Data Processing Addendum (DPA) — UAE Only

1. General

This Data Processing Addendum (the "Addendum") forms part of the Agreement, between IHQ and the Client which governs the use of the IHQ Services by the Client and becomes effective on the Effective Date.

2. Definitions

"Adequacy Decision" means any country or territory recognised by the UAE Data Office under PDPL.

"Data Controller" means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

"Data Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.

"Personal Data" means any information relating to the Data Subject.

3. Personal Data Processing

The Client and IHQ agree and acknowledge that, with regards to the processing of Personal Data, the Client is the Data Controller and IHQ is the Data Processor.

The Personal Data will be processed by IHQ on behalf of the Client, following the Client's written instructions, in accordance with the Agreement and the PDPL that apply to IHQ.

In its use of the Services, the Client shall comply with the requirements contained in the data protection laws that apply to it, including those contained in the PDPL, UK GDPR, EU GDPR or, if applicable, CCPA.

6. International Transfers

In order for IHQ to provide the Services to the Client, the Client acknowledges and hereby consents that the personal data processed by IHQ on behalf of the Client may be transferred, stored and processed to locations outside of the UAE. IHQ warrants that it will only undertake international transfers in accordance with the PDPL.

7. Security

IHQ shall implement and maintain appropriate technical and organisational measures against accidental, unauthorised or unlawful Processing, access, copying, modification, reproduction, display or distribution of the Personal Data.

8. Minimum Technical and Organisational Measures

IHQ has implemented and maintains industry recognised security measures and certifications in place, including ISO/IEC 27001, ISO/IEC 27018 and SOC2 Type II.

9. Personal Data Breach Notifications

IHQ will notify the Client as soon as reasonably possible in the event of becoming aware of an incident concerning a Personal Data Breach on the Personal Data that IHQ processes on behalf of the Client.

12. Sub-processors

IHQ may from time to time engage third party sub-processors to process Personal Data on its behalf. IHQ shall (1) maintain a list of its sub-processors in the IHQ Legal Resource Centre (www.intenthq.com/legal) and update such list no less than fourteen (14) days before changing any sub-processor, (2) impose data protection terms on such sub-processors.

14. Termination

This Addendum will remain in full force and effect so long as: (i) the Agreement remains in effect; or (ii) IHQ retains any of the Personal Data related to the Agreement in its possession or control.

Within 30 days after the termination of the Agreement, IHQ will delete the Personal Data, unless required by law.

16. Miscellaneous

If there is a conflict between this Addendum and any provision of the Agreement, this Addendum shall prevail. This Addendum replaces and supersedes all previous written and oral agreements related to the processing of data.