1. Overview

This document sets out how personal data is processed within the systems, platforms, and services provided by Tawazy for Information Technology (hereinafter "Tawazy" or "Service Provider"). It applies to all Tawazy products and services in which Tawazy acts as a Data Processor on behalf of its clients, including software-as-a-service platforms, hosted applications, and implementation and support services. It defines the obligations of each party under the Saudi Personal Data Protection Law (PDPL) and its Implementing Regulations.

2. Definitions

• Personal Data: any data, of any form, that may directly or indirectly identify a natural person.
• Sensitive Personal Data: data revealing racial or ethnic origin, religious or political belief, criminal records, biometric or genetic data, health data, or data identifying a person's family relations.
• Processing: any operation performed on personal data, including collection, recording, storage, use, transfer, disclosure, or destruction.
• Data Controller: the party that determines the purpose and means of processing.
• Data Processor: the party that processes personal data on behalf of the Controller.
• Data Subject: the natural person to whom the personal data relates.
• Sub-processor: a third party engaged by the Processor to carry out part of the processing.
• Personal Data Breach: a security incident leading to unauthorized access, disclosure, alteration, destruction, or loss of personal data.

3. Roles

The Client acts as the Data Controller and determines the purposes and means of processing. Tawazy acts as the Data Processor and processes personal data only on the Client's documented instructions. Tawazy does not use personal data for its own purposes, does not sell personal data, and does not combine personal data across clients except for aggregated, non-identifying analytics needed to operate and improve its systems and services.

4. Scope of Processing

Tawazy processes personal data for the duration of the service agreement. Processing covers the operations needed to deliver the contracted systems and services, including hosting, storage, transmission, backup, support, and decommissioning. Any processing outside this scope requires written instructions from the Client.

5. Categories of Personal Data

The categories of personal data processed depend on the systems and services contracted by the Client, and may include:

• Identification data: full name, national ID or Iqama number, passport details, date of birth, nationality, and copies of identity documents.
• Contact data: phone numbers, email addresses, and postal addresses.
• Employment and HR data: job title, employment dates, payroll records, attendance and leave records, performance evaluations, and qualification documents.
• Financial and banking data: banking details, invoice and payment records, and credit information where applicable.
• Commercial data: vendor and customer names, commercial registration numbers, tax identifiers, and authorized signatory details.
• Transactional and account data: account history, communication logs, support tickets, and transaction records.
• Technical and usage data: user identifiers, login records, IP addresses, device information, and audit logs generated by Tawazy systems.

6. Categories of Data Subjects

Employees, contractors, job applicants, customers, prospects, vendors, and any other natural persons whose data is entered into Tawazy systems by the Client.

7. Purposes of Processing

Personal data is processed to deliver, operate, and support the contracted systems and services. This includes the business operations for which the Client uses Tawazy systems, along with hosting, system administration, technical support, billing, security monitoring, and the production of reports and audit trails required by law or by the Client.

8. Lawful Basis

The Client confirms that processing is based on at least one lawful basis under the PDPL: the consent of the data subject, the performance of a contract to which the data subject is a party, compliance with a legal obligation, the protection of vital interests, or the legitimate interests of the Controller where these are not overridden by the rights of the data subject. The Client is responsible for selecting and documenting the applicable basis for each processing activity.

9. Data Subject Rights

Data subjects exercise the rights granted to them under the PDPL by submitting requests to the Client as Controller, with Tawazy's support as Processor.

10. Security Measures

Tawazy applies organizational and technical measures appropriate to the risk, including:

• role-based access control with least-privilege defaults;
• multi-factor authentication for administrative access;
• encryption of data in transit and at rest using industry-standard methods;
• network segmentation between environments;
• centralized logging, retention of audit trails, and monitoring for anomalous activity;
• regular vulnerability scanning and patch management;
• secure software development practices, including code review and dependency scanning;
• backup and tested restore procedures;
• background screening, confidentiality agreements, and security awareness training for personnel with access to personal data.

11. Data Retention

Personal data is retained for the period required to deliver the contracted services and to meet applicable legal, regulatory, accounting, and operational requirements. Tawazy applies retention schedules aligned with Saudi labor, tax, and commercial law and reviews these periodically. At the end of the applicable retention period, personal data is securely deleted or irreversibly anonymized.

12. Sub-processors

Tawazy may engage sub-processors to support hosting, infrastructure, monitoring, and operations. Each sub-processor is bound by written terms that impose data protection obligations equivalent to those in this document. A current list of sub-processors is available to the Client on request. Tawazy notifies the Client in advance of any addition or replacement of sub-processors and gives the Client a reasonable opportunity to object on legitimate data protection grounds.

13. International Data Transfers

Personal data is hosted within the Kingdom of Saudi Arabia by default. Tawazy does not transfer personal data outside the Kingdom unless the transfer is permitted under the PDPL and its Implementing Regulations and any required approvals or safeguards are in place. Where the Client instructs a transfer outside the Kingdom, the Client is responsible for confirming that the transfer is lawful.

14. Incident and Breach Management

Tawazy maintains an incident response process covering detection, containment, investigation, remediation, and post-incident review. On becoming aware of a personal data breach affecting Client data, Tawazy notifies the Client without undue delay. The notification includes:

• a description of the nature of the breach;
• the categories and approximate number of data subjects and records affected;
• the likely consequences;
• the measures taken or proposed to address the breach and mitigate its effects;
• a contact point for further information.

The Client is responsible for any notification to the Competent Authority and to affected data subjects.

15. Data Subject Request Handling

On receipt of a data subject request relating to Client data, Tawazy forwards the request to the Client without delay and provides reasonable assistance. Tawazy does not respond directly to data subjects unless instructed in writing by the Client.

16. Termination and Deletion

On termination of the service agreement or on written request, Tawazy deletes the personal data, unless retention is required by law. Deletion is confirmed in writing on request.

17. Limitation of Liability

To the extent permitted by law, Tawazy is not responsible for:

• the Client's compliance with its own legal obligations as Controller;
• the accuracy, lawfulness, or relevance of personal data provided by the Client;
• decisions made by the Client based on the output of Tawazy systems.

Nothing in this document limits any obligation that cannot be excluded under applicable law.

18. Amendments

Tawazy may update this document to reflect changes in law, service offerings, or security practices. Material changes are communicated to the Client in writing in advance of taking effect.

19. Governing Law

This document is governed by the laws of the Kingdom of Saudi Arabia. Disputes are resolved in accordance with the dispute resolution clause of the underlying service agreement.

20. Cookies

Tawazy systems use only cookies and similar technologies that are strictly necessary to deliver the contracted services. These include cookies for session management, user authentication, security, and load balancing. Tawazy does not deploy tracking, advertising, or analytics cookies. Where the Client integrates third-party tools that introduce additional cookies into the systems, the Client is responsible for any consent or notice required from data subjects.

21. Contact

Privacy queries: [email protected]