Data Processing Agreement

Effective Date: December 6, 2023

Last Updated: February 2, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller" or "Customer") and Tawteen Tech ("Data Processor" or "Processor") and governs the processing of personal data by Tawteen Tech on your behalf in connection with the provision of our services.

This DPA applies where and only to the extent that Tawteen Tech processes personal data on behalf of the Customer in the course of providing services, and such personal data is subject to applicable data protection laws including, but not limited to, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Egyptian data protection laws.

1. Definitions

For the purposes of this DPA:

"Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws.
"Processing" means any operation or set of operations performed on personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Data Subject" means an identified or identifiable natural person whose personal data is processed.
"Sub-processor" means any third party engaged by Tawteen Tech to process personal data on behalf of the Customer.
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
"Applicable Data Protection Laws" means all laws and regulations applicable to the processing of personal data under this DPA, including GDPR, CCPA, and Egyptian data protection laws.

2. Scope and Purpose of Processing

2.1 Tawteen Tech shall process personal data only on behalf of and in accordance with the documented instructions of the Customer, unless required to do so by applicable law. In such a case, Tawteen Tech shall inform the Customer of that legal requirement before processing, unless prohibited by law.

2.2 The purpose of processing is limited to providing the services described in the Terms of Service, including:

Facilitating video conferencing, voice communications, and messaging.
Providing virtual classroom and telemedicine platform functionality.
Managing user accounts, authentication, and access control.
Processing payments and managing subscriptions.
Providing customer support and technical assistance.
Generating usage analytics and service performance reports.

2.3 The categories of personal data processed may include:

Contact information (name, email address, phone number).
Account credentials and authentication data.
Communication content (messages, files, recordings where applicable).
Usage and log data (IP addresses, device information, access logs).
Payment and billing information.

2.4 The categories of data subjects may include:

Customer's employees and staff.
End users of the Customer's account.
Meeting participants and attendees.

3. Obligations of Tawteen Tech

Tawteen Tech shall:

3.1 Process personal data only in accordance with the Customer's documented instructions and the terms of this DPA, unless required by applicable law.

3.2 Ensure that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Encryption of personal data in transit using SSL/TLS 1.2/1.3.
Encryption of personal data at rest using AES-256.
End-to-end encryption for communications where applicable.
Access controls based on the principle of least privilege.
Regular security assessments and penetration testing.
Incident detection and response capabilities.
Business continuity and disaster recovery measures.

3.4 Not engage another processor (sub-processor) without prior specific or general written authorization of the Customer. In the case of general written authorization, Tawteen Tech shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors, giving the Customer the opportunity to object to such changes.

3.5 Ensure that any sub-processor engaged is bound by data protection obligations no less protective than those set out in this DPA.

3.6 Taking into account the nature of the processing, assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising data subject rights under applicable data protection laws.

3.7 Assist the Customer in ensuring compliance with its obligations regarding security of processing, notification of data breaches, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to Tawteen Tech.

3.8 At the choice of the Customer, delete or return all personal data to the Customer after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data.

3.9 Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

4. Obligations of the Customer

The Customer shall:

4.1 Ensure that it has a lawful basis for the processing of personal data and that all necessary consents have been obtained from data subjects.

4.2 Provide documented instructions to Tawteen Tech regarding the processing of personal data.

4.3 Ensure that its use of Tawteen Tech's services complies with applicable data protection laws.

4.4 Promptly notify Tawteen Tech of any changes to applicable data protection requirements that may affect Tawteen Tech's processing obligations.

5. Sub-processors

5.1 The Customer provides general authorization for Tawteen Tech to engage sub-processors for the purpose of providing the services. Tawteen Tech maintains a list of current sub-processors, which shall be made available to the Customer upon request.

5.2 Tawteen Tech shall notify the Customer of any intended changes to its sub-processors at least 14 days in advance, giving the Customer the opportunity to object.

5.3 If the Customer reasonably objects to a new sub-processor on data protection grounds, Tawteen Tech shall use commercially reasonable efforts to make available an alternative arrangement. If no alternative is available, either party may terminate the affected services.

5.4 Tawteen Tech shall ensure that each sub-processor is bound by contractual obligations that provide a level of data protection equivalent to that provided in this DPA.

6. Data Breach Notification

6.1 Tawteen Tech shall notify the Customer without undue delay upon becoming aware of a data breach affecting personal data processed on behalf of the Customer.

6.2 Such notification shall include, to the extent available:

A description of the nature of the data breach, including the categories and approximate number of data subjects and personal data records concerned.
The name and contact details of the point of contact for further information.
A description of the likely consequences of the data breach.
A description of the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects.

6.3 Tawteen Tech shall cooperate with the Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the data breach.

7. International Data Transfers

7.1 Tawteen Tech shall not transfer personal data to a country outside the jurisdiction of the Customer without ensuring that appropriate safeguards are in place, as required by applicable data protection laws.

7.2 Where transfers are necessary for the provision of services, Tawteen Tech shall ensure compliance through one or more of the following mechanisms:

Standard Contractual Clauses approved by relevant authorities.
Binding Corporate Rules where applicable.
Any other transfer mechanism recognized under applicable data protection laws.

8. Data Subject Rights

8.1 Tawteen Tech shall, taking into account the nature of the processing, assist the Customer by implementing appropriate technical and organizational measures to respond to requests from data subjects exercising their rights under applicable data protection laws, including:

Right of access.
Right to rectification.
Right to erasure.
Right to restriction of processing.
Right to data portability.
Right to object.

8.2 If Tawteen Tech receives a request from a data subject directly, Tawteen Tech shall promptly redirect the data subject to the Customer and notify the Customer of the request, unless otherwise required by applicable law.

9. Audits and Inspections

9.1 Tawteen Tech shall make available to the Customer information reasonably necessary to demonstrate compliance with the obligations set out in this DPA.

9.2 The Customer may conduct audits, including inspections, of Tawteen Tech's data processing activities, subject to the following conditions:

Reasonable advance notice of at least 30 days.
Audits shall be conducted during normal business hours.
The Customer shall bear the cost of such audits.
Audits shall not unreasonably interfere with Tawteen Tech's business operations.
Audit results and findings shall be treated as confidential information.

9.3 Tawteen Tech may satisfy audit requests by providing relevant certifications, audit reports (such as SOC 2 reports), or other evidence of compliance.

10. Term and Termination

10.1 This DPA shall remain in effect for the duration of Tawteen Tech's processing of personal data on behalf of the Customer.

10.2 Upon termination of the services or upon the Customer's request, Tawteen Tech shall, at the Customer's choice:

Return all personal data to the Customer in a commonly used format; or
Delete all personal data and certify such deletion in writing.

10.3 Tawteen Tech may retain personal data to the extent required by applicable law, provided that such data shall continue to be subject to the confidentiality and security obligations of this DPA.

Data Protection Officer: dpo@qriib.com
Legal Affairs: support@qriib.com
Website: ../contact