Data Processing Agreement
Last updated: March 1, 2026
Effective Date: March 1, 2026
Agreement Reference: DPA-INFLOW-2026-001
This Data Processing Agreement ("DPA") is entered into by and between:
| Role | Party |
|---|---|
| Data Controller | The entity identified in the applicable InFlow AI Service Agreement (the "Controller" or "Client") |
| Data Processor | CARDIGITAL FZCO, trading as InFlow AI, registered at IFZA, Dubai Silicon Oasis, Dubai, UAE, License No. 15150, represented by Anton Kuznetsov, Managing Partner (the "Processor") |
Each a "Party" and together the "Parties."
This DPA forms part of and is supplemental to the InFlow AI Terms of Service or other written agreement between the Parties governing the Processor's provision of services (the "Principal Agreement"). In the event of conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to personal data processing matters.
1. Definitions
In this DPA, unless the context requires otherwise:
- "Applicable Data Protection Law" means the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL") and its implementing regulations, as amended from time to time.
- "Controller" means the natural or legal person that determines the purposes and means of processing Personal Data, as defined in Article 1 of the UAE PDPL.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates (Article 1, UAE PDPL).
- "Personal Data" means any data relating to an identified or identifiable natural person, as defined in Article 1 of the UAE PDPL.
- "Processing" means any operation or set of operations performed on Personal Data, whether automated or manual, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction (Article 1, UAE PDPL).
- "Processor" means the natural or legal person that processes Personal Data on behalf of, and upon the instructions of, the Controller (Article 1, UAE PDPL).
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- "Services" means the accounts receivable communication automation services provided by the Processor under the Principal Agreement.
2. Scope and Purpose of Processing
2.1 Subject Matter
The Processor shall process Personal Data on behalf of the Controller solely for the purpose of providing the Services, which include automated accounts receivable (AR) communication, payment reminder delivery, debtor engagement tracking, and related analytics.
2.2 Categories of Data Subjects
Debtors, customers, and other individuals whose data is uploaded by the Controller to the InFlow AI platform.
2.3 Types of Personal Data
- Full name
- Email address
- Phone number (mobile and/or landline)
- Outstanding debt amount and invoice details
- Payment history and transaction records
- Communication history (messages sent, delivery status, responses)
- WhatsApp identifiers (where applicable)
2.4 Duration
Processing shall continue for the duration of the Principal Agreement and thereafter only as required for the data deletion or return obligations under Section 7.3.
3. Processor Obligations
3.1 Processing on Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, including transfers to third countries, unless required by applicable law. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the UAE PDPL or other applicable data protection provisions (Article 29, UAE PDPL).
3.2 Confidentiality
The Processor shall ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation shall survive the termination of this DPA.
3.3 Security Measures
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required under Article 28 of the UAE PDPL. Such measures are detailed in Annex A to this DPA and include, without limitation:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls with multi-factor authentication
- Comprehensive audit logging of all data access and modifications
- Regular security assessments and vulnerability testing
- Incident response procedures
3.4 Sub-processors
The Controller hereby provides general written authorisation for the Processor to engage Sub-processors listed in Annex B. The Processor shall:
- Notify the Controller of any intended changes to Sub-processors at least 14 days in advance;
- Impose data protection obligations no less protective than those in this DPA on each Sub-processor via a written agreement;
- Remain fully liable for the acts and omissions of its Sub-processors.
The Controller may object to a new Sub-processor within 14 days of notification. If the objection is not resolved, the Controller may terminate the affected Services.
3.5 Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Data Breach, providing:
- A description of the nature of the breach, including categories and approximate number of Data Subjects affected;
- Contact details of the Processor's data protection point of contact;
- A description of the likely consequences;
- A description of measures taken or proposed to address the breach and mitigate its effects.
This obligation is consistent with the notification requirements under Articles 34–35 of the UAE PDPL.
3.6 Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under the UAE PDPL (Articles 12–18), including:
- Right of access (Article 12)
- Right to rectification (Article 13)
- Right to erasure (Article 14)
- Right to restrict processing (Article 15)
- Right to data portability (Article 16)
- Right to object to processing (Article 17)
The Processor shall promptly forward to the Controller any Data Subject request received directly.
3.7 Assistance with Compliance
Taking into account the nature of processing and information available, the Processor shall assist the Controller in ensuring compliance with obligations related to data protection impact assessments and prior consultations with the UAE Data Office, where applicable (Articles 30–31, UAE PDPL).
3.8 Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, upon 30 days' written notice. Such audits shall be conducted during normal business hours, no more than once per calendar year, and at the Controller's expense.
4. Controller Obligations
The Controller warrants and undertakes that:
- It has a lawful basis for processing Personal Data under the UAE PDPL, including where applicable, valid consent from Data Subjects (Articles 4–5, UAE PDPL);
- It has provided all required notices to Data Subjects regarding the processing of their data;
- All Personal Data provided to the Processor is accurate, complete, and up to date;
- Its instructions to the Processor shall comply with all applicable laws;
- It shall respond to Data Subject requests within the timelines prescribed by the UAE PDPL.
5. International Data Transfers
5.1 Primary Hosting
Personal Data is primarily stored within the European Union (Supabase, region eu-central-1, Frankfurt, Germany), which provides an adequate level of data protection.
5.2 Sub-processor Transfers
Certain Sub-processors may process Personal Data outside the UAE. In such cases, the Processor shall ensure that appropriate safeguards are in place in accordance with Article 22 of the UAE PDPL, including:
- Adequacy determinations by the UAE Data Office;
- Standard contractual clauses or equivalent binding agreements;
- Appropriate technical measures to protect data during transfer.
5.3 Controller Consent
By entering into this DPA, the Controller consents to the transfer of Personal Data to the jurisdictions in which the approved Sub-processors operate, as listed in Annex B.
6. Liability and Indemnification
6.1 Liability
Each Party shall be liable for damage caused by processing that infringes the UAE PDPL. The Processor shall be liable only for damage caused by processing not in compliance with this DPA or with the Controller's lawful instructions.
6.2 Indemnification
Each Party shall indemnify the other Party against all claims, damages, losses, costs, and expenses (including reasonable legal fees) arising from or in connection with any breach of this DPA by the indemnifying Party.
6.3 Limitation
The aggregate liability of the Processor under this DPA shall not exceed the total fees paid by the Controller under the Principal Agreement in the 12 months preceding the event giving rise to the claim, except in cases of wilful misconduct or gross negligence.
7. Term and Termination
7.1 Term
This DPA shall commence on the Effective Date and remain in force for the duration of the Principal Agreement.
7.2 Termination
This DPA shall automatically terminate upon expiration or termination of the Principal Agreement.
7.3 Effects of Termination
Upon termination, the Processor shall, at the Controller's election:
- Return all Personal Data to the Controller in a commonly used, machine-readable format; or
- Securely delete all Personal Data and certify such deletion in writing.
The Controller must make this election within 30 days of termination. If no election is made, the Processor shall delete all Personal Data within 90 days of termination.
8. UAE PDPL Compliance
This DPA is designed to comply with the requirements of Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) and its implementing regulations. Key provisions addressed include:
- Articles 4–5: Lawful basis and consent requirements (Controller obligation)
- Articles 12–18: Data Subject rights
- Article 22: Cross-border data transfers
- Article 28: Security of processing
- Article 29: Processor obligations
- Articles 34–35: Data breach notification
- Articles 30–31: Data protection impact assessments
9. General Provisions
9.1 Governing Law
This DPA shall be governed by and construed in accordance with the laws of the United Arab Emirates.
9.2 Dispute Resolution
Any dispute arising out of this DPA shall be resolved in accordance with the dispute resolution mechanism set forth in the Principal Agreement.
9.3 Amendments
This DPA may only be amended in writing signed by both Parties.
9.4 Severability
If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.
Annex A — Technical and Organisational Security Measures
| Category | Measure |
|---|---|
| Encryption in Transit | TLS 1.2 or higher for all API communications and data transfers |
| Encryption at Rest | AES-256 encryption for all stored Personal Data (Supabase PostgreSQL) |
| Access Control | Role-based access control (RBAC); principle of least privilege; multi-factor authentication for all administrative access |
| Authentication | OAuth 2.0 / JWT-based authentication; session management with automatic timeout |
| Audit Logging | Comprehensive logging of all data access, modifications, and deletions; logs retained for minimum 12 months |
| Network Security | Firewall protection; DDoS mitigation; API rate limiting |
| Data Isolation | Logical tenant separation via Row Level Security (RLS) in database |
| Backup & Recovery | Automated daily backups with point-in-time recovery; encrypted backup storage |
| Vulnerability Management | Regular dependency updates; automated security scanning |
| Employee Security | Confidentiality agreements; security awareness training; background checks where applicable |
| Incident Response | Documented incident response plan with defined escalation procedures; 72-hour breach notification |
| Physical Security | Managed by cloud infrastructure provider (AWS eu-central-1); SOC 2 Type II certified data centres |
Annex B — Approved Sub-processors
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Supabase Inc. | Database hosting & authentication | EU (Frankfurt, Germany) | All Personal Data (primary storage) |
| Resend Inc. | Transactional email delivery | United States | Email addresses, message content |
| Twilio Inc. | SMS delivery | United States | Phone numbers, message content |
| Stripe Inc. | Payment processing | United States / EU | Payment-related identifiers (no card data stored by Processor) |
| Meta Platforms Inc. (WhatsApp Business API) | WhatsApp message delivery | United States / EU | Phone numbers, WhatsApp IDs, message content |
Signatures
DATA CONTROLLER
Name: ___________________________
Title: ___________________________
Company: ________________________
Date: ___________________________
DATA PROCESSOR
CARDIGITAL FZCO (InFlow AI)
Name: Anton Kuznetsov
Title: Managing Partner
Date: ___________________________