Data Processing Agreement
Last updated: March 1, 2026
1. Definitions
In this Data Processing Agreement (“DPA”):
- “Controller” means the entity that determines the purposes and means of the processing of Personal Data (i.e., the Customer subscribing to the Hadar platform).
- “Processor” means Hadar Real Estate, which processes Personal Data on behalf of the Controller.
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- “Applicable Data Protection Law” means the UAE Federal Decree-Law No. 45 of 2021 (UAE PDPL), the DIFC Data Protection Law No. 5 of 2020, the EU General Data Protection Regulation (GDPR), and any other applicable data protection legislation.
2. Scope and Purpose of Processing
This DPA applies to all Personal Data processed by the Processor on behalf of the Controller in connection with the provision of the Hadar CRM platform and related services (“Services”).
Subject Matter: Provision of a cloud-based real estate CRM, AI-powered communication tools, and lead management services.
Duration: The term of the Controller’s subscription agreement, plus any period required for data return or deletion.
Nature & Purpose: Storage, organisation, retrieval, and analysis of lead data, property inquiries, communication logs, and transaction records to deliver the Services.
Categories of Data Subjects: The Controller’s clients, leads, prospects, and end users of the platform.
Types of Personal Data: Contact details (name, email, phone), property preferences, financial qualification data, communication transcripts, and usage metadata.
3. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with respect to international data transfers, unless required by applicable law.
- Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing.
- Not engage another processor (sub-processor) without prior specific or general written authorisation of the Controller.
- Assist the Controller in ensuring compliance with its obligations related to security, breach notification, data protection impact assessments, and prior consultation.
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with its obligations and allow for and contribute to audits.
4. Data Security Measures
The Processor implements and maintains the following technical and organisational security measures:
- Encryption in transit using TLS 1.3 and at rest using AES-256.
- Role-based access controls with multi-factor authentication for all personnel with access to Personal Data.
- Regular security assessments and penetration testing (at least annually).
- Logical separation of Controller data in multi-tenant infrastructure.
- Automated backups with encrypted storage and tested recovery procedures.
- Employee security awareness training and background checks for personnel with access to Personal Data.
- Incident response plan with documented procedures for detecting, reporting, and mitigating security incidents.
5. Sub-processors
The Controller provides general authorisation for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 14 days.
The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract. The current list of sub-processors is:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication, storage | United States / EU |
| Stripe | Payment processing and billing | United States |
| Resend | Transactional email delivery | United States |
| OpenRouter | AI model routing and inference | United States |
| HeyGen | AI avatar video generation | United States |
| Vapi | AI voice agent and telephony | United States |
| OpenAI | AI language models and speech-to-text (Whisper) | United States |
| ElevenLabs | AI voice synthesis and conversational voice agent | United States |
| Firecrawl | Web scraping for property data enrichment | United States |
6. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including:
- Right of access to their Personal Data.
- Right to rectification of inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”).
- Right to restriction of processing.
- Right to data portability.
- Right to object to processing.
The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject without responding to that request itself, unless legally required to do so.
7. Data Breach Notification
The Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller.
The notification shall include, at minimum:
- A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records concerned.
- The name and contact details of the Processor’s data protection contact.
- A description of the likely consequences of the Data Breach.
- A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects.
The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Data Breach.
8. Audit Rights
The Processor shall make available to the Controller on request all information necessary to demonstrate compliance with its obligations under this DPA and Applicable Data Protection Law.
- The Controller (or an independent third-party auditor mandated by the Controller) may conduct audits, including inspections, no more than once per calendar year, with at least 30 days’ prior written notice.
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor’s operations.
- The Controller shall bear the costs of any audit, unless the audit reveals material non-compliance by the Processor.
- The Processor may satisfy audit requests by providing relevant certifications, third-party audit reports (e.g., SOC 2 Type II), or allowing the Controller to review its security documentation.
9. Data Return and Deletion
Upon termination or expiry of the subscription agreement, the Processor shall, at the Controller’s election:
- Return all Personal Data to the Controller in a commonly used, machine-readable format (e.g., CSV or JSON); or
- Delete all Personal Data and existing copies, unless applicable law requires continued storage.
The Processor shall complete the return or deletion within 30 days of the Controller’s written request. The Processor shall certify in writing that deletion has been carried out.
Data retained for compliance with legal obligations (e.g., tax or AML records) shall remain subject to the confidentiality and security obligations of this DPA.
10. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the United Arab Emirates, without regard to its conflict of law provisions.
Any dispute arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of Dubai, United Arab Emirates.
Where the Controller is established in the European Economic Area, the Standard Contractual Clauses (SCCs) approved by the European Commission shall apply to international transfers of Personal Data in addition to this DPA.
11. Contact
Hadar Real Estate — Data Protection
Email: privacy@hadar-ai.com
Address: Dubai, United Arab Emirates
For questions about this DPA or to exercise your rights, contact us at privacy@hadar-ai.com.