Data Processing Agreement

Last updated: April 24, 2026

Our commitments as a data processor under GDPR, Saudi PDPL, UAE PDPL, and Bahrain PDPL.

Important: This page details COMPLYRA's role as a data processor on behalf of its customers (data controllers). To request a formal Data Processing Agreement (DPA), please contact us.

1. Definitions & Roles

Term            | Definition
----------------|--------------------------------------------------------------
Data Controller | The subscribing organization (client) that determines the purposes and means of processing personal data.
Data Processor  | COMPLYRA, which processes personal data on behalf of the controller.
Data Subject    | The individual whose personal data is being processed (client employees and registered users).
Sub-processor   | A third party engaged by COMPLYRA to perform specific processing services.

2. Subject Matter of Processing

COMPLYRA processes the following personal data on behalf of clients:

  • User names, email addresses, and job roles.
  • Questionnaire answers, uploaded documents, and notes.
  • Activity logs and audit records associated with users.
  • Contact information and messages exchanged via the platform.

3. Our Obligations as Processor

  • We process personal data only on documented instructions from the data controller, unless required by applicable law.
  • All authorized personnel with data access are bound by confidentiality obligations and receive regular data protection training.
  • We implement appropriate technical and organizational measures per GDPR Article 32, including AES-256 encryption at rest, TLS 1.3 in transit, 2FA, RBAC, and immutable audit logs.
  • We notify the controller within 48 hours of discovering any personal data breach, providing the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken.
  • We assist the controller in responding to data subject rights requests within the applicable statutory timeframe (maximum 30 days from receipt, extendable to 60 days for complex requests).
  • We delete or return all personal data within 30 days of contract termination. Audit logs legally required to be retained longer will be anonymised at the point of account deletion and retained only for the minimum period required by law.
  • We conduct data protection impact assessments (DPIAs) for new high-risk processing activities and make them available to the controller upon request.

3a. Controller Obligations

As the data controller, the subscribing organization is responsible for:

  • Determining the lawfulness of all processing instructions given to COMPLYRA.
  • Obtaining valid consent or establishing a lawful basis for processing data subjects' personal data before using the platform.
  • Handling data subject rights requests received directly and coordinating with COMPLYRA where platform data access is required.
  • Notifying the relevant supervisory authority of breaches where required under applicable law.
  • Ensuring that users granted platform access are authorised to process the personal data within the platform.

3b. Audit Rights

In accordance with GDPR Article 28(3)(h) and equivalent provisions under Saudi PDPL and UAE PDPL, data controllers have the right to:

  • Request and receive platform audit logs and activity records relating to their organization's data at any time.
  • Request a copy of COMPLYRA's most recent independent security assessment or penetration test executive summary.
  • Commission independent audits of the platform with 30 days' prior written notice, at the controller's cost, subject to agreement on scope and timing to avoid disruption to other clients.

Audit rights may be exercised once per calendar year unless a confirmed security incident warrants an additional review.

4. Sub-processors

We engage trusted sub-processors to operate the platform. Clients are given at least 30 days' prior written notice of any addition or replacement of sub-processors. Clients who object on legitimate data protection grounds may terminate the affected services with a pro-rata refund.

Sub-processor          | Purpose                             | Location
-----------------------|-------------------------------------|-------------------
Cloud Hosting Provider | Server hosting and data storage     | GCC / EU region
Payment Processor      | Subscription payment processing     | PCI DSS compliant
Email Service Provider | Sending notifications and alerts    | GDPR compliant

4a. International Transfers & Standard Contractual Clauses

Where personal data is transferred outside the country of origin, COMPLYRA ensures such transfers are protected by:

  • EU Standard Contractual Clauses (SCCs) — Module 2 (Controller-to-Processor) approved by the European Commission under Decision 2021/914, incorporated by reference into the formal DPA.
  • Supplementary technical measures — encryption at rest and in transit, pseudonymisation, and access controls ensuring data is inaccessible to sub-processors in jurisdictions without adequate protection.
  • Transfer Impact Assessments (TIAs) — conducted for all data destinations to assess local law interference risk per EDPB Recommendations 01/2020.

The formal signed DPA (available upon request) incorporates the EU SCCs as Annex I and maps them to Saudi PDPL and UAE PDPL cross-border transfer requirements.

5. Applicable Regulatory Frameworks

🇸🇦 Saudi PDPL 2023

Requires notification to SDAIA within 72 hours of a data breach discovery.

🇦🇪 UAE Federal Decree No. 45/2021

Governs processing, storage, and transfer of personal data within the UAE.

🇧🇭 Bahrain Law No. 30/2018

Covers data processing principles, controller registration, and breach notification.

🇪🇺 EU GDPR

The global reference standard for data protection and the most stringent framework.

6. Request a Formal DPA

Enterprise clients can request a formal Data Processing Agreement. Contact us via our Contact form and we will send the signed DPA within 3 business days.