# Data Processing Addendum (DPA) — Template

> **Status:** Template. This DPA forms part of the Master Services
> Agreement (MSA) between Vigilant Entities ("Processor") and the
> Customer ("Controller"). Defined terms not used here have the meaning
> ascribed in the MSA. **Version 1.0 — effective on countersignature.**

---

## 1. Subject Matter & Duration
1.1 **Subject matter.** Processing of Customer Personal Data by Vigilant
Entities for the sole purpose of providing the Amwāl OS / Vigilant
Entities platform (the "Services").
1.2 **Duration.** This DPA remains in effect for the duration of the
underlying MSA plus any post-termination data return / deletion period
required by Section 11.

## 2. Nature & Purpose of Processing
| Item | Description |
|------|-------------|
| **Nature** | Hosting, storage, transmission, redaction, and analytical processing of Controller data through the Services. |
| **Purpose** | Provision of the Services as described in the Order Form / MSA. |
| **Categories of Data Subjects** | Controller's employees, contractors, customers, prospects, founders, investors, partners, and authorised end-users. |
| **Categories of Personal Data** | Identification (name, email, phone, role), authentication data (hashed), business records (deals, valuations, narratives), IP / device metadata, audit-log evidence. |
| **Special Categories** | None unless explicitly uploaded by Controller (Controller responsibility). |

## 3. Controller & Processor Obligations
3.1 **Controller** warrants that it has a lawful basis for the
Processing of Personal Data and that any instructions to Processor
comply with Data Protection Laws.
3.2 **Processor** shall:
  • Process Personal Data only on documented instructions from the
    Controller (the MSA, this DPA, configuration in the Services).
  • Ensure that personnel authorised to Process Personal Data are
    bound by appropriate confidentiality obligations.
  • Implement the technical and organisational measures set out in
    Annex II ("Security Measures").
  • Assist Controller in fulfilling its obligations to respond to Data
    Subject requests (Articles 12–22 GDPR).
  • Assist Controller with its obligations under Articles 32–36 GDPR
    (security, breach notification, DPIA, prior consultation).

## 4. Sub-processors
4.1 Controller grants general written authorisation for Processor to
engage Sub-processors listed in Annex III ("Sub-processor Register").
4.2 Processor shall notify Controller of any intended addition or
replacement of Sub-processors at least **thirty (30) days** in
advance, by updating the Sub-processor Register at
`https://vigilantentities.com/trust`.
4.3 Controller may object on reasonable grounds within fifteen (15)
days; Processor shall use commercially reasonable efforts to
accommodate the objection, failing which Controller may terminate the
affected portion of the Services for cause without penalty.

## 5. Cross-Border Transfers
5.1 Personal Data is stored in **GCC region data centres** by default.
EU / UK Personal Data, if any, is processed under the **2021 Standard
Contractual Clauses** (Module 2 — Controller-to-Processor), which are
incorporated by reference into this DPA. The UK IDTA addendum applies
to UK transfers.

## 6. Data Subject Rights
6.1 Processor shall, to the extent legally permitted, promptly notify
Controller if it receives a request from a Data Subject.
6.2 Processor shall provide self-service tooling in the Services (the
"Privacy Center") allowing Controller to export, rectify, restrict,
and erase Personal Data without Processor intervention.

## 7. Personal Data Breaches
7.1 Processor shall notify Controller without undue delay, and in any
event within **forty-eight (48) hours**, of becoming aware of a Personal
Data Breach. Notice shall describe (a) the nature of the breach, (b)
likely consequences, (c) measures taken or proposed, (d) the point of
contact.
7.2 Processor shall maintain a contemporaneous record of the breach,
its containment, eradication, and recovery in the audit chain.

## 8. Audits & Inspections
8.1 Processor makes available all information necessary to demonstrate
compliance with Article 28 GDPR, in the form of:
  • the Security Overview, Threat Model, RBAC Matrix, Incident Response
    Playbook, Backup & Restore Runbook, Vendor Risk Register, and
    Dependency Audit (all downloadable from `/trust`);
  • CycloneDX SBOM for backend and frontend;
  • Live audit-chain verifier at `/api/trust/verify`.
8.2 On reasonable notice and at Controller's expense, Processor will
permit one (1) audit per twelve-month period by a mutually agreed
independent auditor bound by confidentiality.

## 9. Confidentiality
9.1 Each party shall protect Personal Data and Confidential Information
with at least the same degree of care it uses to protect its own
Confidential Information, but in no event less than reasonable care.

## 10. Liability & Indemnification
Liability under this DPA is governed by the limitation of liability
clause in the MSA, except where Data Protection Laws explicitly forbid
limitation.

## 11. Return & Deletion
11.1 On termination of the MSA, Processor shall, at Controller's
choice, return or securely delete all Personal Data within **thirty
(30) days**, except where retention is required by law. Cryptographic
audit-log entries necessary to evidence integrity may be retained for
the period mandated by applicable record-keeping obligations.

## 12. Governing Law
This DPA is governed by the laws stipulated in the MSA. To the extent
this DPA conflicts with the MSA in respect of Personal Data, this DPA
prevails.

---

## ANNEX I — Parties

**Controller**
- Legal name: _______________________________________
- Address: __________________________________________
- Authorised signatory: _____________________________
- Title: ____________________________________________
- Email (DPO / privacy lead): ________________________

**Processor**
- Legal name: Vigilant Entities (operating Amwāl OS)
- Authorised signatory: Syed Amer
- Title: Founder & Maker
- Email: security@vigilantentities.com
- DPA contact: privacy@vigilantentities.com

## ANNEX II — Security Measures

| Domain | Control |
|--------|---------|
| Encryption in transit | TLS 1.2+ (HSTS preload), ECDHE, modern ciphers |
| Encryption at rest | Storage-level AES-256 (managed DB), per-tenant logical isolation |
| Access control | RBAC (system_admin / holding_admin / founder / investor / incubator_admin) enforced server-side |
| Authentication | bcrypt password hashes, magic-link sign-in, JWT with per-JTI revocation, brute-force lockouts |
| Audit logging | Hash-chained (`audit_chain.py`), publicly verifiable at `/api/trust/verify` |
| Device management | First-seen / last-seen / surgical per-device logout; suspicious sign-in alert emails |
| Network | Rate limiting, security headers (CSP, HSTS, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) |
| Vulnerability mgmt | Quarterly dep-audit (pip-audit + yarn audit), CVE-driven SLA |
| Backups | Snapshot-based, encryption-at-rest preserved, tabletop drill log in `BACKUP_RUNBOOK.md` |
| Incident response | Documented playbook (`INCIDENT_RESPONSE.md`), 48-hour breach notification |

## ANNEX III — Sub-processors (as of issue date)

| Vendor | Purpose | Data Categories | Region |
|--------|---------|-----------------|--------|
| MongoDB Atlas (or self-hosted) | Primary application database | All Customer Personal Data | GCC / configurable |
| Resend | Transactional email delivery (magic links, alerts, wrap-ups) | Email address, message metadata | EU / US |
| Stripe | Payment processing (subscriptions) | Billing contact, payment metadata (no card data) | US (PCI Level 1) |
| AWS (Bedrock + STS) | Internal AI inference (redacted) | Redacted, non-identifying tokens only | Configurable |
| OpenAI / Anthropic / Google (LLM inference) | LLM inference for redacted prompts | Redacted text only — never raw PII | US |

> Always-current list: `https://vigilantentities.com/trust` → Vendor Risk
> Register.

---

*This template was generated from `/app/DPA_TEMPLATE.md`. Replace
placeholder fields, countersign, and store the executed copy in your
contract management system. For questions, contact*
**privacy@vigilantentities.com**.
