Data Protection Addendum
This Data Protection Addendum (the “DPA”) forms part of and is incorporated into the applicable Terms, or other written or electronic agreement between FirmFox Management Consultancies LLC (“FirmFox”) and the relevant business Client (“Client”) under which FirmFox provides the Platform and/or related corporate, immigration, PRO, licensing, compliance, administrative or support services (the “Main Agreement”). This DPA applies only to the extent that, in connection with the Main Agreement, FirmFox processes Personal Data on behalf of the Client as Processor and the Client acts as Controller under Applicable Data Protection Law.
This DPA is primarily intended to address the requirements of applicable data protection laws of the United Arab Emirates. Where other mandatory data protection laws apply to the relevant processing activity, this DPA shall be interpreted, so far as reasonably possible, in a manner consistent with such laws, and any mandatory requirement of such laws shall prevail to the extent of a conflict.
By clicking “I agree”, “Accept”, “Confirm” or a similar acceptance mechanism in relation to the Platform, or by otherwise executing or accepting the Main Agreement electronically or in writing, the Client acknowledges and agrees that, where and to the extent applicable to the processing of Personal Data by FirmFox as Processor on behalf of the Client, this DPA forms an integral part of, and is incorporated by reference into, the Main Agreement.
1. Definitions and Interpretation
1.1. In this DPA, unless the context otherwise requires:
“Applicable Data Protection Law” means the data protection, privacy and related laws and regulations applicable to the processing of personal data under the Subscription Platform Terms, including the applicable laws of the UAE and, where relevant, other mandatory privacy laws applicable to the Client, the data subjects or the processing in question.
“Client Personal Data” means any Personal Data processed by FirmFox or on FirmFox's behalf in connection with the Main Agreement on behalf of the Client.
“Controller” means the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Data Subject” means an identified or identifiable natural person to whom the Personal Data relates.
“Main Agreement” means the applicable Terms, order form, statement of work, or other written or electronic agreement between FirmFox and the Client under which FirmFox provides the Platform and/or related corporate, immigration, PRO, licensing, compliance, administrative or support services, and into which this DPA is incorporated or in connection with which this DPA is entered into.
“Personal Data” means any information relating to a person including without limitation a name, an identification number, location data, an online identifier, or to one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity.
“Processor” means the natural or legal person who processes Personal Data on behalf of the Controller.
“Supervisory Authority” means any independent public authority or other competent regulator that is responsible under Applicable Data Protection Law for monitoring the application of such law and for enforcing the rights and obligations relating to the Processing of Personal Data.
“Sub-processor” means any third party appointed by or on behalf of FirmFox to process Client Personal Data on behalf of the Client in connection with the Terms.
“Terms” means the Subscription Terms & Conditions or the Pay-as-you-Go Terms & Conditions in each case where applicable, and includes any other Main Agreement expressly incorporating this DPA.
2. Scope of Processing
2.1. The Client appoints FirmFox to process Client Personal Data to the extent necessary to provide the services under the Terms, including account administration, service request management, document handling, submission support, transaction logging, support services, compliance administration and related operational functions contemplated by the Terms or any other agreement signed between FirmFox and the Client.
2.2. The Client acknowledges that the services may involve immigration, employment, licensing, identification, compliance and corporate records and may therefore include official identifiers, government-issued documents and other sensitive operational records to the extent lawfully provided by the Client and required for the relevant service.
2.3. The categories of data subjects, categories of personal data, purposes of processing, and duration of processing relevant to the services are set out in Annex 1 to this DPA (the "Processing Schedule"). The parties shall update Annex 1 as reasonably necessary to reflect any material changes to the nature or scope of the processing. In the event of a conflict between Annex 1 and the body of this DPA, the body of this DPA shall prevail.
2.4. This DPA is intended to apply only where and to the extent that FirmFox processes Client Personal Data on behalf of the Client in a Controller-to-Processor relationship under Applicable Data Protection Law. It is not intended to operate as a universal data processing addendum for all users or all processing activities. To the extent FirmFox acts as an independent Controller in relation to any Personal Data, the processor-specific provisions of this DPA shall not apply to that processing except where expressly stated.
3. Controller and Processor Allocation
3.1. The parties acknowledge that, for the purposes of Applicable Data Protection Law:
3.1.1. the Client will generally act as Controller in respect of Client Personal Data submitted to FirmFox by or on behalf of the Client for the purpose of receiving the services under the Terms or any other agreement; and
3.1.2. FirmFox will generally act as Processor in respect of such Client Personal Data when processing it on behalf of the Client to provide the relevant services.
3.2. Notwithstanding clause 3.1, the parties acknowledge that FirmFox may act as an independent Controller in relation to Personal Data that FirmFox processes for its own legitimate business purposes, including billing, collections, internal administration, legal and regulatory compliance, fraud prevention, sanctions screening, record-keeping, internal investigations, establishment or defence of legal claims, and the security, improvement and administration of its Platform and systems.
3.3. Where FirmFox acts as an independent Controller, FirmFox shall process the relevant Personal Data in accordance with Applicable Data Protection Law and its applicable privacy notice or privacy policy, and the processor-specific obligations in this DPA shall not apply to such processing except to the extent expressly stated.
4. Client Obligations
4.1. The Client shall ensure that it has all necessary rights, notices, consents, instructions, lawful bases, and permissions required under Applicable Data Protection Law to disclose Client Personal Data to FirmFox and to permit FirmFox and its authorized Sub-processors to process such data for the purposes contemplated by the Terms and this DPA.
4.2. The Client shall ensure that Client Personal Data provided to FirmFox is relevant, lawful, accurate and limited to what is necessary for the relevant services.
4.3. The Client shall remain responsible for the legal basis on which Client Personal Data is collected and transferred to FirmFox, for the accuracy and completeness of the data provided, and for complying with any obligations owed by the Client to Data Subjects under Applicable Data Protection Law, unless Applicable Data Protection Law requires otherwise.
4.4. The Client shall not instruct FirmFox to process Client Personal Data in a manner that would cause FirmFox to breach Applicable Data Protection Law. FirmFox may suspend or refuse any instruction that it reasonably believes is unlawful, inconsistent with the Terms, technically infeasible or likely to expose FirmFox to disproportionate legal, security or operational risk.
5. Processor Obligations
5.1. FirmFox shall process Client Personal Data only on documented instructions from the Client, unless FirmFox is required to do otherwise by applicable law. The Terms, the Client's use of the Platform, the Client's Orders and documented communications reasonably related to the services shall constitute the Client's documented instructions for the purposes of this DPA. Any instructions given outside the Platform shall be provided in writing (including by email) by an authorized representative of the Client. FirmFox may request written confirmation of any instruction that would result in a material change to the nature or scope of processing activities before acting on such instruction.
5.2. If FirmFox reasonably believes that an instruction infringes Applicable Data Protection Law, FirmFox may notify the Client and suspend the relevant processing until the issue is resolved.
5.3. FirmFox shall ensure that persons authorized to process Client Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory.
5.4. FirmFox shall process Client Personal Data only to the extent and for as long as necessary to perform its obligations under the Terms, this DPA or as otherwise required by applicable law.
5.5. FirmFox shall maintain, or procure the maintenance of, a record of processing activities carried out on behalf of the Client in connection with the services, to the extent required under Applicable Data Protection Law. Such records shall include, as applicable: the categories of processing carried out on behalf of the Client; the purposes of the processing; any transfers of Client Personal Data to third countries or international organizations; and a general description of the technical and organizational security measures in place.
6. Security Measures
6.1. FirmFox shall implement and maintain reasonable and appropriate technical and organizational measures designed to protect Client Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized access or other unlawful processing.
6.2. Such measures may include, as appropriate and proportionate: access controls, user authentication, role-based permissions, logging and monitoring, secure cloud infrastructure, multi-factor authentication for privileged accounts, secure storage, backup procedures, staff confidentiality controls, vendor due diligence, basic encryption or secure transmission methods, and policies or procedures governing access to systems and documents.
6.3. The Client acknowledges that the security measures implemented by FirmFox are high-level and risk-based in nature and are not intended to guarantee absolute security. FirmFox may update or modify its security measures from time to time provided that the overall level of protection is not materially diminished.
7. Sub-processors
7.1. The Client grants FirmFox a general authorization to appoint sub-processors in connection with the provision of the services, provided that FirmFox remains responsible for the performance of its sub-processors to the extent required by Applicable Data Protection Law.
7.2. FirmFox shall ensure that any sub-processor engaged to process Client Personal Data is bound by written obligations that are no less protective, in all material respects, than the obligations imposed on FirmFox under this DPA, to the extent applicable to the services performed by that sub-processor. Upon the Client's reasonable written request, FirmFox shall provide the Client with a summary or appropriately redacted copy of the relevant sub-processor agreement to the extent reasonably permitted by confidentiality and commercial sensitivity considerations.
7.3. FirmFox may make available, upon reasonable request, information about the categories or identity of material sub-processors used in connection with the relevant services, subject to confidentiality, security and commercial sensitivity considerations.
7.4. If the Client reasonably objects to the appointment of a new sub-processor on legitimate data protection grounds, the parties shall discuss the concern in good faith. If the concern cannot be reasonably resolved, FirmFox may, at its option, use reasonable efforts to provide the relevant services without using the objected-to sub-processor, or terminate the affected service upon written notice, without liability for future performance of that affected service.
8. International Data Transfers
8.1. The Client acknowledges that Client Personal Data may be processed in or accessed from jurisdictions outside the UAE, including where FirmFox or its sub-processors use cloud infrastructure, software providers, support personnel or operational resources located in other jurisdictions.
8.2. Where FirmFox transfers Client Personal Data across borders, FirmFox shall take the necessary steps to ensure that such transfer is carried out in accordance with Applicable Data Protection Law and subject to appropriate safeguards where required by law.
8.3. To the extent required under Applicable Data Protection Law, the parties shall cooperate in good faith to put in place any additional transfer mechanism, contractual wording or supplementary measure that is reasonably required for the lawful transfer of Client Personal Data.
9. Assistance With Data Subject Requests
9.1. Taking into account the nature of the processing, FirmFox shall provide reasonable assistance to the Client, at the Client's reasonable and documented cost (unless otherwise required by Applicable Data Protection Law), to enable the Client to respond to requests from Data Subjects seeking to exercise their rights under Applicable Data Protection Law. Where reasonably practicable, FirmFox shall notify the Client of any anticipated costs before incurring them, and shall only charge costs that are reasonable and directly attributable to the assistance provided.
9.2. If FirmFox receives a request directly from a Data Subject relating to Client Personal Data for which the Client is the Controller, FirmFox may, unless prohibited by law, refer the request to the Client and may refrain from responding directly except as instructed by the Client or required by law.
10. Compliance Assistance
10.1. Taking into account the nature of the processing and the information available to FirmFox, FirmFox shall provide reasonable assistance to the Client, at the Client's reasonable and documented cost (unless otherwise required by Applicable Data Protection Law), in relation to the Client's compliance obligations concerning security, personal data breach notifications, data protection impact assessments and prior consultations with competent authorities, to the extent such assistance is required under Applicable Data Protection Law and reasonably practicable in the context of the services provided. Where reasonably practicable, FirmFox shall notify the Client of any anticipated costs before incurring them, and shall only charge costs that are reasonable and directly attributable to the assistance provided.
10.2. The Client may, no more than once per calendar year (unless required more frequently by a competent supervisory authority or following a confirmed personal data breach), request that FirmFox provide written information or documentation reasonably evidencing FirmFox's compliance with its obligations under this DPA. Such information may take the form of completed questionnaires, relevant third-party audit reports, certifications (such as ISO 27001 or SOC 2 Type II reports), or equivalent assurance documentation. Where the Client reasonably requires an on-site audit or inspection, the parties shall agree in advance, acting in good faith, on the scope, timing, cost allocation and confidentiality arrangements applicable to such audit. The Client shall provide FirmFox with not less than thirty (30) days' prior written notice before conducting or commissioning any audit under this clause.
11. Personal Data Breaches
11.1. FirmFox shall notify the Client without undue delay, and in any event within seventy-two (72) hours of becoming aware of a personal data breach that is reasonably likely to affect Client Personal Data processed by FirmFox as Processor under this DPA, to the extent such notification is required under Applicable Data Protection Law. Where it is not practicable to provide full details within seventy-two (72) hours, FirmFox shall provide an initial notification within that period followed by further details as soon as reasonably possible thereafter.
11.2. Such notification may be phased if it is not possible to provide all relevant details at once and shall include, to the extent reasonably available at the time: (a) the nature of the breach; (b) the categories of data affected; (c) the likely consequences; and (d) the measures taken or proposed to address the breach and mitigate its possible adverse effects.
11.3. FirmFox shall take reasonable steps to investigate, contain, mitigate and remediate the effects of a personal data breach within its control. Nothing in this clause requires FirmFox to make notifications to Data Subjects or any Supervisory Authority on the Client's behalf unless expressly agreed in writing or required by Applicable Data Protection Law.
12. Return and Deletion of Client Personal Data
12.1. Upon termination or expiry of the Terms, or upon the Client's written request following termination or expiry, FirmFox shall, subject to clauses 12.2 and 12.3, delete or return Client Personal Data processed by FirmFox as Processor under this DPA, in a format and within a timeframe reasonably determined by FirmFox having regard to the nature of the services, technical feasibility and the Client's request.
12.2. FirmFox may retain Client Personal Data to the extent required by applicable law, for legitimate record-keeping, compliance, audit, anti-money laundering, fraud prevention, sanctions screening, accounting, dispute resolution, backup, evidentiary or legal claim purposes, or where retention is otherwise permitted under Applicable Data Protection Law.
12.3. Where deletion is required, deletion from active production systems may occur in accordance with FirmFox's standard technical processes and backup retention cycles, provided that retained copies remain protected in accordance with this DPA for so long as they are retained.
13. Liability
13.1. As between the parties, each party shall be liable for the performance of its own obligations under this DPA and under Applicable Data Protection Law. Nothing in this DPA is intended to create any joint and several liability between the parties beyond what is required by Applicable Data Protection Law.
13.2. Subject to clause 13.3, any liability of either party to the other arising out of or in connection with this DPA shall be subject to, and shall form part of, the exclusions and limitations of liability, caps and other liability provisions set out in the Terms, and such provisions are incorporated into this DPA by reference as if set out in full.
13.3. Clause 13.2 shall not apply to the extent that Applicable Data Protection Law expressly prohibits the limitation of a specific type of liability or remedy. In such case, the relevant limitation shall be disapplied only to the minimum extent necessary to comply with that mandatory requirement.
13.4. Nothing in this DPA shall relieve either party of, or otherwise limit, its own direct responsibilities and liabilities under Applicable Data Protection Law as a Controller or Processor (as applicable), vis-à-vis the competent supervisory authority or the affected Data Subjects to the extent such responsibilities and liabilities cannot lawfully be limited between the parties.
14. Miscellaneous
14.1. This DPA shall commence on the Effective Date and shall remain in force for so long as FirmFox Processes Client Personal Data on behalf of the Client under the Terms, without prejudice to any provisions of this DPA which by their nature are intended to survive expiry or termination.
14.2. Except as expressly modified by this DPA in respect of the Processing of Personal Data, the Terms remain in full force and effect and shall govern the parties’ overall relationship. In case of conflict between this DPA and the Terms in relation to the Processing of Personal Data, this DPA shall prevail to the extent of that conflict.
14.3. This DPA shall be governed by, and construed in accordance with, the governing law specified in the Terms, and any dispute arising out of or in connection with this DPA shall be subject to the dispute resolution provisions of the Terms.
14.4. For the avoidance of doubt, any matter not expressly addressed in this DPA shall be governed by the provisions of the Terms.
14.5. If any provision of this DPA is found by a court or competent authority to be invalid, unlawful or unenforceable under Applicable Data Protection Law or any other applicable law, such provision shall be deemed modified to the minimum extent necessary to make it valid, lawful and enforceable. If such modification is not possible, the relevant provision shall be deemed deleted. Any modification or deletion of a provision under this clause shall not affect the validity and enforceability of the remaining provisions of this DPA.
Annex 1 - Processing Schedule
This Annex 1 forms part of, and is incorporated into, the Data Protection Addendum ("DPA") between FirmFox Management Consultancies LLC ("FirmFox") and the Client. Capitalized terms used in this Annex 1 but not otherwise defined herein shall have the meanings given to them in the DPA. In the event of a conflict between this Annex 1 and the body of the DPA, the body of the DPA shall prevail.
Part A - Details of Processing
1. Subject Matter and Nature of Processing. Processing of Client Personal Data by FirmFox as Processor on behalf of the Client, to enable FirmFox to provide the services under the Terms. Processing activities include: collection, recording, storage, retrieval, use, transmission, structuring, disclosure to authorized sub-processors and government authorities, and deletion or return of Client Personal Data, in each case to the extent necessary for the performance of the relevant services.
2. Purposes of Processing. Client Personal Data is processed for the following purposes, to the extent applicable to the services engaged by the Client: (a) Client account setup, access management and platform administration; (b) Processing, preparation and submission of immigration, visa, entry permit and residency applications, renewals and cancellations on behalf of the Client and its sponsored individuals; (c) Processing, preparation and submission of business licensing, trade license and commercial registration applications, renewals, amendments and cancellations; (d) PRO (Public Relations Officer) services and government authority liaison, including submissions to UAE federal and emirate-level authorities; (e) Corporate secretarial services, including preparation and filing of corporate documents, maintenance of company registers and related record-keeping; (f) Employment and labour-related services, including WPS-related filings, labour contract registrations and related submissions to the Ministry of Human Resources and Emiratization or equivalent authority; (g) Compliance and regulatory administration, including anti-money laundering and sanctions screening where applicable; (h) Document storage, retrieval and status tracking via the Platform; (i) Customer support, service request management and communications; (j) Billing, invoicing, transaction logging and account management; (k) Compliance with FirmFox's legal and regulatory obligations under applicable UAE law.
3. Categories of Data Subjects. The following categories of data subjects may be affected by the processing: (a) Current, prospective and former employees of the Client; (b) Directors, shareholders, officers, partners, managers and authorized signatories of the Client; (c) Individuals sponsored by or employed through the Client for immigration or visa purposes; (d) Dependants of any of the foregoing (to the extent their data is submitted in connection with dependent visa or residency applications); (e) Other natural persons whose Personal Data is submitted by or on behalf of the Client to FirmFox in connection with the services.
4. Categories of Personal Data. The following categories of Personal Data may be processed, to the extent submitted by the Client and required for the relevant service: (a) Identity data: full legal name, date of birth, gender, nationality, place of birth, marital status, and photograph; (b) Official identifier data: passport number and copy, Emirates ID number and copy, national identity card, labour card, establishment card and equivalent government-issued documents; (c) Contact data: residential address, email address, telephone number; (d) Employment and professional data: job title, designation, employer name, employment contract details, salary information, salary certificates, NOC letters, ILOE records, birth certificates, marriage certificates, family book documents (including for UAE nationals), and any other related HR documentation; (e) Immigration and residency data: visa type and number, entry permit number, residency status, visa expiry and renewal dates, and related government correspondence; (f) Corporate and commercial data: company registration numbers, trade licence numbers, memoranda and articles of association, shareholder certificates, corporate resolutions, and related entity documentation; (g) Financial data: bank account details, audited financial statements, and related financial documentation, to the extent submitted for licensing, immigration or compliance purposes; (h) Biometric data: to the extent contained in government-issued identity documents submitted by the Client in connection with the services; (i) Health data: to the extent a medical fitness certificate or equivalent document is required by a government authority in connection with a visa, residency or employment application.
With respect to special categories of Personal Data (items (h) and (i) above), the Client warrants that it has a valid legal basis under Applicable Data Protection Law for the collection and transfer of such data to FirmFox, and that processing of such data by FirmFox is strictly limited to what is required to perform the relevant service or comply with a legal obligation.
5. Duration of Processing. FirmFox will process Client Personal Data for the duration of the applicable Terms and, following their termination or expiry, for such further period as is required or permitted under clause 12 of the DPA. Without limiting the foregoing, FirmFox may retain Client Personal Data for the minimum period required by applicable UAE law, which may include: (a) UAE Labour Law retention obligations in respect of employment records; (b) UAE Commercial Companies Law and licensing authority requirements in respect of corporate records; (c) UAE anti-money laundering legislation (Federal Decree-Law No. 20 of 2018 and related resolutions) which requires retention of certain records for a minimum of five (5) years; (d) any other applicable statutory or regulatory retention obligation. Following the expiry of any applicable retention period, Client Personal Data will be deleted or anonymized in accordance with clause 12 of the DPA.
Part B - International Transfers
Client Personal Data may be transferred to, or accessed from, jurisdictions outside the UAE in connection with the provision of the services, including where FirmFox or its sub-processors utilize cloud infrastructure, software platforms, support personnel or operational resources located in other jurisdictions. Categories of transfer destinations may include, without limitation, jurisdictions in which FirmFox's cloud infrastructure providers, software-as-a-service providers, and material sub-processors are established or from which they provide services. FirmFox shall ensure that all such transfers are carried out in accordance with clause 8 of the DPA and subject to appropriate safeguards where required by Applicable Data Protection Law. The parties shall cooperate in good faith to put in place any additional transfer mechanism required for the lawful transfer of Client Personal Data to any relevant jurisdiction.