Data Processing Agreement

Parties: 

  • ZENDATA Cybersecurity (the “Processor”) 
  • Client Organization (the “Controller”) 

 

Purpose and Scope

This Data Processing Agreement (“DPA”) forms part of the service agreement between ZENDATA Cybersecurity and the Client (the “Agreement”) and governs the processing of personal data by ZENDATA on behalf of the Client in the course of providing managed cybersecurity services, including but not limited to: 

  • 24/7 SOC Monitoring (ZEN360) 
  • Threat Intelligence 
  • Incident Response 
  • Vulnerability Management 
  • Compliance Support 
  • vCISO Advisory 
  • Mobile Device Management (MDM/MTD) 
  • Code Review and Penetration Testing 

This DPA ensures compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), and applicable data protection laws in the Middle East and Asia, including but not limited to the UAE PDPL, Bahrain PDPL, Singapore PDPA, and India DPDP Act. 

 

Definitions

  • Controller: The entity that determines the purposes and means of processing personal data. 
  • Processor: ZENDATA Cybersecurity, which processes personal data on behalf of the Controller. 
  • Data Subject: An identified or identifiable natural person. 
  • Personal Data: Any information relating to a Data Subject. 
  • Processing: Any operation performed on personal data, whether automated or not. 
  • Sub-Processor: A third party engaged by the Processor to process personal data. 

 

Roles and Responsibilities

  • The Client is the Data Controller. 
  • ZENDATA Cybersecurity acts as the Data Processor. 
  • ZENDATA shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country. 

 

Categories of Data and Data Subjects

Categories of Data Subjects: 

  • Client employees 
  • Contractors 
  • End users 
  • Third-party vendors (where applicable) 

Categories of Personal Data: 

  • Names, email addresses, phone numbers 
  • IP addresses, device identifiers 
  • User credentials and access logs 
  • Security event metadata 
  • Any other data types as defined in the service scope 

ZENDATA does not process special categories of data unless explicitly instructed and contractually agreed. 

 

Processing Activities

ZENDATA processes personal data for the following purposes: 

  • Monitoring and detecting cybersecurity threats 
  • Incident response and forensic analysis 
  • Threat intelligence correlation 
  • Compliance reporting and audit support 
  • Security log management and vulnerability scanning 

All processing is conducted in accordance with the Agreement and this DPA. 

 

Security Measures

ZENDATA implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including: 

  • ISO 27001-certified Information Security Management System (ISMS) 
  • CREST-certified SOC operations (Bahrain and global) 
  • Role-based access control (RBAC) and multi-factor authentication (MFA) 
  • Data encryption in transit and at rest 
  • Real-time monitoring and anomaly detection 
  • Incident response SLAs (e.g., 30-minute response for critical alerts) 
  • Regular penetration testing and vulnerability assessments 
  • Secure log collection and retention policies 

 

Sub-Processing

ZENDATA may engage Sub-Processors for specific services (e.g., cloud hosting, analytics). A current list of Sub-Processors is available upon request. 

  • ZENDATA shall ensure Sub-Processors are bound by data protection obligations equivalent to those in this DPA. 
  • The Controller will be notified of any intended changes concerning the addition or replacement of Sub-Processors. 

 

International Data Transfers

ZENDATA may transfer personal data outside the EEA, Middle East, or Asia only: 

  • To countries with an adequacy decision by the European Commission, or 
  • Under appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) 

All transfers are documented and subject to risk assessments. 

 

Data Subject Rights

ZENDATA shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under applicable laws, including: 

  • Access, rectification, and erasure 
  • Restriction of processing 
  • Data portability 
  • Objection to processing 

Requests received directly by ZENDATA will be forwarded to the Controller without undue delay. 

 

Personal Data Breach Notification

In the event of a personal data breach, ZENDATA shall: 

  • Notify the Controller without undue delay (within 24 hours of detection) 
  • Provide details of the breach, including scope, impact, and mitigation steps 
  • Cooperate fully with the Controller and relevant authorities 

 

Data Retention and Deletion

Upon termination of the Agreement or upon request, ZENDATA shall: 

  • Return all personal data to the Controller, or 
  • Securely delete all personal data, unless retention is required by law 

ZENDATA will provide a certificate of deletion upon request. 

 

Audits and Inspections

ZENDATA shall make available all information necessary to demonstrate compliance with this DPA and allow for audits or inspections by the Controller or a mutually agreed third-party auditor, subject to confidentiality obligations. 

 

Liability and Indemnity

Each party shall be liable for its own acts and omissions under this DPA. ZENDATA’s liability is limited as per the terms of the main Agreement, except where prohibited by applicable law. 

 

Governing Law and Jurisdiction

This DPA shall be governed by the laws of the United Arab Emirates, unless otherwise agreed in the main Agreement. Any disputes shall be subject to the exclusive jurisdiction of the competent courts in the UAE. 

 

Contact

For any questions or to obtain additional information, please contact us at the following email address: info@zendata.security.