Customer Data Processing Agreement

Last updated April 2025

Introduction

This Data Processing Agreement (“DPA”) is entered into between the Customer, including any of its Affiliates, and Dexta.io, and forms part of the Agreement governing the provision of Dexta.io’s services (the “Services”) to the Customer. This DPA reflects the parties’ agreement with respect to the processing of Customer Personal Data in accordance with:

  • The General Data Protection Regulation (EU) 2016/679 (GDPR),
  • The Saudi Personal Data Protection Law (PDPL) enacted by Royal Decree M/19 of 2021 and its implementing regulations,
  • And any other applicable data protection laws and regulations.

Scope

This DPA applies to the processing of Customer Personal Data by Dexta.io acting as a processor on behalf of the Customer. It governs all End User Data processed by Dexta.io in connection with the Services, whether such data is processed in the European Economic Area (EEA), the Kingdom of Saudi Arabia (KSA), or elsewhere.

Definitions

Unless otherwise defined herein, terms shall have the meanings set forth in the Agreement or under applicable Data Protection Laws, including GDPR and PDPL.

  • Agreement: Dexta.io’s Terms of Service or other master agreement between the parties.
  • Data Protection Laws: GDPR, PDPL, and any applicable laws and regulations relating to the processing of personal data.
  • Customer Personal Data: Personal data processed by Dexta.io on behalf of the Customer, including but not limited to logs, telemetry, user data, IP addresses, active directory details, uploaded test data, and candidate evaluations.
  • GDPR: General Data Protection Regulation (EU) 2016/679.
  • PDPL: The Personal Data Protection Law of the Kingdom of Saudi Arabia issued by Royal Decree M/19.
  • Supervisory Authority:
    • Under GDPR: A supervisory authority established under Article 51 of the GDPR.
    • Under PDPL: The Saudi Data and Artificial Intelligence Authority (SDAIA) or any successor regulator.
  • Security Incident / Personal Data Breach: Any unauthorised or unlawful access, loss, disclosure, or alteration of Customer Personal Data.
  • Information Security Measures: The technical and organisational measures implemented by Dexta.io to ensure a level of security appropriate to the risk.
  • Standard Contractual Clauses (SCCs): The clauses adopted by the European Commission on 4 June 2021 pursuant to Article 46(2)(c) of the GDPR.

Responsibilities as a Data Processor

4.1 Instructions

Dexta.io shall process Customer Personal Data only on documented instructions from the Customer, unless otherwise required by applicable law.

4.2 Processing Required by Law

If Dexta.io is required to process data under applicable law, including EU or KSA law, it will notify the Customer unless legally prohibited from doing so.

4.3 Compliance

Dexta.io shall comply with all obligations imposed on data processors under GDPR Article 28 and PDPL Articles 20–30, including maintaining records of processing and implementing safeguards.

4.4 Data Subject Rights

Dexta.io will assist the Customer in fulfilling obligations to respond to data subjects' requests under:

  • GDPR Articles 12–23, including access, rectification, erasure, and objection, and
  • PDPL Articles 4–8, which grant similar rights under Saudi law.

4.5 Data Protection Impact Assessments

Dexta.io shall assist the Customer in conducting impact assessments and prior consultations with Supervisory Authorities, pursuant to GDPR Article 35 and PDPL Article 30.

4.6 Confidentiality

All personnel authorised to process Customer Personal Data are subject to confidentiality obligations in accordance with GDPR Article 28(3)(b) and PDPL Article 20.

4.7 Sub-Processors

The Customer authorises Dexta.io to engage sub-processors listed in Appendix 1. Dexta.io will:

  • Notify the Customer at least 15 days in advance of new sub-processors.
  • Ensure sub-processors are contractually bound to data protection terms equivalent to this DPA.
  • Remain liable for their compliance.

4.8 Cross-Border Transfers

Under GDPR, Dexta.io will implement SCCs and, where appropriate, additional technical and contractual safeguards following Schrems II.

Under PDPL, Dexta.io shall not transfer personal data originating in Saudi Arabia outside the Kingdom except where:

  • Required to fulfil contractual obligations;
  • It has notified or obtained approval from SDAIA;
  • There are adequate protections in place.

4.9 Security Measures

Dexta.io has implemented appropriate technical and organisational measures (e.g., encryption, access controls, recovery plans) per GDPR Article 32 and PDPL Article 20.

4.10 Security Incidents

In the event of a Personal Data Breach, Dexta.io will:

  • Notify the Customer without undue delay;
  • Provide details of the breach and mitigation actions;
  • Assist the Customer in complying with notification obligations under GDPR Articles 33–34 and PDPL Article 22.

4.11 Audit Rights

Upon request, Dexta.io shall provide the Customer with relevant documentation and certifications (e.g., ISO 27001, SOC 2) and allow audits under reasonable conditions.

4.12 Retention and Deletion

Upon termination of the Agreement, Dexta.io shall:

  • Delete or return all Customer Personal Data unless retention is required by law (e.g., PDPL Article 30 or financial recordkeeping rules).
  • Provide a certificate of deletion upon request.

Details of Processing

5.1 Subject Matter

Processing of Customer Personal Data in connection with Dexta.io’s Services.

5.2 Duration

For the duration of the Agreement or as required by law.

5.3 Purpose

To enable Dexta.io to provide Services to the Customer.

5.4 Nature of Processing

Includes but is not limited to collection, analysis, storage, transmission, access, retrieval, and deletion.

5.5 Categories of Data Subjects

  • Customer’s employees, contractors, or other personnel;
  • End users and candidates evaluated via the platform.

5.6 Categories of Data

  • Name, contact info, job title, role, test results;
  • System identifiers, logs, telemetry, online behavior;
  • Security data, including file uploads and IP addresses.

5.7 Sensitive Data

Sensitive data (e.g., racial/ethnic data, biometrics) will only be processed where:

  • Explicitly provided by Customer,
  • Permitted under GDPR Article 9 or PDPL Article 6.

5.8 Frequency

Processing occurs continuously as necessary to deliver the Services.

End User Data

Customer agrees and acknowledges that Dexta.io may process certain anonymised or pseudonymised user-level telemetry and event data for legitimate interests such as improving the Services and ensuring platform security, consistent with GDPR Article 6(1)(f) and PDPL Article 4(3).

Compliance with Laws

Each party shall comply with all applicable Data Protection Laws. The Customer affirms that it has obtained all necessary consents and has a valid legal basis for transferring personal data to Dexta.io.

PCI Compliance

Although Dexta.io is not a payment processor, it follows PCI DSS-aligned security controls where payment data may be incidentally processed.

Limitations of Liability

This DPA does not expand or restrict liability provisions in the Agreement unless explicitly required by applicable Data Protection Laws.

Conflict

In the event of a conflict between this DPA and other contractual documents, this DPA shall govern with respect to personal data processing.

Appendix – Authorised Sub-Processors