Data Processing Agreement
Last updated: February 2026
This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service or other written agreement (the "Principal Agreement") between Oris AI, a company incorporated under the laws of the United Arab Emirates with its principal place of business in Dubai ("Processor" or "Oris AI"), and the entity agreeing to these terms ("Controller" or "Customer"). This DPA governs the processing of personal data by Oris AI on behalf of the Customer in connection with the provision of Services under the Principal Agreement. This DPA is entered into to ensure compliance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("PDPL"), DIFC Data Protection Law No. 5 of 2020 where applicable, and any other relevant data protection legislation.
1. Definitions
In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given to them in the Principal Agreement or the PDPL.
- "Personal Data" means any data relating to an identified or identifiable natural person that is processed by Oris AI on behalf of the Customer in connection with the Services.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Sub-processor" means any third party engaged by Oris AI to process Personal Data on behalf of the Customer.
- "Personal Data Breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- "UAE Data Office" means the competent authority established under the PDPL for the supervision and enforcement of data protection in the United Arab Emirates.
2. Scope and Nature of Processing
The Customer (as Controller) instructs Oris AI (as Processor) to process Personal Data solely for the purpose of providing the Services described in the Principal Agreement. The nature of processing includes:
- Receiving, storing, and transmitting customer support messages across WhatsApp, voice, and web chat channels
- Processing conversation content through AI models to generate automated responses
- Embedding and indexing document content in vector databases for retrieval-augmented generation
- Performing language detection, sentiment analysis, and intent classification on message content
- Generating analytics, reports, and aggregated insights from conversation data
- Detecting and redacting personally identifiable information where configured by the Customer
The categories of Data Subjects include the Customer's end consumers, customer support agents, and authorized account users. The types of Personal Data processed may include names, phone numbers, email addresses, WhatsApp identifiers, message content, voice recordings, transaction references, and any other personal data contained within conversations or uploaded documents.
3. Obligations of the Processor
Oris AI shall:
- Process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data outside the UAE, unless required to do so by UAE law. In such case, Oris AI shall inform the Customer of that legal requirement before processing, unless prohibited by law from doing so.
- Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain the technical and organizational security measures described in Section 6 of this DPA.
- Not engage another processor (Sub-processor) without prior specific or general written authorization of the Customer, as described in Section 5 of this DPA.
- Taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights under the PDPL.
- Assist the Customer in ensuring compliance with the obligations relating to the security of processing, notification of Personal Data Breaches to the UAE Data Office, communication of such breaches to Data Subjects, and data protection impact assessments, taking into account the nature of processing and the information available to Oris AI.
- At the choice of the Customer, delete or return all Personal Data to the Customer after the end of the provision of Services, and delete existing copies unless UAE law requires storage of the Personal Data.
- Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
4. Obligations of the Controller
The Customer shall:
- Ensure that it has a valid legal basis under the PDPL for the collection and processing of Personal Data, and that all necessary consents have been obtained from Data Subjects where consent is the legal basis for processing.
- Provide documented processing instructions to Oris AI and ensure that such instructions comply with applicable data protection laws.
- Be responsible for the accuracy, quality, and legality of the Personal Data provided to Oris AI and the means by which it was acquired.
- Promptly notify Oris AI of any changes to applicable data protection laws or regulations that may affect the performance of this DPA.
- Inform its End Users about the processing of their Personal Data through an appropriate privacy notice that meets the transparency requirements of the PDPL.
5. Sub-processors
The Customer provides general written authorization for Oris AI to engage Sub-processors to assist in providing the Services. The current list of Sub-processors is as follows:
- Anthropic (United States): AI model inference for response generation
- Cohere (Canada): Text embedding for semantic search and retrieval
- Supabase (United States): Cloud database hosting and vector storage
- Vercel (United States): Application hosting and edge functions
- Twilio (United States): Voice and messaging infrastructure
- Meta Platforms (United States): WhatsApp Business API
- Clerk (United States): User authentication and identity management
- Cartesia (United States): Text-to-speech voice synthesis
Oris AI shall notify the Customer in writing at least thirty (30) days before adding or replacing any Sub-processor, giving the Customer the opportunity to object to such changes. If the Customer reasonably objects to a new Sub-processor on data protection grounds, Oris AI shall use commercially reasonable efforts to make available an alternative arrangement. If no alternative is feasible, the Customer may terminate the affected Services without penalty upon written notice to Oris AI.
When engaging a Sub-processor, Oris AI shall impose on the Sub-processor, by way of a contract, the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees that appropriate technical and organizational measures are implemented. Oris AI shall remain liable for the acts and omissions of its Sub-processors.
6. Technical and Organizational Security Measures
Oris AI implements and maintains the following technical and organizational measures to ensure a level of security appropriate to the risk of processing:
- Encryption: All Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption.
- Access Controls: Role-based access control (RBAC) with least-privilege principles. Multi-factor authentication is required for all administrative access. API keys and credentials are stored in encrypted environment variables.
- Multi-tenant Isolation: Each Customer's data is logically isolated through tenant-specific database partitioning. Queries are scoped to the authenticated tenant at the application layer.
- PII Redaction: Automated detection and redaction of personally identifiable information including phone numbers, email addresses, national ID numbers, passport numbers, credit card numbers, and IBAN codes.
- Monitoring and Logging: Application error monitoring via Sentry. Audit logs record all significant actions (data access, modifications, deletions) with timestamps and user identifiers.
- Incident Response: Documented incident response procedures for detecting, containing, and resolving security incidents. Health check endpoints monitor system components continuously.
- Network Security: SSRF protection blocking private IP ranges, cloud metadata endpoints, and internal network addresses. Input validation and sanitization on all API endpoints.
- Prompt Security: Protection against prompt injection attacks on AI model inputs, including wrapping untrusted content in XML delimiters and truncating it before it reaches the model.
7. Personal Data Breach Notification
In the event of a Personal Data Breach, Oris AI shall notify the Customer without undue delay, and in any event within forty-eight (48) hours of becoming aware of the breach. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected
- The name and contact details of the Oris AI point of contact from whom more information can be obtained
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects
Oris AI shall cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach. The Customer is responsible for notifying the UAE Data Office and affected Data Subjects in accordance with Articles 9 and 10 of the PDPL where required.
8. International Data Transfers
The Customer acknowledges that certain Sub-processors listed in Section 5 are located outside the UAE. Oris AI shall ensure that any transfer of Personal Data to a jurisdiction outside the UAE is made in compliance with Article 22 of the PDPL and the regulations and decisions issued by the UAE Data Office regarding cross-border data transfers. Appropriate safeguards for international transfers include:
- Data processing agreements with Sub-processors incorporating standard contractual clauses approved by the UAE Data Office or equivalent recognized authority
- Assessment that the receiving jurisdiction provides an adequate level of data protection, as determined by the UAE Data Office
- Implementation of supplementary technical measures, including encryption and pseudonymization, where the adequacy of the receiving jurisdiction has not been confirmed
Where DIFC Data Protection Law No. 5 of 2020 applies, international transfers shall additionally comply with the requirements of Part 7 of that law, including any adequacy determinations or appropriate safeguards recognized by the Commissioner of Data Protection.
9. Data Subject Rights
Oris AI shall, taking into account the nature of the processing, assist the Customer in responding to requests from Data Subjects exercising their rights under the PDPL, including the right of access, rectification, erasure, restriction of processing, data portability, and the right to object. Where Oris AI receives a request directly from a Data Subject, it shall promptly redirect the request to the Customer, unless otherwise instructed. Oris AI shall not respond to a Data Subject request directly without the Customer's prior written authorization, unless required by applicable law. The Customer may use the Oris AI dashboard to export, modify, or delete End User data in response to valid Data Subject requests.
10. Audits and Compliance
Upon reasonable written request (no more than once per calendar year, unless a Personal Data Breach has occurred), Oris AI shall make available to the Customer information necessary to demonstrate compliance with this DPA. The Customer, or an independent third-party auditor appointed by the Customer and approved by Oris AI (such approval not to be unreasonably withheld), may conduct an audit of Oris AI's processing activities and security measures. The Customer shall provide at least thirty (30) days' written notice before any audit and shall conduct the audit in a manner that minimizes disruption to Oris AI's operations. Audit findings and all information obtained during the audit shall be treated as confidential information of Oris AI. If an audit reveals a material non-compliance, Oris AI shall promptly remediate the finding at its own expense.
11. Data Retention and Deletion
Upon termination or expiry of the Principal Agreement, or upon the Customer's written request, Oris AI shall, at the Customer's election, either return all Personal Data to the Customer in a structured, commonly used, and machine-readable format, or securely delete all Personal Data within thirty (30) days. Oris AI shall confirm deletion in writing upon the Customer's request. Oris AI may retain Personal Data to the extent required by applicable UAE law, provided that such retention is limited to the minimum data and duration necessary to satisfy the legal requirement. Any retained data shall continue to be protected in accordance with this DPA.
12. Term, Termination, and Survival
This DPA shall take effect on the date the Customer first accesses or uses the Services and shall remain in effect for as long as Oris AI processes Personal Data on behalf of the Customer. Termination of the Principal Agreement shall automatically trigger the data return or deletion procedures described in Section 11. The provisions of this DPA that by their nature should survive termination shall continue in effect, including Sections 6 (Security Measures), 7 (Breach Notification), 8 (International Transfers), 10 (Audits), and 11 (Retention and Deletion).
13. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the United Arab Emirates, as applicable in the Emirate of Dubai, consistent with the governing law provision of the Principal Agreement. Any dispute arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution mechanism set out in the Principal Agreement.
Enterprise customers requiring a signed copy of this DPA or wishing to discuss specific data processing requirements can contact legal@getoris.ai.