Data Processing Agreement
Version 1.0 | Last updated: March 2026
1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Data Controller") and Imtisal (إمتثال), operating as Bana’i (بنائي) ("Data Processor"), for the provision of the Bana’i compliance management platform ("the Service") at binaey.com. This DPA governs the processing of personal data by the Data Processor on behalf of the Data Controller in connection with the Service, in compliance with the Saudi Personal Data Protection Law (PDPL).
2. Definitions
In this DPA, terms not otherwise defined shall have the meanings given to them in the PDPL and the main service agreement. Key terms include:
- "Personal Data" means any data relating to an identified or identifiable natural person, as defined in the PDPL.
- "Processing" means any operation performed on personal data, including collection, storage, use, transfer, and deletion.
- "Subprocessor" means any third party engaged by the Data Processor to process personal data on behalf of the Data Controller.
- "Data Breach" means any unauthorised access, disclosure, alteration, or destruction of personal data.
3. Processor Obligations
The Data Processor shall:
- Process personal data only on documented instructions from the Data Controller, unless required by law
- Ensure that persons authorised to process personal data are subject to confidentiality obligations
- Implement appropriate technical and organisational measures to protect personal data
- Assist the Data Controller in responding to data subject rights requests under PDPL
- Delete or return all personal data upon termination of the service, at the Data Controller’s choice
- Make available all information necessary to demonstrate compliance with this DPA
4. Subprocessors
The Data Processor engages the following subprocessors for the delivery of the Service:
| Subprocessor | Service | Data location | Purpose |
|---|---|---|---|
| Supabase Inc. | Database hosting and authentication services | Frankfurt, Germany (EU) | Primary data storage, user authentication, and real-time data synchronisation |
| Hostinger International Ltd. | Application hosting and content delivery | European data centres | Web application hosting and static asset delivery |
The Data Processor shall notify the Data Controller at least 30 days in advance of any intended addition or replacement of subprocessors, providing the Data Controller an opportunity to object. The Data Processor shall ensure all subprocessors are bound by data protection obligations no less onerous than those in this DPA.
5. Security Measures
The Data Processor implements the following security measures:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256
- Row-level security (RLS) policies for multi-tenant data isolation
- Regular backups with point-in-time recovery capability
- Access controls with role-based permissions and audit logging
- Regular vulnerability assessments and penetration testing
6. Data Breach Notification
In the event of a data breach, the Data Processor shall:
- Notify the Data Controller without undue delay, and in any event within 72 hours of becoming aware of the breach, so that the Data Controller can meet its own notification obligations under the PDPL
- Include in that notification: (a) the nature of the breach; (b) the categories and approximate number of data subjects affected; (c) the likely consequences; (d) the measures taken or proposed to mitigate the breach
- Provide the Data Controller with sufficient information to enable notification to the Saudi Data & Artificial Intelligence Authority (SDAIA) and affected data subjects where required
- Cooperate with the Data Controller in investigating and remediating the breach
7. International Data Transfers
Personal data is currently hosted outside the Kingdom of Saudi Arabia by the subprocessors listed in Section 4: database hosting via Supabase in Frankfurt, Germany (EU), and application hosting via Hostinger in European data centres. SDAIA has not yet published a formal list of adequate jurisdictions. The Data Processor implements the following safeguards for cross-border transfers: (a) contractual data protection terms with subprocessors; (b) encryption in transit and at rest; (c) access controls and audit logging. The Data Processor is evaluating options to relocate data hosting within the GCC region and will update this DPA accordingly when infrastructure arrangements change.
8. Audit Rights
The Data Controller has the right to audit the Data Processor’s compliance with this DPA. Audits may be conducted: (a) upon reasonable notice of at least 30 days; (b) during normal business hours; (c) no more than once per year unless a data breach has occurred. The Data Processor shall cooperate with audits and provide access to relevant documentation, systems, and personnel.
9. Duration and Termination
This DPA shall remain in effect for the duration of the main service agreement. Upon termination: (a) the Data Processor shall cease processing personal data; (b) at the Data Controller’s election, delete or return all personal data within 30 days; (c) provide written confirmation of deletion upon request. Obligations relating to confidentiality and data protection shall survive termination.
10. Liability
Each party’s aggregate liability under this DPA shall not exceed the total fees paid by the Data Controller in the twelve (12) months preceding the claim. Neither party shall be liable for indirect, consequential, or punitive damages arising under this DPA.
Contact
For questions about this DPA, contact us at dpa@binaey.com