Data Processing Agreement

Last updated: 2026-04-21

Draft — pending legal review

This document is a draft prepared on 2026-04-21. It has not yet been reviewed by licensed legal counsel. Do not rely on it for legal purposes.

Parties

Data Controller: The Customer (agency or broker) identified in the Service Agreement.

Data Processor: in5 Tech DDA Free Zone LLC ("DealPilot"), Knowledge Building, Dubai Silicon Oasis, Dubai, UAE.

Scope & Purpose

This Agreement governs DealPilot's processing of personal data on behalf of the Data Controller for the purpose of delivering DealPilot platform services, including: lead management, deal management, compliance, and content generation.

Processor Obligations

  • Process personal data only on documented instructions from the Controller
  • Ensure authorized personnel are bound by confidentiality
  • Implement appropriate security measures per GDPR Article 32
  • Assist the Controller in fulfilling data subject rights requests
  • Notify the Controller immediately of any government requests for data access

Sub-Processors

The Controller authorizes DealPilot to use the sub-processors listed in the Privacy Policy. DealPilot will notify the Controller 30 days before adding any new sub-processor.

Security

  • AES-256-GCM encryption for PII at rest
  • TLS 1.3 for all data in transit
  • Multi-factor authentication for all administrative access
  • Annual third-party penetration testing
  • Vulnerability management program

Breach Notification

DealPilot will notify the Controller within 72 hours of discovering any personal data breach, in accordance with GDPR and UAE PDPL requirements.

Data Subject Rights

DealPilot will assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability) within 30 days.

Data Transfers

Any transfer of data outside the UAE is subject to appropriate safeguards, including Standard Contractual Clauses with sub-processors in the USA and EU.

Deletion & Return

Upon termination, DealPilot will delete or return all personal data within 30 days, subject to legal retention requirements (e.g., AML records).

Audit Rights

The Controller may conduct one annual audit with 30 days' prior notice. This may be satisfied by SOC 2 or ISO 27001 reports when available.

Liability

Each party's liability under this Agreement is subject to the liability caps set out in the Master Service Agreement.