Under this DPA, the Controller determines the purposes and means of processing personal information held in the platform, and Emeron processes that information only on the Controller's documented instructions, in accordance with the master services agreement, the order form, and applicable data-protection law. Where Emeron is acting on its own behalf — for example, billing and account administration — Emeron is the Controller for that processing and our privacy notice governs.
| Scope element | Description |
| --- | --- |
| Data subjects | Citizens, residents, applicants, businesses, employees, suppliers, regulated entities, and other categories of person whose information the Controller manages through the platform. |
| Categories of personal data | Identification data, contact data, identifier numbers (national ID, tax ID, license numbers), application content, regulatory submissions, financial information, employment records, and other categories defined in the order form. |
| Special categories | Where the Controller's use case involves special-category data (health, biometrics, criminal records, etc.), this is explicitly recorded in the order form, with additional safeguards as agreed. |
| Duration | For the term of the master services agreement and any contractually agreed return / deletion period thereafter. |
- Process personal information only on the Controller's documented instructions, including with regard to international transfers, unless required by applicable law (in which case we will notify the Controller before processing, where lawful).
- Ensure that persons authorized to process personal information are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures — described in the security annex to the master services agreement — proportionate to the risk presented by the processing.
- Engage sub-processors only under written terms imposing equivalent data-protection obligations. Maintain an up-to-date sub-processor list and notify the Controller of additions or changes at least 30 days in advance.
- Assist the Controller, taking into account the nature of the processing, in responding to data-subject requests and in fulfilling the Controller's regulatory obligations.
- Notify the Controller without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting the Controller's data, together with the information needed for the Controller's regulatory notifications.
- At the end of the contractual relationship, at the Controller's choice, either return all personal information to the Controller or delete it (and certify deletion in writing), subject to any retention required by applicable law.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for audits — conducted by the Controller or a mandated auditor — on reasonable prior notice.
The location of primary data storage and processing is set in the order form. By default, customer data is held in the jurisdiction agreed at contract — UAE, EU, India, or customer-controlled infrastructure — and is not transferred outside that jurisdiction without the Controller's prior written consent. Where transfers are necessary for technical operations (e.g., remote engineering support), they take place under appropriate safeguards, including Standard Contractual Clauses for GDPR-scope data.
| Control area | Measure |
| --- | --- |
| Encryption | TLS 1.2+ in transit for all platform traffic; AES-256 at rest for sensitive data and backups. |
| Access control | Role-based access control, principle of least privilege, multi-factor authentication for administrative access, periodic access review. |
| Logging & monitoring | Centralized, tamper-resistant audit logging of administrative actions and security-relevant events. Retention per the agreement. |
| Vulnerability management | Documented patch program, periodic third-party penetration testing, public vulnerability-disclosure channel. |
| Personnel | Background screening proportionate to role, signed confidentiality undertakings, mandatory security and privacy training. |
| Continuity | Documented backup, restore, and business-continuity plan. Restore tests at agreed cadence. |
| Incident response | Documented incident-response plan with named roles, communication protocol, and post-incident review process. |
The full security annex is attached to the master services agreement and is subject to NDA where it includes information not appropriate for public release.
The parties' liabilities under this DPA are subject to the limitation of liability stated in the master services agreement, except where applicable law imposes a higher floor. If there is any conflict between this DPA and the master services agreement on data-protection matters, this DPA prevails on those matters.
Customer counter-paper accepted within reason. Legal works directly with your counsel — no procurement middleware.