
Data Processing Agreement

Version 1.0 · Effective: 17 May 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Istibqa Ltd (“Processor”) and the business subscribing to Tadhkir (“Controller”). It governs the processing of personal data carried out by Istibqa Ltd on behalf of the Controller in connection with the Tadhkir service.

1. Definitions

  • Controller — the business entity that subscribes to Tadhkir and determines the purposes and means of processing its customers' personal data.
  • Processor — Istibqa Ltd, operator of Tadhkir (tadhkirapp.com), which processes personal data on behalf of the Controller.
  • Data Subject — the end customer of the Controller whose personal data is processed via Tadhkir.
  • Personal Data — any information relating to an identified or identifiable natural person, as defined under UK GDPR Article 4(1).
  • Processing — any operation performed on personal data, including collection, storage, use, transmission, and deletion.
  • Sub-Processor — any third party engaged by the Processor to process personal data on behalf of the Controller.

2. Processing Details

Subject matter: Operation of a WhatsApp customer retention and reminder platform on behalf of the Controller.

Duration: For the term of the Controller's subscription to Tadhkir, plus any retention periods required by law.

Nature and purpose: Storing customer contact records and sending WhatsApp reminder messages on the Controller's instruction.

Categories of personal data:

  • Full name
  • WhatsApp phone number
  • Last visit date, birthday, anniversary (where collected)
  • Opt-in source, consent timestamp, and opt-out status
  • Message delivery records and engagement logs

Categories of Data Subjects: Customers of the Controller who have opted in to receive WhatsApp reminders.

3. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or international organisation, unless required to do so by applicable law.
  • Ensure that persons authorised to process the personal data have committed themselves to confidentiality.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: row-level security (RLS) on all database tables; encryption in transit (TLS/HTTPS) and at rest; access controls restricting production access to authorised personnel only.
  • Not engage sub-processors without prior written authorisation from the Controller (general authorisation is granted for the sub-processors listed in Section 5).
  • Assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection law.
  • Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation.
  • Delete or return all personal data to the Controller upon termination of the services, and delete existing copies unless applicable law requires storage.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA.

4. Controller Obligations

The Controller warrants and represents that:

  • It has obtained all necessary consents, permissions, and lawful bases for processing Data Subjects' personal data, including consent to receive WhatsApp messages.
  • It will comply with all applicable data protection laws in its jurisdiction, including UK GDPR, EU GDPR, Saudi PDPL, and any other applicable regional frameworks.
  • It will not instruct the Processor to process personal data in a manner that would violate applicable law or Meta's WhatsApp Business Terms of Service.
  • It will ensure Data Subjects are informed of their rights and how to exercise them, including the right to opt out by replying STOP.
  • It will notify the Processor promptly of any data subject requests relating to data processed via Tadhkir.

5. Sub-Processors

The Controller grants general authorisation to the Processor to engage the following sub-processors. The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object:

  • Supabase Inc (USA) — database hosting and authentication. Transfers covered by Standard Contractual Clauses (SCCs).
  • Stripe Inc (USA) — payment processing. PCI-DSS Level 1 certified. SCCs in place.
  • Meta Platforms Inc / WhatsApp (USA) — message delivery via WhatsApp Business API. Subject to Meta's Data Processing Terms.
  • Netlify Inc (USA) — application hosting and CDN. SCCs in place.
  • Anthropic PBC (USA) — AI features where enabled. No customer personal data (name, phone) is transmitted to Anthropic.

6. International Data Transfers

All sub-processors listed in Section 5 operate under appropriate transfer mechanisms, including Standard Contractual Clauses (SCCs) approved by the UK ICO or the European Commission, or adequacy decisions where applicable. The Processor will not transfer personal data to any country without ensuring an adequate level of protection.

7. Security Measures

The Processor has implemented the following technical and organisational measures:

  • Row-Level Security (RLS) on all database tables — each Controller can only access its own data
  • All data in transit encrypted via HTTPS/TLS 1.2+
  • All data at rest encrypted by Supabase (AES-256)
  • Service role keys stored as environment secrets, never exposed client-side
  • Production access restricted to authorised Istibqa Ltd personnel only
  • HSTS enforced (max-age=31536000; includeSubDomains)
  • Regular security reviews and dependency updates

8. Personal Data Breaches

In the event of a personal data breach involving data processed on the Controller's behalf, the Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, providing:

  • A description of the nature of the breach, including categories and approximate number of Data Subjects and personal data records concerned.
  • The name and contact details of the data protection contact point.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach.

The Controller is responsible for notifying the relevant supervisory authority (e.g. the UK ICO) and affected Data Subjects where required by applicable law.

9. Data Retention and Deletion

  • Customer data (names, phone numbers, visit records): retained for the duration of the Controller's subscription and deleted within 30 days of account closure upon written request.
  • Message delivery logs: retained for up to 12 months for operational purposes.
  • Opt-in and opt-out records: retained for 6 years for compliance and audit purposes.
  • Payment records: retained for 7 years as required by UK law.

10. Governing Law and Disputes

This DPA is governed by the laws of England and Wales. Any dispute arising from or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

This DPA supplements and forms part of the Tadhkir Terms of Service. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail in respect of data processing matters.

11. Contact

For DPA-related enquiries, to exercise Controller rights, or to request a signed copy of this DPA:

Istibqa Ltd
27 West Park Terrace, Bradford, BD8 9SQ, United Kingdom
Email: [email protected]
Tel: +44 7760 979458
Company No. 17089113 · Registered in England and Wales