Data Processing Addendum

Data Processing Addendum

02/19/2026 2026-02-19 5:53

Data Processing Addendum (DPA)

Effective Date: February 02, 2026

Between: Cybros Infotech (“Processor”) and The Client (“Controller”).

1. Scope and Applicability

This DPA applies when CybroERP processes “Personal Data” on behalf of the Client as part of the ERP services. It ensures that both parties comply with applicable data protection laws, including the UAE Federal Decree-Law No. 45 of 2021 and India’s Digital Personal Data Protection Act 2023.

2. Processing Instructions

The Processor shall process Personal Data only:

  • To provide the ERP services (Payroll, CRM, HRMS, Accounting).

  • Based on the documented instructions of the Client.

  • To comply with applicable laws (e.g., VAT filing requirements in UAE/India).

3. Technical and Organizational Measures (TOMs)

The Processor maintains a robust security stack to protect data integrity:

  • Infrastructure: Hosted on AlmaLinux/CloudLinux with kernel-level hardening.

  • Security Suite: Imunify360 for real-time malware scanning and WAF (Web Application Firewall).

  • Backup Policy: Daily encrypted backups via JetBackup with off-site redundancy.

  • Encryption: Forced SSL/TLS 1.3 for all browser sessions and AES-256 for database encryption at rest.

4. Sub-Processors

The Client grants general authorization for the Processor to engage sub-processors (e.g., AWS, Azure, or specialized SMTP providers).

  • Notification: The Processor shall maintain an updated list of sub-processors and notify the Client of any intended changes.

  • Liability: The Processor remains fully liable for the performance of the sub-processor’s data protection obligations.

5. Data Subject Rights

If a data subject (e.g., a Client’s employee) makes a request to exercise their rights (access, correction, or deletion), the Processor will:

  • Notify the Client promptly.

  • Provide the necessary tools within the ERP dashboard for the Client to fulfill the request.

6. Personal Data Breach

In the event of a confirmed data breach, the Processor will notify the Client without undue delay (typically within 24–48 hours). The notification will include:

  • The nature of the breach.

  • The categories of data affected.

  • The measures taken to mitigate the impact.

7. Data Return and Deletion

Upon termination of the Service, the Processor shall, at the choice of the Client, delete or return all Personal Data.

  • Standard Grace Period: 30 days.

  • Exception: Data retained to comply with statutory tax or audit laws in the UAE/India.

Dark

Light

Dark

Light