GDPR

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Rawwij and the Customer, pursuant to the EU General Data Protection Regulation ("GDPR") and other applicable data protection laws.

Last Updated: February 15, 2026

1. Definitions

"Controller" means the Customer who determines the purposes and means of the processing of Personal Data through the use of the Service.

"Processor" means Rawwij, which processes Personal Data on behalf of the Controller in connection with the Service.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Rawwij on behalf of the Customer in connection with the Service.

"Sub-processor" means any third party engaged by Rawwij to assist in the processing of Personal Data on behalf of the Controller.

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.

"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this Agreement, including GDPR, the UK Data Protection Act 2018, and any national implementing legislation.

2. Scope and Roles

This DPA applies to the processing of Personal Data by Rawwij on behalf of the Customer in connection with the provision of the Rawwij social media management platform (the "Service").

The Customer acts as the Controller of Personal Data, determining the purposes and means of processing. Rawwij acts as the Processor, processing Personal Data solely on behalf of and under the documented instructions of the Customer.

The categories of Personal Data processed include: social media account identifiers, profile information, post content and metadata, engagement analytics, audience demographic data, and any other data the Customer submits through the Service.

The categories of Data Subjects include: the Customer's social media followers and audience members, the Customer's employees and team members who use the Service, and any individuals whose data is contained in content managed through the Service.

3. Processing Instructions

Rawwij shall process Personal Data only on documented instructions from the Customer, unless required to do so by European Union or Member State law to which Rawwij is subject. In such a case, Rawwij shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The Customer's instructions for processing Personal Data are as follows: (a) processing to provide, maintain, and improve the Service; (b) processing to comply with the Customer's other reasonable instructions, provided they are consistent with the terms of the Service agreement.

Rawwij shall immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions.

4. Security Measures

Rawwij shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:

(a) Encryption of Personal Data in transit using TLS 1.2 or higher and at rest using AES-256 encryption;
(b) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
(c) The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
(d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Rawwij ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

The Service infrastructure is hosted on Supabase (powered by Amazon Web Services), which maintains SOC 2 Type II certification and implements comprehensive security controls. Data is stored in secure data centers with physical access controls, environmental safeguards, and redundant systems.

5. Sub-processors

The Customer provides general authorization for Rawwij to engage Sub-processors to assist with the processing of Personal Data. Rawwij shall maintain an up-to-date list of Sub-processors and shall make this list available to the Customer upon request.

Current Sub-processors include: Supabase Inc. (database hosting and authentication, United States); Vercel Inc. (application hosting, United States); Resend Inc. (transactional email delivery, United States); social media platform APIs (Meta, X Corp, TikTok, LinkedIn, Google, Snap Inc., Telegram) for the purpose of publishing and retrieving content as instructed by the Customer.

Rawwij shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Customer the opportunity to object to such changes. If the Customer objects to a new Sub-processor on reasonable grounds related to data protection, Rawwij shall use commercially reasonable efforts to make available to the Customer a change in the Service or recommend a commercially reasonable change to the Customer's use of the Service to avoid processing of Personal Data by the objected-to new Sub-processor.

Rawwij shall impose on each Sub-processor data protection obligations no less protective than those set out in this DPA by way of a written contract.

6. Data Subject Rights

Rawwij shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR.

These rights include: the right of access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restriction of processing (Article 18), the right to data portability (Article 20), and the right to object (Article 21).

If Rawwij receives a request from a Data Subject directly, Rawwij shall promptly redirect the Data Subject to the Customer and inform the Customer of the request, unless otherwise required by applicable law.

7. Data Breach Notification

Rawwij shall notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach. Such notification shall include: (a) a description of the nature of the breach including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the name and contact details of Rawwij's data protection contact; (c) a description of the likely consequences of the breach; (d) a description of the measures taken or proposed to be taken to address the breach.

Rawwij shall cooperate with and assist the Customer in relation to any investigation, mitigation, or remediation of such Personal Data breach, and in meeting the Customer's obligations under Articles 33 and 34 of the GDPR.

8. International Data Transfers

Where the processing of Personal Data involves the transfer of Personal Data outside the European Economic Area ("EEA"), the United Kingdom, or Switzerland, Rawwij shall ensure that such transfers are made in compliance with applicable data protection law.

For transfers to countries not recognized as providing an adequate level of protection, Rawwij relies on the Standard Contractual Clauses ("SCCs") adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), which are hereby incorporated by reference into this DPA.

Rawwij shall implement supplementary measures where necessary to ensure that the level of protection of Personal Data is not undermined by the transfer, taking into account the laws and practices of the destination country.

9. Data Retention and Deletion

Upon termination of the Service agreement, or upon the Customer's written request, Rawwij shall, at the choice of the Customer, delete or return all Personal Data to the Customer, and delete existing copies unless applicable law requires storage of the Personal Data.

The Customer may request the deletion or export of their data at any time through the Service settings or by contacting Rawwij at privacy@rawwij.com. Rawwij shall comply with such requests within 30 days.

Rawwij may retain Personal Data to the extent required by applicable law, and only for the period and purposes required by such law. Any retained data shall continue to be protected in accordance with this DPA.

10. Audit and Compliance

Rawwij shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

Audit requests must be made with reasonable notice (minimum 30 days) and shall be conducted during normal business hours. The Customer shall bear the costs of any audit unless the audit reveals a material breach of this DPA by Rawwij.

Rawwij shall immediately inform the Customer if, in its opinion, an instruction from the Customer infringes the GDPR or other applicable data protection provisions.

11. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Service agreement, except that neither party's liability for breaches of its data protection obligations shall be limited in a manner that is not permitted under applicable data protection law.

Rawwij shall indemnify the Customer against all claims, costs, damages, and expenses arising from Rawwij's breach of this DPA or applicable data protection law, provided that the Customer gives Rawwij prompt notice of any claim and reasonable cooperation in the defense of such claim.

12. Governing Law and Jurisdiction

This DPA shall be governed by the laws of the State of Kuwait, without regard to its conflict of law principles, except where applicable data protection law requires otherwise.

For Data Subjects in the European Economic Area, any disputes arising under this DPA shall be subject to the jurisdiction of the courts of the EU Member State where the Data Subject is habitually resident.

This DPA shall remain in effect for as long as Rawwij processes Personal Data on behalf of the Customer. The obligations of Rawwij under this DPA shall survive any termination or expiration of the Service agreement to the extent necessary to give effect to the provisions of this DPA.

For DPA inquiries or to request a signed copy, contact us at privacy@rawwij.com.