Data Processing Addendum

Last Updated: October 23, 2025

1. Introduction

This Data Processing Addendum ("DPA") forms part of the agreement between SMERP TEK ("Processor") and the business customer ("Controller") for the provision of ERP and business automation services. This DPA ensures compliance with the UAE Personal Data Protection Law (PDPL) and establishes the terms under which SMERP TEK processes personal data on behalf of the Controller.

2. Definitions

Personal Data:
Any information relating to an identified or identifiable natural person.
Processing:
Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
Controller:
The business customer that determines the purposes and means of processing personal data.
Processor:
SMERP TEK, which processes personal data on behalf of the Controller.

3. Scope of Processing

3.1 Nature and Purpose

SMERP TEK processes personal data solely for the purpose of providing ERP, workforce management, analytics, and automation services as specified in the service agreement.

3.2 Types of Personal Data

  • Employee data (names, contact information, employment records)
  • Student data (for EDU product users)
  • Business contact information
  • Operational and analytics data
  • System usage logs

3.3 Data Subjects

  • Controller's employees
  • Controller's customers
  • Students (where applicable)
  • Business contacts

4. Processor Obligations

4.1 Process personal data only on documented instructions from the Controller.

4.2 Ensure that persons authorized to process personal data have committed to confidentiality.

4.3 Implement appropriate technical and organizational measures to ensure data security.

4.4 Assist the Controller in responding to data subject requests.

4.5 Notify the Controller of any personal data breach within 72 hours of discovery.

4.6 Delete or return all personal data upon termination of services.

4.7 Make available all information necessary to demonstrate compliance.

5. Security Measures

5.1 Technical Measures

  • Encryption of data in transit (TLS 1.3)
  • Encryption of data at rest (AES-256)
  • Multi-factor authentication for system access
  • Regular security updates and patching
  • Intrusion detection and prevention systems

5.2 Organizational Measures

  • Access controls based on role and need-to-know
  • Staff training on data protection
  • Incident response procedures
  • Regular security audits
  • Data protection impact assessments

6. Sub-Processing

The Controller authorizes SMERP TEK to engage sub-processors for specific processing activities. Current sub-processors include:

  • Cloud hosting providers (UAE-based data centers)
  • Email service providers
  • Analytics services (privacy-respecting only)

SMERP TEK will notify the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object.

7. Data Subject Rights

SMERP TEK will assist the Controller in fulfilling data subject requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object

8. Data Breach Notification

In the event of a personal data breach, SMERP TEK will:

  1. Notify the Controller within 72 hours of becoming aware of the breach
  2. Provide details of the nature of the breach, categories and approximate number of affected data subjects
  3. Describe the likely consequences of the breach
  4. Outline measures taken or proposed to address the breach
  5. Provide contact information for further inquiries

9. Data Location and Transfers

9.1 Data Residency: All personal data is stored in UAE-based data centers, ensuring compliance with PDPL requirements for data localization where applicable.

9.2 International Transfers: Any transfer of personal data outside the UAE will only occur with the Controller's prior written consent and with appropriate safeguards in place.

10. Data Retention and Deletion

10.1 Retention: Personal data will be retained only for as long as necessary to provide the services or as required by law.

10.2 Deletion: Upon termination of services, SMERP TEK will:

  • Delete all personal data within 30 days, or
  • Return all personal data to the Controller in a commonly used format, or
  • Retain data only as required by applicable law

11. Audit Rights

The Controller has the right to audit SMERP TEK's compliance with this DPA, subject to reasonable notice and confidentiality obligations. SMERP TEK will provide all necessary cooperation and access to relevant information.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the main service agreement. SMERP TEK shall be liable only for damages caused by failure to comply with its obligations under this DPA.

13. Term and Termination

This DPA remains in effect for the duration of the service agreement and will automatically terminate upon termination of the service agreement, subject to the data retention and deletion obligations outlined above.

14. Governing Law

This DPA is governed by the laws of the United Arab Emirates and the UAE Personal Data Protection Law (PDPL).

15. Contact Information

Data Protection Contact:

SMERP TEK

Email: privacy@smerptek.com

Website: smerptek.com/contact

This Data Processing Addendum is compliant with the UAE Personal Data Protection Law (PDPL) and follows international best practices for business-to-business data processing agreements.