Tokra — Data Processing Addendum (DPA)

Contract terms for processing Customer Personal Data under PDPL/GDPR and comparable laws.

Effective: 28 Aug 2025 | Last Updated: 28 Aug 2025

1) Introduction & Scope

  • 1.1 This DPA forms part of the master agreement, terms of use, order form or other contract between the parties (the Service Agreement). If there is a conflict between this DPA and the Service Agreement regarding processing of Customer Personal Data, this DPA controls to the extent of that conflict.
  • 1.2 When the Customer uses the Service to process personal data, the parties act as follows: Customer is the Controller; Tokra is the Processor for Customer Personal Data.
  • 1.3 Processing by Tokra of Customer’s account/billing/support data as an independent Controller is outside the scope of this DPA and is covered by Tokra’s Privacy Policy and the Service Agreement.
  • 1.4 This DPA takes into account recent updates to the Saudi PDPL executive regulations (2025) issued by SDAIA and comparable global standards, in addition to GDPR Article 28 requirements.

2) Definitions

Applicable Data Protection Laws: all data protection laws applicable to the processing (e.g., Saudi PDPL and executive regulations, GDPR/UK GDPR, and other national/state laws as applicable).

Customer Personal Data: personal data provided to the Service by or on behalf of Customer, or to which Tokra is given access, for processing under the Service Agreement.

Personal Data Breach: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

Subprocessor: a third-party processor engaged by Tokra to process Customer Personal Data.

Special Categories of Personal Data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; genetic/biometric data; data concerning health or sex life/sexual orientation; and criminal records or offences.

3) Purpose, Legal Basis & Instructions

  • 3.1 Purpose. Tokra processes Customer Personal Data solely to provide, maintain, secure, and support the Service, and to comply with Applicable Data Protection Laws (including supporting Customer notifications to competent authorities such as SDAIA when required).
  • 3.2 Instructions. Tokra will process Customer Personal Data only on documented instructions from Customer as set out in the Service Agreement, this DPA, the authorized use of the Service, and Customer’s written directions. If Tokra believes an instruction infringes Applicable Data Protection Laws, it will notify Customer (unless legally prohibited).
  • 3.3 No secondary use. Tokra will not use Customer Personal Data to train generalized models or for marketing without Customer’s prior written consent.
  • 3.4 Customer responsibilities. Customer is responsible for determining and documenting a lawful basis for processing (e.g., consent where required by law, including explicit consent for certain automated processing under PDPL contexts), configuring the Service appropriately, and providing legally sufficient notices to data subjects.

4) Confidentiality & Personnel

  • 4.1 Tokra ensures that personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations and receive regular privacy/security training.
  • 4.2 Access follows least-privilege and “need-to-know” principles.

5) Security Measures

  • 5.1 Tokra maintains appropriate technical and organizational measures (TOMs) as described in Annex II, including (without limitation): access controls, MFA, encryption in transit and at rest where feasible, environment segregation, vulnerability management, logging/audit, backups, and business continuity/disaster recovery.
  • 5.2 Tokra’s security program is designed with reference to recognized frameworks (e.g., ISO/IEC 27001 and NIST CSF) and includes periodic independent penetration testing.
  • 5.3 Tokra reviews and updates TOMs regularly to address evolving risks.

6) Personal Data Breach Notification

  • 6.1 Tokra will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide available information to assist Customer’s assessment and response (nature of the incident, categories of data/subjects, likely consequences, measures taken/proposed, and a contact point).
  • 6.2 Where PDPL applies, Tokra will assist Customer in making any required notification to SDAIA within 72 hours of awareness, and in notifying affected individuals where required.

7) Assistance with Data Subject Requests & DPIAs

  • 7.1 Tokra will provide reasonable assistance to Customer in responding to data subject requests (access, copy, rectification, deletion, restriction, objection, portability, withdrawal of consent), taking into account the nature of processing. If Tokra receives a request directly, it will redirect it to Customer unless otherwise legally required.
  • 7.2 Tokra will provide reasonable cooperation for Customer’s privacy impact assessments and consultations with supervisory authorities related to the Service.

8) Records & Audit

  • 8.1 Tokra maintains records of relevant processing activities and responses to lawful authority requests, including (where applicable) SDAIA or other competent authorities.
  • 8.2 Upon reasonable prior notice (not more than once per 12 months unless there is a justified reason), Tokra will make available independent reports/attestations and complete security questionnaires. Where necessary, and subject to confidentiality, security, and scheduling constraints, Customer may conduct an on-site or virtual audit by an independent auditor, focused on systems processing Customer Personal Data. Audits must avoid undue disruption and protect other customers and Tokra IP.

9) Subprocessors

  • 9.1 Authorization. Customer authorizes Tokra to use Subprocessors to provide the Service.
  • 9.2 Flow-down. Tokra will enter into written data-processing terms with Subprocessors imposing protections no less protective than this DPA.
  • 9.3 List & notice. Tokra maintains an up-to-date list of Subprocessor categories at /legal/subprocessors (or another reasonable channel) and will notify Customer of material additions.
  • 9.4 Objection. Customer may object on reasonable privacy/security grounds within 10 business days of notice. Tokra will work in good faith to propose an alternative or mitigation. If no reasonable alternative exists, Customer may terminate the affected portion of the Service without penalty for prepaid unused fees.

10) International Transfers & Data Residency

  • 10.1 Tokra may transfer/process Customer Personal Data globally for Service delivery. Tokra will implement appropriate transfer safeguards (e.g., EU SCCs (Module 2/3), UK IDTA/Addendum, or BCRs, as applicable) and conduct Transfer Impact Assessments where appropriate, while applying data minimization.
  • 10.2 Sovereign Mode. Data residency/localization obligations apply only where the parties later execute a product-specific Sovereign Addendum in writing. When in effect, that addendum prevails for its defined scope.

11) Retention, Return & Deletion

  • 11.1 Tokra retains Customer Personal Data only for the minimum period necessary to provide and secure the Service or to meet legal obligations.
  • 11.2 Upon termination or upon Customer’s written request, Tokra will provide commercially reasonable assistance to export Customer Personal Data in a standard format within a reasonable transition window, then delete or anonymize it.
  • 11.3 Data in disaster-recovery or backup systems will be deleted by overwriting on scheduled rotation; Tokra may retain limited logs and records as required by law or for the establishment, exercise, or defense of legal claims.

12) Government & Regulatory Requests

  • 12.1 If Tokra receives a legally binding request from a governmental or regulatory authority for access to Customer Personal Data, Tokra will review the scope and lawfulness, disclose the minimum necessary, and notify Customer prior to disclosure where permitted. Tokra will challenge unlawful or overbroad requests where reasonable.
  • 12.2 Tokra will document requests and disclosures to support Customer compliance.

13) Liability & Indemnity

  • 13.1 Liability allocation and caps follow the Service Agreement. If the Service Agreement does not specify, Tokra’s total aggregate liability arising out of or relating to this DPA in any 12-month period is limited to the fees paid by Customer for the affected Service during that period, to the maximum extent permitted by law.
  • 13.2 Nothing in this DPA excludes or limits liability that cannot be excluded under Applicable Data Protection Laws (including, where mandated, compensation for material or moral harm).

14) Term & Termination

  • 14.1 This DPA remains in effect for the term of the Service Agreement and any reasonable transition period thereafter.
  • 14.2 Upon termination, Section 11 (Return & Deletion) applies.

15) Precedence & Changes

  • 15.1 In case of conflict, the more specific document prevails for its subject matter (e.g., a product-specific Sovereign Addendum prevails for that product).
  • 15.2 Tokra may update this DPA to reflect legal or technical changes with reasonable notice; material adverse changes require Customer’s written agreement or will apply upon renewal.

16) Governing Law & Venue

Unless otherwise specified in the Service Agreement, this DPA is governed by the laws of the State of Delaware, USA (excluding conflict-of-laws rules). Courts in Delaware have exclusive jurisdiction to the extent not prohibited by law.

17) Electronic Execution

This DPA may be executed electronically, including by reference in an order or click-through, and electronic copies are equivalent to originals.

Annex I — Details of Processing (Article 28 GDPR & PDPL)

Subject Matter: Provision, maintenance, security, and support of the Tokra Service.
Nature: Collection, storage, retrieval, use, transmission, and deletion; support interactions; API-based processing and model orchestration as configured by Customer.
Purpose: Deliver the Service, ensure security/fraud prevention, provide support, comply with legal obligations (including assistance with authority notifications).
Duration: For the term of the Service Agreement and any reasonable transition period thereafter.
Data Subjects: End users/customers of Customer; Customer personnel and representatives; other individuals whose data is submitted by Customer.
Categories of Data: Account/contact identifiers; usage and security logs; device/IP identifiers; tokens and API metadata; content submitted by Customer; support diagnostics.
Special Categories: Not processed unless expressly identified by Customer and permitted by law with appropriate safeguards.
Customer Instructions (Initial): Use of the Service in accordance with Tokra documentation, the Service Agreement, and this DPA; additional written instructions as mutually agreed.
Processing Locations: Global, as needed for operations with approved transfer safeguards; or as restricted by a later-executed Sovereign Addendum.
Retention Overview: Minimum necessary. Illustratively: operational logs retained for up to 12 months after account termination unless law requires longer; billing/financial records retained as legally required; backups overwritten on rotation.

Annex II — Technical & Organizational Measures (Summary)

Governance & Roles

  • Documented security/privacy policies
  • Designated security leadership
  • Mandatory training

Access Control

  • Identity management, MFA, least privilege
  • Periodic reviews & automatic lockouts

Encryption & Keys

  • TLS in transit
  • Encryption at rest where feasible
  • Managed keys & rotation

Network Security

  • Segmentation, firewalls/WAF
  • DDoS protections
  • Secure remote access

Secure SDLC

  • Code reviews, secrets management
  • SAST/DAST, supply-chain controls
  • Change management

Vuln Management

  • Scheduled scans & risk ranking
  • Patch SLAs
  • 3rd-party penetration tests

Logging & Monitoring

  • Centralized logging & anomaly detection
  • Audit trails; time-bounded retention

Backups & Recovery

  • Encrypted backups & restore testing
  • BCP/DR plans

Data Isolation

  • Tenant separation
  • Controlled handling in lower envs
  • Masking/fictionalization

Vendor Management

  • Subprocessor due diligence
  • Contractual safeguards
  • Periodic reviews

Incident Response

  • Runbooks; on-call teams
  • Breach comms; post-incident reviews

Privacy by Design/Default

  • Minimization; pseudonymization
  • Precise retention schedules

Individual Rights Handling

  • Authenticated workflows
  • Standardized SLAs; auditable logs

Endpoint Security

  • Managed devices; anti-malware
  • Disk encryption; timely updates

Testing & Assurance

  • Internal/external assessments
  • Remediation tracking; exec oversight

Annex III — Subprocessors

Tokra maintains an updated list of Subprocessors by category (e.g., hosting, email/transactional, performance monitoring, anti-fraud, analytics) at /legal/subprocessors (or another reasonable channel).

Tokra will provide notice of material changes and honor Customer objection rights under Section 9.4.

Processor (Service Provider): Tokra, LLC (United States)
Privacy Contact: privacy@tokra.ai