Data Processing Agreement
Version: 1.0 | Effective: March 2026 | Operator: Mango Technologies Ltd (DIFC-Incorporated)
1. Definitions
1.1 Applicable Laws
- "DIFC DPL" means the Dubai International Financial Centre Data Protection Law No. 5 of 2020 and all amendments thereto.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- "UAE PDPL" means the United Arab Emirates Personal Data Protection Law, Federal Decree-Law No. 45 of 2021, as amended.
1.2 Parties
- "Controller" or "Client" means the subscriber to the Mango DMA service who determines the purposes and means of processing Personal Data within their account.
- "Processor" or "Mango" means Mango Technologies Ltd, a company incorporated in the Dubai International Financial Centre, with its principal place of business at DIFC, Dubai, United Arab Emirates.
- "Sub-processor" means any entity engaged by Mango to process Personal Data on behalf of the Controller, as further detailed in Section 5 and Annex A.
1.3 Processing Terms
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under DIFC DPL Article 1, GDPR Article 4(1), and UAE PDPL Article 1.
- "Processing" means any operation performed on Personal Data including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
- "Data Subject" means the natural person to whom Personal Data relates.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Standard Contractual Clauses (SCC)" means the contractual clauses approved by the European Commission under Commission Implementing Decision (EU) 2021/914 (Module 2 - Controller to Processor).
- "Security Incident" means any event resulting in or creating a reasonable likelihood of Personal Data compromise, unauthorized access, or loss.
1.4 Service-Specific Terms
- "Mango DMA" means the AI-powered digital agency automation platform operated by Mango Technologies Ltd, including all associated dashboards, APIs, agents, and integrations.
- "Service Agreement" means the written agreement between Controller and Mango governing the provision of Mango DMA services, including all Statements of Work or SOWs.
- "Brand Bible" means the Client's centralized brand configuration and content strategy document stored within Mango DMA.
- "Encrypted Token" means any OAuth token, API credential, or authentication material encrypted using Fernet symmetric encryption (AES-256, PBKDF2-HMAC-SHA256 key derivation).
2. Scope and Roles
2.1 Applicability
This DPA applies to all Processing of Personal Data that occurs in connection with the provision of Mango DMA services to the Controller. This DPA is incorporated by reference into the Service Agreement and shall form an integral part thereof. In the event of any conflict between this DPA and the Service Agreement, the provisions of this DPA shall prevail with respect to the Processing of Personal Data.
2.2 Controller Responsibilities
The Controller shall:
- Ensure that it has a lawful basis for Processing Personal Data prior to submitting such data to Mango DMA;
- Ensure that all Personal Data provided to Mango complies with applicable data protection laws;
- Provide accurate, complete, and lawful instructions to Mango regarding the Processing of Personal Data;
- Ensure that Data Subjects have been provided with fair processing notices in accordance with DIFC DPL Articles 13-14, GDPR Articles 13-14, and UAE PDPL Article 24;
- Obtain appropriate consents or legal basis for any transfers of Personal Data to third countries, particularly to the United States;
- Establish and maintain its own security measures for systems and devices that access Mango DMA;
- Promptly notify Mango of any amendment, suspension, or termination of an instruction to Process Personal Data;
- Cooperate with Mango in fulfilling Data Subject access requests, deletion requests, and other rights.
2.3 Processor Responsibilities
Mango shall:
- Process Personal Data only on documented written instructions from the Controller;
- Ensure that persons authorized to Process Personal Data are bound by confidentiality or appropriate statutory obligations;
- Implement and maintain Technical and Organisational Measures (TOMs) as described in Annex B;
- Engage Sub-processors only with prior written authorization from the Controller;
- Assist the Controller in fulfilling Data Subject rights requests;
- Notify the Controller of Personal Data Breaches without undue delay and no later than 72 hours from discovery;
- Return or delete Personal Data upon termination or expiration of the Service Agreement, as instructed;
- Permit audits and inspections by the Controller or independent auditors;
- Cooperate with competent data protection authorities.
2.4 Limitations on Processing
Mango shall not Process Personal Data for any purpose other than to provide Mango DMA services as documented in the Service Agreement and pursuant to the Controller's documented instructions. Mango shall not combine Personal Data received from different Controllers unless expressly authorized in writing. Mango shall not use Personal Data for building or improving machine learning models, competitive intelligence, or secondary purposes without explicit prior written consent from the Controller.
3. Processor Obligations
3.1 Processing Instructions
Mango shall not commence Processing of Personal Data until it has received written instructions from the Controller specifying the identity and role of the Controller; the categories of Personal Data to be Processed; the nature and purpose of Processing; the type and duration of Processing; the categories of Data Subjects; any technical and organisational security requirements; and whether Mango is authorized to engage Sub-processors.
3.2 Confidentiality
Mango shall ensure that all natural persons who are authorized to Process Personal Data on Mango's behalf are placed under a legally binding confidentiality obligation that survives the termination of their engagement, are trained on the requirements of DIFC DPL, GDPR, and UAE PDPL on an ongoing basis, and have access to Personal Data only to the extent necessary to perform their assigned functions.
3.3 Security Obligations
Mango shall maintain and implement comprehensive Technical and Organisational Measures as detailed in Annex B, including:
- Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);
- Role-based access controls and principle of least privilege;
- Multi-factor authentication for administrative access;
- Regular vulnerability assessments and penetration testing;
- Incident response procedures and breach notification protocols;
- Data subject access request fulfillment procedures;
- Deletion or return of Personal Data upon Service termination.
3.4 Sub-processor Authorization and Management
The Controller grants Mango general authorization to engage Sub-processors, provided that Mango provides the Controller with a list of all Sub-processors prior to their engagement and at least 30 days prior to any change; the Controller has the right to object to the engagement of a new Sub-processor on reasonable grounds; and Mango remains fully liable to the Controller for any failure by a Sub-processor to fulfill its data protection obligations.
3.5 Data Subject Rights Assistance
Mango shall assist the Controller to facilitate Data Subject rights including:
- Right of Access (DIFC DPL Article 18, GDPR Article 15, UAE PDPL Article 19): Complete export of all Personal Data associated with a Data Subject within 10 business days.
- Right of Rectification (DIFC DPL Article 20, GDPR Article 16): Correction of inaccurate Personal Data within 5 business days.
- Right of Erasure (DIFC DPL Article 21, GDPR Article 17, UAE PDPL Article 21): Deletion of Personal Data upon Controller instruction.
- Right to Data Portability (GDPR Article 20): Export in structured, machine-readable format (JSON, CSV) upon request.
- Right to Object (GDPR Article 21, UAE PDPL Article 22): Disable automated decision-making features upon Controller instruction.
- Right to Restrict Processing (GDPR Article 18, DIFC DPL Article 19): Suspend active Processing (except storage) upon Controller request.
4. Security Measures
4.1 Encryption
- Data in Transit: TLS 1.2 or higher for all network communications. HTTPS mandatory for all user-facing interfaces.
- Data at Rest: AES-256 encryption. OAuth tokens and API credentials encrypted using Fernet symmetric encryption (AES-256, PBKDF2-HMAC-SHA256 key derivation).
- Key Management: Keys derived via PBKDF2-HMAC-SHA256 (100,000 iterations) from secrets in GCP Secret Manager (me-central1, UAE). Rotated at least annually.
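The Fernet token encryption and PBKDF2-HMAC-SHA256 key derivation described in Section 4.1, together with the 90-day key rotation from Annex B item 2, as an added Python example that is not Mango's own code (note that Fernet itself applies AES-128-CBC plus HMAC-SHA256 to the 32-byte derived key, so the cipher is AES-128 although the key material is 256 bits). It assumes the `cryptography` package and a master secret already fetched from GCP Secret Manager, replaced here by a constructed in-memory value.

```python
"""Added example (not Mango's code): an OAuth-token vault following the
scheme in Section 4.1 of the DPA. The master secret is assumed to come
from GCP Secret Manager; here it is a constructed in-memory value."""
import base64
import hashlib
import os

from cryptography.fernet import Fernet, InvalidToken, MultiFernet

PBKDF2_ITERATIONS = 100_000  # iteration count stated in Section 4.1


def derive_fernet_key(master_secret: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 32 raw bytes -> URL-safe base64 (44 chars),
    which is the key format Fernet expects. Fernet splits those 32 bytes
    into a 16-byte HMAC-SHA256 key and a 16-byte AES-128-CBC key."""
    raw = hashlib.pbkdf2_hmac("sha256", master_secret, salt,
                              PBKDF2_ITERATIONS, dklen=32)
    return base64.urlsafe_b64encode(raw)


class TokenVault:
    """Encrypts OAuth/API credentials at rest. Keys are ordered newest
    first: MultiFernet encrypts with the first key and can still decrypt
    ciphertexts produced under the older ones."""

    def __init__(self, keys: list[bytes]) -> None:
        if not keys:
            raise ValueError("at least one key is required")
        self._multi = MultiFernet([Fernet(k) for k in keys])

    def seal(self, plaintext_token: str) -> bytes:
        return self._multi.encrypt(plaintext_token.encode("utf-8"))

    def open(self, sealed: bytes) -> str:
        # InvalidToken is raised for a wrong key, tampering or truncation,
        # because Fernet checks the HMAC before decrypting.
        return self._multi.decrypt(sealed).decode("utf-8")

    def rotate(self, sealed: bytes) -> bytes:
        """Re-encrypt a stored ciphertext under the current (first) key
        without handing the plaintext to the caller; a 90-day rotation
        job (Annex B, item 2) runs this over every stored token."""
        return self._multi.rotate(sealed)


def demo() -> dict:
    """Constructed walk-through: derive key v1, seal a token, rotate to
    key v2, then confirm key v1 alone can no longer open the result."""
    master_secret = b"constructed-master-secret-from-secret-manager"
    # Per-key-version random salts; in production they are stored with
    # the key version metadata, never hard-coded (assumption, not page).
    key_v1 = derive_fernet_key(master_secret, salt=os.urandom(16))
    key_v2 = derive_fernet_key(master_secret, salt=os.urandom(16))

    sealed_v1 = TokenVault([key_v1]).seal("ya29.constructed-oauth-token")

    vault = TokenVault([key_v2, key_v1])  # new key first, old kept to read
    sealed_v2 = vault.rotate(sealed_v1)

    try:
        TokenVault([key_v1]).open(sealed_v2)
        old_key_still_works = True
    except InvalidToken:
        old_key_still_works = False

    return {
        "key_len": len(key_v1),
        "roundtrip": vault.open(sealed_v2),
        "old_key_still_works": old_key_still_works,
    }
```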
4.2 Access Controls
- Multi-factor authentication (MFA) mandatory for all administrative access.
- Role-based access control (RBAC) and row-level security (RLS) enforced via PostgreSQL database policies to ensure tenant isolation.
- Service-to-service authentication uses signed JWT tokens rotated every 24 hours.
4.3 Audit Logging and Monitoring
- All access to Personal Data logged with timestamp, user identifier, operation type, and data category.
- Audit logs retained for a minimum of 7 years and protected from unauthorized modification.
- Real-time monitoring alerts Mango security operations to suspicious access patterns.
4.4 Data Isolation and Multi-tenancy
- Each Client's data logically isolated at the application and database level via row-level security policies.
- No Client shall have access to another Client's data except as explicitly authorized.
- Isolation verified through quarterly penetration testing and automated security scanning.
5. Sub-processors
The Controller authorizes Mango to engage the following Sub-processors:
| Sub-processor | Role | Location | Data Categories | Processing Activity |
|---|---|---|---|---|
| Google Cloud Platform (Vertex AI) | AI Service Provider | USA / Global | Brand config, content, user prompts | AI model inference, generative content |
| Google Cloud Platform (Cloud SQL, GCS, Secret Manager) | Infrastructure Provider | me-central1 (UAE) | All Personal Data | Storage, encryption, secret management |
| fal.ai | Image Generation | USA | Brand config, content briefs | FLUX.2 image generation, LoRA training |
| Ideogram | Text Image Generation | USA | Brand config, social captions | Ideogram V3 text-heavy image synthesis |
| Perplexity AI | Intelligence Platform | USA | Research keywords, brand topics | Audience research, trend detection |
| Stripe | Payment Processing | USA | Billing name, email, Stripe customer ID | Payment authorization, subscription billing |
| Meta Platforms (Instagram/Facebook) | Social Publishing | USA | Content, engagement metrics | Social media posting, analytics retrieval |
| LinkedIn (Microsoft) | Social Publishing | USA | Content, engagement metrics | LinkedIn posting, analytics retrieval |
| TikTok (ByteDance) | Social Publishing | USA (Project Texas) | Content, engagement metrics | TikTok posting, analytics retrieval |
| YouTube (Google) | Video Publishing | USA | Content, engagement metrics | YouTube Shorts publishing, analytics retrieval |
Mango shall notify the Controller of any addition, removal, or significant change to Sub-processors at least 30 days in advance. The Controller may object within 15 days of notice on reasonable data protection grounds.
6. International Data Transfers
6.1 Transfer Mechanisms
For transfers outside the EEA or the United Arab Emirates, Mango applies the following mechanisms in order of precedence:
- Adequacy Decisions: Where the recipient jurisdiction has an EU adequacy decision or is a DIFC licensee under DIFC DPL, no additional safeguards are required.
- Standard Contractual Clauses (SCCs): For transfers to the United States involving EU resident Personal Data, Mango relies upon EU SCCs (Module 2 - Controller to Processor) per Commission Implementing Decision (EU) 2021/914. Incorporated by reference in Annex C.
- UAE-Specific Transfers: For UAE data subjects, Mango complies with UAE PDPL Articles 29-30 requiring prior written Controller consent and contractual guarantees of equivalent protection.
6.2 Schrems II Compliance
Mango acknowledges the CJEU decision in Schrems II (Case C-311/18) and conducts Transfer Impact Assessments for US transfers, implements binding contractual clauses limiting government access, and maintains TIA documentation available upon Controller request.
7. Data Subject Rights
- Right of Access: Export of all Personal Data associated with a specific Data Subject in JSON/CSV/XML format within 10 business days.
- Right of Rectification: Correction of inaccurate or incomplete Personal Data within 5 business days.
- Right of Erasure: Deletion within 30 days, except where retention is required by applicable law. Upon termination, all Personal Data deleted within 30 days unless legally required to retain.
- Right to Data Portability: Export in structured, machine-readable format within 15 business days at no charge.
- Right to Object: Automated decision-making and profiling features disabled upon Controller request.
- Right to Restrict Processing: Affected data marked restricted within 10 business days; active Processing ceases while storage continues until Controller releases the restriction.
8. Personal Data Breach Notification
Mango shall notify the Controller of a Personal Data Breach without undue delay and no later than 72 hours from discovery (GDPR Article 33, DIFC DPL Article 25). Notification shall include:
- Description of the breach (what happened, when, how);
- Categories and approximate number of Data Subjects and records affected;
- Likely consequences for Data Subjects and the Controller;
- Measures taken or proposed to mitigate harm;
- Detailed forensic incident report within 10 business days.
The Controller remains responsible for notifying Data Subjects and supervisory authorities. Mango shall cooperate and provide reasonable assistance.
9. Audit Rights
The Controller, or an independent auditor acting on the Controller's behalf, has the right to audit Mango's compliance with this DPA upon 30 days' written notice. One comprehensive audit is permitted per calendar year at no additional charge. Audit reports shall be kept confidential.
10. Term, Termination, and Data Return
This DPA commences on the Effective Date and continues for the duration of the Service Agreement. Upon termination or expiration:
- Mango shall cease all Processing within 5 business days;
- The Controller shall elect within 30 days to receive a full data export (JSON/CSV, delivered within 15 business days) or request secure deletion (completed within 30 business days with a deletion certificate).
Permitted Retention After Termination (maximum 7 years): legal compliance obligations, anonymized audit logs, tax and accounting records (7 years per UAE tax law), and data necessary to defend legal claims.
Retention Period: 5 years for active subscriber data (matching platform Terms of Service), extended to 7 years where required by applicable law, tax regulation, or legal hold.
11. Governing Law and Dispute Resolution
11.1 Governing Law
- Primary: Laws of the Dubai International Financial Centre (DIFC), specifically DIFC Data Protection Law No. 5 of 2020.
- EU Data Subjects: GDPR (EU) 2016/679 applies concurrently with DIFC DPL.
- UAE Data Subjects: UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) applies concurrently with DIFC DPL.
11.2 Dispute Resolution
- Tier 1 – Good Faith Negotiation (30 days)
- Tier 2 – Mediation (30-60 days): Administered by the DIFC Dispute Resolution Authority.
- Tier 3 – DIFC Courts: Exclusive jurisdiction, no objection to jurisdiction.
Annex A: Description of Processing
| Category | Data Types | Source | Processing Purpose | Retention | Legal Basis |
|---|---|---|---|---|---|
| Business Identity | Business name, email, company name, role, phone | Controller input, OAuth SSO | Service delivery, authentication, account management | Subscription + 7 years | Service contract, legitimate interest |
| Brand Configuration | Brand name, voice, tone, target audience, colors, logo, brand bible (JSON) | Controller upload, dashboard | Content generation, brand consistency, strategy | Subscription + 7 years | Service contract |
| AI-Generated Content | Social captions, blog drafts, email campaigns, image prompts, video scripts | Generated by Gemini agents | Content delivery, analytics, quality review | Subscription + 30 days archive | Service contract |
| Social Engagement Data | Post IDs, likes, comments, shares, impressions, reach, engagement rate | Meta, LinkedIn, TikTok APIs | Performance analytics, trend detection, audience insights | Subscription + 90 days | Service contract, legitimate interest |
| OAuth Tokens | Instagram, Facebook, LinkedIn, TikTok, YouTube tokens | OAuth authorization flow | API authentication, social platform integration | Subscription duration; refreshed on use | Service contract, controller authorization |
| Billing Information | Stripe customer ID, subscription plan, billing email | Stripe OAuth / webhook | Payment processing, subscription management | Subscription + 7 years | Service contract, tax obligation |
| Usage Analytics | Feature usage, API requests, login timestamps | Application logging | Performance monitoring, product improvement | Subscription + 1 year | Legitimate interest |
| Security & Audit | IP addresses, user agents, login timestamps, audit trail | Audit logging system | Security monitoring, incident response, compliance | 7 years | Legal obligation, legitimate interest |
Annex B: Technical and Organisational Measures (TOMs)
| No. | Measure | Category | Implementation Details |
|---|---|---|---|
| 1 | Encryption in Transit | Technical | TLS 1.2+ for all network communications. HTTPS mandatory for all user-facing interfaces. Annual certificate rotation. |
| 2 | Encryption at Rest | Technical | AES-256-GCM for database fields containing Personal Data. Fernet encryption for OAuth tokens with key rotation every 90 days. |
| 3 | Key Management | Technical | PBKDF2-HMAC-SHA256 key derivation from secrets in GCP Secret Manager (me-central1, UAE). Key rotation every 12 months minimum. |
| 4 | Access Control – AuthN | Technical | MFA mandatory for all user and admin access. JWT bearer tokens rotated every 24 hours. OAuth 2.0 with PKCE for third-party integrations. |
| 5 | Access Control – AuthZ | Technical | RBAC enforced at application layer. PostgreSQL row-level security (RLS) for tenant isolation. Least privilege principle. Weekly access reviews. |
| 6 | Audit Logging | Technical | All data access logged with timestamp, user ID, IP, operation type, affected fields, result. Logs immutable and separated from production. 7-year retention. |
| 7 | Vulnerability Management | Technical | Annual external penetration testing. Quarterly automated vulnerability scanning (OWASP Top 10). Monthly dependency scanning. High/critical remediation within 30 days. |
| 8 | Data Isolation | Technical | PostgreSQL RLS for tenant isolation. Separate GCS paths per tenant for media. Quarterly penetration testing to verify isolation. |
| 9 | Incident Response | Organisational | Documented plan with defined roles, escalation, forensic protocols. Semi-annual training. Annual simulated breach exercises. |
| 10 | Backup & DR | Technical | Daily automated PostgreSQL backups. GCS replication. Encrypted backups. Recovery tested quarterly (RTO: 2h, RPO: 1h). |
| 11 | Third-Party Risk | Organisational | Due diligence of Sub-processors before engagement. Annual security assessments. Contractual SLAs requiring compliance. |
| 12 | Data Subject Rights | Organisational | Documented procedures for access, rectification, erasure, portability, restriction. Acknowledge within 5 days, respond within 30 days. |
| 13 | Personnel Training | Organisational | Annual data protection training. Signed confidentiality agreements. Disciplinary procedures. Background checks for sensitive access. |
| 14 | Privacy by Design | Organisational | PIAs for new features. Data minimization. Pseudonymization where feasible. Privacy controls for Controllers. |
| 15 | Monitoring | Organisational | Real-time SIEM monitoring via Cloud Logging. Monthly security reviews. Quarterly TOM effectiveness reviews. |
| 16 | Business Continuity | Organisational | Redundant systems across GCP availability zones (me-central1). Automated failover. Annual BCP testing. |
Annex C: EU Standard Contractual Clauses
Incorporation by Reference – Module 2 (Controller to Processor)
This Annex incorporates by reference the EU Standard Contractual Clauses for data transfers from controllers in the EU/EEA to processors located outside the EU/EEA, as approved by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
- Exporter (Data Controller): As defined in the Service Agreement.
- Importer (Data Processor): Mango Technologies Ltd, DIFC, Dubai.
The parties incorporate Clauses 1-7 of the EU SCCs (Module 2) with the following supplementary terms: the Processor shall process Personal Data only to the extent necessary to provide Mango DMA services; Sub-processors require prior written authorization with 30 days' advance notice of changes; upon termination, the Processor shall return or delete all Personal Data at the Controller's election.
Schrems II Supplementary Measures: The Processor warrants that US government access to Personal Data shall be limited to legally authorized requests; the Processor shall seek to narrow the scope of any government access request; and the Processor shall maintain and produce Transfer Impact Assessment documentation demonstrating compliance with Schrems II principles.
Signature Block
To execute this DPA, please contact hello@mangosuite.com to receive a countersigned copy. By continuing to use Mango DMA services under the Service Agreement, the Controller agrees to be bound by the terms of this DPA.
CONTROLLER
By: _______________________________
Name (Print): _______________________________
Title: _______________________________
Company: _______________________________
Date: _______________________________

PROCESSOR: Mango Technologies Ltd
By: _______________________________
Name (Print): _______________________________
Title: _______________________________
Date: _______________________________
DIFC, Dubai, United Arab Emirates
hello@mangosuite.com
Data Processing Agreement v1.0 · March 2026 · Mango Technologies Ltd · mangosuite.com