Data Processing Addendum

Last updated 25 April 2026

Standard DPA applying to every paid workspace. Available for counter-signature on request.

This Data Processing Addendum (“DPA”) forms part of the agreement between Digital Information Technology Solutions (“Processor”) and the workspace owner of a paid Reqdesk workspace (“Controller”) and applies to all personal data processed on the Controller’s behalf via the Reqdesk service.

1. Subject matter and duration

Subject matter: Processing personal data submitted by the Controller (and its end users) into the Reqdesk service.

Duration: From the start of the Controller’s first paid billing period until thirty (30) days after the workspace is hard-deleted.

2. Nature and purpose of processing

The Processor processes personal data only as necessary to:

  • Provide the Service to the Controller.
  • Detect and prevent abuse of the Service.
  • Comply with the law of the Kingdom of Saudi Arabia.

3. Categories of data subject

End users of the Controller (their customers, agents, and members), and the Controller’s own teammates who are workspace members.

4. Categories of personal data

Names, email addresses, optional phone numbers, ticket content, replies, attachments, and metadata of authentication events.

5. Controller’s obligations

The Controller is responsible for ensuring it has a lawful basis for placing each end user’s personal data into Reqdesk, and for honouring data subject rights requests it receives directly.

6. Processor’s obligations

The Processor:

  • Processes personal data only on documented instructions from the Controller (the Controller’s settings and API calls constitute documented instructions).
  • Ensures persons authorised to process personal data are bound by confidentiality.
  • Implements appropriate technical and organisational measures (see /security).
  • Notifies the Controller without undue delay (and at most within seventy-two (72) hours) of becoming aware of a personal data breach affecting the Controller’s data.
  • Returns or deletes the Controller’s personal data at the Controller’s choice when the agreement ends.

7. Sub-processors

The Processor uses the following sub-processors, with prior general authorisation:

  • Cloudflare (Turnstile bot challenge for public-form anti-abuse).
  • Moyasar (payment processing for paid plans).

The Processor will notify the Controller at least thirty (30) days before adding a new sub-processor; the Controller may object, in which case the parties will negotiate in good faith.

8. International transfers

Personal data is processed in a single hosting region. Where that region is outside the Controller’s jurisdiction, processing relies on appropriate safeguards (encryption at rest and in transit, per-workspace isolation, and the sub-processors’ published standard contractual clauses — Cloudflare and Moyasar both publish them). KSA data residency for the Controller’s data can be arranged for paid workspaces on request; the parties will record the arrangement in writing before it takes effect.

9. Security measures

See /security. Significant changes are reflected in this DPA on its next update.

10. Counter-signature

A counter-signed copy of this DPA is available on request. Email legal@reqdesk.support with your workspace ID.

© 2026 Reqdesk · DITS · Set by hand. Shipped from Riyadh. Open to read.