Data Processing Agreement
Effective date: January 1, 2025
This Data Processing Agreement ("DPA") is entered into between AMANA Technologies LLC ("Processor") and the customer entity that has agreed to the Terms of Service ("Controller"). This DPA supplements and forms part of the Terms of Service.
1. Scope and Purpose
The Processor will process personal data on behalf of the Controller solely for the purpose of providing the AMANA ERP Service as described in the Terms of Service. Personal data processed includes employee records, customer data, and any other personal data submitted by the Controller to the Service.
2. Controller's Obligations
The Controller warrants and represents that:
- It has a lawful basis for processing all personal data submitted to the Service.
- It has provided appropriate notices to data subjects whose data is processed.
- It is authorised to instruct the Processor to process personal data on its behalf.
- It will comply with applicable data protection laws in its jurisdiction.
3. Processor's Obligations
The Processor agrees to:
- Process personal data only on the documented instructions of the Controller.
- Ensure personnel authorised to process data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures.
- Not engage sub-processors without prior authorisation from the Controller.
- Assist the Controller in fulfilling data subject rights requests within 10 business days.
- Delete or return all personal data upon termination of the Service.
- Provide all information necessary to demonstrate compliance with this DPA.
4. Sub-processors
The Controller authorises the use of the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure and data storage | Bahrain (me-south-1) |
| Stripe Inc. | Payment processing | United States |
| Resend Inc. | Transactional email delivery | United States |
The Processor will notify the Controller of any intended changes to sub-processors by email at least 14 days in advance.
5. Security Measures
The Processor implements and maintains the following security measures:
- AES-256 encryption of data at rest.
- TLS 1.2+ encryption of data in transit.
- Role-based access controls limiting access to authorised personnel.
- Multi-factor authentication for administrative access.
- Regular automated database backups with encrypted storage.
- Comprehensive audit logging of all data access and modifications.
- Annual security reviews and penetration testing.
6. Data Breach Notification
In the event of a personal data breach, the Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address it.
7. Term and Termination
This DPA remains in effect for the duration of the Terms of Service. Upon termination, the Processor will delete all personal data within 30 days unless retention is required by law.
8. Governing Law
This DPA is governed by the laws of the United Arab Emirates and shall be construed in accordance with the principles of UAE Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data.