Data Processing Agreement
Last updated: February 9, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between KhaleejiAPI ("Processor") and the customer ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller. This DPA applies to all personal data processed through KhaleejiAPI's services.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person that is processed through the Service.
- Processing: Any operation performed on personal data, including collection, storage, use, transmission, and deletion.
- Sub-processor: Any third party engaged by the Processor to assist in fulfilling its obligations.
- Data Subject: The individual to whom the personal data relates.
3. Scope of Processing
The Processor shall process personal data only for the purpose of providing the KhaleejiAPI services as described in the Terms of Service. This includes:
- Processing API requests containing personal data (e.g., email validation, phone validation)
- Logging API usage for billing, analytics, and debugging purposes
- Storing user account information required for service operation
- Sending transactional emails related to the service
4. Data Retention
API request data (including any personal data within requests) is retained for a maximum of 30 days for operational purposes (debugging, analytics). After this period, request data is permanently deleted. Account data is retained for the duration of the service agreement plus 30 days, unless deletion is requested by the Controller.
5. Data Security
The Processor implements appropriate technical and organizational measures to ensure the security of personal data, including:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Access controls and authentication for all systems
- Regular security audits and vulnerability assessments
- Incident response procedures with 72-hour breach notification
- Employee security training and confidentiality agreements
6. Data Location
All data is processed and stored within the UAE / Middle East region. The Processor does not transfer personal data outside the region unless explicitly required for service provision and agreed upon in writing. All processing complies with UAE PDPL (Personal Data Protection Law) and applicable GCC data protection regulations.
7. Sub-processors
The Processor may engage sub-processors to assist in providing the Service. Current sub-processors include:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | US / EU |
| Resend | Transactional email delivery | US |
8. Data Subject Rights
The Processor assists the Controller in responding to data subject requests including the right to access, rectification, erasure, restriction, portability, and objection. Requests should be directed to privacy@khaleejiapi.dev.
9. Breach Notification
In the event of a personal data breach, the Processor shall notify the Controller without undue delay and within 72 hours of becoming aware of the breach. The notification shall include the nature of the breach, categories and approximate number of data subjects concerned, and measures taken to address the breach.
10. Contact
For questions about this DPA or data processing practices, contact us at privacy@khaleejiapi.dev.