity from generating or using aggregated, anonymized, or de-identified information that no longer identifies any Data Subject and is not Personal Data under applicable law.

4.8 Effivity shall not interact directly with Data Subjects regarding Saudi Personal Data unless authorized by the Customer or required by applicable law.

5. Security measures and Personal Data Breach management

5.1 Effivity shall maintain the security controls described in Annex 2 or materially equivalent controls and shall review them periodically in light of changes in risk, technology, and the Services.

5.2 In the event of a confirmed Personal Data Breach affecting Saudi Personal Data, Effivity shall notify the Customer without undue delay after becoming aware of the breach and, where reasonably practicable, within forty-eight (48) hours of such awareness. The notice may be phased if full details are not yet available and shall include the information reasonably known at the time.

5.2A Where a Personal Data Breach originates from or affects Processing carried out by a KSA-located Sub-Processor, Effivity's obligations in relation to that breach shall be limited to the following:

(i) Notification to Customer: Effivity shall notify the Customer in accordance with Section 5.2 of this DPA upon becoming aware of a confirmed Personal Data Breach. Where the breach originates with a Sub-Processor, Effivity's awareness is dependent on the Sub-Processor's notification to Effivity, and the notification timeline runs from the point Effivity itself becomes aware, not from the point the breach occurred at the Sub-Processor level.

(ii) Reasonable information sharing: Effivity shall provide the Customer with such information as is reasonably available to Effivity regarding the nature of the breach, to the extent not restricted by confidentiality obligations, legal privilege, security concerns, or third-party restrictions applicable to Effivity's relationship with the Sub-Processor.

(iii) No direct SDAIA notification obligation: The Customer, as Controller, is solely responsible for determining whether and when notification to SDAIA or any other competent authority is required, for preparing and submitting any such notification, and for meeting all applicable regulatory deadlines under the Saudi PDPL and Implementing Regulations. Effivity has no direct obligation to notify SDAIA on the Customer's behalf unless expressly required by applicable law as a direct obligation on Effivity as Processor.

(iv) Limitation of cooperation scope: Effivity's cooperation obligations under this clause are limited to sharing reasonably available information through normal support and communication channels. Non-standard, burdensome, or legally complex assistance - including forensic investigation, regulatory representation, or legal submissions - is outside the scope of this clause and may be subject to reasonable fees with advance notice.

(v) No admission of liability: Any notification, information sharing, or cooperation provided by Effivity under this clause does not constitute an admission of fault, negligence, or legal responsibility on the part of Effivity or any Sub-Processor.

5.3 Effivity shall promptly investigate the incident, take reasonable steps to contain, mitigate, and remediate its effects, preserve relevant evidence as appropriate, and provide reasonably requested follow-up information needed for the Customer's own notification and response obligations.

5.4 Any breach notification or cooperation provided by Effivity under this DPA does not constitute an admission of fault, liability, or legal wrongdoing.

5.5 Unless applicable law imposes a direct duty on Effivity, the Customer remains responsible for determining whether the Competent Authority, Data Subjects, or other parties must be notified of the incident.

6. Data Subject requests and customer assistance

6.1 The Customer remains responsible for responding to requests made by Data Subjects under the Saudi PDPL, including requests to be informed, access, receive a copy, correct, destroy, or otherwise exercise rights relating to Saudi Personal Data.

6.2 Effivity shall provide reasonable assistance through the Services, support channels, and reasonable efforts to enable the Customer to respond to such requests, taking into account the Customer's statutory response obligations and the information available to Effivity.

6.3 If Effivity receives a request directly from a Data Subject relating to Saudi Personal Data, Effivity shall promptly forward the request to the Customer and shall not respond directly unless authorized by the Customer or required by applicable law.

6.4 If a request requires non-standard work, complex extraction, restoration, customization, legal review, or other materially burdensome effort beyond standard product functionality and ordinary support, Effivity may charge reasonable fees for that additional assistance unless prohibited by applicable law.

6.5 Effivity is not required to provide information or take action where doing so would compromise the security of the Services, disclose another customer's confidential information, expose trade secrets, violate law, or materially impair the rights of others.

7. Monitoring, audit, and compliance information

7.1 In line with the Saudi PDPL framework, the Customer is responsible for periodically assessing Effivity's compliance with applicable processor obligations. The Customer may perform this assessment itself or appoint an independent third party bound by confidentiality obligations to do so on its behalf.

7.2 Before any on-site inspection is requested, the parties shall first seek to satisfy the Customer's assessment needs through documentation, certifications, audit summaries, security whitepapers, policy extracts, penetration-test summaries, questionnaires, or written responses reasonably made available by Effivity.

7.3 If the Customer reasonably demonstrates that a further audit is legally required or cannot reasonably be satisfied through the materials described above, Effivity shall permit a reasonable audit of relevant controls no more than once per twelve (12) months, except where a Competent Authority requires more frequent review or a material Personal Data Breach makes additional verification reasonably necessary.

7.4 Any audit shall be subject to reasonable advance notice, confidentiality undertakings, business-hour scheduling, security and site-access rules, non-disruption requirements, and protection of other customers' data and confidential information. Auditors may not be Effivity competitors. No audit right under this DPA authorizes access to source code, live penetration-test tooling, security secrets, or data belonging to other customers.

7.5 No vulnerability scanning, penetration testing, or other active security testing against Effivity systems may be performed under this DPA without Effivity's separate prior written approval.

7.6 The Customer shall bear its own internal costs of compliance and shall reimburse Effivity for any material, non-standard assistance or audit effort that goes beyond customary documentation and reasonable cooperation, provided Effivity informs the Customer in advance where practicable.

8. Sub-Processors

8.1 The Customer authorizes the Sub-Processors listed in Annex 3 as updated from time to time in accordance with this Section 8, for use in connection with the Services, subject to this Section 8. For Customers provisioned into the Oracle Cloud Infrastructure region in the Kingdom of Saudi Arabia, Oracle Cloud Infrastructure (OCI) shall act as a Sub-Processor solely for infrastructure hosting and related managed services within the Kingdom.

8.1A. KSA-located Sub-Processors - Where a Sub-Processor (including Oracle Cloud Infrastructure or its affiliates) processes Customer Personal Data within the Kingdom of Saudi Arabia, Effivity shall:

(a) ensure such Sub-Processor is contractually bound to comply with all applicable obligations under the Saudi PDPL and its Implementing Regulations, including data security, confidentiality, breach notification, data minimization, and purpose limitation;

(b) verify that the Sub-Processor operates in compliance with SDAIA's technical and operational security requirements applicable to cloud service providers in the Kingdom;

(c) maintain documentary evidence of the Sub-Processor's PDPL compliance, including any applicable certifications, audit reports, or assessments, and make relevant excerpts available to the Customer on reasonable request.

8.2 Effivity shall engage only Sub-Processors that provide sufficient guarantees for the protection of Customer Personal Data and shall bind each Sub-Processor by a written agreement imposing data-protection and confidentiality obligations that are no less protective than those applicable to Effivity under this DPA, taking into account the nature of the subcontracted services.

8.3 Before appointing a new Sub-Processor or replacing an existing one for Processing Saudi Personal Data, Effivity shall provide prior written notice to the Customer, including the identity of the proposed Sub-Processor, a summary of its role, and its relevant processing location(s). Unless urgent security, resilience, legal, or operational reasons require a shorter period, Effivity shall aim to provide at least fifteen (15) days' prior notice.

8.4 The Customer may object on reasonable, documented data-protection grounds within ten (10) business days after receiving notice. If the Customer does not object during that period, the new Sub-Processor shall be deemed accepted.

8.5 If the Customer timely objects, the parties shall work in good faith to address the objection. If the objection cannot reasonably be resolved, Effivity may elect not to use the proposed Sub-Processor for the Customer where reasonably feasible, or may suspend or terminate the affected Service or Processing. In that event, the Customer's sole remedy shall be the right to stop using or terminate the affected Service or Processing in accordance with the Agreement.

8.6 As between the parties, Effivity remains responsible for the acts and omissions of its Sub-Processors in relation to the Processing of Saudi Personal Data to the same extent as for its own, subject always to the Agreement's liability limitations.

8.7 Effivity shall maintain an up-to-date internal record of its Sub-Processors, their general processing role, and their processing locations, and shall make relevant information available to the Customer on reasonable request.

8.8 Sub-Processor due diligence for KSA-located Sub-Processors

(a) Scope of obligation: Effivity shall apply a risk-based approach to due diligence on KSA-located Sub-Processors. This obligation is limited to reviewing information that is reasonably and commercially available to Effivity in the ordinary course of its vendor management processes and does not require Effivity to conduct independent audits, commission third-party assessments, or obtain information that the Sub-Processor is unwilling or contractually unable to share.

(b) Initial assessment: Prior to engaging a KSA-located Sub-Processor for the Processing of Saudi Personal Data, Effivity shall make reasonable efforts to review such publicly available or contractually accessible information as the Sub-Processor makes available, which may include but is not limited to publicly listed security certifications (such as ISO 27001, CSA STAR, or equivalent), the Sub-Processor's standard security documentation, or its data processing terms. Effivity makes no representation that any such certification or documentation guarantees the Sub-Processor's compliance with the Saudi PDPL.

(c) Ongoing review: Effivity shall review its KSA-located Sub-Processors' compliance posture as part of its general vendor management programme, at a frequency and depth determined by Effivity in its reasonable discretion based on the risk profile of the services provided. This does not obligate Effivity to conduct formal audits or periodic reassessments on any fixed schedule.

(d) Information sharing with Customer: Upon the Customer's written request, Effivity shall provide a summary description of the due diligence approach applied to the relevant KSA-located Sub-Processor, to the extent such information is not subject to confidentiality obligations owed to the Sub-Processor, legal privilege, security restrictions, or Effivity's internal confidentiality policies. Effivity is under no obligation to share raw audit outputs, third-party assessment reports, contractual terms with Sub-Processors, or any information that Effivity does not have the right to disclose.

(e) No compliance guarantee: Effivity's due diligence obligations under this clause are process obligations only. Effivity does not warrant or guarantee that any KSA-located Sub-Processor is or will remain compliant with the Saudi PDPL, SDAIA requirements, or any other applicable law. The Customer, as Controller, remains responsible for independently satisfying itself as to whether the Sub-Processor arrangements are appropriate for its regulatory obligations.

(f) Frequency of requests: The Customer may submit a written request for due diligence information under clause 8.8(d) no more than once per calendar year, unless a confirmed Personal Data Breach directly involving the relevant Sub-Processor makes an additional request reasonably necessary. 

8.9 Independent Contractors and Specialist Service Providers

(a) Scope: This clause applies where Effivity engages individual independent contractors, freelancers, or specialist third-party service providers who may, in the course of providing services to Effivity, have incidental access to Customer Personal Data, including Saudi Personal Data.

(b) Access limitation: Effivity shall ensure that independent contractors and specialist service providers are granted access to Customer Personal Data only to the minimum extent strictly necessary for the specific task or service being performed. Access shall be role-based, time-limited, and revoked promptly upon completion of the engagement or earlier where no longer required.

(c) Contractual obligations - best efforts: Effivity shall use reasonable commercial efforts to bind independent contractors and specialist service providers to written confidentiality and data-protection obligations before granting access to Customer Personal Data. Where contractors operate under Effivity's standard contractor agreement, satisfaction of that agreement's data-protection and confidentiality provisions shall be deemed sufficient compliance with this clause, without requiring bespoke or customer-specific contractual terms.

(d) No guarantee of contractor compliance: Effivity does not warrant or guarantee the conduct of independent contractors or specialist service providers beyond the contractual obligations Effivity imposes on them. Where a contractor breaches their obligations, Effivity's liability to the Customer shall be limited to taking reasonable remedial steps upon becoming aware of the breach, subject always to the liability limitations in Section 13 of this DPA.

(e) Processing locations: Independent contractors and specialist service providers may access or process Customer Personal Data from locations listed in Annex 3 or otherwise approved by Effivity's internal vendor management process. Effivity does not guarantee that all contractor access will occur exclusively from within the Kingdom of Saudi Arabia and the Customer acknowledges this as part of the Services delivery model.

(f) No onward sub-contracting: Effivity shall use reasonable efforts to prohibit independent contractors from further sub-contracting or delegating any task involving access to Customer Personal Data without Effivity's prior written approval.

(g) Personnel security: Effivity shall apply its standard onboarding controls to independent contractors with access to Customer Personal Data, which may include confidentiality undertakings, access provisioning controls, and role-based training appropriate to the nature of the engagement. Effivity does not warrant that all contractors will have undergone formal background screening, as this depends on the nature, jurisdiction, and duration of the engagement.

(h) Offboarding and access revocation: Effivity shall maintain procedures for revoking contractor access to Customer Personal Data promptly upon termination or expiry of the relevant engagement, or earlier where access is no longer required.

(i) Customer acknowledgment: The Customer acknowledges that the use of independent contractors and specialist service providers is inherent to Effivity's service delivery model and that Effivity's obligations under this clause are process obligations only, limited to reasonable internal controls. The Customer remains responsible as Controller for assessing whether Effivity's contractor management practices are suitable for its own regulatory environment.

9. Processing locations, cross-border transfers, and foreign-law exposure

9.1 The Customer acknowledges that Effivity is established in India and that Effivity may Process or permit access to Saudi Personal Data from India and the processing locations identified in Annex 3, solely as necessary to provide and support the Services. Unless expressly agreed in writing, the Services are not offered on a Saudi-data-localization-only basis. Where the Customer and Effivity have agreed in a signed order form or addendum that Saudi Personal Data shall be hosted within the Kingdom using a KSA-located Sub-Processor (currently Oracle Cloud Infrastructure, KSA), Effivity shall ensure that the relevant data is stored and processed within the Kingdom for so long as that arrangement remains in effect and agreed in writing. This does not restrict Effivity's ability to access or process such data from India or other locations for support, security, backup, or operational purposes unless separately restricted in writing.

9.2 The Customer remains responsible, in its role as Controller, for determining whether any transfer, disclosure, storage, hosting, remote access, or other Processing of Saudi Personal Data outside the Kingdom is lawful and permissible under Article 29 of the Saudi PDPL, the Implementing Regulations, and the Regulation on Personal Data Transfer Outside the Kingdom.

9.3 Without limiting Section 9.2, the Customer is responsible for determining whether any adequacy assessment, risk assessment, standard contractual clauses, binding common rules, accreditation-based safeguard, filing, approval, notification, consent, or other compliance step is required in connection with any Processing of Saudi Personal Data outside the Kingdom.

9.4 Effivity shall, to the extent required by applicable law and taking into account the nature of the Processing and the information reasonably available to it, implement and maintain appropriate safeguards for any transfer or remote access involving Saudi Personal Data carried out by Effivity or its Sub-Processors in connection with the Services, including such safeguards as may be required under the Saudi PDPL, its Implementing Regulations, and the Regulation on Personal Data Transfer Outside the Kingdom.

9.5 Effivity shall, upon reasonable request, provide the Customer with commercially reasonable cooperation and information reasonably available to it regarding relevant processing locations, Sub-Processors, transfer arrangements, technical and organizational measures, and any transfer safeguard used by Effivity, solely to the extent necessary to support the Customer’s transfer assessments, filings, approvals, documentation, or compliance obligations under applicable law.

9.6 If Effivity relies on any transfer mechanism, safeguard, certification, contractual measure, or other arrangement in connection with transfers of Saudi Personal Data outside the Kingdom, Effivity shall maintain such measure in effect for so long as relevant Processing continues, to the extent required by applicable law and within Effivity’s control.

9.7 Effivity shall notify the Customer, without undue delay where practicable, if it becomes aware that: (a) a transfer safeguard used by Effivity is no longer valid or sufficient under applicable law; (b) a Competent Authority objects to or restricts a relevant transfer arrangement; or (c) a material change in Effivity’s processing locations, Sub-Processors, or legal exposure may reasonably affect the Customer’s transfer-compliance assessment.

9.8 Effivity shall provide reasonable cooperation in connection with inquiries, requests, inspections, or information demands from SDAIA or another competent authority, to the extent such inquiry relates to Processing of Saudi Personal Data carried out by Effivity on behalf of the Customer and to the extent required by applicable law. Such cooperation shall be limited to information, records, systems, and capabilities reasonably available to Effivity and shall remain subject to confidentiality, legal privilege, security restrictions, and the protection of other customers’ information.

9.9 Onward transfers from KSA-located Sub-Processors: Where a KSA-located Sub-Processor (including Oracle Cloud Infrastructure or its affiliates) operates infrastructure within the Kingdom of Saudi Arabia, the Customer acknowledges that such Sub-Processor may, as part of its standard global cloud operations, replicate, back up, or permit remote access to data across multiple regions for resilience, support, or operational purposes. Effivity does not control the internal architecture or data-residency configurations of third-party infrastructure Sub-Processors.

Effivity shall, to the extent within its reasonable control and as contractually available under its agreement with the relevant Sub-Processor:

(i) request that the Sub-Processor process Saudi Personal Data within the Kingdom to the extent technically feasible and agreed in the applicable Sub-Processor agreement;

(ii) include contractual obligations in its Sub-Processor agreement requiring the Sub-Processor to maintain appropriate transfer safeguards for any processing outside the Kingdom, consistent with Article 29 of the Saudi PDPL; and

(iii) notify the Customer where Effivity becomes aware of a material change to the Sub-Processor's processing locations that may reasonably affect the Customer's transfer-compliance position.

The Customer, as Controller, remains solely responsible for assessing whether the Sub-Processor's processing arrangements are permissible under applicable Saudi law, conducting any required transfer impact assessment, and obtaining any necessary approvals or authorizations from SDAIA or other competent authorities. Effivity's obligations under this clause are limited to reasonable contractual efforts and do not extend to guaranteeing Sub-Processor compliance, enforcing technical configurations beyond Effivity's control, or indemnifying the Customer for any transfer-related regulatory exposure.

10. Restricted Data and heightened-risk Processing

10.1 The Customer shall not require Effivity to Process Restricted Data unless such Processing is necessary for the Services, clearly identified in advance, and lawfully permitted under the Saudi PDPL and any applicable sector-specific requirements.

10.2 Where Restricted Data is Processed, the Customer remains responsible for obtaining any explicit consent or other lawful basis required by law and for carrying out any impact assessment, transfer assessment, internal authorization, or regulator-facing step required under applicable law.

10.3 Effivity shall apply enhanced safeguards appropriate to the nature, sensitivity, and risk of such data, including role-based access limitation, confidentiality controls, secure transmission and storage protections, and heightened incident handling, to the extent relevant to the Services.

10.4 If Effivity reasonably concludes that an instruction concerning Restricted Data presents a material legal, contractual, or security risk, Effivity may decline or suspend the relevant Processing until the parties agree on appropriate safeguards, limitations, or clarifications.

10.5 Unless expressly agreed in writing, the Services are not designed or contracted as a bespoke compliance environment for large-scale Processing of biometric templates, genetic data, criminal-record data, or other categories requiring specialized or regulated hosting arrangements beyond the controls ordinarily maintained for the Services.

11. Return, deletion, retention, and suspension

11.1 Upon termination or expiry of the Agreement, or earlier upon the Customer's written instruction, Effivity shall return or delete Saudi Personal Data in its possession or control, unless continued retention is required by applicable law or is technically necessary for a limited period as part of secure backup retention cycles, dispute preservation, fraud prevention, or service-security logging.

11.2 Where deletion is requested, Effivity shall delete Saudi Personal Data from active systems within a reasonable period and shall protect any remaining backup copies until they are overwritten or securely deleted in the ordinary course, unless a longer retention period is legally required.

11.3 Effivity may retain minimal archival or log information reasonably necessary to comply with law, maintain security, investigate abuse or incidents, establish or defend legal claims, or demonstrate contractual compliance, provided such retained data remains protected in accordance with this DPA.

11.4 Upon reasonable request, Effivity shall provide written confirmation that return or deletion has been completed in accordance with this Section 11, subject to the limitations stated herein.

11.5 Effivity may suspend access to or Processing of Customer Personal Data to the extent reasonably necessary to prevent unlawful instructions, address a material security risk, comply with applicable law, protect the Services, or protect other customers, and shall provide notice where practicable.

12. Mandatory disclosures and requests from authorities

12.1 If Effivity receives a legally binding request, order, or compulsory demand from a public authority, regulator, court, or other body, or is otherwise required by applicable law to disclose Saudi Personal Data, Effivity shall, unless legally prohibited, notify the Customer without undue delay and provide such available details as are reasonably necessary for the Customer to assess the request.

12.2 Effivity shall disclose only the minimum amount of Saudi Personal Data that is legally required and shall, where lawful and reasonably appropriate, seek to challenge, narrow, or clarify overbroad disclosure demands.

12.3 In accordance with the Saudi Implementing Regulations, nothing in this DPA requires Effivity to obtain the Data Subject's or Customer's prior consent for a mandatory disclosure of Personal Data under applicable laws in the Kingdom, provided that Effivity notifies the Customer of such disclosure unless prohibited from doing so.

12.4 Effivity may respond directly to requests or instructions lawfully addressed to Effivity by a competent authority where applicable law requires it. Unless the law places the obligation directly on Effivity, the Customer remains responsible for any controller-side regulatory notifications, filings, or responses.

13. Term, liability, and miscellaneous

13.1 This DPA takes effect on the date on which the Customer becomes bound by the Agreement and remains in force for as long as Effivity Processes Saudi Personal Data on the Customer's behalf.

13.2 For Saudi Personal Data, the parties shall interpret and perform this DPA first in light of the mandatory requirements of the Saudi PDPL and its Implementing Regulations. Except to the extent a mandatory provision of Saudi law requires otherwise, the governing-law, venue, dispute-resolution, and general-contract provisions of the Agreement shall govern the contractual interpretation and enforcement of this DPA.

13.3 Except to the extent prohibited by mandatory law, nothing in this DPA increases or expands Effivity's liability beyond the limitations, exclusions, and liability cap set out in the Agreement. If the Agreement contains no express liability cap, Effivity's aggregate liability arising out of or relating to this DPA shall not exceed the fees paid or payable by the Customer under the Agreement during the twelve (12) months preceding the event giving rise to the claim.

13.4 The Customer shall remain responsible for and shall defend, indemnify, and hold harmless Effivity, its affiliates, and their personnel from third-party claims, regulatory actions, damages, fines, penalties, costs, and expenses to the extent arising from the Customer's unlawful instructions, lack of lawful basis, failure to provide notices or obtain consents, permissions, approvals, or transfer authorizations, or other breach of the Customer's controller obligations, except to the extent finally determined to have been caused by Effivity's breach of this DPA.

13.5 No amendment to this DPA shall be effective unless made in writing, including by electronic amendment, written acceptance, or replacement published or executed in accordance with the Agreement.

13.6 If any provision of this DPA is held invalid or unenforceable, the remainder shall remain in full force and effect, and the invalid provision shall be interpreted or replaced to best achieve its intended lawful effect.

13.7 This DPA may be executed or accepted electronically and in counterparts, each of which shall be deemed an original.

14. Signatures

The parties have caused this DPA to be executed by their duly authorized representatives or otherwise accepted in accordance with the Agreement.

For Effivity Technologies Private Limited

Name: __________________________
Title: ___________________________
Date: ____________________________
Signature: _______________________

For Customer

Name: __________________________
Title: ___________________________
Date: ____________________________
Signature: _______________________

Annex 1 - Details of Processing

This Annex describes the subject matter, nature, purpose, and context of the Processing covered by this DPA.

Subject matter

Provision of the Effivity software-as-a-service platform and related support, hosting, maintenance, security, troubleshooting, implementation, and ancillary services.

Duration

For the term of the Agreement and any limited transition, backup, archival, deletion, incident-response, or wind-down period reasonably required under the Agreement or applicable law.

Nature of the Processing

Collection, recording, storage, hosting, organization, structuring, retrieval, consultation, use, remote access, support, backup, deletion, transmission, and other processing operations necessary to provide and secure the Services.

Purpose(s) of the Processing

To provide, secure, maintain, configure, support, and administer the Services for the Customer; enable user access and account management; support customer-requested workflows; perform troubleshooting, recovery, and security operations; and comply with applicable law.

Categories of Data Subjects

Customer personnel; authorized users; employees; contractors; consultants; suppliers; business partners; customers or counterparties of the Customer; and other individuals whose Personal Data the Customer uploads or makes available through the Services.

Categories of Personal Data

Names; business contact information; phone numbers; email addresses; usernames; job titles; department and company information; addresses; website URLs; identification numbers; tax/VAT data; payment-related data; audit documentation; HR-related data; support-content data; and other Personal Data the Customer chooses to upload to or process through the Services.

Restricted / Sensitive Personal Data

Only where specifically instructed by the Customer, clearly identified in advance, necessary for the Services, and lawfully permitted under applicable law.

Frequency of the Processing

Continuous or repeated, according to the Customer's use of the Services.

Processing locations

Effivity personnel may access or Process Customer Personal Data from India. Approved Sub-Processors may Process Customer Personal Data from the locations stated in Annex 3. No Kingdom-only localization commitment applies unless separately agreed in writing. Where agreed in writing, Customer Personal Data (including Saudi Personal Data) may be hosted within the Kingdom of Saudi Arabia via Oracle Cloud Infrastructure (OCI), KSA region. In such cases, Effivity personnel may continue to access or Process such data from India for support, security, administration, and operational purposes.

Other applicable-law note

For Saudi Personal Data, the Saudi PDPL is the primary framework addressed by this DPA. If certain Processing is independently subject to GDPR or another non-Saudi privacy law and the parties have separately adopted relevant terms for that law, those separate terms may apply in parallel according to their own scope.


Annex 2 - Technical and organizational measures

Effivity shall maintain appropriate organizational, administrative, and technical measures designed to protect Customer Personal Data. The measures below describe Effivity's baseline control areas and may be updated over time, provided that the overall level of protection is not materially reduced.

• Governance and policies: Documented information-security and privacy policies; defined internal responsibilities; confidentiality undertakings; and periodic review of relevant procedures.

• Access management: Role-based access controls, least-privilege principles, approval workflows for elevated access, strong authentication controls, password-management practices, and multi-factor authentication where supported or appropriate.

• Data segregation and environment control: Logical controls designed to separate customer environments and limit unauthorized cross-customer access; change-management controls for production systems; and administrative controls around privileged activity.

• Encryption and secure transmission: Use of secure transmission protocols such as TLS/SSL for electronic transmission of Personal Data; and encryption or equivalent protective controls for data at rest where supported by the relevant service component or infrastructure.

• Network and infrastructure security: Firewalls, endpoint protection, secure-configuration baselines, vulnerability-remediation processes, and reasonable network-security controls designed to reduce unauthorized access and service disruption.

• Logging and monitoring: System and security logging for relevant events; monitoring of production environments and administrative access; and retention of logs in line with operational and security needs.

• Business continuity and backups: Backup and recovery processes, resilience measures, and reasonable disaster-recovery/business-continuity procedures designed to support service availability and restoration.

• Incident response: Documented incident-management procedures for identifying, triaging, investigating, containing, remediating, and reporting security incidents and Personal Data Breaches.

• Vendor and Sub-Processor management: Due diligence and contractual controls for Sub-Processors, including confidentiality and security obligations, together with oversight appropriate to the service risk.

• Personnel security and training: Background and onboarding controls where appropriate, role-based training, awareness activities, and procedures for timely revocation of access when roles change or personnel depart.

• Retention and deletion controls: Procedures to return, delete, or destroy Customer Personal Data when no longer required, including management of active environments and backup cycles, subject to legal retention requirements.

• Physical and environmental security: Use of infrastructure providers that maintain physical access controls, monitoring, and environmental safeguards appropriate to the systems hosting Personal Data. Where Customer Personal Data is hosted within the Kingdom of Saudi Arabia via a KSA-located Sub-Processor, Effivity shall rely on that Sub-Processor's own physical and environmental security controls, as described in the Sub-Processor's publicly available documentation, standard security certifications, and applicable terms of service. Effivity has no independent ability to inspect, audit, modify, or guarantee the physical infrastructure of third-party cloud Sub-Processors and assumes no liability for the adequacy or continued validity of such controls.

• Independent contractors and specialist service providers with access to Customer Personal Data are subject to Effivity's access provisioning controls, including role-based and time-limited access grants, revocation procedures upon engagement termination, and confidentiality undertakings consistent with Effivity's standard contractor management programme.

Annex 3 - Authorized Sub-Processors and processing locations

The following Sub-Processors are currently authorized for use in connection with the Services, based on the information available from Effivity's current service stack and prior contract materials. The list may be updated in accordance with Section 8 of this DPA.

Processor-location note. Effivity itself is established in India and may access or Process Customer Personal Data from India as part of service delivery, support, security, administration, and contract performance.

| Sub-Processor | Service / role | Primary processing location(s) | Notes |
|---|---|---|---|
| Oracle Data Centre | Hosting and cloud infrastructure | Kingdom of Saudi Arabia | Used for core hosting and infrastructure services. |
| Google Analytics | Website analytics | United States / other configured Google regions | Used where applicable for website and product analytics. |
| PayPal | Payment processing | United States | Used for payment processing where selected by the Customer or configured by Effivity. |
| Stripe | Payment processing | United States | Used for payment processing where selected by the Customer or configured by Effivity. |
| SendGrid | Transactional email delivery | United States | Used for service emails and related communications. |
| Twilio Authy | Authentication services | United States | Used for authentication or multi-factor verification where enabled. |
| Microsoft Teams | Video conferencing and communications | United States / other Microsoft locations | Used for meetings, support, or operational communications where applicable. |