LEGAL

Data Processing Agreement

Last updated: 1 March 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Remote& | AI ("Processor", "we", "us") and the customer ("Controller", "you") for the provision of HR and payroll services. This DPA sets out the terms under which we process personal data on your behalf.

1. Definitions

"Controller" means the entity that determines the purposes and means of the processing of personal data — in this context, the customer organisation that uses Remote& to manage its employees and contractors.

"Processor" means Remote& | AI, which processes personal data on behalf of the Controller in order to deliver the services described in the main service agreement.

"Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to names, national identification numbers, bank account details, salary information, contact details, and employment records.

"Processing" means any operation or set of operations performed on personal data, whether by automated means or otherwise, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

2. Scope of Processing

We process personal data solely to provide the services agreed upon in the main service agreement. The categories of personal data processed include:

  • Employee identity data: Full name, date of birth, nationality, national ID or Iqama number, passport details, and photographs.
  • Employment records: Job title, department, employment contract details, start and end dates, probation status, and performance records.
  • Payroll data: Salary, allowances, deductions, GOSI contributions, bank account details (IBAN), and payslip history.
  • Leave and attendance data: Annual leave balances, sick leave records, time and attendance logs.
  • Compliance data: GOSI registration status, Saudization records, visa and work permit information.
  • Contact information: Email addresses, phone numbers, emergency contact details, and residential addresses.

3. Processing Purpose

Personal data is processed exclusively for the following purposes:

  • Managing the employee lifecycle, including onboarding, transfers, promotions, and offboarding.
  • Calculating and processing payroll, including GOSI contributions, allowances, deductions, and end-of-service benefits.
  • Generating employment contracts, payslips, experience certificates, and other HR documents.
  • Monitoring and maintaining compliance with labour laws, social insurance regulations, and wage protection systems across the GCC.
  • Producing analytics and reports for workforce planning, cost management, and audit purposes.
  • Providing employee self-service access to personal records, payslips, and leave management.

We will not process personal data for any purpose other than those specified above without prior written instruction from the Controller.

4. Data Security

We implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include:

  • Encryption: All personal data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption.
  • Access controls: Role-based access controls ensure that only authorised personnel can access personal data. Multi-factor authentication is enforced for all administrative accounts.
  • Audit logging: All access to and modifications of personal data are recorded in tamper-evident audit logs. Logs are retained for a minimum of 24 months.
  • Infrastructure security: Our platform is hosted on ISO 27001-certified cloud infrastructure with 24/7 monitoring, intrusion detection, and automated vulnerability scanning.
  • Incident response: We maintain a documented incident response plan and will notify the Controller of any personal data breach without undue delay and in any event within 72 hours of becoming aware of the breach.

5. Sub-processors

We engage the following categories of sub-processors to deliver our services. The Controller authorises the use of these sub-processors subject to the conditions set out in this DPA:

  • Cloud hosting providers: Infrastructure-as-a-service providers that host the Remote& platform and store encrypted personal data in data centres located within the GCC region.
  • Payment processing providers: Entities that facilitate salary payments, bank transfers, and WPS file submissions on behalf of the Controller.
  • Communication providers: Email and notification services used to deliver payslips, onboarding invitations, and system alerts to employees.
  • Analytics and monitoring providers: Services used for platform performance monitoring, error tracking, and usage analytics (personal data is anonymised or pseudonymised before processing).

We will inform the Controller of any intended changes to sub-processors at least 30 days in advance, giving the Controller the opportunity to object. All sub-processors are bound by data processing agreements no less protective than this DPA.

6. Data Subject Rights

We will assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable data protection laws. These rights include:

  • Right of access: Data subjects may request confirmation of whether their personal data is being processed and, if so, access to that data and information about how it is processed.
  • Right to rectification: Data subjects may request correction of inaccurate personal data or completion of incomplete data.
  • Right to erasure: Data subjects may request deletion of their personal data where there is no compelling reason for its continued processing, subject to legal retention obligations.
  • Right to data portability: Data subjects may request a copy of their personal data in a structured, commonly used, machine-readable format (such as CSV or JSON).
  • Right to restrict processing: Data subjects may request that processing of their data be restricted in certain circumstances, such as during a dispute about data accuracy.

The Controller remains responsible for communicating with data subjects regarding their requests. We will respond to the Controller's instructions regarding data subject requests within 10 business days.

7. International Transfers

Remote& stores all primary personal data within the GCC region, with data centres located in Saudi Arabia and the United Arab Emirates. We do not transfer personal data outside the GCC unless strictly necessary for the provision of services and only with appropriate safeguards in place.

Where international transfers are required (for example, to support a sub-processor located outside the GCC), we ensure that adequate data protection safeguards are in place, including:

  • Standard contractual clauses approved by the relevant data protection authority.
  • Verification that the receiving country provides an adequate level of data protection.
  • Additional technical measures such as encryption and pseudonymisation to protect data during transfer.

We comply with the Saudi Arabia Personal Data Protection Law (PDPL), the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, and other applicable data protection regulations in the jurisdictions where we operate.

For questions about this DPA or our data processing practices, please contact us at privacy@remoteand.ai.