Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between InterseQt Ltd ("Data Processor", "we", "us") and the customer organisation that has accepted this agreement through the OmniSense admin portal ("Data Controller", "you"). This DPA forms part of, and is incorporated into, the OmniSense Master Service Agreement or Order Form between the parties.

1. Definitions

• Personal Data means any information relating to an identified or identifiable natural person, as defined under applicable data protection law.
• Processing means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
• Data Controller means the customer organisation that determines the purposes and means of Processing.
• Data Processor means InterseQt Ltd, which Processes Personal Data on behalf of the Data Controller.
• Sub-processor means any third party engaged by InterseQt to Process Personal Data.
• Applicable Law means the data protection laws applicable to the Processing, including UAE PDPL (Federal Decree-Law No. 45 of 2021), KSA PDPL, EU GDPR (Regulation 2016/679), Bahrain PDPDP, and Thailand PDPA, as relevant to the jurisdiction of the Data Controller.

2. Scope and Purpose of Processing

InterseQt processes Personal Data solely to provide the OmniSense AI Intelligence Platform services as described in the Order Form. The categories of data processed are limited to:

• Customer contact information (name, phone number) used for loyalty recognition and personalisation
• Transaction data (order history, spend patterns) used for demand forecasting and recommendations
• Staff identifiers (anonymised) used for operational analytics
• Device and session tokens used for push notification delivery

InterseQt will not Process Personal Data for any purpose other than those specified in this DPA and the accompanying Order Form, unless required by law.

3. Data Controller Obligations

The Data Controller warrants that:

• It has a lawful basis for sharing Personal Data with InterseQt under Applicable Law
• It has provided all required notices to data subjects and obtained any necessary consents
• It will promptly notify InterseQt of any changes to the categories or volumes of Personal Data being processed
• It will ensure that its instructions to InterseQt comply with Applicable Law

4. Data Processor Obligations

InterseQt commits to:

• Process Personal Data only on documented instructions from the Data Controller
• Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organisational security measures (see Section 7)
• Assist the Data Controller in fulfilling data subject rights requests (access, rectification, erasure, portability) within 30 days
• Notify the Data Controller of a Personal Data breach within 72 hours of becoming aware
• Make available all information reasonably necessary to demonstrate compliance with this DPA
• Delete or return all Personal Data upon termination of the service, unless retention is required by law

5. Sub-processors

The Data Controller grants general authorisation for InterseQt to engage sub-processors. Current sub-processors include:

Sub-processor	Purpose	Data Location
Amazon Web Services (AWS)	Infrastructure, database, storage	Middle East (UAE), EU West (Ireland)
OpenAI	AI recommendation generation (anonymised context only)	United States
Anthropic	Conversational AI assistant (anonymised context only)	United States
SendGrid (Twilio)	Transactional email delivery	United States
Meta (WhatsApp Business API)	Operational alert delivery to managers	United States / EU
Google Firebase	Push notification delivery	United States

InterseQt will notify the Data Controller at least 14 days before adding or replacing a sub-processor. The Data Controller may object in writing within 10 days; if no resolution is reached, either party may terminate the affected services.

6. International Data Transfers

Where Personal Data is transferred outside the Data Controller's jurisdiction (e.g., to sub-processors in the United States), InterseQt ensures appropriate safeguards are in place, including Standard Contractual Clauses (EU SCCs), binding corporate rules, or equivalent mechanisms as required by Applicable Law. Data residency preferences (Middle East, Europe, Asia Pacific) are configurable at the organisation level upon request.

7. Security Measures

InterseQt implements the following technical and organisational measures:

• Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
• Schema-level data isolation: each customer organisation's data resides in a dedicated PostgreSQL schema
• Role-based access controls with least-privilege enforcement
• Multi-factor authentication for all internal system access
• Automated vulnerability scanning and annual penetration testing
• Incident response procedures with 72-hour breach notification capability
• Regular staff training on data protection obligations

8. Data Subject Rights

Upon receiving a data subject request forwarded by the Data Controller, InterseQt will:

• Acknowledge receipt within 5 business days
• Provide a full Personal Data export (DSAR) within 30 days
• Execute erasure requests (right to be forgotten) within 30 days, subject to legal retention obligations
• Rectify inaccurate Personal Data within 14 days of confirmed instruction

9. Data Retention and Deletion

Personal Data is retained for as long as the service agreement is active and for any minimum retention period required by Applicable Law (e.g., 7 years for financial transaction records). Upon termination:

• Customer Personal Data will be deleted from active systems within 30 days
• Backup copies will be purged within 90 days
• A deletion certificate is available upon request

10. Audit Rights

The Data Controller may, upon 30 days written notice, conduct or commission an audit of InterseQt's data processing activities relevant to this DPA, no more than once per calendar year. InterseQt may propose an equivalent third-party audit report (e.g., SOC 2 Type II) in lieu of a direct audit.

11. Liability

Each party's liability under this DPA is subject to the limitations set out in the Master Service Agreement. InterseQt's total liability for breaches of this DPA shall not exceed the amounts paid by the Data Controller in the 12 months preceding the event giving rise to the claim, unless caused by gross negligence or wilful misconduct.

12. Term and Termination

This DPA remains in effect for the duration of the Master Service Agreement. It terminates automatically upon termination of the Master Service Agreement, subject to any post-termination obligations regarding data deletion set out in Section 9.

13. Governing Law

This DPA is governed by the laws of the Kingdom of Saudi Arabia, with disputes subject to the jurisdiction of the competent courts in Riyadh, unless the Data Controller is domiciled in the European Union, in which case the laws of Ireland apply.

14. Acceptance and Record of Consent

Acceptance of this DPA is recorded electronically through the OmniSense admin portal. The record includes the accepting user's identity, timestamp, and IP address. Electronic acceptance constitutes a valid, legally binding agreement under applicable e-signature and contract formation laws.