Data Processing Agreement (DPA)

For personal data the Customer submits to the service, the Customer acts as the data controller and ARISE acts as the data processor, processing personal data only on documented instructions from the Customer.

For data ARISE processes to operate its own business (such as Customer account and billing data), ARISE acts as an independent controller, governed by the ARISE Privacy Policy.

ARISE processes personal data solely to provide, secure, maintain, and support the service as described in the agreement, and as further instructed by the Customer through their authorised use of the service.

The subject matter is the provision of the ARISE platform. The duration of processing matches the term of the agreement, plus any limited retention period described below.

Data subjects may include the Customer’s authorised users and any individuals whose personal data is contained in the content the Customer submits to the service.

Categories of personal data may include account identifiers, contact details, and any personal data contained within prompts, files, and other content the Customer chooses to process through the service.

ARISE will process personal data only on the Customer’s documented instructions, including with regard to transfers, unless required to act otherwise by applicable law. The agreement and the Customer’s configured use of the service constitute the complete and final instructions.

ARISE will inform the Customer if, in its opinion, an instruction infringes the PDPL or other applicable data-protection law.

ARISE ensures that personnel authorised to process personal data are bound by appropriate obligations of confidentiality and have received appropriate data-protection training.

ARISE implements and maintains appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

The Customer authorises ARISE to engage sub-processors to support the provision of the service. ARISE imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA.

A current list of sub-processor categories is maintained at /legal/sub-processors. ARISE will provide a mechanism to be notified of intended changes to sub-processors and to object on reasonable data-protection grounds.

Taking into account the nature of processing, ARISE will assist the Customer, by appropriate measures, in responding to data-subject requests and in meeting the Customer’s obligations regarding security, breach notification, and impact assessments under the PDPL.

ARISE will notify the Customer without undue delay after becoming aware of a personal-data breach affecting the Customer’s personal data, and will provide information reasonably available to assist the Customer in meeting its notification obligations to the competent authority and affected data subjects.

Where ARISE transfers or processes personal data outside the Kingdom of Saudi Arabia, it does so only in accordance with the PDPL and the regulations on transferring personal data outside the Kingdom, applying appropriate safeguards. ARISE aims to host Saudi customer data within the Kingdom or an approved jurisdiction.

Upon termination or expiry of the service, ARISE will, at the Customer’s choice, delete or return the personal data processed on the Customer’s behalf, and delete existing copies unless retention is required by applicable law.

ARISE will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable confidentiality, security, and frequency limits.

This DPA is subject to the limitations of liability set out in the agreement. It remains in effect for as long as ARISE processes personal data on the Customer’s behalf. Where this DPA conflicts with the agreement on the subject of data processing, this DPA prevails.

For DPA execution or data-protection questions, contact privacy@arise.sa.