Data Processing Agreement

This DPA forms part of the Mawjly Terms of Service between the customer (the "Controller") and Mawjly (the "Processor") and applies whenever the Processor processes personal data on the Controller's behalf.

The Processor processes personal data only as necessary to provide the Service, for the duration of the customer's subscription, plus the 30-day deletion grace period.

• End-user identifiers (e.g. user_id, channel name).
• Connection metadata (IP address, user agent).
• Message metadata (channel, event name, timestamp). Bodies are not persisted.

• TLS 1.2+ in transit; AES-256 encryption at rest for credentials.
• Role-based access; mandatory TOTP 2FA for all Mawjly admins.
• Annual security review; incident response within 72 hours of confirmed breach.

The Controller authorizes the Processor to engage Paddle (payments), Resend (email), and Cloudflare (edge / CDN) as subprocessors. The Processor remains responsible for their compliance.

Primary processing location is Saudi Arabia. Subprocessor processing may occur in the EU, UK, or US under appropriate safeguards (SCCs / IDTA where applicable).