Tawqee

Data Processing Agreement

Effective: April 28, 2026 · Version 1.0

This Data Processing Agreement (“DPA”) supplements the Terms of Service between you (the “Customer” / “Controller”) and Tawqee, Inc. (“Tawqee” / “Processor”) and governs Tawqee’s processing of personal data on the Customer’s behalf. It is designed to satisfy Article 28 GDPR, the UK GDPR, the Saudi PDPL, and analogous frameworks.

1. Definitions

Capitalized terms have the meanings given in the GDPR and PDPL (e.g., Personal Data, Processing, Data Subject, Subprocessor). “Customer Content” means any documents, signatures, or related metadata that the Customer or its end users submit to the Service.

2. Subject matter and roles

Customer is the Controller of personal data within Customer Content. Tawqee is the Processor. The duration is the term of the underlying agreement plus the export window.

3. Processing instructions

Tawqee will process Personal Data only on the Customer’s documented instructions, including for international transfers. The Service’s features constitute documented instructions; additional instructions must be agreed in writing.

4. Subprocessors

Customer authorizes Tawqee to engage the subprocessors listed at /legal/subprocessors. Tawqee will notify Customer at least 30 days before adding a new subprocessor and Customer may object on reasonable data-protection grounds.

5. Confidentiality

Tawqee personnel with access to Personal Data are bound by written confidentiality obligations and complete annual security and Part 11 awareness training where applicable.

6. Security measures (Annex II)

  • Encryption: TLS 1.3+ in transit; AES-256 at rest (S3 SSE-KMS); column-level encryption for PII (MRN, national ID, contact info).
  • Access control: SSO + MFA mandatory for admins; least-privilege RBAC; quarterly access reviews.
  • Network: VPC isolation, security groups, WAF, DDoS protection at the edge.
  • Audit: append-only hash-chained audit log; tamper detection via verification API.
  • Monitoring: 24x7 alerting on auth anomalies, data egress, integrity failures.
  • Backups: daily PITR for Postgres; quarterly restore drills; S3 Object Lock (WORM) for audit/ and signed/ buckets.
  • Incident response: 24-hour breach notification to Customer; written runbook; annual tabletop exercise.
  • Vulnerability management: dependency scanning on every build; quarterly pen tests; annual SOC 2 Type II audit (in progress).
  • Personnel: annual training; signed NDAs; background checks for engineers with production access.

7. Data subject rights

Tawqee will, taking into account the nature of processing, assist the Customer to respond to data subject requests for access, correction, erasure, restriction, portability, or objection, within 7 calendar days of a verified request.

8. Personal Data Breach

Tawqee will notify the Customer without undue delay and in any event within 24 hours after becoming aware of a Personal Data Breach affecting Customer Content. The notice will include the nature, scope, likely consequences, and measures taken or proposed.

9. Audits

Tawqee will make available to the Customer the most recent SOC 2 Type II report (when issued), ISO 27001 certificate, and pen-test summary. With reasonable notice and at the Customer’s expense, the Customer may audit Tawqee’s compliance with this DPA once per 12-month period (or more frequently after a confirmed Breach).

10. International transfers

Where required, Tawqee enters into the EU Commission’s Standard Contractual Clauses (Module 2) and the equivalent UK and Saudi cross-border safeguards. The Customer hereby authorizes those measures.

11. Return and deletion

On termination, Customer may export Customer Content for 90 days. After that period Tawqee will delete Customer Content from production systems within 30 days and from backups within 90 days, except for records the Customer has identified as subject to 21 CFR Part 11 retention or other legal hold.

12. Liability

The Limitation of Liability in the underlying agreement applies to this DPA.

13. Governing law

The governing law of the underlying agreement applies.

14. Order of precedence

In case of conflict between this DPA and the Terms, this DPA prevails as to data protection matters.

15. Signing this DPA

Customers on the Business plan are deemed to accept this DPA upon checkout. Enterprise customers may request a signed counterpart via legal@tawqee.com.