Data Protection Addendum

Last Updated: December 22, 2025

1. Introduction

This Data Protection Addendum ("DPA") forms part of the Terms of Service between Gloora AI (F.Z.C.) ("Processor") and the business Partner ("Controller") using our Services.

This DPA sets out the terms for processing personal data in compliance with the EU General Data Protection Regulation (GDPR), UAE Federal Decree-Law No. 45 of 2021, and other applicable data protection laws.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion)
  • Controller: The Partner who determines the purposes and means of processing
  • Processor: Gloora AI, which processes data on behalf of the Controller
  • Sub-processor: Third parties engaged by Gloora AI to process data

3. Scope of Processing

Subject Matter: Provision of the Gloora AI platform services

Duration: For the term of the Agreement plus any legally required retention period

Categories of Data Subjects: Partner's customers, staff, and business contacts

Types of Personal Data: Names, contact information, appointment history, preferences, payment data

Processing Operations: Storage, retrieval, transmission, analysis as necessary to provide the Services

4. Processor Obligations

Gloora AI shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure persons processing data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to data subject requests
  • Assist with data protection impact assessments when required
  • Delete or return all personal data upon termination
  • Make available information necessary to demonstrate compliance
  • Notify the Controller of data breaches without undue delay

5. Sub-processors

The Controller authorizes Gloora AI to engage sub-processors for:

  • Cloud infrastructure and hosting
  • Payment processing
  • Email and communication services
  • Analytics and monitoring

We maintain a list of current sub-processors and will notify the Controller of changes. The Controller may object to new sub-processors within 30 days.

6. Security Measures

We and our third-party infrastructure providers implement security measures including:

  • Encryption of data in transit (SSL/TLS) and at rest
  • Strict access controls and multi-factor authentication
  • Regular security testing and audits of our infrastructure
  • Incident response procedures
  • Employee training on data protection
  • Physical security of data centers operated by our sub-processors

While we strive to use commercially acceptable means to protect Personal Data, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

7. International Transfers

Personal data may be transferred outside the EEA or UAE. By using the Services, the Controller acknowledges and agrees that data may be hosted on servers located in the United States or other jurisdictions operated by our sub-processors.

We ensure appropriate safeguards through:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions where applicable
  • Binding Corporate Rules where applicable

8. Data Subject Rights

We will assist the Controller in fulfilling data subject rights requests including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

9. Audits

The Controller may request verification of our compliance with this DPA. Audit rights are limited to:

  • Documentation Review: We will provide relevant security certifications, compliance reports, and third-party audit summaries upon reasonable written request (no more than once per year)
  • Questionnaires: We will complete reasonable written security questionnaires
  • Sub-processor Certifications: We will provide copies of security certifications held by our infrastructure sub-processors (e.g., SOC 2, ISO 27001)

No Physical Access: Due to our use of third-party cloud infrastructure, we cannot provide physical access to data centers or facilities operated by our sub-processors. All audits shall be conducted through documentation and written correspondence only.

The Controller shall bear the costs of any audit activities.

10. Liability

Liability under this DPA is subject to the limitations set forth in the Terms of Service. Each party is liable for damages caused by processing in violation of applicable data protection laws.

11. Contact for Data Protection

For data protection inquiries, contact us at:

Email: legal@gloora.ai
