Last updated: 10 Nov 2025
This DPA forms part of the Terms between Mawaaid and the Professional and applies where Mawaaid processes Personal Data as a processor on behalf of the Professional (controller).
This DPA forms part of the Terms between Mawaaid (Processor) and the Professional (Controller) to the extent Mawaaid processes Personal Data on behalf of the Professional in delivering the service (e.g., Notes, appointment files, chat with clients).
This DPA applies for as long as Mawaaid processes Personal Data for the Professional under the Terms.
Processing is limited to providing, maintaining, securing, and supporting the platform. Personal Data may include identification, contact, scheduling, and content entered by the Professional. Data subjects may include the Professional, staff/assistants, and clients.
Mawaaid processes Personal Data only on documented instructions from the Professional, including via the dashboard, settings, and APIs, unless required by law.
Mawaaid ensures that persons authorized to process Personal Data are under confidentiality obligations.
Mawaaid implements appropriate technical and organizational measures described in the Privacy Policy (§10) and will keep them under review.
Mawaaid may engage sub-processors for hosting, storage, messaging, security, analytics, and support. Mawaaid remains responsible for sub-processors and imposes data-protection terms no less protective than this DPA. We will notify the Professional at least 15 days before adding or replacing a sub-processor; the Professional may object on reasonable data-protection grounds. A current list or description is available on request.
Where Personal Data is transferred internationally, Mawaaid will use appropriate safeguards (e.g., contractual clauses or other lawful mechanisms). Where applicable, the Standard Contractual Clauses (SCCs) shall apply and prevail in case of conflict.
Taking into account the nature of processing, Mawaaid will assist the Professional with reasonable technical and organizational measures to address data-subject requests, security incidents, DPIAs, and consultations with authorities, to the extent required by law.
Mawaaid will notify the Professional without undue delay after becoming aware of a Personal Data Breach affecting the Professional’s data, providing information reasonably available for the Professional to meet legal obligations.
Within 30 days of termination or on documented request, Mawaaid will delete or return Personal Data (at the Professional’s choice) and delete existing copies, unless storage is required by law or for the establishment, exercise, or defense of legal claims. Evidence of deletion is available on request.
On reasonable notice and at most once per 12 months (unless required by a supervisory authority), Mawaaid will provide information necessary to demonstrate compliance and, where appropriate, allow audits or inspections, subject to confidentiality and security.
This DPA is governed by Lebanese law; mandatory EU/EEA/UK data-protection law prevails where required. If SCCs apply, their governing law clause controls as to the SCCs.