Data Processing Addendum
For controllers who need a DPA in their drawer — and the GDPR / UAE PDPL clauses that go with it.
1. Parties and scope
This Data Processing Addendum ("DPA") supplements the Managable Terms of Service between Managable FZE ("Processor") and the Customer ("Controller"). It governs all processing of Personal Data carried out by Managable on the Customer's behalf, under GDPR Article 28, UAE Federal Decree-Law No. 45 of 2021, and equivalent applicable laws.
2. Subject matter and duration
Subject matter: provision of the Managable service. Duration: for as long as the underlying Terms of Service are in effect, plus the 30-day retention window described in our Privacy Policy.
3. Nature and purpose of processing
Managable processes Personal Data to: store and surface it in the Customer's workspace; deliver Aether's actions on the Customer's behalf; reconcile financial transactions; provide email and billing communications; and meet legal obligations.
4. Categories of data subjects and Personal Data
- The Customer's clients and contacts: name, email, phone, organisation, billing address, project history.
- The Customer's transactions: amount, currency, counterparty, memo, invoice reference, settlement timestamp.
- The Customer's team members: name, email, role, login activity.
- The Customer themselves: email, billing details, audit-log activity.
5. Sub-processors
Current list at Privacy Policy §4. We notify Controllers in writing at least 30 days before adding a new sub-processor, and respect any reasonable objection raised within that window.
6. Security measures
See our Security page for the full set of technical and organisational measures. Notable inclusions: encryption at rest (AES-256), encryption in transit (TLS 1.3), per-workspace key rotation, MFA, RBAC, audit logging, 24/7 on-call, quarterly penetration tests.
7. Data subject rights
Managable assists Controllers in fulfilling access, correction, deletion, restriction, and portability requests. Most rights can be exercised directly from the Customer's workspace settings; for anything that cannot, our team responds within 5 business days.
8. International transfers
Cross-border transfers, where they occur, are covered by the EU Standard Contractual Clauses (2021 version, Modules 2 and 3) and, for UK transfers, the IDTA. UAE PDPL transfers rely on the lawful-basis framework set out in Federal Decree-Law No. 45/2021.
9. Breach notification
Managable will notify affected Controllers without undue delay — and within 72 hours where feasible — upon becoming aware of a Personal Data breach. The notification will describe nature, scope, mitigation, and contact for further information.
10. Audits
The Customer may, no more than once per year and with 30 days' notice, audit Managable's controls — either via written request for our SOC 2 report once available, or via a third-party audit at the Customer's expense.
11. How to execute this DPA
Workspace owners on Growth and Scale plans can request a counter-signed PDF by emailing [email protected] with the legal entity name and registered address.