Data Processing Agreement (DPA)

Effective Date: 1st August 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between:

Data Processor

MSP SecureView LLC-FZ
Meydan Grandstand, 6th Floor
Meydan Road, Nad Al Sheba
Dubai, United Arab Emirates

and

Data Controller

The Customer

This DPA governs the processing of Personal Data by MSP SecureView LLC-FZ (“Processor”) on behalf of the Customer (“Controller”) in connection with the provision of the Services.

1. Definitions

For the purposes of this Agreement:

Applicable Data Protection Law means all applicable privacy and data protection laws relevant to the parties and processing activities, including where applicable:

  • EU General Data Protection Regulation (EU GDPR)
  • UK GDPR
  • United States federal and state privacy laws
  • UAE Federal Decree Law No. 45 of 2021 on Personal Data Protection
  • Other applicable national or regional privacy laws

Controller means the entity determining the purposes and means of processing Personal Data.

Processor means MSP SecureView LLC-FZ.

Personal Data means any information relating to an identified or identifiable natural person.

Processing means any operation performed on Personal Data including collection, storage, use, transmission, disclosure or deletion.

Sub-Processor means a third party engaged by the Processor to assist in providing the Services.

2. Scope and Purpose of Processing

The Processor processes Personal Data solely for the purpose of providing the Services.
Processing activities may include:

  • User account administration
  • Client and contact synchronization
  • Report generation
  • Report delivery
  • Activity and audit logging
  • Email communications
  • AI-assisted report generation
  • Billing administration
  • Platform support
  • Service administration
  • Security monitoring

The Processor shall not process Personal Data for unrelated purposes.

The Processor shall process Personal Data only on the documented instructions of the Controller, except where otherwise required by applicable law. Where applicable law requires processing other than on the Controller’s instructions, the Processor shall inform the Controller before such processing unless prohibited by law.

3. Categories of Personal Data

The Processor may process:

  • Names
  • Email addresses
  • Company names
  • IP addresses
  • Billing information
  • Report recipient information
  • User activity information
  • Audit records
  • Authentication information
  • Client account information
  • Platform usage information
  • AI-generated report content inputs and outputs

4. Categories of Data Subjects

  • Data subjects may include:
  • Customer employees
  • Customer contacts
  • Platform users
  • Report recipients
  • Client contacts

5. Sensitive Data

The Services are not intended for the storage or processing of special category or sensitive personal data.

Customers should not submit:

  • Health information
  • Biometric information
  • Government identification numbers
  • Criminal records information
  • Other special category data as defined by applicable law

If such information is submitted, the Customer remains responsible for ensuring they have an appropriate lawful basis to do so.

6. Processor Responsibilities

The Processor shall:

  • Process Personal Data only as necessary to provide the Services
  • Ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations or are under an appropriate statutory duty of confidentiality.
  • Implement appropriate technical and organizational security measures
  • Restrict access to authorized personnel only
  • Take reasonable steps to prevent unauthorized access, disclosure, alteration or destruction of Personal Data
  • Notify Customers of confirmed security incidents without undue delay
  • Assist Customers where reasonably necessary to satisfy applicable privacy obligations

7. Security Measures

  • The Processor maintains security measures including:
  • Encryption in transit using TLS/HTTPS
  • Encryption at rest using AES-256 encryption
  • Multi-Factor Authentication (MFA) for platform users
  • Role-based access controls
  • Audit logging
  • Secure password handling
  • Access restriction controls
  • Authentication monitoring
  • Security event logging
  • Regular security updates
  • Vulnerability management

Current user roles include:

  • MSP Admin
  • Basic User
  • Read-Only User

The Processor may modify security measures from time to time provided that overall security protections are not materially reduced.

8. Artificial Intelligence Processing

The Services may use third-party artificial intelligence services to assist with generating report content, executive summaries, recommendations and similar outputs.

Information submitted for AI processing may include:

  • Customer names
  • Client names
  • Billing information
  • Report findings
  • Recommendations
  • Operational information required to generate report content

Customers acknowledge that such information may be processed by approved AI Sub-Processors solely for the purpose of providing the Services.

Customers remain responsible for reviewing all AI-generated content before use, distribution or implementation.

The Processor does not guarantee the accuracy, completeness or suitability of AI-generated outputs.

The Processor shall use commercially reasonable efforts to ensure that approved AI Sub-Processors process Personal Data solely to provide AI-assisted functionality within the Services and not for unrelated purposes, subject to the applicable terms governing those AI Sub-Processors.

9. Data Storage and Hosting

The Customer acknowledges and agrees that:

  • The Processor is incorporated in the United Arab Emirates
  • Platform infrastructure is hosted using Amazon Web Services (AWS)
  • Primary hosting is located within the United States
  • Personal Data may be processed and stored within the United States and other jurisdictions utilized by authorized Sub-Processors

The Processor shall implement reasonable safeguards to protect Personal Data regardless of processing location.

10. International Data Transfers

The Customer acknowledges that Personal Data may be transferred internationally where required to provide the Services.

Where legally required, the Processor shall implement appropriate safeguards including:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions where applicable
  • Contractual protections with Sub-Processors
  • Other lawful transfer mechanisms recognized by applicable law

11. Sub-Processors

The Customer authorizes the Processor to engage Sub-Processors necessary to provide the Services.

Current Sub-Processors may include:

  • Amazon Web Services (AWS) – Hosting infrastructure
  • Auth0 – Authentication services
  • Stripe – Payment processing
  • Mandrill – Email delivery
  • Google Analytics – Usage analytics
  • Anthropic (Claude) – AI-assisted content generation

The Processor may engage additional Sub-Processors from time to time.

The Processor may replace or appoint additional Sub-Processors provided such appointment does not materially reduce the level of protection afforded to Personal Data.

The Processor shall maintain a publicly available Sub-Processor list and take reasonable steps to ensure Sub-Processors maintain appropriate security and privacy obligations.

The Processor remains responsible for its Sub-Processors to the extent required by applicable law.

12. Data Retention and Deletion

Nothing in this Agreement requires the Processor to delete Customer Data before the Services have been terminated in accordance with the Terms of Service.

Upon termination of the Services:

  • Customer access to the Services shall be terminated
  • Active Customer Data shall be deleted in accordance with this Agreement and the Processor’s documented data retention procedures.
  • Certain information may remain temporarily within backup systems
  • Monthly platform backups may be retained for up to six (6) months
  • Generated PDF reports may be retained for up to two (2) years where reasonably necessary for audit, security, fraud prevention, legal, regulatory or operational purposes
  • Information retained for legal, regulatory, security or operational purposes may continue to be stored where required

Following expiration of applicable retention periods, retained information shall be securely deleted or anonymized where appropriate.

Before permanent deletion, Customers remain responsible for exporting any Personal Data or Customer Data they wish to retain using the export functionality made available through the Services.

13. Customer Data Requests

Customers may request termination of their account by contacting SecuVeo Support.

Termination requests shall be processed in accordance with the Terms of Service. Where the Customer is subject to a fixed-term or rolling subscription agreement, termination shall take effect in accordance with the applicable contractual notice and termination provisions.

Following termination of the Services, the Processor shall process the deletion of Customer Data in accordance with this Agreement and applicable retention requirements.

The Processor may take reasonable steps to verify the identity and authority of the individual submitting the termination request before processing the request.

14. Data Export

Customers may export PDF reports and any other export formats made available through the Services from time to time.

15. Data Subject Rights

Where required under applicable law, the Processor shall reasonably assist the Customer in responding to:

  • Access requests
  • Rectification requests
  • Deletion requests
  • Restriction requests
  • Data portability requests
  • Objection requests

The Customer remains responsible for determining whether such requests are valid and lawful.

16. Security Incidents

The Processor shall notify affected Customers without undue delay following confirmation of a security incident affecting Personal Data.

Notification may include:

  • Nature of the incident
  • Categories of affected information
  • Potential impact
  • Actions taken
  • Mitigation measures

The Processor shall take reasonable steps to investigate and mitigate confirmed security incidents.

The Processor shall reasonably cooperate with the Controller in investigating, mitigating and responding to confirmed Personal Data breaches affecting the Services.

Where legally permitted, the Processor shall promptly notify the Controller of any legally binding request for disclosure of Personal Data by a public authority.

17. Audit Rights

The Processor shall make available information reasonably necessary to demonstrate compliance with this DPA.

Any audit request must:

  • Be reasonable in scope
  • Be provided with reasonable advance notice
  • Not unreasonably interfere with normal business operations
  • Be subject to appropriate confidentiality obligations

The Processor may satisfy audit requests through the provision of policies, procedures, certifications or other compliance documentation where appropriate.

The Controller shall bear its own costs associated with any audit unless otherwise required by applicable law or agreed in writing.

18. Liability

Liability arising under this DPA shall be governed by the Terms of Service between the parties.

Nothing within this DPA shall expand the liability of either party beyond the limitations contained within the Terms of Service.

19. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Emirate of Dubai and the applicable Federal laws of the United Arab Emirates. Subject to any mandatory law to the contrary, the courts of Dubai shall have exclusive jurisdiction over any dispute arising out of or relating to this DPA.

20. Changes to this DPA

The Processor may update this DPA from time to time to reflect:

  • Changes in applicable law
  • Changes to Services
  • Changes to Sub-Processors
  • Changes to security practices

Material changes will be communicated through the Services or via email where appropriate.

Continued use of the Services following publication of an updated DPA constitutes acceptance of the revised version.

21. Contact Information

Data Protection Contact

Email: legal@secuveo.com

Websites:

  • https://secuveo.com
  • https://app.secuveo.com

Address:
MSP SecureView LLC-FZ
Meydan Grandstand, 6th Floor
Meydan Road, Nad Al Sheba
Dubai, United Arab Emirates

22. Entire Agreement and Order of Precedence

This Data Processing Agreement forms part of the Terms of Service and should be read together with the Privacy Policy and any documents expressly incorporated by reference.

If there is any conflict between this Data Processing Agreement, the Terms of Service and the Privacy Policy, the documents shall apply in the following order of precedence:

  1. This Data Processing Agreement, where applicable;
  2. The Terms of Service; and
  3. The Privacy Policy.

Nothing in this Data Processing Agreement limits any obligations imposed upon either party under applicable data protection laws.

22. Acceptance

By creating an account, subscribing to the Services, renewing a Subscription, or otherwise using the Services, the Customer acknowledges and agrees to this Data Processing Agreement.