Data Processing Agreement (DPA)
Effective date: 24 Jan 2024
This Data Processing Agreement ("Agreement" or "DPA") is entered into between the Client ("Data Controller") and Incorpify AI Holdings Ltd, a company incorporated in the Abu Dhabi Global Market (ADGM), acting as the Data Processor ("Incorpify").
This DPA forms an integral part of the Terms & Conditions, and applies when Incorpify processes Personal Data on behalf of the Client as part of the services.
This DPA forms an integral part of the Terms & Conditions, and applies when Incorpify processes Personal Data on behalf of the Client as part of the services.
1. Purpose and Scope
This DPA outlines the obligations of both parties regarding the processing of Personal Data in accordance with the ADGM Data Protection Regulations 2021 and the EU General Data Protection Regulation (GDPR), where applicable. Incorpify processes Personal Data solely to deliver services including incorporation, licensing, tax registration, visa processing, document generation, and related business support.
2. Roles and Responsibilities
- Data Controller: The Client (individual or business user) who determines the purpose and means of processing.
- Data Processor: Incorpify, who processes data on behalf of the Controller as per documented instructions.
3. Categories of Data and Subjects
Data Subjects:
- Client users and authorized representatives
- Business associates and UBOs
- Employees and family members (for visa or payroll services)
Data Types:
- Identity documents and contact information
- Company data, filings, and uploaded documents
- Financial identifiers
- Sensitive personal data (e.g., medical, biometric, family status) where submitted
- Interaction and usage logs
4. Sub-Processing
Incorpify uses authorized Sub-Processors to perform aspects of the service, including:
- Microsoft Azure (hosting, document storage, AI orchestration)
- Auth0 (authentication)
- Google Analytics, Hotjar (performance monitoring)
- Third-party service providers under confidentiality agreements
Incorpify maintains responsibility for Sub-Processor compliance and will notify users of material changes as required.
5. International Transfers
Personal Data may be transferred outside of the UAE/ADGM, subject to adequacy decisions, EU Standard Contractual Clauses (SCCs), or equivalent safeguards.
6. Security Measures
- AES-256 encryption at rest
- TLS encryption in transit
- Role-based access, audit logging, and 2FA
- Secure file scanning and daily backups
7. Data Subject Rights
Incorpify will assist the Client in responding to access, correction, deletion, restriction, objection, or portability requests. Contact: privacy@incorpify.ai
8. Data Retention and Deletion
- Company data retained for 10 years (UAE/KSA law)
- Non-regulatory personal data deleted/anonymized on account termination
- Chatbot logs anonymized for training purposes
9. Breach Notification
In case of a confirmed Personal Data Breach, Incorpify will notify the Controller within 72 hours, detailing all relevant information and mitigation actions.
10. Audit Rights
The Client may request compliance documentation. Incorpify allows reasonable inspections subject to confidentiality and operational constraints.
11. Liability
Each party is responsible for its own obligations and indemnifies the other for DPA breaches. Incorpify is not liable for the legality or accuracy of submitted data.
12. Governing Law
This Agreement is governed by ADGM law and disputes will be handled exclusively in ADGM courts.
Acceptance
By registering an account, submitting payment, or using the Platform, the Client agrees to be bound by this DPA.