Legal

Data Processing Agreement

Effective date: 1 May 2025

This Data Processing Agreement (“DPA”) forms part of the agreement between eClips (“Processor”) and the Customer (“Controller”) and governs the processing of personal data under applicable data protection law, including the GDPR and UAE Federal Decree-Law No. 45 of 2021.

1. Definitions

  • Controller — the Customer organisation that determines the purposes and means of processing personal data.
  • Processor — eClips, which processes personal data on behalf of the Controller.
  • Personal Data — any information relating to an identified or identifiable natural person that is contained in documents or data submitted to the Service.
  • Processing — any operation performed on Personal Data, including collection, storage, extraction, analysis, and transmission.
  • Sub-processor — a third party engaged by eClips to assist in processing Personal Data.

2. Scope & Nature of Processing

eClips processes Personal Data solely to provide the Service described in the Terms of Service. Processing activities include:

  • Receiving and storing documents submitted via API, email, or messaging channels.
  • Extracting structured data (names, amounts, dates) from documents using AI models.
  • Routing extracted data to connected integrations designated by the Controller.
  • Storing processing logs, confidence scores, and triage decisions.

The categories of Personal Data processed depend on the documents the Controller submits. Typical categories include: vendor and employee names, contact details, financial transaction details, and any other personal data appearing in invoices, contracts, or purchase orders.

3. Controller Obligations

The Controller warrants that:

  • It has a lawful basis for submitting Personal Data to the Service.
  • It has provided required notices and obtained required consents from data subjects.
  • It will not submit special-category data (health, biometric, criminal records) without a separate written agreement.
  • It will promptly notify eClips of any restriction or correction instruction from a data subject.

4. Processor Obligations

eClips agrees to:

  • Process Personal Data only on documented instructions from the Controller (these Terms constitute such instructions).
  • Ensure personnel authorised to process Personal Data are subject to confidentiality obligations.
  • Implement appropriate technical and organisational security measures (encryption at rest and in transit, access controls, audit logging).
  • Assist the Controller in responding to data subject rights requests, given the nature of the processing.
  • Notify the Controller without undue delay (and no later than 72 hours) upon becoming aware of a Personal Data breach.
  • Delete or return all Personal Data upon termination as described in the Privacy Policy.
  • Make available information necessary to demonstrate compliance with this DPA and allow for audits upon reasonable notice.

5. Sub-processors

The Controller grants general authorisation to engage the following Sub-processors:

Sub-processor                | Purpose                                   | Location
Supabase                     | Database, authentication, file storage    | USA / EU
Google LLC (Gemini)          | AI document extraction and classification | USA
Anthropic PBC (Claude)       | AI reasoning and analysis                 | USA
Twilio Inc. (SendGrid)       | Transactional email delivery              | USA
Sentry (Functional Software) | Error monitoring and performance          | USA

We will notify the Controller of any intended changes to Sub-processors at least 14 days in advance. The Controller may object in writing within that period.

6. International Transfers

Where Personal Data is transferred to countries outside the EEA or UAE, eClips relies on adequacy decisions, Standard Contractual Clauses, or other lawful transfer mechanisms approved under applicable law. Details are available upon request at legal@eclips.tech.

7. Security Measures

eClips implements the following technical and organisational measures:

  • Encryption of all data at rest (AES-256) and in transit (TLS 1.3).
  • Row-level security (RLS) enforcing strict tenant isolation in the database.
  • API keys never stored client-side; service-role keys used server-side only.
  • Automated error monitoring and alerting.
  • Regular security reviews and access audits.
  • Staff background checks and mandatory confidentiality agreements.

8. Data Subject Rights

Where a data subject exercises rights under applicable law (access, rectification, erasure, restriction, portability, objection), the Controller should submit the request to eClips via privacy@eclips.tech. eClips will respond within 5 business days with relevant data or confirmation of deletion, enabling the Controller to fulfil its obligations within the required timeframe.

9. Duration & Termination

This DPA remains in force for the duration of the Service agreement. Upon termination, eClips will delete all Personal Data within the timeframe specified in the Privacy Policy, unless retention is required by law.

10. Governing Law

This DPA is governed by the laws of the United Arab Emirates. For EU-based Controllers, the DPA is also subject to GDPR requirements, and Standard Contractual Clauses (Commission Decision 2021/914) are incorporated by reference where applicable.

To request a signed copy of this DPA, email legal@eclips.tech.

© 2026 eClips. All rights reserved.