Data Processing Addendum
How Faaz processes personal data as a processor on behalf of enterprise clients.
This page summarises Faaz Technology Solutions Pvt Ltd’s (“Faaz” or “Processor”) standard Data Processing Addendum (“DPA”) for enterprise clients (“Client” or “Controller”). The full DPA is incorporated into client agreements or executed as a separate schedule. It aligns with common enterprise procurement requirements and principles under the Saudi Personal Data Protection Law (PDPL), India’s DPDP Act, and internationally recognised processor obligations.
1. Roles and Scope
When Client uses Faaz products or services to process personal data relating to Client’s employees, customers, vendors, or other individuals, Client is the controller (or equivalent) and Faaz acts as processor, processing data only on documented instructions from Client as set out in the Agreement, SOW, and this DPA.
Processing activities may include hosting, storage, transmission, transformation, display, backup, support, and deletion of personal data within delivered systems.
2. Instructions and Purpose
Faaz will process personal data only to:
- Provide, maintain, and support contracted products and services
- Perform integrations authorised by Client
- Detect and respond to security incidents
- Comply with applicable law, where processing is required and Client cannot lawfully instruct otherwise
Faaz will inform Client if an instruction appears to violate applicable data protection law.
3. Categories of Data and Subjects
Depending on the deployment, processed data may include:
- Subjects: Client employees, contractors, customers, suppliers, and case participants
- Categories: identity and contact data, employment and HR records, financial and invoice data, case files, authentication logs, and operational metadata
- Special categories: only where Client configures systems to process such data and provides lawful instructions
4. Confidentiality
Faaz ensures personnel authorised to process personal data are bound by confidentiality obligations appropriate to enterprise engagements.
5. Security Measures
Faaz implements technical and organisational measures appropriate to risk, including access controls, encryption in transit, secure development practices, logging, and incident response. Details are described in our Security & Compliance overview and may be expanded in security schedules or questionnaires.
6. Subprocessors
Client authorises Faaz to engage subprocessors for infrastructure and operational support (e.g., cloud hosting, email delivery, monitoring, development tooling, and AI APIs where enabled). Faaz:
- Maintains a subprocessor list available to clients on request
- Imposes data protection obligations on subprocessors by contract
- Notifies Client of material subprocessor changes where required by the Agreement, allowing objection within agreed timeframes
Typical categories include cloud infrastructure providers, managed database services, and — where contracted — enterprise LLM API providers configured for inference-only use.
7. International Transfers
Personal data may be processed in India, Saudi Arabia, or other regions depending on deployment architecture and subprocessors. Faaz implements appropriate safeguards such as contractual clauses, access restrictions, encryption, and — where agreed — data residency or local hosting options.
8. Assistance to Client
Faaz will reasonably assist Client with:
- Data subject requests, where Faaz can do so without disproportionate effort
- Security assessments and audit requests as defined in the Agreement
- Data protection impact assessments related to Faaz processing, where applicable
- Notifications to supervisory authorities, to the extent Faaz is involved and as required by contract
9. Breach Notification
Faaz will notify Client without undue delay after becoming aware of a personal data breach affecting Client data, providing information reasonably available to enable Client to meet its notification obligations. Notification target: security@faaztechsolutions.com (Client should also notify its Faaz account contact).
10. Return and Deletion
Upon termination or expiry, Faaz will delete or return personal data as instructed in the Agreement, subject to legal retention requirements and backup cycles. Backup media may persist for a limited period before automatic purge.
11. Audits
Faaz will make available relevant compliance information and, where required by the Agreement, allow audits under reasonable notice, confidentiality, and frequency limits. Faaz may satisfy audit requests through third-party certifications or reports where appropriate.
12. Request the Full DPA
Enterprise clients may request our standard Data Processing Addendum for signature or incorporation into master agreements.