Data processing addendum

1. Subject matter and scope

This DPA governs the processing by Qeyda (the “Processor”) of personal data on behalf of the Customer (the “Controller”) in the course of providing the Qeyda services. It is intended to align with the Egyptian Personal Data Protection Law (Law 151 of 2020) and, where applicable, the EU General Data Protection Regulation (GDPR).

2. Definitions

“Personal data”, “processing”, “controller”, “processor”, and “data subject” have the meanings given to them under applicable data-protection law.

3. Nature and purpose of processing

Qeyda processes personal data only to the extent necessary to provide the contracted services, which include receiving bank-feed data, reading receipts, producing financial reports, and providing the customer interface and support around those activities.

4. Categories of data and data subjects

• Data subjects: the Customer's employees, contractors, and any counterparties referenced on the Customer's receipts and bank transactions.
• Categories of data: identification data (names, business contact details), financial transaction data (amounts, dates, counterparties), and any additional content the Customer chooses to upload.

5. Processor obligations

• Process personal data only on documented instructions from the Controller.
• Ensure that personnel authorised to process the data are bound by confidentiality.
• Implement appropriate technical and organisational security measures.
• Assist the Controller in responding to data-subject requests.
• Notify the Controller of any personal-data breach without undue delay.
• Make available the information necessary to demonstrate compliance with this DPA.

6. Sub-processors

The Customer authorises Qeyda to engage sub-processors to provide infrastructure, email, analytics, and error-monitoring services. Qeyda maintains a current list of sub-processors and will provide it on request. Where Qeyda intends to add or replace a sub-processor, the Customer will be notified and may object on reasonable data-protection grounds.

7. International transfers

Where personal data is transferred outside Egypt, Qeyda will comply with the licensing, adequacy, and consent requirements of the Egyptian Personal Data Protection Law and, where the GDPR applies, use appropriate safeguards such as Standard Contractual Clauses or rely on permitted exceptions.

8. Security

Qeyda implements measures designed to ensure a level of security appropriate to the risk, including encryption in transit and at rest, strict access controls, segmented environments, vulnerability monitoring, and logging.

9. Data subject rights

Qeyda will assist the Controller, by appropriate technical and organisational measures, to respond to requests from data subjects exercising their rights of access, rectification, erasure, restriction, objection, and portability.

10. Audits

The Controller may, no more than once per year and on reasonable prior notice, request a written summary of Qeyda's compliance with this DPA, or audit reports from Qeyda's sub-processors where available. On-site audits will be considered case by case where required by applicable law.

11. Return and deletion of data

On termination of the services, Qeyda will return or delete all personal data processed on behalf of the Controller, except where retention is required by applicable law.

12. Liability

The liability of the parties under this DPA is subject to any limitations of liability set out in the Qeyda subscription terms accepted by the Customer.

13. Contact

For DPA-related queries, including sub-processor lists and security documentation, email [email protected].