data processing agreement

Last updated: April 1, 2026

This Data Processing Agreement ("DPA") forms part of the Enterprise EULA between Royex Technologies LLC ("Processor") and the customer ("Controller") to ensure compliance with applicable data protection regulations including UAE PDPL, KSA PDPL, and GDPR where applicable.

1. scope

This DPA applies to all personal data the Controller processes through the Okommerce platform.

2. roles

The Controller determines purposes and means of processing. The Processor (Royex) processes personal data only on documented instructions from the Controller.

3. security

The Processor implements appropriate technical and organizational measures including: encryption in transit and at rest, access controls with role-based permissions, regular security audits, and incident response procedures.

4. sub-processors

The Processor may engage sub-processors only with prior notice. The Controller has the right to object to new sub-processors. Current sub-processors: cloud hosting providers, email delivery services, analytics services.

5. data subject rights

The Processor will assist the Controller in responding to data subject requests for access, rectification, erasure, restriction, portability, and objection.

6. breach notification

The Processor will notify the Controller within 72 hours of becoming aware of any personal data breach.

7. data return / deletion

On termination, the Processor will return or delete all personal data within 30 days unless legally required to retain.

For DPA execution: legal@okommerce.com