LEGAL DOCUMENTATION | Version 1.0

Data Processing Agreement

DPA rules, GDPR alignment, subprocessing standards, and personal data management policies.

Effective Date: June 01, 2026 | Last Updated: June 01, 2026 | Version: 1.0 | Reading Time: 17 min read

1. Purpose and Applicability

This Data Processing Agreement ("DPA") is an addendum to the Terms of Service between DXBMARK LLC ("Processor") and Customer ("Controller"). It applies where:

  • Customer engages DXBMARK to process personal data on Customer's behalf
  • Processing is undertaken through DXBMARK services including SaaS products, hosting, managed infrastructure, integrations, automation, custom development, or consulting
  • Processing is subject to data protection laws including GDPR, UK GDPR, CCPA, or similar applicable regulations

This DPA supplements but does not replace the Terms of Service. In case of conflict, this DPA takes precedence regarding data protection matters.

This DPA applies only where DXBMARK processes personal data on behalf of a B2B customer as a processor under the customer's documented instructions. It does not apply to DXBMARK's own controller activities, such as receiving enquiries, managing leads, billing customers, processing payments for DXBMARK services, responding to support requests, operating DXBMARK's website, or maintaining DXBMARK's internal business records.


Controller Activities Excluded

This DPA applies only where DXBMARK processes personal data on behalf of Customer as a processor under Customer's documented instructions.

This DPA does not apply where DXBMARK processes personal data as an independent controller, including:

  • Account administration
  • Customer onboarding and account management
  • Billing and invoicing
  • Payment processing and payment reconciliation
  • Tax, accounting, and financial records
  • Legal compliance and regulatory obligations
  • Fraud prevention and security monitoring
  • Website analytics and service improvement
  • Marketing communications
  • Supplier and vendor management
  • Direct business communications
  • Internal business administration
  • Establishing, exercising, or defending legal claims

Those controller activities are governed by DXBMARK's Privacy Policy and applicable terms.

If the same engagement involves both controller and processor activities, this DPA applies only to the processing activities performed by DXBMARK on behalf of Customer as processor.


2. Definitions

  • Personal Data: Information that identifies or can identify a natural person, as defined in applicable data protection laws
  • Controller: Customer, who determines the purposes and means of processing
  • Processor: DXBMARK LLC, which processes personal data on behalf of Controller under documented instructions
  • Sub-processor: A third party engaged by Processor to process personal data
  • Processing: Any operation performed on personal data (collection, storage, use, sharing, deletion, etc.)
  • Data Subject: The individual to whom personal data relates
  • Personal Data Breach: Unauthorized or accidental access, disclosure, loss, destruction, alteration, or misuse of personal data
  • Special Categories: Sensitive personal data requiring enhanced protection (health, race, religious beliefs, etc.)
  • Data Protection Laws: GDPR, UK GDPR, CCPA, and other applicable data protection regulations
  • Documented Instructions: Customer's written instructions as provided through the agreement, statement of work, service configuration, support requests, project tickets, written emails, and authorised account actions
  • GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council
  • UK GDPR: UK General Data Protection Regulation as retained in UK law

3. Subject Matter, Duration, Nature, and Purpose

The following describes the processing covered by this DPA:

Aspect | Details
Subject Matter | Processing of customer-provided personal data through the DXBMARK service(s) specified in the relevant agreement, proposal, or statement of work
Duration | Active service period plus applicable retention period as specified in this DPA or the underlying agreement
Nature of Processing | Storage, use, backup, support, delivery, technical analysis, integration, and related operations as necessary to provide the service
Purpose of Processing | Service delivery, technical support, security, compliance with legal obligations, and activities expressly instructed by Customer
Categories of Data Subjects | As specified per service schedule in Annex A
Types of Personal Data | As provided by Customer and as specified per service schedule in Annex A

4. Controller Obligations

Customer (as Controller) shall:

  • Determine the purposes, scope, nature, and means of processing personal data
  • Maintain a lawful basis for processing (consent, contract, legal obligation, legitimate interest, etc.)
  • Obtain all necessary consents and authorisations from Data Subjects where required
  • Ensure compliance with applicable data protection laws in Customer's jurisdiction and in jurisdictions where Customer operates
  • Maintain a record of processing activities where required by applicable law
  • Respond to Data Subject rights requests within required legal timeframes
  • Conduct Data Protection Impact Assessments (DPIAs) where required
  • Notify DXBMARK of any changes to processing purposes, scope, or relevant legal obligations
  • Not provide special category data, children's data, government ID data, full payment card data, health data, biometric data, or other highly sensitive data unless expressly agreed in writing and appropriate safeguards are confirmed

5. Processor Obligations

DXBMARK (as Processor) shall:

  • Process personal data only on documented instructions from Customer, except where required by applicable law
  • Notify Customer if DXBMARK believes an instruction infringes applicable data protection laws, before processing unless prohibited by law
  • Ensure that persons authorised to process personal data are subject to binding confidentiality obligations
  • Implement and maintain appropriate technical and organizational security measures as described in Section 9
  • Assist Customer in responding to Data Subject rights requests to the extent technically feasible and agreed
  • Assist Customer with Data Protection Impact Assessments (DPIAs) where required and where DXBMARK's assistance is necessary
  • Assist Customer in fulfilling obligations to supervisory authorities and regulators where applicable
  • Notify Customer of confirmed or suspected personal data breaches in accordance with Section 11
  • Not process personal data for DXBMARK's own purposes beyond what is permitted in this DPA or required by law
  • Engage Sub-processors only under the terms of Section 7
  • Upon termination of services, return or delete personal data as specified in Section 12, unless retention is required by law

6. Processing Instructions

Customer provides documented instructions through:

  • The underlying agreement, proposal, or statement of work
  • Service invoices and order confirmations
  • Configuration and settings within DXBMARK services
  • Support tickets, project tasks, and written emails
  • Authorised account actions taken within DXBMARK platforms

DXBMARK may refuse or suspend processing instructions that it reasonably believes are:

  • Unlawful or in violation of applicable data protection laws
  • Outside the agreed service scope
  • Technically impractical or unsafe
  • Likely to cause harm to Data Subjects or third parties

Where DXBMARK identifies a legal concern with instructions, it will notify Customer in writing and may suspend processing of the relevant instructions pending Customer's clarification.


7. Sub-processors

7.1 Current Sub-processors

DXBMARK maintains a Subprocessor List as Annex B to this DPA or as a separate downloadable or web-based document. The Subprocessor List identifies material third-party providers used to support DXBMARK services, including provider name, service category, purpose, data categories, role, location or transfer notes, legal or privacy documentation links where available, and status.

Material subprocessors may include, depending on the applicable service, Zoho, Stripe, PayPal, Cookiebot by Usercentrics, Tawk.to, Calendly, Google Meet, Cloudflare, Vercel, GitHub, MWHEBA LTD / MWHEBA Creative Agency, Google services, and other hosting, infrastructure, communications, payment, support, analytics, deployment, or business service providers used from time to time.

7.2 Sub-processor Changes

DXBMARK may update the Subprocessor List from time to time. For active B2B customers where DXBMARK acts as processor and where required by applicable law or written agreement, DXBMARK will provide reasonable notice of material new subprocessors or material changes to subprocessors.

Customer may object to a new material subprocessor on reasonable data protection grounds within the objection period stated in the applicable agreement or notice. If DXBMARK cannot reasonably resolve the objection, DXBMARK may provide a reasonable alternative, limit the affected service, or allow termination of the affected service where required by applicable law or agreement.

7.3 Objection to Sub-processors

If Customer objects to a new material subprocessor on reasonable data protection grounds:

  • Customer must notify DXBMARK in writing within the objection period stated in the applicable agreement or notice
  • DXBMARK will discuss the concern with Customer and attempt to resolve it
  • If resolution is not possible and the subprocessor is material to the service, DXBMARK may provide a reasonable alternative, limit the affected service, or allow termination of the affected service where required by applicable law or agreement

8. Data Subject Rights Assistance

8.1 Types of Rights Covered

DXBMARK will assist Customer in responding to requests from Data Subjects exercising rights under applicable law, including:

  • Right of access (Subject Access Request)
  • Right to rectification
  • Right to erasure (right to be forgotten)
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent
  • Rights related to automated decision-making and profiling

Standard technical assistance available through the service interface or normal support process is included where technically feasible and commercially reasonable. Extended assistance, custom exports, custom deletion work, detailed compliance questionnaires, audits, DPIA support, regulator correspondence support, or work outside the normal service scope may be subject to additional fees at DXBMARK's then-current professional service rates, unless prohibited by applicable law or agreed otherwise in writing.

8.2 DXBMARK's Assistance

DXBMARK will:

  • Notify Customer promptly (within 5 business days) if DXBMARK receives a data subject request directly relating to Customer's data
  • Provide technical assistance and available tools to facilitate Customer's response
  • Mark data for restriction or deletion upon Customer's written instruction
  • Provide necessary data exports to support portability requests

8.3 Customer Responsibility

Customer is responsible for:

  • Receiving, authenticating, and verifying Data Subject requests
  • Determining the appropriate response under applicable law
  • Responding to Data Subjects within legally required timeframes
  • Assessing whether compliance may conflict with overriding legitimate interests or legal obligations

9. Technical and Organizational Security Measures

DXBMARK implements and maintains the following technical and organizational measures:

9.1 Technical Measures

  • Encryption of personal data in transit using TLS/SSL
  • Encryption of sensitive data at rest
  • Secure backup and disaster recovery procedures
  • Access controls, authentication systems, and role-based permissions
  • Intrusion detection and security monitoring
  • Regular security patches and system updates
  • Firewalls and network segmentation
  • Data segregation between customers where applicable
  • Secure credential management practices

9.2 Organizational Measures

  • Data protection training for staff handling personal data
  • Binding confidentiality obligations for employees and contractors
  • Access controls based on role and need-to-know (least-privilege principle)
  • Data handling policies and procedures
  • Incident response and breach notification procedures
  • Vendor security assessments for material sub-processors
  • Regular review of security measures and practices

10. Audit and Information Rights

10.1 Information Provision

DXBMARK will provide Customer with information reasonably necessary to demonstrate compliance with this DPA upon written request.

10.2 Audit Rights

Customer may conduct audits or inspections of DXBMARK's data processing activities, subject to the following conditions:

  • Audits must be requested in writing with reasonable advance notice (minimum 30 days)
  • Audits may be conducted no more than once per calendar year, unless a confirmed material security incident requires an additional audit
  • Audits must be conducted during normal business hours and must not unduly disrupt DXBMARK's operations
  • Auditors must sign confidentiality agreements acceptable to DXBMARK
  • Audit scope must not compromise the security, availability, or confidentiality of DXBMARK systems or other customers' data
  • Costs of the audit are borne by Customer unless the audit reveals a material breach by DXBMARK

DXBMARK may provide third-party audit reports or security certifications in lieu of direct audits where appropriate.

DXBMARK may satisfy reasonable audit and information requests by providing security documentation, completed security questionnaires, policy summaries, subprocessor information, vendor documentation, or other available compliance materials. Direct audits are subject to reasonable notice, confidentiality requirements, scope limitations, security restrictions, and DXBMARK's operational availability. DXBMARK is not required to provide access that would compromise the security, confidentiality, availability, or privacy of DXBMARK systems, other customers, vendors, or infrastructure providers.


11. Data Breach Notification

11.1 Notification by DXBMARK

Upon becoming aware of a confirmed or reasonably suspected personal data breach affecting Customer's data, DXBMARK will:

  • Notify Customer without undue delay and in any case within 72 hours of becoming aware of the breach (where feasible)
  • Provide, to the extent known: description of the breach, categories and approximate number of data subjects and records affected, likely consequences of the breach, and measures taken or proposed to address the breach
  • Cooperate with Customer to investigate, contain, and remediate the breach

11.2 Customer Notification Responsibilities

Customer is responsible for:

  • Determining whether notification to data protection authorities is required under applicable law
  • Notifying regulators within legally required timeframes (typically 72 hours under GDPR)
  • Communicating with affected Data Subjects where required
  • Making decisions about the appropriate regulatory and communication response

12. Data Retention and Deletion

12.1 During the Service

DXBMARK retains personal data in accordance with:

  • Customer's documented retention instructions
  • Service terms and applicable data retention policies
  • Applicable legal obligations and business records requirements

12.2 End of Service

Upon termination or expiration of the relevant DXBMARK service:

  • DXBMARK will provide Customer with a reasonable period (typically 30 days, unless otherwise agreed) to export or extract personal data
  • DXBMARK will, at Customer's instruction, delete all personal data (except where retention is required by law)
  • DXBMARK will confirm deletion in writing upon completion
  • Customers are responsible for requesting and performing their data export before access ends

12.3 Legally Mandated Retention

DXBMARK may retain personal data beyond the end of service where:

  • Retention is required by applicable law, regulation, or court order
  • Retention is necessary to defend or establish legal claims
  • Required by tax, accounting, or regulatory obligations

DXBMARK will document such retained data and notify Customer where permitted.


13. Confidentiality

DXBMARK shall:

  • Keep all personal data processed under this DPA confidential
  • Restrict access to persons with a demonstrated need-to-know basis
  • Require binding confidentiality obligations from employees and contractors processing personal data
  • Not disclose personal data to third parties except as authorised by Customer, required by law, or permitted under this DPA

14. International Transfers

Where processing requires transfer of personal data from the EU, UK, or other jurisdictions with data transfer restrictions to countries not covered by an adequacy decision, DXBMARK will implement appropriate transfer mechanisms including:

  • Standard Contractual Clauses (SCCs): EU SCCs (2021) or UK International Data Transfer Agreements (IDTAs) as applicable
  • Adequacy Decisions: Where applicable
  • Supplementary Measures: Such as encryption and access controls, where required by applicable guidance

DXBMARK will inform Customer of applicable transfer mechanisms upon request.


15. Sensitive Data Restriction

Customer must not provide the following types of data through DXBMARK services unless expressly agreed in a separate written addendum with appropriate safeguards:

  • Special category data (health, racial/ethnic origin, religious beliefs, biometric data, genetic data, sex life, sexual orientation, criminal records, trade union membership)
  • Children's data (data of individuals under 18 years of age)
  • Full payment card data outside of approved and PCI-compliant payment processors
  • Government-issued identity document numbers (national ID, passport numbers, etc.) in bulk
  • Full Social Security Numbers or equivalent national identifiers in bulk
  • Highly sensitive personal data whose breach would be likely to cause significant harm

16. Liability

16.1 Data Protection Liability

Each party is liable for damages caused by its own breach of this DPA in accordance with applicable data protection laws. Liability is subject to the limitation of liability provisions in the underlying Terms of Service, except:

  • Liability for violations of mandatory data protection rights cannot be excluded
  • Liability for willful misconduct or gross negligence cannot be limited
  • Liability for core confidentiality or security obligations cannot be limited below the cap in the Terms of Service

16.2 Customer Indemnification

Customer indemnifies DXBMARK against claims arising from:

  • Customer's use of personal data in violation of applicable law
  • Customer-provided data that infringes third-party rights
  • Customer's breach of its obligations under this DPA
  • Customer's use of DXBMARK services without lawful authority or adequate legal basis

17. Amendment and Updates

17.1 Changes to This DPA

DXBMARK may amend this DPA to comply with changes in applicable law, regulatory guidance, or significant changes in processing activities. DXBMARK will provide written notice of material changes with at least 30 days' advance notice.

17.2 Regulatory Updates

If new data protection regulations require changes to this DPA, the parties will cooperate to amend it and maintain compliance.


18. Governing Law


19. Entire Agreement on Data Processing

This DPA, together with the Terms of Service and any specific written proposal or service agreement, constitutes the complete data processing agreement between DXBMARK and Customer regarding personal data processing.


20. Severability

If any provision of this DPA is found unenforceable, that provision shall be modified to the minimum extent necessary to make it enforceable, and the remainder shall remain in full effect.


Annex A: Service-Specific Processing Schedules

The following schedules describe processing activities per service type.


Schedule 1: Custom Software, Website, and WordPress Development

Aspect | Details
Data Subjects | Customer staff, end users, website users, test users, business contacts provided by Customer
Data Types | Account data, website content, WordPress data, project documents, technical specifications, test data, user records provided by Customer, screenshots, logs, technical diagnostics
Processing Activities | Development, testing, deployment, configuration, support, debugging, migration, plugin setup, website maintenance
Retention | Duration of engagement plus 5 years (project records)

Schedule 2: Hosting and Managed Infrastructure

Aspect | Details
Data Subjects | Customer's users, website visitors, application users
Data Types | IP addresses, server logs, hosted content and applications, backups, monitoring data, access credentials, configuration data
Processing Activities | Hosting, monitoring, security, backup, incident response, performance management
Retention | Duration of service plus 12 months post-termination (unless Customer instructs earlier deletion)

Schedule 3: Automation and Integrations

Aspect | Details
Data Subjects | Customer's contacts, employees, users, vendors, prospects as processed through integrated workflows
Data Types | Workflow data, CRM records, email metadata, API payloads, operational and transactional records
Processing Activities | Integration setup, data synchronisation, workflow automation, reporting, API operations
Retention | Duration of service plus reasonable retention for integration records

Schedule 4: CRM, Dashboard, and Portal Projects

Aspect | Details
Data Subjects | Customer staff, portal users, customers, vendors, business contacts, dashboard users
Data Types | Account data, CRM records, dashboard records, portal content, operational data, user-generated content, access logs, reporting data
Processing Activities | System configuration, dashboard development, portal delivery, reporting, data import/export, support, maintenance
Retention | Duration of engagement plus applicable export and retention period stated in the agreement

Schedule 5: Support, Chat, Ticketing, and Maintenance

Aspect | Details
Data Subjects | Customer contacts, support users, website visitors using chat, account users
Data Types | Names, email addresses, company data, support messages, chat transcripts, ticket data, attachments, technical metadata, support history
Processing Activities | Support ticket management, live chat, chatbot routing, troubleshooting, maintenance, issue resolution, customer communication
Retention | 3 years from support resolution unless a longer period is required by law or agreement

Schedule 6: SaaS Products

Aspect | Details
Data Subjects | Account users, workspace members, Customer-managed records within the SaaS product
Data Types | Account data, workspace data, user-generated content, usage logs, feature activity, product configurations
Processing Activities | Service delivery, support, security monitoring, product improvement (anonymised or aggregated where possible), access management
Retention | Duration of subscription plus export period of 30 days post-cancellation

Schedule 7: Billing, Support, and Account Management

Aspect | Details
Data Subjects | Customer contacts, billing contacts, support contacts
Data Types | Names, email addresses, company data, invoice records, support messages, payment metadata (not full card data), dispute records
Processing Activities | Billing, invoicing, support ticket management, account administration, dispute resolution
Retention | 7 years from invoice date (financial and tax obligations); 3 years from support resolution

Annex B: Subprocessor List

DXBMARK's Subprocessor List may be maintained as the Subprocessor List, as an annex to this DPA, or as a separate downloadable or web-based reference. The Subprocessor List identifies material third-party providers used to support DXBMARK services, including service category, purpose, data categories, role, location or transfer notes, legal or privacy documentation links where available, and status.


Annex C: Security Measures

DXBMARK's expanded technical and organizational security measures may be maintained in the Security Statement or in a separate Security Statement. A summary of core measures is provided below.

  • Encryption in transit (TLS 1.2 or higher)
  • Encryption at rest for sensitive data
  • Role-based access controls (least privilege)
  • Two-factor authentication where supported
  • Regular security patch management
  • Intrusion detection and security event logging
  • Automated backup procedures
  • Incident response and escalation procedures
  • Staff confidentiality obligations and data protection training
  • Vendor security assessments for material sub-processors
  • Secure credential storage and management
  • Network segmentation and firewall controls

End of Data Processing Agreement

Privacy Contact: privacy@dxbmark.com | Legal Contact: legal@dxbmark.com