Data Processing Agreement
Last updated: June 3, 2026 · Version 0.1
This Data Processing Agreement ("DPA") forms part of the PausePOS Terms of Service. It is required by Article 15 of the UAE Personal Data Protection Law ("PDPL") whenever PausePOS processes personal data on behalf of a Customer.
The Customer ("Controller", "you") — the legal entity that registered the PausePOS Account and determines the purposes and means of processing Personal Data.
PausePOS ("Processor", "we") — the UAE-registered company that processes Personal Data on the Controller's behalf to provide the Service.
1. Roles
The Customer is the Controller for personal data of its own customers, staff, suppliers, and end users submitted to the Service. PausePOS is the Processor for that data.
2. Subject matter, duration, nature, and purpose
| Item | Description |
|---|---|
| Subject matter | Cloud POS, loyalty, e-invoicing, and related business functions. |
| Duration | Term of the Agreement + plan-based post-termination retention (30–365 days). |
| Nature | SaaS hosting, automated processing, storage, retrieval, transmission, deletion. |
| Purpose | Providing and supporting the Service; security; legal compliance. |
3. Documented instructions
PausePOS will process Personal Data only on the Controller's documented instructions, including with regard to cross-border transfers. The Agreement (including this DPA) constitutes the Controller's complete and final instructions.
4. Confidentiality
Persons authorised to process Personal Data are bound by appropriate confidentiality obligations. Our staff with access to Customer Data sign NDAs as part of employment.
5. Security
We implement appropriate technical and organisational measures — encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access control, MFA, audit logging, daily backups, vendor due diligence, and incident response. The complete list of TOMs is set out in Annex II of the full DPA.
Summary of Technical and Organisational Measures (TOMs)
- AES-256 encryption at rest; TLS 1.2+ in transit
- Role-based access control with least privilege
- MFA for all administrator accounts
- Quarterly access reviews; automated off-boarding
- SHA-256 hash-chained audit log (10-year retention)
- Daily automated backups with encrypted storage
- Documented incident response plan; 72h breach notification
- Annual third-party penetration testing
- Bug bounty programme
- Sub-processor security due diligence before engagement
- Mandatory annual data protection and security training
6. Sub-processors
We engage the following sub-processors (full list maintained in Annex III):
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| Contabo GmbH | Cloud hosting, VPS, database | All Customer Data | Germany (Munich) |
| Azure Communication Services | Transactional email (welcome, password reset, notifications) | Email, message content | UAE |
| Stripe | Online payments for PausePOS Plans | Card, billing details | USA / EU / Singapore |
| PayBy | In-person card and wallet payments | Transaction data | UAE |
| ClearTax / Flick | E-invoice ASP submission (PINT-AE) | Invoice XML | UAE / India |
| Sentry | Error and crash monitoring | De-identified error logs | USA / EU |
7. International transfers
Default infrastructure is hosted on Contabo in Germany (EU). Some sub-processors (Stripe, Sentry) may process data outside the UAE. We rely on the EU Standard Contractual Clauses (Module 2/3) as a recognised safeguard. Enterprise Customers can request UAE-only data residency at additional cost.
8. Data subject rights
The Service includes in-app self-service tools (data export, anonymisation, consent management) for the most common PDPL requests. Where these are insufficient, we will assist the Controller within 30 days.
9. Personal data breach
We will notify the Controller of a Personal Data Breach without undue delay, and in any event within 72 hours of becoming aware, by email to the Account administrator.
10. Records of processing (PDPL Art. 14)
We maintain tamper-proof records of processing activities using a SHA-256 hash-chained audit log with 10-year retention.
11. Return or deletion
On termination, the Controller may export all Personal Data in JSON/CSV during the plan-based retention window (Trial: 30d, Starter: 90d, Growth: 180d, Enterprise: per contract). After that, data is permanently deleted from production.
12. Audit rights
The Controller may conduct an on-site audit once per 12 months, on 30 days' notice, at its own cost. We may satisfy this requirement by providing current third-party certifications (ISO 27001, SOC 2 — in progress).
13. Liability
Liability is governed by Section 12 of the Terms of Service, except that each party is liable for direct damages caused by its breach of this DPA, and we are liable for the acts and omissions of our sub-processors.
14. Governing law
This DPA is governed by the laws of the United Arab Emirates, with exclusive jurisdiction of the courts of Dubai, UAE.
Sign or request signature
By signing up for a paid PausePOS plan, the Customer agrees to this DPA. Enterprise customers may request a counter-signed PDF copy by emailing [email protected].