Data Processing Agreement

For Enterprise Subscribers · Effective Date: March 11, 2026 · Kartib Technologies Private Limited

1. Scope

This DPA applies where Kartib processes Personal Data on behalf of the subscribing organisation (“Controller”) under the Enterprise plan.

2. Definitions

Standard GDPR/DPDPA definitions apply. “Business Data” means all data entered across 37 modules. “Personal Data” means information within Business Data relating to identifiable persons.

3. Processing Obligations

  • Process only on documented instructions from Controller
  • Ensure all personnel with data access maintain confidentiality
  • Implement appropriate technical and organisational security measures
  • Comply with sub-processor rules and provide advance notice
  • Assist with data subject rights requests
  • Delete or return data on termination
  • Demonstrate compliance upon request

4. Security Measures

  • Supabase PostgreSQL with row-level security (RLS)
  • AES-256 encryption at rest; TLS 1.3 in transit
  • OAuth 2.0 via Supabase Auth; RBAC for role management
  • Automated backups with point-in-time recovery
  • Regular penetration testing and vulnerability scans
  • Incident detection and response; employee security training

5. Sub-Processors

Current sub-processors: Supabase (database/auth), Vercel (hosting/CDN), Stripe (payments), and email delivery services.

30-day advance notice for changes. Controller may object within 14 days.

6. Breach Notification

Within 48 hours of a confirmed breach, with details on nature, scope, consequences, and mitigation measures taken.

7. Data Subject Rights

Kartib assists Controller with rights requests and does not respond directly to data subjects unless instructed by Controller.

8. International Transfers

Standard Contractual Clauses (SCCs) and appropriate safeguards for all cross-border data transfers.

9. Audit Rights

Annual audit with 30 days' notice. SOC 2 Type II reports available upon request.

10. Term

Effective for the duration of your account. Data returned or deleted within 90 days of termination with written certification.