Data Processing Agreement (DPA)
Document Reference: GRSCIA-DPA-2025-V2.0
Version: 2.0
Effective Date: January 1, 2025
Last Updated: January 4, 2026
Governing Standard: ADHICS V2 (Abu Dhabi Healthcare Information and Cyber Security Standard)
PARTIES TO THIS AGREEMENT
Data Processor:
GRSCIA, powered and managed by CISOSHARE INSPECTION AUDIT SERVICES - L.L.C - S.P.C
Commercial Registration Number: CN-5499111
Address: وسط المدينة, الربينة, 118 : شارع حصة بنت محمد , مبنى, الشيخه شمسه بنت زايد بن سلطان
Telephone: +971501123842
Email: info@grscia.ae
(hereinafter referred to as "Processor", "GRSCIA", "We", "Us", or "Our")
Data Controller:
The entity subscribing to GRSCIA services as identified in the applicable subscription agreement. (hereinafter referred to as "Controller", "Customer", "You", or "Your")
Processor and Controller are individually referred to as a "Party" and collectively as the "Parties."
RECITALS
WHEREAS:
A. The Controller is a healthcare entity or service provider operating in the Emirate of Abu Dhabi and is subject to the Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS) and UAE Federal Law No. 2 of 2019 on the Use of Information and Communications Technology (ICT) in Healthcare.
B. The Processor provides a healthcare compliance management platform that processes Personal Data and Protected Health Information on behalf of the Controller.
C. The Parties wish to establish their respective obligations regarding the processing of Personal Data in compliance with ADHICS, UAE data protection requirements, and applicable laws.
D. This Data Processing Agreement ("DPA" or "Agreement") sets forth the terms and conditions under which the Processor will process Personal Data on behalf of the Controller.
NOW, THEREFORE, the Parties agree as follows:
1. DEFINITIONS AND INTERPRETATION
1.1 Definitions
In this Agreement, the following terms shall have the meanings ascribed to them:
| Term | Definition |
|---|---|
| "ADHICS" | The Abu Dhabi Healthcare Information and Cyber Security Standard, Version 2, as published and amended by the Department of Health, Abu Dhabi |
| "Applicable Data Protection Law" | All laws and regulations applicable to the processing of Personal Data, including UAE Federal Law No. 2 of 2019, ADHICS, and any other applicable UAE federal or emirate-level legislation |
| "Data Breach" | Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed |
| "Data Subject" | An identified or identifiable natural person to whom Personal Data relates |
| "DoH" | The Department of Health, Abu Dhabi |
| "Personal Data" | Any information relating to an identified or identifiable natural person, including but not limited to PII and PHI |
| "PHI" (Protected Health Information) | Demographic, medical, insurance, and other data collected by healthcare professionals to identify and provide care to a patient |
| "PII" (Personally Identifiable Information) | Information that can be used to identify an individual, including name, Emirates ID, mobile number, email, address, biometric data, IP address, and similar identifiers |
| "Processing" | Any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction |
| "Security Incident" | Any actual or reasonably suspected unauthorized access to, acquisition of, use of, or disclosure of Personal Data |
| "Services" | The GRSCIA healthcare compliance management platform and related services provided under the Master Service Agreement |
| "Sub-processor" | Any third party engaged by the Processor to process Personal Data on behalf of the Controller |
| "UAE" | The United Arab Emirates |
1.2 Interpretation
1.2.1 References to "writing" or "written" include email and other electronic communications.
1.2.2 Headings are for convenience only and shall not affect interpretation.
1.2.3 References to legislation include amendments, re-enactments, and regulations made thereunder.
1.2.4 In the event of conflict between this DPA and other agreements between the Parties, this DPA shall prevail with respect to data protection matters.
2. SCOPE AND PURPOSE OF PROCESSING
2.1 Subject Matter
This DPA governs the processing of Personal Data by the Processor in connection with the provision of the Services to the Controller.
2.2 Nature and Purpose of Processing
The Processor shall process Personal Data solely for the following purposes:
| Purpose | Description |
|---|---|
| Service Delivery | Operating and maintaining the GRSCIA platform, including user authentication, access management, and feature functionality |
| Compliance Management | Enabling the Controller to manage ADHICS compliance, including assessments, evidence management, and reporting |
| Document Management | Storing, processing, and managing documents uploaded by the Controller |
| HR Administration | Processing employee and contractor data for compliance tracking and onboarding workflows |
| Incident Management | Recording, tracking, and reporting security incidents and violations |
| Asset Management | Maintaining records of assets and their security configurations |
| Audit Trail | Maintaining logs and audit trails for compliance and security purposes |
| AI Services | Providing AI-powered compliance assistance, document processing, and checklist generation |
| Technical Support | Providing customer support and troubleshooting services |
| Platform Improvement | Analyzing aggregated, anonymized usage data to improve the Services |
2.3 Categories of Data Subjects
Personal Data processed under this DPA may relate to the following categories of Data Subjects:
- Employees of the Controller
- Contractors and third-party personnel engaged by the Controller
- Patients of the Controller (where applicable)
- Visitors to the Controller's facilities
- Vendors and business partners of the Controller
- Users of the Controller's systems
- Any other individuals whose data is uploaded to the platform by the Controller
2.4 Types of Personal Data
The following types of Personal Data may be processed:
2.4.1 Personally Identifiable Information (PII)
- Full name
- Emirates ID number
- Passport number
- Date of birth
- Gender
- Nationality
- Contact information (email, phone, address)
- Photographs and images
- Biometric data (where applicable)
- IP addresses and device identifiers
- Employment information (job title, department, employee ID)
- Educational and professional qualifications
2.4.2 Protected Health Information (PHI)
- Medical record numbers
- Patient demographic data
- Diagnosis and treatment information
- Laboratory and imaging results
- Prescription and medication data
- Insurance information
- Healthcare provider notes
- Appointment and visit records
- Vaccination records
- Mental health information
- Genetic information
- Any other health-related data uploaded by the Controller
2.4.3 Sensitive Personal Data
- Religious beliefs (where relevant to healthcare)
- Biometric data
- Criminal background check results
- Data concerning health
- Data concerning sexual orientation (where relevant to healthcare)
2.5 Duration of Processing
Processing shall continue for the duration of the Master Service Agreement and any applicable transition period, unless otherwise specified or required by law.
3. OBLIGATIONS OF THE PROCESSOR
3.1 General Obligations
The Processor shall:
3.1.1 Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries or international organizations, unless required by UAE law. In such cases, the Processor shall inform the Controller of the legal requirement before processing, unless prohibited by law.
3.1.2 Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.1.3 Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as further detailed in Section 5.
3.1.4 Not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller, as detailed in Section 6.
3.1.5 Assist the Controller in ensuring compliance with its obligations regarding security of processing, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
3.1.6 At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless storage is required by law.
3.1.7 Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
3.1.8 Immediately inform the Controller if, in the Processor's opinion, an instruction infringes Applicable Data Protection Law.
3.2 ADHICS-Specific Obligations
In accordance with ADHICS requirements, the Processor shall:
3.2.1 Implement controls as per the "Service Provider" control category defined in ADHICS V2.
3.2.2 Enforce strict UAE residency for the platform database and tenant databases, and ensure any approved non-database processing exception is documented, contractually safeguarded, and disclosed to the Controller.
3.2.3 Maintain ADHICS compliance certification and provide evidence of such compliance upon request.
3.2.4 Support the Controller in meeting its ADHICS compliance obligations by providing necessary documentation, reports, and audit support.
3.2.5 Implement access controls ensuring that only authorized personnel with a legitimate need can access Personal Data.
3.2.6 Maintain comprehensive audit logs of all access to and processing of Personal Data.
3.2.7 Notify DoH of security incidents in accordance with ADHICS incident reporting requirements, in coordination with the Controller.
3.3 Restrictions on Processing
The Processor shall NOT:
3.3.1 Process Personal Data for any purpose other than as specified in this DPA or as instructed by the Controller.
3.3.2 Sell, rent, lease, or otherwise commercially exploit Personal Data.
3.3.3 Use Personal Data for profiling, automated decision-making, or marketing purposes without explicit written consent from the Controller.
3.3.4 Aggregate Personal Data with data from other sources for the Processor's own purposes.
3.3.5 Transfer Personal Data outside the UAE without complying with the requirements of Section 7.
3.3.6 Access, use, or disclose Personal Data except as necessary to perform the Services or as required by law.
4. OBLIGATIONS OF THE CONTROLLER
4.1 General Obligations
The Controller shall:
4.1.1 Ensure that it has a lawful basis for the processing of Personal Data and that all necessary consents have been obtained from Data Subjects.
4.1.2 Provide documented instructions to the Processor regarding the processing of Personal Data.
4.1.3 Ensure the accuracy, completeness, and lawfulness of Personal Data provided to the Processor.
4.1.4 Comply with all Applicable Data Protection Law in its use of the Services and processing of Personal Data.
4.1.5 Notify the Processor promptly of any changes to processing instructions or data protection requirements.
4.1.6 Implement appropriate security measures within its own systems and processes.
4.1.7 Train its personnel on data protection requirements and acceptable use of the Services.
4.2 ADHICS-Specific Obligations
The Controller shall:
4.2.1 Maintain overall responsibility for ADHICS compliance within its organization.
4.2.2 Ensure that processing instructions to the Processor comply with ADHICS requirements.
4.2.3 Notify DoH of data breaches within the timelines specified by ADHICS, with assistance from the Processor.
4.2.4 Conduct data protection impact assessments where required.
4.2.5 Appoint appropriate personnel (e.g., CISO, DPO) as required by ADHICS.
4.2.6 Maintain records of processing activities.
4.3 Warranties
The Controller warrants that:
4.3.1 All Personal Data provided to the Processor has been collected lawfully and in accordance with Applicable Data Protection Law.
4.3.2 It has provided appropriate privacy notices to Data Subjects.
4.3.3 It has obtained all necessary consents for the processing described in this DPA.
4.3.4 Its instructions to the Processor comply with Applicable Data Protection Law.
5. SECURITY MEASURES
5.1 Technical Measures
The Processor shall implement and maintain the following technical security measures:
5.1.1 Encryption
| Measure | Specification |
|---|---|
| Data at Rest | AES-256-GCM encryption |
| Data in Transit | TLS 1.3 (minimum TLS 1.2) |
| Key Management | HSM-protected keys (Cloud), Customer-managed keys (BYOD) |
| Backup Encryption | AES-256 with separate key storage |
5.1.2 Access Control
- Multi-factor authentication (MFA) mandatory for all users
- Role-based access control (RBAC) with principle of least privilege
- Unique user identifiers and credentials
- Automatic session timeout and re-authentication
- Failed login attempt monitoring and lockout
- Privileged access management
5.1.3 Network Security
- Firewall and intrusion detection/prevention systems
- Network segmentation and isolation
- DDoS protection
- Secure API gateway with rate limiting
- mTLS for agent communications (BYOD deployments)
5.1.4 Application Security
- Secure software development lifecycle (SDLC)
- Regular code security reviews (static and dynamic analysis)
- Dependency vulnerability scanning
- Input validation and output encoding
- Protection against OWASP Top 10 vulnerabilities
5.1.5 Monitoring and Logging
- Comprehensive audit logging with SHA-256 tamper-evident hashing
- Real-time security monitoring and alerting
- Log aggregation and correlation
- Minimum 2-year log retention
- Anomaly detection
5.2 Organizational Measures
The Processor shall implement and maintain the following organizational security measures:
5.2.1 Personnel Security
- Background checks for personnel with access to Personal Data
- Confidentiality agreements and non-disclosure obligations
- Regular security awareness training
- Principle of need-to-know access
- Disciplinary procedures for security violations
5.2.2 Physical Security
- Secure data center facilities within UAE
- Physical access controls (biometric, card access)
- Environmental controls (fire suppression, climate control)
- 24/7 monitoring and surveillance
- Visitor management procedures
5.2.3 Operational Security
- Documented security policies and procedures
- Change management processes
- Patch management (Critical: 24h, High: 7 days, Medium: 30 days)
- Vulnerability management program
- Business continuity and disaster recovery planning
5.2.4 Third-Party Security
- Security assessment of Sub-processors
- Contractual security requirements for Sub-processors
- Ongoing monitoring of Sub-processor compliance
5.3 Security Assessments
The Processor shall:
5.3.1 Conduct vulnerability assessments at least weekly.
5.3.2 Perform penetration testing at least annually by qualified independent third parties.
5.3.3 Maintain current security certifications and assessments as specified in the SLA.
5.3.4 Provide security assessment reports to the Controller upon reasonable request.
6. SUB-PROCESSORS
6.1 General Authorization
The Controller provides general authorization for the Processor to engage Sub-processors, subject to the requirements of this Section.
6.2 List of Sub-processors
The Processor shall maintain a current list of Sub-processors in a public register and in Annex C of this DPA. The public register is available at:
As of the effective date of this DPA, approved Sub-processors include:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (Core) | Platform/tenant infrastructure hosting | UAE Region |
| Amazon Web Services (Bedrock) | AI processing for configured features | UAE Region |
| Stripe, Inc. | Payment processing (approved operational exception) | International |
| Microsoft (Azure/Graph) | Transactional communications | UAE / Configured region |
| Sentry | Error and performance telemetry | Configured region |
| MCP ADHICS v2 service | Regulatory assistant orchestration | Configured region |
6.3 New Sub-processors
6.3.1 The Processor shall notify the Controller at least 30 days before engaging any new Sub-processor.
6.3.2 The Controller may object to the engagement of a new Sub-processor within 14 days of notification. If the Controller reasonably objects, the Parties shall negotiate in good faith to resolve the objection.
6.3.3 If no resolution can be reached within 30 days, the Controller may terminate the affected Services without penalty.
6.4 Sub-processor Requirements
The Processor shall:
6.4.1 Enter into written agreements with each Sub-processor imposing data protection obligations substantially similar to those in this DPA.
6.4.2 Conduct appropriate due diligence on Sub-processors before engagement.
6.4.3 Remain fully liable to the Controller for the performance of Sub-processor obligations.
6.4.4 Ensure Sub-processors comply with ADHICS requirements applicable to their processing activities.
6.4.5 Ensure Sub-processors handling platform and tenant database layers operate within UAE residency controls, and ensure any approved non-database exception is contractually controlled and disclosed.
6.5 Sub-processor Audits
The Processor shall:
6.5.1 Obtain and review audit reports or certifications from Sub-processors annually.
6.5.2 Make Sub-processor audit information available to the Controller upon request.
7. INTERNATIONAL DATA TRANSFERS
7.1 Data Residency
7.1.1 The Processor enforces strict UAE residency for the platform database and tenant databases.
7.1.2 Certain approved non-database processing operations (including billing and MCP-related operations) may involve cross-border processing as documented in Annex C and the Sub-Processor Register.
7.1.3 Any approved international processing shall comply with ADHICS, UAE law, and the contractual safeguards required under this DPA.
7.2 Transfer Conditions
Where international transfers are authorized, the Processor shall ensure:
7.2.1 A documented legal and contractual transfer basis is in place.
7.2.2 Appropriate safeguards are in place, including:
- Binding corporate rules
- Standard contractual clauses
- Certification mechanisms
- Codes of conduct with binding commitments
7.2.3 DoH approval is obtained where required by ADHICS.
7.2.4 Transfers are limited to the minimum data required for the approved purpose, with PHI controls applied as required by law and regulator direction.
7.3 Remote Access
7.3.1 Remote access to Personal Data from outside the UAE is prohibited unless:
- The personnel have valid DoH licenses (where applicable)
- The Controller has provided explicit written authorization
- DoH approval has been obtained where required
- Appropriate security controls are in place
7.3.2 Remote support and maintenance access is restricted, logged, and limited to authorized personnel under contractual confidentiality and security controls.
8. DATA SUBJECT RIGHTS
8.1 Processor Assistance
The Processor shall assist the Controller in responding to requests from Data Subjects to exercise their rights, including:
| Right | Processor Assistance |
|---|---|
| Access | Provide Data Subject's Personal Data in portable format upon Controller request |
| Rectification | Correct inaccurate Personal Data upon Controller instruction |
| Erasure | Delete Personal Data upon Controller instruction (subject to legal retention requirements) |
| Restriction | Restrict processing upon Controller instruction |
| Portability | Export Personal Data in machine-readable format |
| Objection | Implement processing restrictions as instructed |
8.2 Response Timeframes
8.2.1 The Processor shall respond to Controller requests regarding Data Subject rights within 5 business days.
8.2.2 Where a Data Subject contacts the Processor directly, the Processor shall promptly redirect the request to the Controller.
8.3 Costs
Reasonable assistance for Data Subject requests is included in the Services. The Processor may charge reasonable fees for manifestly unfounded, excessive, or repetitive requests.
9. DATA BREACH NOTIFICATION
9.1 Notification to Controller
9.1.1 The Processor shall notify the Controller of any Data Breach without undue delay and in any event within 24 hours of becoming aware of the breach.
9.1.1(a) For controller-relevant incidents tracked by the Platform, the 24-hour notice is issued automatically through in-app Owner Portal notices, backed by immutable audit records (breach_notices, breach_notice_events, and the notice ledger).
9.1.2 Initial notification shall include, to the extent known:
- Nature of the Data Breach
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records concerned
- Contact details for further information
- Likely consequences of the breach
- Measures taken or proposed to address the breach
9.1.3 Where information is not immediately available, the Processor shall provide information in phases without undue delay.
9.1.4 Notice channel for this DPA breach workflow is in-app only (Owner Portal), unless otherwise required by applicable law.
9.2 ADHICS Breach Notification
In accordance with ADHICS DP 1.7 and IM 2, the Processor shall:
9.2.1 Support the Controller in completing and submitting the "Data Breach Form" to DoH within 72 hours of acknowledging the incident.
9.2.2 Provide DoH with requested information within 30 working days after initial reporting.
9.2.3 Notify DoH SOC per the incident priority timelines:
| Priority | DoH Notification | Updates |
|---|---|---|
| P1 Critical | Near real-time | Real-time |
| P2 Severe | Within 1 hour | Every 1 hour |
| P3 Moderate | Within 4 hours | Every 4 hours |
| P4 Low | Within 24 hours | Every 24 hours |
9.3 Processor Cooperation
The Processor shall:
9.3.1 Cooperate fully with the Controller in investigating and remediating any Data Breach.
9.3.2 Preserve all evidence related to the breach.
9.3.3 Implement immediate containment and remediation measures.
9.3.4 Provide a detailed incident report including root cause analysis.
9.3.5 Implement measures to prevent recurrence.
9.3.6 Assist the Controller in notifying affected Data Subjects where required.
9.4 Controller Responsibility
The Controller remains responsible for:
9.4.1 Determining whether notification to DoH is required.
9.4.2 Submitting required notifications to DoH.
9.4.3 Notifying affected Data Subjects where required.
9.4.4 Coordinating with regulatory authorities.
10. AUDIT AND COMPLIANCE
10.1 Audit Rights
10.1.1 The Controller may audit the Processor's compliance with this DPA, subject to:
- Reasonable advance notice (minimum 30 days)
- Confidentiality obligations
- Conduct during business hours
- Minimal disruption to Processor operations
10.1.2 Audits may be conducted by the Controller or an independent third party appointed by the Controller.
10.1.3 The Controller shall bear the costs of any audit unless the audit reveals material non-compliance by the Processor.
10.2 Processor Cooperation
The Processor shall:
10.2.1 Provide reasonable access to facilities, systems, and personnel for audit purposes.
10.2.2 Provide relevant documentation, logs, and records.
10.2.3 Respond to audit inquiries within 10 business days.
10.2.4 Address identified non-conformities within agreed timeframes.
10.3 Compliance Certifications
10.3.1 The Processor shall maintain certifications and assessments as specified in the SLA, including:
- ADHICS Service Provider compliance
- Annual security assessments
- Penetration testing reports
10.3.2 The Processor shall provide copies of certifications and assessment summaries upon request.
10.4 Regulatory Audits
10.4.1 The Processor shall cooperate with audits by DoH, TASNEEF-RINA, or other regulatory bodies.
10.4.2 The Processor shall notify the Controller promptly of any regulatory audit affecting the Controller's data.
11. DATA RETENTION AND DELETION
11.1 During the Agreement
11.1.1 Personal Data shall be retained for the duration necessary to provide the Services and fulfill the purposes described in this DPA.
11.1.2 The Controller may instruct the Processor to delete specific Personal Data at any time, subject to legal retention requirements.
11.1.3 BYOD custody boundary: primary tenant database and primary tenant documents/files in BYOD infrastructure remain under Controller custody.
11.1.4 For BYOD lifecycle export, the Processor returns only control-plane Personal Data it processes (lifecycle and billing timing records).
11.2 Upon Termination
11.2.1 Upon termination or expiration of the Master Service Agreement, the Processor shall:
- For Cloud deployment: return processor-hosted Personal Data (including platform/tenant-cloud hosted records) within the 30-day transition period, then delete from production systems within 30 days after transition and from backup systems within 90 days.
- For BYOD deployment: return control-plane Personal Data processed by the Processor within the 30-day transition period; Customer remains responsible for extraction and retention actions in Customer BYOD infrastructure.
- Provide a certificate of destruction upon request.
11.2.2 Exceptions to deletion:
- Data required to be retained by UAE law
- Audit logs required for compliance (minimum 2 years)
- Data subject to ongoing legal proceedings or investigations
11.3 Secure Deletion
11.3.1 Deletion shall be performed using industry-standard secure deletion methods that prevent recovery.
11.3.2 The Processor shall ensure that Sub-processors also securely delete Personal Data.
12. LIABILITY AND INDEMNIFICATION
12.1 Processor Liability
12.1.1 The Processor shall be liable for damages caused by processing that does not comply with this DPA or the Controller's lawful instructions.
12.1.2 The Processor's liability shall be limited as set forth in the SLA and Master Service Agreement.
12.2 Indemnification
12.2.1 The Processor shall indemnify the Controller against:
- Claims arising from the Processor's breach of this DPA
- Claims arising from the Processor's violation of Applicable Data Protection Law
- Claims arising from the Processor's unauthorized processing of Personal Data
- Fines or penalties imposed by regulatory authorities due to the Processor's actions
12.2.2 The Controller shall indemnify the Processor against:
- Claims arising from the Controller's breach of this DPA
- Claims arising from the Controller's violation of Applicable Data Protection Law
- Claims arising from the Controller's instructions that infringe Applicable Data Protection Law
12.3 Limitation
12.3.1 The limitations of liability set forth in the SLA and Master Service Agreement apply to this DPA, except for:
- Gross negligence or willful misconduct
- Breach of confidentiality obligations
- Indemnification obligations
- Liability that cannot be excluded by law
13. TERM AND TERMINATION
13.1 Term
This DPA shall commence on the effective date of the Master Service Agreement and continue until the Master Service Agreement terminates or expires, unless earlier terminated in accordance with this Section.
13.2 Termination
13.2.1 This DPA shall automatically terminate upon termination of the Master Service Agreement.
13.2.2 Either Party may terminate this DPA if the other Party materially breaches this DPA and fails to cure such breach within 30 days of written notice.
13.2.3 Either Party may terminate this DPA immediately if required by changes in Applicable Data Protection Law.
13.3 Survival
The following provisions shall survive termination:
- Section 3.1.6 (Deletion or return of data)
- Section 9 (Data Breach Notification) - for breaches discovered post-termination
- Section 10 (Audit and Compliance) - for 1 year post-termination
- Section 11 (Data Retention and Deletion)
- Section 12 (Liability and Indemnification)
- Section 14 (Confidentiality)
14. CONFIDENTIALITY
14.1 Confidentiality Obligations
14.1.1 Each Party shall maintain the confidentiality of information disclosed by the other Party under this DPA.
14.1.2 The Processor shall ensure that personnel with access to Personal Data are subject to confidentiality obligations.
14.2 Exceptions
Confidentiality obligations do not apply to information that:
- Is or becomes publicly available without breach
- Was known to the receiving Party prior to disclosure
- Is independently developed without use of confidential information
- Is required to be disclosed by law (with advance notice where permitted)
14.3 Duration
Confidentiality obligations survive termination for 3 years, except for trade secrets, which remain confidential indefinitely.
15. GENERAL PROVISIONS
15.1 Governing Law
This DPA shall be governed by and construed in accordance with the laws of the United Arab Emirates.
15.2 Jurisdiction
The courts of Abu Dhabi, United Arab Emirates shall have exclusive jurisdiction over disputes arising from this DPA.
15.3 Severability
If any provision of this DPA is found unenforceable, the remaining provisions shall continue in full force and effect.
15.4 Entire Agreement
This DPA, together with the Master Service Agreement, SLA, Terms of Use, Privacy Policy, and Cookie Policy, constitutes the entire agreement between the Parties regarding data processing.
15.5 Amendment
This DPA may only be amended in writing signed by both Parties, except for:
- Updates to Sub-processor lists (per Section 6.3)
- Updates required by changes in Applicable Data Protection Law
15.6 Notices
All notices under this DPA shall be in writing and delivered to:
- Controller: The contact details in the subscription agreement
- Processor: compliance@grscia.ae
15.7 No Third-Party Rights
This DPA does not confer any rights on third parties except as expressly stated.
15.8 Relationship to Other Agreements
In the event of conflict between this DPA and other agreements between the Parties, this DPA shall prevail for data protection and processing matters. For non-data-protection matters, precedence is governed by the MSA/Order Form framework.
16. CONTACT INFORMATION
16.1 Processor Contacts
| Role | Contact |
|---|---|
| Data Protection Officer | dpo@grscia.ae |
| Privacy Inquiries | privacy@grscia.ae |
| Security Incidents | security@grscia.ae |
| Legal/Compliance | compliance@grscia.ae |
| General | info@grscia.ae |
| Telephone | +971501123842 |
16.2 Regulatory Contacts
| Authority | Contact |
|---|---|
| DoH AAMEN Program | aamen@doh.gov.ae |
| ADHICS Inquiries | adhics@doh.gov.ae |
| DoH SOC | soc@doh.gov.ae, +971 2 419 3777 |
ANNEX A: PROCESSING DETAILS
A.1 Subject Matter of Processing
Healthcare compliance management platform services including document management, compliance assessment, HR administration, incident management, asset management, and AI-powered compliance assistance.
A.2 Duration of Processing
From the commencement of the Master Service Agreement until its termination, plus any applicable transition and retention periods.
A.3 Nature and Purpose of Processing
As described in Section 2.2 of this DPA.
A.4 Categories of Data Subjects
As described in Section 2.3 of this DPA.
A.5 Types of Personal Data
As described in Section 2.4 of this DPA.
A.6 Special Categories of Data
- Health data (PHI)
- Biometric data (where applicable)
- Criminal background check results
- Other sensitive data as uploaded by the Controller
ANNEX B: TECHNICAL AND ORGANIZATIONAL MEASURES
The Processor implements the technical and organizational measures described in Section 5 of this DPA and the SLA. A summary is provided below:
B.1 Encryption
- AES-256-GCM at rest
- TLS 1.3 in transit
- HSM-protected key management
B.2 Access Control
- MFA mandatory
- RBAC with least privilege
- Session management
- Audit logging
B.3 Infrastructure Security
- UAE-based data centers
- Network segmentation
- DDoS protection
- 24/7 monitoring
B.4 Operational Security
- Vulnerability management
- Penetration testing
- Incident response
- Business continuity
B.5 Personnel Security
- Background checks
- Confidentiality agreements
- Security training
ANNEX C: APPROVED SUB-PROCESSORS
As of the effective date:
| Name | Service | Location | Security Measures |
|---|---|---|---|
| Amazon Web Services (Core) | Cloud infrastructure for platform/tenant DB workloads | UAE | SOC 2 Type II, ISO 27001 |
| Amazon Web Services (Bedrock) | AI/ML processing for configured features | UAE | SOC 2, ISO 27001 |
| Stripe, Inc. | Payment processing (approved operational exception) | International | PCI DSS Level 1 |
| Microsoft (Azure/Graph) | Transactional email and communication services | UAE / Configured region | SOC 2, encryption controls |
| Sentry | Application error/performance telemetry | Configured region | Contractual controls, data minimization |
| MCP ADHICS v2 service | Regulatory assistant orchestration | Configured region | Contractual controls, scoped processing |
The public Sub-Processor Register is available at View. The Controller may request updates at any time by contacting privacy@grscia.ae.
SIGNATURES
This Data Processing Agreement is incorporated into and forms part of the Master Service Agreement between the Parties. By accepting the Master Service Agreement, both Parties agree to be bound by the terms of this DPA.
Document Information:
| Field | Value |
|---|---|
| Document Reference | GRSCIA-DPA-2025-V2.0 |
| Version | 2.0 |
| Effective Date | January 1, 2025 |
| Last Updated | January 4, 2026 |
| Review Cycle | Annual |
| Next Review | January 2027 |
| Document Owner | GRSCIA Legal & Compliance |
This Data Processing Agreement is designed to comply with ADHICS V2 Data Privacy and Protection (DP) domain requirements and UAE Federal Law No. 2 of 2019 on the Use of ICT in Healthcare.
© 2025-2026 GRSCIA, powered and managed by CISOSHARE INSPECTION AUDIT SERVICES - L.L.C - S.P.C. All rights reserved.