
Data Processing Agreement

Data Processing Agreement (اتفاقية معالجة البيانات)

Version 2.0 | Last Updated: January 1, 2025 | PDPL Compliant

Need a signed copy?

Enterprise customers can request a pre-signed DPA for their records.

Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between AqlHR Technologies ("Processor," "we," "our") and the organization using our services ("Controller," "you," "your") for the processing of personal data.

This DPA reflects the parties' agreement with regard to the processing of personal data in accordance with the requirements of the Saudi Arabia Personal Data Protection Law (PDPL) and other applicable data protection regulations.

This Data Processing Agreement forms part of the Terms of Service between AqlHR and the organization using our services with respect to the processing of personal data.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion
  • "Data Subject" means the individual to whom Personal Data relates
  • "Controller" means the entity that determines the purposes and means of Processing Personal Data
  • "Processor" means the entity that Processes Personal Data on behalf of the Controller
  • "Sub-processor" means any third party engaged by the Processor to Process Personal Data
  • "Security Incident" means any unauthorized access, disclosure, or destruction of Personal Data
  • "PDPL" means the Saudi Arabia Personal Data Protection Law
2. Scope of Processing

2.1 Categories of Data Subjects

  • Employees of the Controller
  • Job applicants and candidates
  • Contractors and temporary workers
  • Dependents and beneficiaries
  • Emergency contacts

2.2 Categories of Personal Data

  • Identity Data: Name, national ID/Iqama number, passport number, date of birth, nationality
  • Contact Data: Address, email, phone number, emergency contacts
  • Employment Data: Job title, department, salary, employment history, performance records
  • Financial Data: Bank account (IBAN), salary details, tax information
  • Government IDs: GOSI number, Qiwa ID, Absher number
  • Health Data: Medical leave records, Sehhaty information (where applicable)
  • Biometric Data: Attendance records (where applicable)

2.3 Processing Activities

  • HR management and administration
  • Payroll processing and WPS compliance
  • Leave management and attendance tracking
  • Performance management and training
  • Compliance reporting to government authorities
  • Document generation and storage
  • AI-powered HR assistance

3. Processor Obligations

AqlHR, as the Processor, agrees to:

3.1 Processing Instructions

  • Process Personal Data only on documented instructions from the Controller
  • Inform the Controller if any instruction infringes applicable data protection law
  • Not Process Personal Data for any purpose other than providing the Service

3.2 Confidentiality

  • Ensure that all personnel processing Personal Data are bound by confidentiality obligations
  • Limit access to Personal Data to authorized personnel only
  • Implement appropriate access controls and authentication measures

3.3 Security Measures

  • Implement appropriate technical and organizational security measures
  • Encrypt Personal Data at rest (AES-256) and in transit (TLS 1.3)
  • Maintain audit logs of all data access and modifications
  • Conduct regular security assessments and penetration testing
  • Implement disaster recovery and business continuity procedures

3.4 Sub-processors

  • Not engage Sub-processors without prior written authorization from the Controller
  • Ensure Sub-processors are bound by equivalent data protection obligations
  • Remain liable for Sub-processor compliance
  • Maintain a current list of Sub-processors available upon request

4. Data Subject Rights

AqlHR will assist the Controller in responding to Data Subject requests, including:

  • Access to Personal Data
  • Rectification of inaccurate data
  • Erasure of Personal Data (subject to legal retention requirements)
  • Restriction of Processing
  • Data portability
  • Objection to Processing

AqlHR will notify the Controller within 48 hours of receiving any Data Subject request and will not respond directly to Data Subjects without Controller authorization.

5. Security Incidents

5.1 Notification

In the event of a Security Incident, AqlHR will:

  • Notify the Controller without undue delay, and in any event within 24 hours
  • Provide detailed information about the nature and scope of the incident
  • Describe the measures taken or proposed to address the incident
  • Cooperate with the Controller's investigation and remediation efforts

5.2 Incident Response

AqlHR maintains a comprehensive incident response plan that includes:

  • Immediate containment and assessment procedures
  • Evidence preservation and forensic analysis
  • Communication protocols with affected parties
  • Post-incident review and improvement measures

6. Data Location & Transfers

6.1 Data Residency

All Personal Data is stored on servers located within the Kingdom of Saudi Arabia unless otherwise agreed in writing. AqlHR uses data centers that comply with international security standards (ISO 27001, SOC 2).

6.2 International Transfers

AqlHR will not transfer Personal Data outside of Saudi Arabia without:

  • Prior written consent from the Controller
  • Appropriate safeguards as required by PDPL
  • Transfer to jurisdictions with adequate data protection

7. Audit Rights

AqlHR will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

  • Audits require 30 days' prior written notice
  • Audits will be conducted during normal business hours
  • Auditors must sign confidentiality agreements
  • Controller bears the cost of audits unless non-compliance is found

8. Data Retention & Deletion

8.1 Retention Period

Personal Data will be retained for the duration of the service agreement and for the period required by applicable law (minimum 10 years for employment records under Saudi Labor Law).

8.2 Deletion

Upon termination of the service agreement:

  • Controller will have 30 days to export all Personal Data
  • AqlHR will delete or return all Personal Data upon written request
  • Deletion will be certified in writing upon completion
  • Data required for legal compliance may be retained in a secure archive

9. Liability & Indemnification

Each party shall be liable for damages caused by Processing that infringes this DPA or applicable data protection law. AqlHR shall indemnify the Controller for any damages arising from AqlHR's breach of this DPA or its obligations under PDPL.

Liability is subject to the limitations set forth in the main Terms of Service.

10. Term & Termination

This DPA shall remain in effect for the duration of the service agreement between the parties. The obligations regarding confidentiality, data deletion, and audit rights shall survive termination.

Contact Information

For questions about this DPA or to request a signed copy:

Data Protection Officer

[email protected]

Address

AqlHR Technologies
King Fahd Road, Al Olaya District
Riyadh 12211, Kingdom of Saudi Arabia