Data processing addendum

Data Processing Addendum

Last Updated: June 20, 2025

This Cyberia LLC FZ Data Processing Addendum (the "DPA") is entered into by and between the CYBERIA INTERNATIONAL L.L.C-FZ Customer agreeing to these terms (“Customer”) and CYBERIA INTERNATIONAL L.L.C-FZ, a company registered in the United Arab Emirates under license number 2202593.01, with its registered office at Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Meydan, Dubai, 95195, U.A.E. ("Cyberia LLC FZ"). Cyberia LLC FZ and Customer are collectively referred to as the “Parties” and each a “Party”.

If you are accepting this DPA on behalf of the Customer, you represent and warrant that: (a) you are duly authorized to represent Customer; (b) you accept the terms of this DPA on behalf of Customer; (c) you act as a Controller and have obtained all necessary authorizations, permissions, or other legal bases under Applicable Privacy Laws to lawfully collect, use, and transfer such personal data to Cyberia LLC FZ for processing in accordance with this Addendum.

RECITALS

1. A. Customer is subject to the Data Protection Law and has subscribed to Cyberia LLC FZ’s Terms of Service found at [Link to Terms of Service] (the "Contract”) for the receipt of certain Services from Cyberia LLC FZ as described in the Contract (the “Services”). In delivering the Services under the Contract, Cyberia LLC FZ may process Personal Data controlled by Customer.

2. B. To comply with Data Protection Law, Customer must ensure the appropriate protection of all data, including Personal Data when Customer engages third party vendors. Accordingly, Customer's engagement of Cyberia LLC FZ is conditioned upon Cyberia LLC FZ’s agreement to the terms and conditions of this DPA incorporated by reference into and made a binding part of our Terms of Service [Link to Terms of Service].

DEFINITIONS

“Affiliate” means any entity controlling, controlled by, or under common control with a party, where “control” is defined as: (a) the ownership of at least fifty percent (50%) of the equity or beneficial interests of the entity; (b) the right to vote for or appoint a majority of the board of directors or other governing body of the entity; or (c) the power to exercise a controlling influence over the management or policies of the entity.

“Agreed Liability Cap” means the maximum amount at which a Party’s liability is capped under the applicable Agreement, either per annual period or event giving rise to liability, as applicable.

"Applicable Privacy Laws" means the relevant data protection and privacy laws and regulations to which Customer is subject, including, where applicable, Data Protection Law.

"Authorized Persons" means any person who processes Personal Data on Cyberia LLC FZ’s behalf, including Cyberia LLC FZ’s employees, officers, partners, principals, contractors, and Subcontractors.

"Data Protection Law" means UAE Federal Decree Law No. 45 of 2021 on Personal Data Protection.

"Personal Data" means any information provided or made available to Cyberia LLC FZ, by or on behalf of Cusotmer, in connection with the Services and which relates to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, etc. For the avoidance of doubt, Personal Data includes personally identifiable information.

"Security Incident" means an accidental, unauthorized or unlawful destruction, loss, alteration, disclosure of, or access to, Personal Data.

"Subcontractor" means any third party engaged by Cyberia LLC FZ to process any Personal Data relating to this DPA and/or the Contract.

The terms "Controller", "Processor", and "processing", have the meanings given to them in Applicable Privacy Laws. If and to the extent that Applicable Privacy Laws do not define such terms, then the definitions given in Data Protection Law will apply.

1. Subject Matter and Duration

This DPA governs the processing of personal data on behalf of the Customer in the context of Services provision by Cyberia LLC FZ and related technical support to Customer. The duration corresponds to the duration of the Contract executed by the Parties.

2. Nature, Purpose and Scope of Processing

2.1. Cyberia LLC FZ shall process Personal Data under the Contract as a Processor acting on behalf of Customer unless Cyberia LLC FZ is required to process the Personal Data for other purposes by Data Protection Law. Cyberia LLC FZ agrees that it will process Personal Data as described below.

2.2. Each Party shall comply with its obligations under Applicable Privacy Laws in respect of any Personal Data it processes under this DPA.

2.3. Purpose: Cyberia LLC FZ shall process Personal Data submitted, stored, sent or received by Customer, its Affiliates or Authorized Users via the Services for the purposes of providing the Services and related technical support to Customer in accordance with the Data Processing A.

2.4. Nature of Processing: Collection, storage, organization, structuring, access, transmission, analysis, and deletion of data through automated systems.

2.5.Means of Processing: Web-based platform, encrypted data transmission, user-access interfaces, and data analytics.

3. Categories of Data Subjects

The Personal Data processed may relate to the following categories of data subjects:

3.1. Job applicants of the Customer.

3.2. Current and former employees of the Customer.

3.3. Potential contractors or freelance personnel considered by the Customer.

4. Categories of Personal Data

4.1. Information included in uploaded CVs or profiles including full name, email, phone.

4.2. Sensitive data is not intended to be transferred.

5. Obligations of Cyberia LLC FZ

5.1. Process data only on documented instructions of the Customer;

5.2. Ensure confidentiality and data protection training of authorized personnel;

5.3. Implement technical and organizational security measures;

5.4. Assist the Customer with obligations under Applicable Privacy Laws in case needed;

5.5. Notify the Customer of Security Incidents without undue delay;

5.6. Upon termination, delete or return all Personal Data.

6. Sub-processors

The Customer authorizes the Processor to engage subprocessors, provided the Processor:

6.1. Maintains a list of sub-processors,

6.2. Ensures sub-processors are subject to obligations equivalent to those in this DPA,

6.3. Notifies the Customer of any changes. For this purpose, Cyberia LLC FZ maintains an up-to-date list of authorized sub-processors on its website at [insert URL], which includes the identities and locations of all current sub-processors. The Customer agrees that the publication of changes to the sub-processor list on the website shall constitute sufficient notice under this DPA. The Controller is responsible for regularly reviewing the sub-processor list and keeping itself informed of any changes. The Customer shall have the right to object to a new sub-processor within thirty (30) calendar days of the change being published. If the Customer does not object in writing within this period, the new sub-processor shall be deemed accepted. If the Customer objects to the engagement of that new sub-processor, Customer may elect to suspend or terminate the Contract and this DPA pursuant to the terms of the Contract. The Customer is not entitled to any reimbursement in that case.

6.4. Remains fully liable for any breach of this DPA or the Contract that is caused by an act, error or omission of such sub-processors.

Detailed information on sub-processors and subject matter is included in the Annex [insert URL].

7. Data Access and Security Measures

7.1. Cyberia LLC FZ shall ensure that any Authorized Person is subject to a strict duty of confidentiality (whether a contractual or statutory duty) and that they process the Personal Data only for the purpose of delivering the Services under the Contract(s) to the Customer.

7.2. Cyberia LLC FZ will implement and maintain all reasonable and appropriate technical and organizational security measures to meet the requirements of Data Protection Law, and in particular, to protect against the occurrence of Security Incidents and to preserve the security, integrity and confidentiality of Personal Data ("Security Measures"). Such Security Measures should consider industry standards, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risk of a Security Incident and potential impact on the rights and freedoms of natural persons.

8. Security Incidents and Breach Notification

In the event of a Security Incident, Cyberia LLC FZ shall notify the Customer without undue delay and provide a written report containing the following information, to the extent known at the time:

8.1. a summary of the nature and circumstances of the Security Incident;

8.2. the categories of Personal Data affected by the incident;

8.3. the number (or estimated number, if not precisely known) of data subjects impacted, and the scope of Personal Data records involved;

8.4. an assessment of the potential or actual consequences of the incident for data subjects;

8.5. details of the actions taken or intended to be taken by Cyberia LLC FZ in response to the incident, including any measures to limit or remedy possible negative effects.

9. Limitation of Liability

Cyberia LLC FZ and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA shall be subject to the exclusions and limitations of liability set forth in the Contract.

10. Governing Law and Dispute resolution

10.1. This DPA shall be governed by and construed in accordance with the laws of the United Arab Emirates unless otherwise required by Applicable Privacy laws.

10.2. Any dispute, controversy, or claim arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the competent courts of the Emirate of Dubai, United Arab Emirates.

10.3. All terms of this DPA are hereby incorporated into the Contract. In the event of a conflict between a term in the Contract and a term in this DPA, the term contained in this DPA shall prevail.

10.4. This DPA may not be modified except by a subsequent written instrument signed by both Parties.

10.5. If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.

Annex I – Sub-processors

This document contains information about the third-party subcontractors Cyberia LLC FZ uses (as a sub-processor or service provider) to provide Services to its Customers. Customers may register for one or more of the following products provided by Cyberia LLC FZ and as identified below:

a. CV Parser
b. ATS
c. Cyberia Access
d. Career Lab