Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Daak Harkara LLC ("Daak Harkara", "we", "Processor") and the customer identified in the applicable order or product subscription ("Customer", "Controller"). It governs the processing of Personal Data on behalf of the Customer in connection with our products (the "Services").

This DPA is intended to satisfy the requirements of Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, the Swiss FADP, and equivalent laws (including the California Consumer Privacy Act / CPRA where applicable).

2. Definitions

Capitalized terms not defined here have the meanings given to them in the GDPR or our Terms of Service. "Personal Data" means any information relating to an identified or identifiable natural person processed by us on the Customer's behalf.

3. Subject-Matter and Duration

We process Personal Data only for the duration of the Services and only as required to provide them. The subject-matter, nature, and purpose of processing are described in the Service documentation and the Customer's configuration of the Services.

4. Categories of Data and Data Subjects

Categories of Personal Data typically include: name, email address, billing information, IP address, device and browser metadata, message content provided by Customer, and any other data the Customer chooses to upload or submit through the Services. Data subjects include the Customer's end users, employees, contacts, and recipients.

5. Obligations of Daak Harkara

• Process Personal Data only on documented instructions from the Customer, including with regard to international transfers, except where required by EU or member-state law to which we are subject.
• Ensure that all personnel authorized to process Personal Data are bound by confidentiality.
• Implement appropriate technical and organizational measures consistent with Article 32 of the GDPR (see Section 8 below).
• Assist the Customer, by appropriate technical and organizational measures, in fulfilling their obligations to respond to data-subject requests and to comply with Articles 32–36 of the GDPR.
• Make available to the Customer the information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

6. Sub-Processing

The Customer provides general written authorization for Daak Harkara to engage sub-processors to assist in providing the Services. The current list of sub-processors is published at /subprocessors. We will give the Customer at least 14 days' advance notice of any new or replacement sub-processor and provide a reasonable opportunity to object on legitimate grounds. If we cannot accommodate the objection, the Customer may terminate the affected portion of the Services on written notice.

We impose data-protection terms on each sub-processor that are no less protective than those in this DPA, and remain fully liable for the performance of each sub-processor.

7. International Transfers

Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country not recognized as providing an adequate level of protection, the parties rely on the European Commission's Standard Contractual Clauses (SCCs) (Module Two: Controller to Processor) and equivalent UK and Swiss addenda, which are deemed incorporated by reference and executed by signing this DPA.

8. Security Measures

We implement and maintain appropriate technical and organizational measures, including but not limited to:

• Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.3).
• Role-based access control (RBAC) and the principle of least privilege.
• Multi-factor authentication for administrative access.
• Centralized audit logging of administrative actions.
• Regular vulnerability scanning and security patching of all systems.
• Secure software-development practices following OWASP guidelines.
• Regular automated backups and tested disaster-recovery procedures.
• Documented incident-response and breach-notification processes.

Additional details are available on our Security page.

9. Data-Subject Rights

We will assist the Customer in responding to requests from data subjects to exercise their rights under applicable law (access, rectification, erasure, restriction, portability, objection). The Customer remains responsible for responding to such requests directly. Where a data subject contacts us directly, we will (without acting on the request unless instructed) inform the Customer without undue delay.

10. Personal-Data Breach

We will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal-Data Breach affecting the Customer's data, with the information necessary for the Customer to comply with its own notification obligations under Articles 33–34 of the GDPR.

11. Return and Deletion of Data

On termination or expiry of the Services, the Customer may export their Personal Data through the Services for a period of 30 days. After that period, we will delete or anonymize all Personal Data unless retention is required by applicable law. Backup copies are deleted on the normal backup-rotation schedule.

12. Audits

We will respond to reasonable Customer requests for information necessary to demonstrate compliance with this DPA. The Customer may, on reasonable advance notice and not more than once per year, conduct or commission an audit of our processing activities relevant to this DPA. The Customer bears its own audit costs unless the audit reveals material non-compliance, in which case the parties will cooperate to remediate.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the underlying Terms of Service.

14. How to Sign

This DPA takes effect automatically when you accept the Terms of Service, to the extent applicable to your use of the Services. If your organization requires a counter-signed copy, email legal@daakharkara.com with your company name, billing email, and registered address. We will return a signed copy within 5 business days.

15. Contact