Data Processing Agreement

1. Purpose

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between GR IT Services LLC (also known as Ghulam Rasool IT Services LLC), a company registered in Dubai, United Arab Emirates ("Processor" or "GR IT Services"), and the customer entity that has agreed to the Terms of Service ("Controller" or "Customer").

This DPA sets out the terms and conditions under which GR IT Services will process personal data on behalf of the Customer in connection with the provision of the CISGuard compliance automation platform and related services. This DPA is intended to ensure compliance with applicable data protection laws, including but not limited to:

• The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021)
• The EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
• The UK General Data Protection Regulation (UK GDPR)
• Other applicable data protection and privacy laws

2. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below:

• "Controller" means the entity that determines the purposes and means of the processing of personal data. In the context of this DPA, the Controller is the Customer.
• "Processor" means the entity that processes personal data on behalf of the Controller. In the context of this DPA, the Processor is GR IT Services, but only with respect to the limited personal data described in Section 4.
• "Data Subject" means an identified or identifiable natural person whose personal data is processed under this DPA.
• "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection law.
• "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
• "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

3. Roles and Scope

The Customer acts as the Controller of personal data processed in connection with the CISGuard platform. GR IT Services acts as the Processor only with respect to the limited categories of personal data described in Section 4 below.

Important distinction regarding on-premises deployments: CISGuard is deployed on-premises within the Customer's infrastructure. For all compliance scan data, audit logs, agent configurations, credentials, and other data generated by the CISGuard platform within the Customer's environment, GR IT Services is not a Processor. GR IT Services has no access to, and does not process, any data stored in the Customer's on-premises CISGuard deployment.

GR IT Services acts as a Processor only for personal data processed through: (a) website form submissions (demo requests, contact forms); (b) email communications related to support and sales; and (c) any managed support services that require remote access, provided such access is expressly authorized by the Customer in writing.

4. Processing Details

4.1 Nature and Purpose of Processing

GR IT Services processes personal data for the purpose of providing the CISGuard software platform and related support services, including: responding to demo requests and inquiries, providing technical support, managing customer accounts, sending service-related communications (software updates, security advisories, license management), and performing onboarding and deployment assistance.

4.2 Duration of Processing

Personal data will be processed for the duration of the Agreement between the Customer and GR IT Services, plus any retention period required by applicable law or as specified in the Privacy Policy.

4.3 Types of Personal Data

• Contact information (name, email address, phone number, job title)
• Company and organizational information
• Support ticket content and correspondence
• Account registration information
• IP addresses and technical metadata from website interactions

4.4 Categories of Data Subjects

• Customer employees and authorized users
• Customer IT administrators and security personnel
• Prospective customers who submit inquiries or demo requests
• Customer support contacts

5. Processor Obligations

GR IT Services, as Processor, shall:

• Process on documented instructions: Process personal data only on the documented instructions of the Controller, including with respect to transfers of personal data to a third country, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law from doing so).
• Confidentiality: Ensure that all personnel authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Security measures: Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 8 of this DPA.
• Sub-processor engagement: Not engage another processor (sub-processor) without prior written authorization of the Controller, subject to the terms set out in Section 6.
• Assist with data subject requests: Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising data subject rights.
• Assist with compliance: Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to the Processor.
• Deletion or return: At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data.
• Audit support: Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or a qualified auditor mandated by the Controller.

6. Sub-processors

The Customer hereby grants GR IT Services general authorization to engage sub-processors, subject to the conditions set out in this section. The following sub-processors are currently engaged:

GR IT Services shall notify the Customer of any intended changes concerning the addition or replacement of sub-processors at least thirty (30) days in advance, providing the Customer with the opportunity to object to such changes.

If the Customer objects to a new sub-processor on reasonable grounds relating to data protection, GR IT Services shall use commercially reasonable efforts to make available to the Customer a change in the Service or recommend a commercially reasonable alternative. If no alternative is available, either party may terminate the affected services without penalty.

GR IT Services shall ensure that any sub-processor is bound by data protection obligations no less protective than those set out in this DPA, and shall remain fully liable to the Customer for the performance of any sub-processor's obligations.

7. International Data Transfers

GR IT Services is headquartered in Dubai, UAE. Personal data processed under this DPA may be transferred to and processed in the UAE.

Where personal data originating from the European Economic Area (EEA), United Kingdom, or Switzerland is transferred to a country that does not provide an adequate level of data protection as determined by the relevant authority, GR IT Services shall ensure that appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914), which are hereby incorporated by reference into this DPA.
• The UK International Data Transfer Addendum to the EU SCCs, where applicable.
• Any additional supplementary measures necessary to ensure the level of protection required by applicable law.

Microsoft Corporation, as a sub-processor, processes data in accordance with its own Data Processing Addendum, which includes Standard Contractual Clauses and supplementary measures for international transfers.

8. Security Measures

GR IT Services implements and maintains the following technical and organizational security measures to protect personal data:

• Encryption in transit: All data transmitted between systems is encrypted using TLS 1.2 or higher.
• Encryption at rest: Personal data at rest is protected using industry-standard encryption (AES-256 or equivalent).
• Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis, with role-based access controls and multi-factor authentication.
• Employee training: All personnel with access to personal data receive regular training on data protection and information security.
• Incident response: A documented incident response plan is maintained and tested, with defined procedures for identifying, containing, and remediating security incidents.
• Regular security reviews: Periodic security assessments are conducted to identify and address vulnerabilities.
• Physical security: Physical access to systems processing personal data is controlled and restricted.
• Logging and monitoring: Access to personal data is logged and monitored for unauthorized access or anomalous activity.

9. Data Breach Notification

GR IT Services shall notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Data Breach affecting personal data processed under this DPA. The notification shall include:

• A description of the nature of the Data Breach, including the categories and approximate number of data subjects and personal data records affected.
• The name and contact details of the data protection point of contact.
• A description of the likely consequences of the Data Breach.
• A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects.

GR IT Services shall cooperate with the Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach. GR IT Services shall provide a written root cause analysis and remediation plan within thirty (30) days of the breach notification.

10. Data Subject Rights

GR IT Services shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures in fulfilling the Customer's obligation to respond to requests from data subjects exercising their rights under applicable data protection law, including rights of:

• Access to personal data
• Rectification of inaccurate personal data
• Erasure of personal data ("right to be forgotten")
• Restriction of processing
• Data portability
• Objection to processing

If GR IT Services receives a request directly from a data subject, it shall promptly notify the Customer and shall not respond to the request without the Customer's prior written instructions, unless required to do so by applicable law.

11. Audit Rights

The Customer (or a qualified third-party auditor appointed by the Customer) may audit GR IT Services' compliance with this DPA, subject to the following conditions:

• The Customer shall provide at least thirty (30) days' prior written notice of any audit request.
• Audits shall be conducted during normal business hours (Sunday through Thursday, 9:00 AM to 6:00 PM GST) and shall not unreasonably interfere with GR IT Services' business operations.
• Audits shall be limited to no more than once per twelve (12) month period, unless a Data Breach has occurred or a supervisory authority requires additional audits.
• The Customer and any third-party auditor shall be bound by confidentiality obligations with respect to any information obtained during the audit.
• The Customer shall bear the costs of any audit, unless the audit reveals a material non-compliance by GR IT Services, in which case GR IT Services shall bear the reasonable costs.

12. Duration and Termination

This DPA shall become effective on the date the Customer agrees to the Terms of Service and shall remain in effect for the duration of the Agreement. This DPA shall automatically terminate upon the termination or expiration of the Agreement.

Upon termination of this DPA, GR IT Services shall, at the Customer's election, either delete or return all personal data processed under this DPA and delete all existing copies, unless applicable law requires the retention of the personal data. GR IT Services shall certify in writing that it has complied with this obligation within thirty (30) days of termination.

The obligations of GR IT Services under this DPA with respect to the confidentiality and security of personal data shall survive termination for as long as GR IT Services retains any personal data processed under this DPA.

13. Contact

For questions or requests related to this Data Processing Agreement, please contact our Data Protection Officer: