Data Processing Agreement

This Data Processing Agreement (hereinafter — the Data Processing Agreement) is an integral part of the Terms of Service (hereinafter — the Agreement) with the User and applies to the processing of personal data (hereinafter — the Personal Data) when the User uses the Platform.

The Administration provides the User with the Platform, which can be used by the User to process Personal Data.

Processing and storage of the Personal Data processed (including collected, stored and published) by the Users on websites created by them using the Platform shall be carried out legally, for a period determined by the User themselves and shall be carried out by the Administration on the basis of this Data Processing Agreement, which is a legal basis for processing the Personal Data by the Administration.

If you do not agree with the terms of the Data Processing Agreement, you may not use the Platform to work with the Personal Data. The fact of using the Platform to work with Personal Data is recognized as consent to the terms and conditions of the Data Processing Agreement.

This document consists of the following sections:
Terms and Definitions
Subject of the Data Processing Agreement
Representations and Warranties of the Controller
Rights, Obligations and Responsibilities of the Processor
Rights, Obligations and Responsibilities of the Controller
Privacy and Security
Information Security Breach
Applicable Law and Dispute Resolution

Terms and Definitions

For the purposes of this Data Processing Agreement, the terms shall be used in the meaning specified below:

Controller is the User, as defined in the Agreement, a person who is a Personal Data Controller in terms of UAE Federal Decree Law No. 45/2021 on the Protection of Personal Data or Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) (hereinafter collectively — the Law).
Processor is the Administration, as defined in the Agreement, processing Personal Data on behalf of the Controller and being a Processor in terms of the Law.
Personal Data subject is an individual to whom the Personal Data relates, as defined in the Law.
Personal Data is any data relating to an identified individual or an individual who can be identified directly or indirectly by linking the data by reference to an identifier such as his/her name, voice, image, identification number, electronic identifier, geographic location or one or more physical, physiological, cultural or social characteristics as defined in the Law and processed by the Controller using the Platform.
User Data is the information that may contain Personal Data, downloaded or processed by the Controller using the Platform.
Sensitive Personal Data is any information that directly or indirectly discloses the race, ethnicity, political or philosophical opinions, religious beliefs, criminal record, biometric data or any data relating to the health of such individual, such as his or her physical, psychological, mental, bodily, genetic or sexual condition, including any information relating to the provision of health care services to such individual that discloses his or her health status as defined in the Law.
Biometric Personal Data is any Personal Data obtained as a result of special technical processing relating to the physical, physiological or behavioural characteristics of the Personal Data Subject that identifies or confirms the unique identification of the Personal Data Subject, such as facial image or fingerprint data as defined in the Law.

The Data Processing Agreement may use other terms not defined above, that will be interpreted in accordance with the Agreement and the Law.

1. Subject of the Data Processing Agreement

1.1. The Controller instructs, and the Processor assumes the obligation to carry out actions to process the Personal Data of clients (visitors of the Websites) of the Controller, which are processed or will be processed by the Controller using the Platform.

1.2. Basic provisions regarding Personal Data processing:

Personal Data; The content, list and volume of Personal Data shall be determined by the Controller and is not controlled by the Processor. At the same time, the Processor shall not process sensitive and biometric Personal Data Grounds for processing of Personal Data;Processing shall be carried out as part of fulfillment of contractual obligations, on behalf of the Controller Types of processing of Personal Data; Structuring and storage (in this case, the Processor does not provide hosting services, structuring and storage of Personal Data is carried out on facilities leased by the Processor). Transfer (Carried out by the Platform by transmitting data entered by visitors to the Websites through web forms on the Websites into data collection tools connected by the Controller to the Websites (including into the Platform Forms subsystem and/or into Tilda CRM). To ensure reliability during such transfer and handle cases of unavailability of receiving services, data can be cached on the Platform servers with subsequent clearing of the cache after successful transfer. Moreover, in this case, the Platform and/or the Processor shall not record, systematize, store, change and use the Personal Data using Personal Data databases, but only perform the function of transmitting data from web forms into which visitors of the Websites enter it, to data collection tools connected to them by the Controller. The default data caching period shall be 30 days and can be configured by the Controller independently. Distribution (Carried out by the Controller independently by publishing the Personal Data on the Websites, in this case fulfilling the requirements of the Law in terms of obtaining the necessary consents of Personal Data subjects shall be the responsibility of the Controller). Providing access to Personal Data shall be carried out by the Controller through the use of the functions and settings of the Platform (Providing access to third parties shall be carried out and managed by the Controller independently using the"Collaborators" function of the Platform, in this case ensuring the existence of legal grounds for such access shall be the responsibility of the Controller). Processing shall be carried out by placing the Platform on facilities rented by the Processor in data processing centers provided by partners with which agreements have been concluded guaranteeing the security of the Personal Data processed by them: Hetzner and GCore Retention period for Personal Data; Personal Data shall be stored for the period specified by the Controller, but not longer than the validity period of the Agreement, unless otherwise provided by the requirements of United Arab Emirates legislation Deletion of Personal Data; Shall be carried out by the Controller independently during the validity period of the United Arab Emirates, and after its expiration it shall be carried out by the Processor upon achieving the goals of Personal Data processing and fulfilling the requirements of United Arab Emirates legislation Duration of the Data Processing Agreement; During the entire period of the Controller’s use of the Platform in accordance with the Agreement, including the period of blocking the Account

Personal Data; Email (collection shall be configured by the User, processed if collected by the User), phone (collection shall be configured by the User, processed if collected by the User), name (collection shall be configured by the User, processed if collected by the User), other data that the Platform Controller wants to collect (except for Sensitive and Biometric Personal Data) Grounds for processing of Personal Data; Processing shall be carried out as part of fulfillment of contractual obligations, on behalf of the Controller Types of processing of Personal Data; Collection takes place on the Website created on the Platform, through data transmission to connected data collection services. Structuring (in this case, the Processor does not provide hosting services, structuring and storage of Personal Data shall be carried out on facilities leased by the Processor, the "Forms" subsystem of the Platform shall be used to organize storage). The Personal Data shall be used by the Controller in the Controller’s personal account at (if the Controller enables the "Forms" subsystem as the service for data collection). Data distribution (transmission) shall be carried out to third-party services enabled by the Controller in the Personal Account. Transfer (access) shall be carried out by the Controller through the use of the functions and settings of the Platform (Providing access to third parties shall be carried out and managed by the Controller independently using the "Collaborators" function of the Platform, in this case ensuring the existence of legal grounds for such access shall be the responsibility of the Controller) Retention period for Personal Data; Personal Data shall be stored for the period specified by the Controller, but not longer than 30 days and the validity period of the Agreement, unless otherwise provided by the requirements of United Arab Emirates legislation Deletion of Personal Data; Personal Data can be deleted by the Controller or automatically within the period established by the Controller, but not later than 30 days from the date of receipt of the data, unless otherwise provided by the requirements of United Arab Emirates legislation Duration of the Data Processing Agreement; During the entire period of the Controller’s use of the Platform in accordance with the Agreement, including the period of blocking the Account

Personal Data; Processed before delivery payment: email (collection shall be configured by the User, processed if collected by the User), phone (collection shall be configured by the User, processed if collected by the User), name (collection shall be configured by the User, processed if collected by the User), other data that the Controller wants to collect (except for sensitive and biometric Personal Data). Processed if delivery required: address (if the goods need to be delivered) Processed if payment required: other data that the Controller wants to collect (except for sensitive and biometric Personal Data), last 4 digits of the card, card expiry date Grounds for processing of Personal Data; Processing shall be carried out as part of fulfillment of contractual obligations, and on behalf of the Controller Types of processing of Personal Data; Collection takes place on the Website created on the Platform (if the Controller enables the "Forms" subsystem as a service for data collection). Structuring, storage - takes place on the "Forms", "Catalog" and "Delivery" subsystems of the Platform (if the Controller enables these subsystems). The Personal Data shall be used by the Controller in the Controller’s personal account in the "Leads" section (if the Controller enables the "Forms" subsystem as the service for data collection). Use (viewing) of anonymized Personal Data shall be available in the Administrative Panel to resolve issues from the Controller’s Clients. Data distribution (transmission) shall be carried out to third-party services enabled by the Controller in the Personal Account, as well as to services enabled in the "Catalog" subsystem. Distribution (access provision) shall be carried out by the Controller through the use of the functions and settings of the Platform (Providing access to third parties shall be carried out and managed by the Controller independently using the "Collaborators" function of the Platform, in this case ensuring the existence of legal grounds for such access shall be the responsibility of the Controller) Retention period for Personal Data; Personal Data shall be stored for the entire duration of the agreement/for the periods established by the current United Arab Emirates legislation, except for the "Forms" subsystem, where Personal Data shall be stored for no longer than 30 days, unless otherwise provided for by the requirements of United Arab Emirates legislation Deletion of Personal Data; Personal Data shall be deleted by the Controller upon achievement of the processing purposes, unless otherwise provided for by the requirements of United Arab Emirates legislation. Deletion of data from the "Forms" subsystem occurs automatically within the period established by the Controller, but no later than 30 days from the date of receipt of the data. Deletion from the "Delivery" and "Catalog" subsystems occurs upon expiration of the agreement and deletion of the Account Duration of the Data Processing Agreement; During the entire period of the Controller’s use of the Platform in accordance with the Agreement, including the period of blocking the Account

2. Representations and Warranties of the Controller

2.1. The Controller represents and warrants that it:
1) Received Personal Data by legal means;
2) Has legal grounds for processing Personal Data (including the consent of the subjects of Personal Data or other legal basis for transfer of Personal Data, including cross-border), entrusting processing of Personal Data to the Processor and its partners (including those located outside the United Arab Emirates) and distribution of Personal Data using the Platform, if such distribution is carried out);
c) Complies with the principles and rules for processing Personal Data provided for by United Arab Emirates legislation;
d) Does not use and will not use the Platform for processing sensitive and biometric Personal Data.

2.2. The Controller guarantees that any person authorized by the Controller and processing Personal Data using the Platform acts on behalf of the Controller and in accordance with its instructions. In this case, the Controller shall be liable to the Processor if the specified person violates the terms of the Data Processing Agreement.

2.3. Representations and guarantees of the Controller specified in clause 2.1 shall be reliable at any time/period of Personal Data processing within the framework of the Data Processing Agreement.

2.4. The Controller acknowledges and understands the fact of processing Personal Data when using the Platform.

3. Rights, Duties and Responsibilities of the Processor

3.1. The Processor undertakes to comply with the purpose and limitations of Personal Data processing specified in the Data Processing Agreement.

3.2. The Processor undertakes to execute the Data Processing Agreement independently, as well as with the involvement of third parties specified on the Processor’s website in the Privacy Policy, remaining responsible to the Controller for the fulfillment of its obligations under the Data Processing Agreement.

3.3. The Processor shall be obliged to maintain confidentiality and ensure security of Personal Data in accordance with the requirements of the applicable law.

3.4. The Processor undertakes to cooperate in good faith with the Controller and provide it with reasonable assistance in considering and resolving requests (complaints, demands) regarding the Data Processing Agreement. In particular, the Processor, having received such a request, shall be obliged to notify the Controller thereof within five (5) business days from the occurrence of the specified event by sending a corresponding notification to the email address specified by the Controller when registering in the Personal Account.

3.5. The Processor shall be liable to the Controller for execution of the Data Processing Agreement, including for the actions (inaction) of its employees who gained access to the Personal Data processed under the Controller’s Data Processing Agreement, which resulted in the disclosure of such Personal Data, within the amount of actual damage confirmed by documents, but in any case, total property liability of the Administration to the Controller cannot exceed the amount of the cost of the Tariff paid by the Controller and valid during the period of occurrence of events that are the basis for the occurrence of property liability of the Administration.

4. Rights, Obligation and Responsibility of the Controller

4.1. The Controller shall be responsible to the Personal Data subject for the actions performed by the Processor when executing the Data Processing Agreement.

4.2. The Controller shall make its own decision and be responsible for determining whether the Platform is suitable for processing Personal Data in accordance with United Arab Emirates law, as well as for using the Platform in accordance with the Controller’s legal obligations.

4.3. The Controller shall, independently and at its own expense, develop and place on the Websites it uses all documents required by the applicable law regarding the collection and processing of Personal Data by the Controller, and shall be responsible for their correctness and completeness.

4.4. The Controller shall independently select service providers and data collection systems and services enabled by the Controller to the fields of web forms on the Websites and used by the Controller to collect Personal Data, and shall also be independently responsible for fulfilling the requirements of the Law when organizing the collection of Personal Data using such systems and services.

4.5. The Controller shall be entitled, no more than once a year, to request from the Processor documents and other information confirming the adoption of measures and compliance with the requirements established in the Data Processing Agreement for the purpose of executing the Controller’s Data Processing Agreement.

4.6. The Controller shall be responsible for the security of the means of protection of access to the Platform he/she has chosen, and also independently ensure their confidentiality.

4.7. The Controller shall be responsible for all actions, as well as their consequences, when using the Platform, while all actions performed in the Account shall be considered to have been carried out by the Controller themselves.

4.8. The Controller shall be responsible for responding to requests from Personal Data subjects and third parties regarding the Controller’s use of the Platform for the purpose of Personal Data processing.

4.9. The Controller shall be responsible for considering requests from Personal Data subjects related to the exercise of their rights, including in cases where the use of the Platform by the Controller affects the rights of these persons.

4.10. The Controller undertakes to provide the Processor with confirmation of the existence of legal grounds for processing Personal Data and the fact of proper notification of the Personal Data subject about their transfer, within five (5) calendar days from the date of receipt of the corresponding request from the Processor.

4.11. In the event that the Processor is presented with claims and demands from third parties, including from Personal Data subjects and authorized bodies, in connection with the execution of the Data Processing Agreement, including in the event of a claim about the unlawfulness of the Processor’s processing of Personal Data processed by the Controller using the Platform, the Controller shall be obliged to settle independently such claims on its own and at its own expense, to protect the Processor from possible losses and participation in the consideration of claims, demands and possible litigation. If it becomes necessary for the Processor to participate in resolving the above-mentioned claims and/or demands, the Processor shall be entitled to demand from the Controller compensation for losses and expenses incurred in connection with such participation, including, but not limited to, the costs of a representative, negotiations and other expenses.

4.12. In the event of claims being made against the Processor from third parties, including from Personal Data subjects and authorized bodies, in connection with the execution of the Data Processing Agreement, including in the event of a claim about the unlawfulness of the Processor’s processing of Personal Data processed by the Controller using the Platform, which will result in a court order on the collection of funds from the Processor, which has entered into legal force, the latter shall be entitled to demand from the Controller compensation to the Processor for expenses incurred in the process of resolving a legal dispute and in execution of a court decision, as well as all legal costs and losses incurred by the Processor in full.

4.13. The Controller shall bear the risk of being unable to use the Website and/or Platform arising as a result of the Processor’s fulfilling the obligation to stop processing the Personal Data on the basis of the Controller’s Data Processing Agreement.

5. Confidentiality and Security

5.1. The Controller undertakes to establish requirements for the protection of the processed Personal Data in accordance with the Law, upon that, this obligation applies exclusively to the Controller and should not be interpreted as establishing requirements for protection of the processed Personal Data determined by the Controller to the Processor.

5.2. The Processor shall take the necessary confidentiality and security measures when executing the Data Processing Agreement using automation tools in accordance with the requirements specified in the Law. More detailed information is provided in the Privacy Policy.

6. Information Security Breach

6.1. The Controller shall take necessary and sufficient measures, including monitoring and managing access to the Platform, in order to prevent breaches of information security when processing Personal Data using the Platform. Responsibility for choosing the necessary protection and safety measures, the sufficiency and reliability of these measures lies with the Controller. In the event of an Information Security Breach due to the actions or inaction of the Controller, the latter undertakes to immediately, but no later than forty-eight (48) hours from the date of detection of the event, notify the Processor, and the Processor shall be relieved of responsibility for the security and confidentiality of the data processed within the framework of the Data Processing Agreement.

6.2. If the Processor becomes aware of any security breach that leads to accidental or illegal transfer (provision, distribution, access) of Personal Data (hereinafter referred to as "Information Security Breach") and carries risks of privacy, confidentiality and security of Personal Data Subjects, whose Personal Data has been affected by a security breach (as defined in Article 34 of the Law), the Processor shall immediately upon becoming aware of it (1) notify the Controller of the Information Security Breach and (2) take reasonable measures to mitigate the consequences and minimize any or damage resulting from the Information Security Breach.

6.3. The Processor shall provide the Controller with necessary and sufficient information and support related to such an event that the Controller may need to fulfill its obligations under the Law, as well as to reduce the negative consequences that may arise as a result of such an event.

6.4. The Processor's obligation to report or respond to such Information Security Breach in accordance with this section shall not constitute an admission on the part of Processor of any fault or liability in connection with the Information Security Breach.

7. Applicable Law and Dispute Resolution

7.1. This Agreement shall be governed by and subject to interpretation in accordance with the law of the United Arab Emirates.

7.2. All disputes that may arise between the Parties in the course of execution of the Agreement shall be resolved through negotiations.

7.3. The Processor reserves the right to unilaterally amend and/or supplement the terms and conditions of the Data Processing Agreement by posting the amended text on the Internet at the following link: https://tilda.cc/dpa/. With each actual use of the Platform for processing of Personal Data, the Controller confirms its agreement with the terms and conditions of the Data Processing Agreement in the version in force at the time of actual use of the Platform for processing of Personal Data.

The current version of the Data Processing Agreement is dated 31.05.2024