Definitions

The following definitions apply throughout this Data Processing Agreement (DPA) and all Schedules. They are harmonised across EU, UK, US, and GCC legal frameworks.

Roles of the Parties

Naspro and its clients assume specific roles under Data Protection Laws depending on the service in question.

aEmployment & Contractor of Record Services

Each party acts as an independent Controller for Standard and Premium Employment Services and Contractor of Record (CoR) Services. Details are set out in Schedules 1 and 5 respectively.

bPlatform Services (Processor Relationship)

Where you use Payroll Services, HRIS, Contractor Management Services, Mobility as a Service, and/or Perform, Naspro processes Personal Data on your behalf as a Processor (or Service Provider under CCPA), in line with Section 7. Details are in Schedules 2–4, 6, and 7.

cNaspro Recruit

Where you use Naspro Recruit, Naspro acts as a Controller for personal data of candidates registered on our jobs portal. You are responsible as Controller for personal data of candidates who apply to your job postings.

Term and Data Retention

Personal Data is retained only for the period required by the applicable law of the relevant jurisdiction.

• EU / UK : Retained as required by applicable sectoral law and no longer than necessary for the collection purpose.
• United States : Retained in accordance with applicable federal and state law. CCPA/CPRA requires that Personal Information not be retained longer than reasonably necessary for the disclosed purpose. Specific federal sectoral laws (HIPAA, GLBA) impose their own minimum retention periods.
• Saudi Arabia (PDPL Art. 19) : Destroyed or anonymised once the collection purpose is fulfilled, unless a legal basis for continued retention exists. Employment records: typically 2–10 years under Saudi Labour Law.
• UAE : Deleted after the processing purpose is achieved or upon a valid data subject request, subject to regulatory retention requirements.
• Bahrain (PDPL Art. 10) : Retention limited to the period necessary for the specified purpose or as required by law.
• Qatar (PDPPL Art. 10) : Purpose-limitation retention rules apply.

This DPA remains in force for as long as either party retains Personal Data. Naspro will retain Personal Data necessary to enforce legal rights and to comply with applicable legal obligations.

Mutual Cooperation

Each party shall implement appropriate technical and organisational measures to ensure the security of Personal Data and shall provide reasonable cooperation to enable the other party to:

• Comply with obligations under applicable Data Protection Laws across all jurisdictions;
• Respond to investigations or audits by any regulator, including the Dutch DPA (EU), ICO (UK), FTC and State Attorneys General (US), Saudi NDMO, UAE Data Office, Bahrain PDPA-BH, Qatar MOTC, and equivalent GCC/APAC authorities.

Prior to disclosing Personal Data to the other party, the disclosing party shall satisfy all applicable consent, transparency, and notice requirements under Data Protection Laws, including any mandatory pre-collection notices required under GCC laws and US state privacy laws.

Processors & Sub-Processors

Each party warrants and undertakes that it shall comply, and contractually require its agents, service providers, Processors (or Service Providers under CCPA), and sub-contractors to comply, with all applicable Data Protection Laws. Each party remains independently responsible for the processing it carries out as Controller (or Business under CCPA).

International Transfers — EU & UK

This section governs cross-border transfers of Personal Data subject to the EU GDPR or UK GDPR.

1EU-U.S. Data Privacy Framework

To the extent Naspro is certified to the EU-U.S. Data Privacy Framework, Swiss-US Data Privacy Framework, and/or UK Extension to the EU-US Data Privacy Framework, the applicable framework shall govern relevant transfers for so long as Naspro's certification remains valid.

2Standard Contractual Clauses

Where the EU GDPR applies and Personal Data is transferred to a non-Adequate Country (or an entity not covered by the Data Privacy Framework), the EU SCCs (Commission Implementing Decision (EU) 2021/914) shall apply. Clause 7 (Docking): not applicable. Clause 9 (Sub-Processors – Module 2): Option 2, General written authorisation with 14 days to object. Clause 17/18: laws of the Netherlands; courts of the Netherlands.

3UK International Data Transfer Addendum

Where the UK GDPR applies and Personal Data is transferred to a non-adequate country, the EU SCCs shall apply alongside the ICO's International Data Transfer Addendum issued under s.119A(1) of the Data Protection Act 2018.

International Transfers — GCC & Global

As Naspro's client base is primarily GCC-based, this section is central to our data transfer framework. Payroll and related services may involve transfers to and from any jurisdiction globally.

↳Transfer Safeguards

For cross-border transfers involving GCC Personal Data where no adequacy determination applies, Naspro implements one or more of:

• Contractual clauses imposing data protection obligations on the recipient equivalent to applicable GCC law requirements;
• Binding corporate rules (where available and approved);
• Explicit, informed, and documented consent of the data subject; or
• Necessity for performance of a contract to which the data subject is party.

International Transfers — United States

This section governs the processing and transfer of Personal Data subject to US federal and state privacy laws. The US does not have a single federal privacy law; compliance is governed by a patchwork of state laws and federal sectoral regulations.

1Federal Sectoral Laws

• HIPAA : Where Naspro processes Protected Health Information (PHI) on behalf of a Covered Entity or Business Associate, a separate HIPAA-compliant Business Associate Agreement (BAA) is required and available on request.
• GLBA : Where Naspro processes Non-Public Personal Information (NPI) of consumers of financial institutions, it complies with the GLBA Safeguards Rule, maintaining appropriate administrative, technical, and physical safeguards.
• COPPA : Naspro does not knowingly collect Personal Information from children under 13. Contact dpo@naspro.com immediately if you believe such data has been submitted.
• FERPA : Where applicable to educational records, Naspro acts as a school official with legitimate educational interest and will not disclose education records without consent except as permitted by FERPA.

2EU-US Data Privacy Framework

To the extent Naspro is certified to the EU-U.S. Data Privacy Framework and/or UK Extension, this framework governs relevant transfers of EU/UK Personal Data to Naspro in the United States, providing an adequacy-equivalent mechanism under EU GDPR and UK GDPR.

3US Consumer Rights

Where Naspro acts as a Business (Controller) under US privacy laws, individuals in applicable states have the following rights:

To exercise any US consumer privacy right, submit a verifiable request to dpo@naspro.com. Naspro will respond within 45 days (extendable by a further 45 days where reasonably necessary).

Naspro as Processor

Where Naspro acts as Processor (or Service Provider under CCPA) and you act as Controller (or Business), the following additional terms apply across all services.

1Compliance and Instructions

Naspro will process Personal Data only to the extent necessary to perform its obligations pursuant to these Terms and in accordance with your documented instructions. Naspro will inform you promptly if any instruction, in Naspro's opinion, infringes Data Protection Laws of any applicable jurisdiction.

2Sub-Processors

• Naspro will inform you of any intended changes (addition or replacement) by updating the sub-Processor list, giving you 14 days to object;
• Naspro imposes data protection terms on all sub-Processors providing protection equivalent to this DPA and all applicable Data Protection Laws, including GCC and US laws where applicable;
• Naspro will provide an up-to-date sub-Processor list upon written request.

3Security of Processing

Naspro shall implement technical and organisational measures to keep Personal Data secure against unauthorised or unlawful processing and against accidental loss, destruction, or damage, as detailed in Schedule 9.

4Data Subject Rights Assistance

Naspro will assist you in responding to data subject rights requests across all applicable jurisdictions:

5Audit Rights

Unless Naspro carries out an independent compliance audit and shares results with you, you or your independent third-party auditor may audit Naspro's compliance, subject to: a maximum of once per 12 months; 30 days' advance written notice; mutually agreed scope; and each party bearing its own audit costs.

6Termination Obligations

Upon termination, Naspro will, at your choice, delete or return all Personal Data processed on your behalf and delete existing copies, unless retention is required by applicable law. Naspro will confirm compliance with applicable jurisdiction-specific destruction requirements upon request and provide a deletion certificate.

GCC-Specific Obligations

In addition to the general obligations above, the following jurisdiction-specific obligations apply given Naspro's primary GCC client base.

1Consent and Legal Basis

2Privacy Notices

Both parties shall ensure Privacy Notices provided to data subjects in GCC jurisdictions are provided in Arabic (or bilingual Arabic/English), clearly specify the purpose and legal basis for processing, identify categories of recipients and cross-border transfer safeguards, state the applicable retention period, and inform data subjects of their rights and how to exercise them.

3Data Protection Officer

Saudi PDPL (Art. 30) and UAE law require appointment of a DPO for large-scale or systematic Sensitive Personal Data processing. Each party is independently responsible for determining whether DPO appointment is required. Naspro's DPO: dpo@naspro.com.

3Data Localisation

• Saudi Arabia : Government data and certain health data may require local storage per Saudi NDMO classification decisions.
• UAE : Health data and critical infrastructure data may require local storage.
• Qatar : Government and sensitive data may require storage within Qatar's borders.

Naspro will notify you in writing of any localisation requirement affecting the Services and will implement local processing or storage solutions where technically feasible.

5Marketing and Direct Communications

Any use of Personal Data for direct marketing in GCC jurisdictions requires prior explicit opt-in consent, a clear withdrawal mechanism, and compliance with applicable anti-spam laws including Saudi Arabia's Anti-Spam Policy issued by the CST.

Miscellaneous

1Governing Law

To the extent this DPA relates to EU GDPR processing, it is governed by the laws of the Netherlands. To the extent it relates to UK GDPR processing, the laws of England and Wales apply. To the extent it relates to GCC or US jurisdictions, the mandatory provisions of those laws apply regardless of governing law clauses.

2Order of Precedence

This DPA prevails over the main Terms of Service to the extent of any conflict with respect to data protection matters. Mandatory provisions of applicable Data Protection Laws prevail over this DPA to the extent of any conflict.

3Amendments

Naspro may amend this DPA from time to time to reflect changes in applicable Data Protection Laws or regulatory guidance. Naspro will provide at least 30 days' notice of any material amendments. Continued use of the Services after the effective date constitutes acceptance.

Processing Details

The following schedules detail the roles, data categories, purposes, and jurisdiction-specific obligations for each Naspro service.

Technical & Organisational Security Measures

Full certification details are available at trust.naspro.com. Naspro maintains ISO 27001 and SOC 2 Type II certifications. Certificates available upon request.