Data Processing Agreement
1. Background and Incorporation
This Data Processing Agreement is entered into between Toglelabs LLC, registered in the Sharjah Media City Free Zone in the United Arab Emirates ("Processor," "we," "us"), and the Tenant that has accepted the Typeorg Terms and Conditions ("Controller," "you"), and forms part of, and is incorporated by reference into, those Terms (the "Agreement").
This Agreement applies to the extent that Toglelabs processes personal data on behalf of the Controller in the course of providing the Typeorg Service, specifically personal data the Controller, or its Authorised Users, submits about its End Customers, corporate-client contacts, and Staff, which we refer to as "Controller Personal Data." It does not apply to personal data for which Toglelabs acts as an independent controller, which is addressed instead in our Privacy Policy. Capitalised terms not defined here have the meaning given in the Terms and Conditions or the Privacy Policy.
2. Roles of the Parties
The Controller is the data controller, and Toglelabs is the data processor, with respect to Controller Personal Data, for the purposes of the PDPL and any other applicable data-protection law. The Controller is solely responsible for the accuracy, quality, and legality of Controller Personal Data and the means by which it acquired it, for ensuring it has a valid legal basis and, where required, the consent of the relevant individuals to submit Controller Personal Data into the Service and to instruct Toglelabs to process it as described in this Agreement, and for responding to data subject rights requests as described in Section 7, with Toglelabs' reasonable assistance.
3. Subject Matter, Duration, Nature, and Purpose of Processing
The subject matter of this Agreement is Toglelabs' processing of Controller Personal Data in order to provide the Typeorg Service to the Controller. It applies for the term of the Agreement, and thereafter only as needed to comply with Section 10 on return and deletion, and any legally mandated retention.
The nature of the processing involves the collection, storage, organisation, retrieval, use, transmission, and deletion of Controller Personal Data, as necessary to operate the Service's features, including jobs, tasks, customers, companies, documents, expiry tracking, the End Customer Portal, the staff, attendance, and payroll modules, chat, notifications, and the audit trail. The purpose of the processing is solely to provide, maintain, secure, and support the Service to the Controller in accordance with the Agreement and the Controller's documented instructions.
The categories of data subjects involved are the Controller's End Customers, corporate-client contacts, Staff and Authorised Users, and any other individuals whose personal data the Controller submits into the Service. The categories of personal data involved include identity and contact data, identity-document copies such as passports, Emirates IDs, visas, and trade licences, job and task content and communications, HR data such as attendance, salary, and payroll information for Staff, and feedback data.
4. Controller Instructions
Toglelabs will process Controller Personal Data only on the Controller's documented instructions, which are deemed to include the instructions necessary to provide the Service's functionality as described in the Documentation and the Agreement, and any additional instructions the Controller gives through its use of in-Service configuration options, such as enabling or disabling the customer Portal or configuring permission settings, or in writing. If Toglelabs reasonably believes an instruction from the Controller infringes the PDPL or other applicable data-protection law, Toglelabs will inform the Controller without undue delay and may suspend performance of that instruction pending resolution.
5. Confidentiality of Personnel
Toglelabs will ensure that any personnel authorised to process Controller Personal Data are subject to a binding duty of confidentiality, whether contractual or statutory, and receive appropriate training on the handling of personal data, including the heightened handling requirements described in Section 6 of the Privacy Policy for identity-document data.
6. Security Measures
Toglelabs will implement and maintain appropriate technical and organisational measures to protect Controller Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing. At minimum, these measures currently include tenant-level logical data isolation enforced at the application and database layer for every tenant-scoped query, encryption of data in transit, httpOnly and secure authentication cookies paired with short-lived access tokens and rotating refresh tokens that include reuse detection, and industry-standard password hashing for all Account credentials.
They also include granular, server-enforced role-based access controls, file-upload validation through an extension-and-mimetype allow-list applied to every upload entry point, whether used by staff or through the Portal, rate limiting on authentication and other sensitive endpoints, a comprehensive, append-only audit trail of material actions taken within the Controller's workspace, and a restriction of internal Toglelabs personnel access to production Controller Personal Data to what is necessary to provide support, maintain security, or fulfil a legal obligation. Toglelabs may update these measures over time, provided that no change materially decreases the overall level of protection during the term of the Agreement.
7. Assistance with Data Subject Rights
Taking into account the nature of the processing, Toglelabs will provide the Controller with reasonable technical and organisational assistance, insofar as this is possible, to help the Controller respond to requests from data subjects exercising their rights under the PDPL, such as access, rectification, erasure, or restriction. This includes providing in-Service tools such as record edit, soft-delete, and reactivation functionality, and, where such tools are insufficient, reasonable manual assistance on request through [email protected]. If Toglelabs receives a request directly from a data subject relating to Controller Personal Data, it will inform the Controller without undue delay and will not respond to the request itself, other than to direct the data subject to the Controller, unless legally required to do otherwise.
8. Sub-processors
The Controller provides a general authorisation for Toglelabs to engage Sub-processors to assist in providing the Service, subject to the conditions in this section. As of the effective date of this Agreement, Toglelabs engages two Sub-processors to process Controller Personal Data. The first is Cloudflare, Inc., which provides object storage, through Cloudflare R2, for uploaded documents and file attachments, including identity-document copies, with processing typically taking place on Cloudflare's global network or in a region as configured. The second is Resend, which provides transactional email delivery for password resets, invitations, expiry and renewal reminders, and other notifications, handling the recipient's name, email address, and the relevant email content, with processing taking place on Resend's infrastructure as Resend configures it.
Toglelabs will ensure that each Sub-processor is bound by written contractual terms imposing data-protection obligations substantially consistent with this Agreement, and Toglelabs remains liable to the Controller for each Sub-processor's performance to the same extent Toglelabs would be liable if it performed the relevant processing itself. Toglelabs will provide reasonable advance notice, for example by email to the Tenant Admin or through a dashboard notice, before appointing a new Sub-processor that will process Controller Personal Data. If the Controller has a reasonable, documented data-protection objection to a new Sub-processor, it may raise that objection within fourteen days of notice, and the parties will work in good faith toward a resolution; if none is reached, the Controller's sole remedy is to terminate the affected part of the Service in accordance with the Agreement.
9. Cross-Border Data Transfers
Toglelabs is established in the United Arab Emirates. Processing of Controller Personal Data, including by Sub-processors, may take place outside the country in which the Controller or its data subjects are located, including other GCC countries and other jurisdictions where Sub-processor infrastructure is located. Toglelabs will ensure that any such transfer is carried out in a manner consistent with the cross-border transfer requirements of the PDPL, relying as applicable on a transfer to a jurisdiction recognised as providing an adequate level of data protection, appropriate contractual safeguards with the data importer, the data subject's explicit consent obtained by the Controller, or another applicable statutory derogation. The Controller acknowledges that engaging the Service necessarily involves such transfers as a condition of receiving the Service.
10. Return and Deletion of Data
On termination or expiry of the Agreement, Toglelabs will make Controller Personal Data available for export by the Controller for the thirty-day Retrieval Period described in the Terms and Conditions. Following the Retrieval Period, Toglelabs will delete Controller Personal Data from production systems, except to the extent applicable law requires Toglelabs to retain some or all of it, in which case Toglelabs will isolate and protect that data from further processing except as required by that law, and subject to residual copies in routine backups, which will be deleted or overwritten in the ordinary course of Toglelabs' backup-rotation schedule.
11. Audits and Compliance Information
Toglelabs will make available to the Controller information reasonably necessary to demonstrate compliance with this Agreement, which may be satisfied through this Agreement, our published security and product documentation, and responses to a reasonable, written security questionnaire, no more than once per twelve-month period absent a security incident or legal requirement. If the Controller reasonably requires an on-site or systems audit, for example to satisfy its own regulatory obligations, the parties will agree in good faith on reasonable scope, timing, confidentiality protections, and allocation of cost, which the Controller will bear unless the audit reveals a material breach of this Agreement by Toglelabs.
12. Personal Data Breach Notification
Toglelabs will notify the Controller without undue delay after becoming aware of a personal-data breach affecting Controller Personal Data. The notification will, to the extent then known, describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. Toglelabs will provide reasonable cooperation and timely further information as it becomes available, to support the Controller in meeting its own breach-notification obligations to regulators or affected individuals under the PDPL.
13. Liability
Each party's liability arising out of or in connection with this Agreement is subject to the limitations and exclusions of liability set out in the Limitation of Liability section of the Terms and Conditions, which apply here as if set out in full, except that nothing in this Agreement limits a party's liability for a breach of the PDPL or other applicable data-protection law to the extent such liability cannot lawfully be limited.
14. Term and General
This Agreement takes effect on the Effective Date and remains in force for as long as Toglelabs processes Controller Personal Data on behalf of the Controller. In the event of a conflict between this Agreement and the Terms and Conditions regarding the processing of Controller Personal Data, this Agreement prevails. This Agreement is governed by the same governing law and dispute-resolution provisions set out in the General Provisions section of the Terms and Conditions. Toglelabs may update this Agreement to reflect changes in applicable law, Sub-processors, or the Service, using the same notice mechanism described in the Amendments section of the Terms and Conditions for material changes.
15. Contact
Questions about this Agreement can be directed to Toglelabs LLC, operating Typeorg, registered in the Sharjah Media City Free Zone, United Arab Emirates, by email at [email protected].