Data Processing Addendum + Cookies

This Data Processing Addendum (the DPA) supplements the Terms of Service and applies whenever Watin processes personal data on behalf of a business customer (the Controller). It reflects the obligations of UAE Federal Decree-Law No. 45 of 2021 (PDPL) and good-faith alignment with the GDPR Article 28 baseline where data subjects are protected under EU law.

The Controller determines the purpose and means of processing. Watin acts as Processor and processes personal data only on documented instructions from the Controller, including with regard to international transfers, unless processing is required by UAE law to which Watin is subject.

• Subject matter — provision of the Watin VAT compliance and invoicing platform.
• Nature & purpose — hosting, processing, transmitting, and presenting customer-uploaded data so the Controller can fulfil its UAE tax obligations.
• Categories of data subjects — Controller's personnel, customers, suppliers, and any individuals whose data appears in the Controller's books.
• Categories of data — names, contact details, TRNs, financial transaction records, invoice line items, and any documents the Controller chooses to upload.
• Duration — for the term of the subscription, plus the retention periods set out in the Privacy Policy.

The Controller authorizes the following sub-processors:

• Supabase Inc. — managed Postgres + storage (Singapore region).
• Vercel Inc. — application hosting, edge runtime, build & deploy.
• Stripe Inc. — payment processing and card tokenization.
• Resend Inc. — transactional and (consented) marketing email delivery.
• Functional Software Inc. (Sentry) — error & performance monitoring (no Customer Data fields scrubbed in-flight).
• UAE Federal Tax Authority — EmaraTax e-invoicing — invoice clearance over Peppol PINT-AE, only when the Controller opts in to FTA submission.

We will give the Controller thirty (30) days' notice of any new or replaced sub-processor before engaging it. The Controller may object in writing on reasonable data-protection grounds.

Some sub-processors operate outside the UAE. Where transfers occur we rely on the safeguards permitted under PDPL Article 22, including processor-to-processor contracts requiring equivalent protection. We do not transfer personal data to jurisdictions that lack adequate data-protection laws unless the Controller has explicitly authorized the transfer or a derogation applies.

Watin maintains technical and organizational measures appropriate to the risk: encryption in transit and at rest, row-level multi-tenant isolation, append-only audit logging with tamper detection, role-based access controls, MFA enforcement, vulnerability scanning, penetration testing, incident response procedures, and ongoing staff security training. The current security posture is summarized on /security.

We will notify the Controller without undue delay (and in any event within seventy-two (72) hours of becoming aware) of a personal-data breach affecting Customer Data, with a description of the nature, the categories and approximate number of data subjects, the likely consequences, and the measures taken or proposed.

Upon reasonable written request, and no more than once per annum (or more frequently in the event of a suspected breach), the Controller may audit Watin's compliance with this DPA, either by reviewing an independent attestation (SOC 2, ISO 27001 where available) or via a mutually-agreed third-party auditor under confidentiality obligations. Routine commercial activity may not be unduly disrupted.

On termination of the subscription, the Controller may export all Customer Data via the in-product export tools or by written request. After the retention periods set out in the Privacy Policy elapse, we delete or anonymize Customer Data and certify deletion on request.

The Service uses the following categories of cookies and similar storage technologies:

• Strictly necessary — session, CSRF token, MFA challenge state. Cannot be disabled.
• Functional — workspace switcher, theme preference, locale. Disabling these may degrade your experience.
• Analytics — Vercel Analytics + Speed Insights. Loaded only with consent or under legitimate interest where local law permits.
• Marketing — none. We do not run third-party advertising cookies on the Service.

Consent is requested on first visit via the cookie banner. You may withdraw consent at any time from the footer link "Cookie preferences". Disabling all non-necessary cookies will not block access to the Service.

DPA queries, sub-processor objections, audit requests: dpa@watin.app.