1. Roles
The Customer is the Controller of personal data submitted to the Services. DemandSa is the Processor, except where it determines purposes and means independently (account billing, fraud prevention), in which case it is a Controller.
2. Scope & Duration
DemandSa will process personal data only on documented instructions from the Customer and only for the duration of the underlying agreement plus any retention required by law.
3. Sub-Processors
Current sub-processors are listed at demandsa.com/sub-processors. DemandSa will notify the Customer of new sub-processors at least 30 days in advance. The Customer may object on reasonable grounds.
4. Security Measures
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Role-based access control with MFA for staff.
- Quarterly third-party penetration tests.
- ISO 27001-aligned ISMS.
5. Personal Data Breach
DemandSa will notify the Customer without undue delay, and within 72 hours, of becoming aware of a personal data breach affecting the Customer's data.
6. Data Subject Requests
DemandSa will assist the Customer in responding to data-subject requests with appropriate technical and organizational measures, at reasonable cost.
7. Audit
The Customer may audit DemandSa's compliance with this DPA once per calendar year, on 30 days' notice, during normal business hours, subject to confidentiality.
8. International Transfers
Where data is processed outside KSA, DemandSa relies on Standard Contractual Clauses approved by SDAIA.
9. Return / Deletion
On termination, the Customer may export data via the API for 90 days. Thereafter DemandSa will delete or anonymize the data within 30 days, except where retention is required by law.
10. Contact
dpa@demandsa.com.