← Leadora

Draft for legal review. This document is a starting template and is not legal advice. Placeholders in [brackets] must be completed and the text reviewed by a UAE‑qualified lawyer before use.

Effective 13 July 2026

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between [Company Legal Name] ("Processor", "we") and the customer organisation ("Controller", "you") for the Leadora platform (the "Service"). It applies where we process personal data on your behalf and is designed to align with the UAE Federal Decree‑Law No. 45 of 2021 (the "PDPL").

Where this DPA conflicts with the Terms of Service on the subject of data protection, this DPA prevails.

1. Roles

You are the controller of the personal data you and your users submit to the Service ("Customer Personal Data"). We act as your processor, processing Customer Personal Data only to provide the Service and only on your documented instructions (including as configured through the Service).

2. Subject matter, nature and purpose

  • Subject matter: processing of Customer Personal Data to provide the CRM Service.
  • Nature and purpose: hosting, storage, organisation, retrieval, transmission (including via integrations you configure), and deletion of Customer Personal Data to enable lead management, communication, scheduling, and reporting.
  • Duration: for the term of your subscription and any agreed post‑termination export period.

3. Categories of data subjects and personal data

  • Data subjects: your leads, prospects, clients, contacts, and your own staff/users.
  • Personal data: typically names, phone numbers, email addresses, enquiry details, property preferences, budget, communication history (messages, calls, notes), tasks, and deal information. You control what you enter and should avoid submitting special‑category data unless necessary and lawful.

4. Our obligations as processor

We will:

  1. process Customer Personal Data only on your documented instructions, unless required otherwise by law (in which case we will inform you where legally permitted);
  2. ensure personnel authorised to process the data are bound by confidentiality;
  3. implement appropriate technical and organisational security measures (Annex A);
  4. respect the conditions in Section 5 for engaging sub‑processors;
  5. taking into account the nature of processing, assist you with responding to data‑subject requests;
  6. assist you with security, breach notification, and data‑protection impact assessments where relevant;
  7. notify you without undue delay after becoming aware of a personal‑data breach affecting Customer Personal Data;
  8. at your choice, delete or return Customer Personal Data at the end of the services, and delete existing copies unless retention is required by law; and
  9. make available information reasonably necessary to demonstrate compliance and allow for audits as set out in Section 7.

5. Sub‑processors

You grant general authorisation for us to engage sub‑processors to provide the Service (for example, hosting/infrastructure and the integration providers you connect). We will:

  • impose data‑protection obligations on each sub‑processor no less protective than this DPA; and
  • remain responsible for their performance.

A current list of sub‑processors is available on request. We will give reasonable notice of intended changes so you may object on reasonable data‑protection grounds.

6. International transfers

Where providing the Service involves transferring Customer Personal Data outside the UAE, we will ensure an adequate level of protection consistent with the PDPL, including appropriate contractual safeguards. Data‑residency options may be available on request.

7. Audit

On reasonable prior written notice, and no more than once per year (unless required by a regulator or following a breach), we will make available information reasonably necessary to demonstrate compliance with this DPA, which may take the form of up‑to‑date certifications, summaries of controls, or responses to a reasonable security questionnaire.

8. Data‑subject requests

If we receive a request from a data subject relating to Customer Personal Data, we will, where legally permitted, direct them to you and not respond directly except on your instruction.

9. Breach notification

On becoming aware of a personal‑data breach affecting Customer Personal Data, we will notify you without undue delay and provide information reasonably available to help you meet your obligations under the PDPL, including the nature of the breach, likely consequences, and measures taken.

10. Return and deletion

On termination or expiry, we will, at your choice, return or delete Customer Personal Data within a reasonable period, and delete existing copies except to the extent retention is required by applicable law.

11. Liability and governing law

Liability under this DPA is subject to the limitations in the Terms of Service. This DPA is governed by the laws of the UAE as applied in the [Emirate of \_\_\_\_\_\_].


Annex A — Security measures (summary)

  • Encryption of integration credentials at rest and encryption of data in transit (TLS).
  • Logical tenant isolation so each customer's data is segregated and access‑scoped.
  • Role‑based access control and least‑privilege administrative access.
  • Audit logging of security‑relevant actions.
  • Regular encrypted backups with tested restoration.
  • Access controls, secrets management, and monitoring.
  • Personnel confidentiality obligations.

*(This Annex summarises current measures and may be updated to reflect improvements, provided protection is not materially reduced.)*