Logo
ProFlow
Home/Data Processing Agreement

ProFlow 360

Data Processing Agreement

Data protection commitments and processing terms for ProFlow 360.

Effective Date: [10th May 2026]
Last Updated: [25th May, 2026]

This Data Processing Agreement (“DPA”) forms part of the Terms of Service, Privacy Policy, subscription agreement, order form, invoice, or any other written agreement between ProFlow 360 (“ProFlow,” “Processor,” “we,” “our,” or “us”) and the customer, tenant organisation, or subscriber using the ProFlow 360 platform (“Customer,” “Tenant,” “Controller,” “you,” or “your”).

This DPA governs the processing of Personal Data by ProFlow 360 on behalf of the Customer in connection with the use of the ProFlow 360 website, SaaS platform, tenant dashboard, client portal, document management tools, renewal tracking, support services, invoice and quotation features, payment-related features, notifications, email tools, and related services.

By using ProFlow 360, the Customer agrees to this DPA.

1. Purpose of this DPA

The purpose of this DPA is to define the responsibilities of the parties when ProFlow 360 processes Personal Data on behalf of the Customer.

This DPA is intended to support compliance with applicable data protection laws, including, where applicable, the UAE Personal Data Protection Law, Federal Decree-Law No. 45 of 2021, and any other applicable privacy or data protection laws. The UAE government describes Federal Decree-Law No. 45 of 2021 as the UAE’s Personal Data Protection Law framework for protecting confidentiality and privacy of personal data.

2. Definitions

For the purposes of this DPA:

“Controller” means the party that determines the purposes and means of processing Personal Data.

“Processor” means the party that processes Personal Data on behalf of the Controller.

“Customer Data” means all data, files, records, documents, messages, images, content, and information submitted to or processed through ProFlow 360 by or on behalf of the Customer.

“Personal Data” means any information relating to an identified or identifiable natural person, including names, contact details, identification information, employment information, documents, account data, communication records, and technical identifiers.

“Sensitive Data” means Personal Data that may require additional protection under applicable law, including identity documents, visa records, passport details, Emirates ID records, financial information, health-related information if uploaded, biometric data if uploaded, or other sensitive categories.

“Processing” means any operation performed on Personal Data, including collection, recording, storage, organisation, structuring, retrieval, consultation, use, disclosure, transmission, restriction, deletion, or destruction.

“Sub-processor” means any third party engaged by ProFlow 360 to process Personal Data on behalf of the Customer.

“Services” means the ProFlow 360 platform and related services provided to the Customer.

3. Roles of the Parties

For Personal Data uploaded, submitted, or managed by the Customer through the ProFlow 360 platform:

  • The Customer is the Controller.
  • ProFlow 360 is the Processor.
  • Customer clients, employees, staff, portal users, or other individuals may be Data Subjects.

The Customer determines the purpose, scope, accuracy, lawfulness, and retention of Personal Data processed through its workspace.

ProFlow 360 processes Personal Data only to provide, secure, maintain, support, and improve the Services, or as otherwise instructed by the Customer or required by law.

4. Customer Responsibilities

The Customer is responsible for:

  • Having a valid legal basis to collect and process Personal Data.
  • Obtaining all required consents, permissions, authorisations, or contractual rights.
  • Ensuring Personal Data uploaded to the platform is accurate, relevant, lawful, and necessary.
  • Ensuring users are authorised to access Personal Data.
  • Managing user roles and permissions.
  • Responding to requests from Data Subjects where the Customer is the Controller.
  • Ensuring uploaded documents do not violate laws, contracts, privacy rights, or third-party rights.
  • Not uploading unnecessary Sensitive Data.
  • Configuring the platform appropriately for its business and compliance needs.

The Customer must not use ProFlow 360 to process Personal Data unlawfully.

5. ProFlow 360 Responsibilities

ProFlow 360 will:

  • Process Personal Data only according to the Customer’s documented instructions, this DPA, the Terms of Service, and applicable law.
  • Use Personal Data only as necessary to provide and support the Services.
  • Apply reasonable technical and organisational security measures.
  • Limit access to Personal Data to authorised personnel, contractors, and systems.
  • Require confidentiality obligations from persons authorised to process Personal Data.
  • Use reasonable efforts to support the Customer with privacy and security obligations where technically possible.
  • Notify the Customer of material security incidents involving Customer Personal Data, where required by law and reasonably possible.
  • Maintain appropriate records and operational controls for platform security and service delivery.

6. Processing Instructions

The Customer instructs ProFlow 360 to process Personal Data for the following purposes:

  • Creating and managing tenant workspaces.
  • Managing user accounts and access permissions.
  • Managing client company records.
  • Managing employee records.
  • Uploading, storing, displaying, and organising documents.
  • Tracking document expiry and renewal dates.
  • Sending service notifications, reminders, and alerts.
  • Managing client portal access.
  • Managing cases, tasks, service requests, quotations, invoices, payments, and receipts.
  • Providing platform support and support ticket handling.
  • Generating reports and operational dashboards.
  • Hosting public website content and CMS media where applicable.
  • Maintaining logs, security records, backups, and system performance.
  • Complying with legal, contractual, security, or operational obligations.

ProFlow 360 may also process Personal Data where required to protect the platform, prevent misuse, enforce agreements, comply with law, or respond to lawful requests.

7. Categories of Data Subjects

Personal Data processed through ProFlow 360 may relate to:

  • Customer administrators and tenant users.
  • Tenant employees and staff.
  • Client company representatives.
  • Client portal users.
  • Employees of client companies.
  • Vendors, consultants, and service contacts.
  • Billing and payment contacts.
  • Support contacts.
  • Website visitors and form submitters.
  • Other individuals whose data is uploaded by or on behalf of the Customer.

8. Categories of Personal Data

The platform may process the following categories of Personal Data:

  • Name and contact details.
  • Email address and phone number.
  • Company details and role information.
  • User login and authentication data.
  • Client company records.
  • Employee records.
  • Passport, visa, Emirates ID, labour card, tenancy, trade licence, or similar document details where uploaded.
  • Document expiry dates and renewal history.
  • Uploaded files and attachments.
  • Invoices, quotations, payments, receipts, and transaction references.
  • Support ticket messages and attachments.
  • Notifications and communication records.
  • Activity logs, audit logs, IP addresses, browser information, device data, and usage data.
  • Any other Personal Data submitted by the Customer or its users.

9. Sensitive Data

The Customer acknowledges that the platform may process Sensitive Data if the Customer uploads such information.

The Customer is responsible for ensuring that Sensitive Data is uploaded only where lawful, necessary, authorised, and appropriate.

ProFlow 360 does not require Customers to upload Sensitive Data unless it is necessary for the Customer’s own business process. The Customer must avoid uploading excessive or irrelevant Sensitive Data.

10. Duration of Processing

ProFlow 360 will process Personal Data for the duration of the Customer’s use of the Services, unless otherwise required by:

  • The Customer’s instructions.
  • Applicable law.
  • Contractual obligations.
  • Backup retention policies.
  • Security, audit, dispute resolution, or legal requirements.

Upon termination of the Services, Personal Data may be retained, exported, deleted, anonymised, or archived according to the Terms of Service, Privacy Policy, this DPA, applicable law, and any agreed retention process.

11. Confidentiality

ProFlow 360 will ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations.

Access to Personal Data will be limited to personnel, contractors, systems, and service providers who require access for legitimate service, security, support, maintenance, or legal purposes.

12. Security Measures

ProFlow 360 will implement reasonable technical and organisational measures designed to protect Personal Data against unauthorised access, accidental loss, destruction, alteration, disclosure, or misuse.

Such measures may include:

  • Authentication and session controls.
  • Role-based access control.
  • Tenant-level access separation.
  • Database access controls.
  • Storage access controls.
  • Secure transmission where supported.
  • Audit logs and activity tracking.
  • Permission checks for sensitive routes.
  • Private storage or signed access for selected attachments where implemented.
  • Backup and recovery practices.
  • Monitoring and error logging.
  • Administrative access restrictions.
  • Reasonable development and deployment controls.

No system can guarantee absolute security. The Customer is responsible for securing its own devices, accounts, users, passwords, email systems, and internal processes.

13. Sub-processors

The Customer authorises ProFlow 360 to use Sub-processors to provide the Services.

Sub-processors may include providers for:

  • Cloud hosting.
  • Database services.
  • File storage.
  • Email delivery.
  • Payment processing.
  • Analytics.
  • Error monitoring.
  • Security.
  • Support tools.
  • Development and infrastructure services.

ProFlow 360 will take reasonable steps to ensure Sub-processors process Personal Data only for authorised purposes and apply appropriate confidentiality and security protections.

ProFlow 360 remains responsible for the performance of its Sub-processors to the extent required by applicable law and the relevant agreement.

14. Third-Party Payment and Communication Providers

Where payment, email, analytics, or communication services are provided by third-party providers, such providers may process data according to their own terms and privacy policies.

The Customer acknowledges that ProFlow 360 may need to share limited Personal Data with such providers to deliver platform functionality.

15. International Data Transfers

Personal Data may be stored, processed, or accessed in countries outside the UAE depending on hosting infrastructure, service providers, technical support, and operational requirements.

Where international transfer safeguards are required, ProFlow 360 will use reasonable contractual, technical, or organisational safeguards appropriate to the nature of the Services and applicable law.

The official UAE legislation source states that the UAE PDPL is active and forms the legal framework for personal data protection.

16. Assistance with Data Subject Requests

Where the Customer is the Controller, the Customer is responsible for responding to Data Subject requests.

To the extent technically possible and commercially reasonable, ProFlow 360 may assist the Customer with requests relating to:

  • Access.
  • Correction.
  • Deletion.
  • Restriction.
  • Objection.
  • Data portability.
  • Withdrawal of consent.
  • Cessation of processing.

ProFlow 360 may refer Data Subjects to the relevant Customer where the request concerns data controlled by that Customer.

17. Data Correction and Deletion

The Customer may correct, update, delete, archive, or export Personal Data using available platform functionality, subject to system limitations, legal retention, audit logs, backups, and document history requirements.

Deletion may not immediately remove data from backups, audit logs, email logs, security logs, or legally retained records.

18. Personal Data Breach Notification

If ProFlow 360 becomes aware of a confirmed Personal Data breach affecting Customer Personal Data, ProFlow 360 will notify the Customer without undue delay where required by law and reasonably possible.

Such notification may include, where available:

  • Nature of the incident.
  • Categories of affected data.
  • Approximate number of affected records, if known.
  • Measures taken or proposed.
  • Recommended actions for the Customer.
  • Contact point for follow-up.

The Customer remains responsible for determining whether notice to regulators, Data Subjects, or other parties is required, unless ProFlow 360 is legally required to notify directly.

19. Audits and Compliance Information

Upon reasonable written request, ProFlow 360 may provide information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, operational limitations, and protection of other customers’ data.

Any audit must:

  • Be limited to relevant systems and documentation.
  • Not compromise platform security or other customers’ data.
  • Not disrupt operations.
  • Be conducted at the Customer’s cost unless required by law or agreement.
  • Be subject to reasonable notice and confidentiality obligations.

20. Return or Deletion of Data

Upon termination of the Services, the Customer may request export or deletion of Customer Data, subject to:

  • Payment status.
  • Technical availability.
  • Legal obligations.
  • Backup retention.
  • Audit and security requirements.
  • Contractual terms.
  • Reasonable processing time.

ProFlow 360 may retain certain records where necessary for legal, tax, accounting, dispute resolution, security, fraud prevention, backup, or legitimate business purposes.

21. Government, Legal, and Regulatory Requests

ProFlow 360 may disclose Personal Data where required by law, court order, regulator, government authority, law enforcement, or other lawful process.

Where legally permitted, ProFlow 360 may notify the Customer of such requests.

22. Customer Instructions That Violate Law

ProFlow 360 is not required to follow Customer instructions that, in its reasonable opinion, would violate applicable law, security requirements, third-party rights, or platform integrity.

If ProFlow 360 believes an instruction is unlawful or unsafe, it may refuse the instruction, request clarification, suspend processing, or take appropriate protective measures.

23. Limitation of Liability

Liability under this DPA is subject to the limitation of liability provisions in the Terms of Service or applicable agreement between the parties.

To the maximum extent permitted by law, ProFlow 360 is not liable for:

  • Personal Data uploaded without lawful authority.
  • Incorrect or excessive data uploaded by the Customer.
  • Unauthorised access caused by Customer users.
  • Shared passwords or compromised Customer accounts.
  • Customer failure to manage user permissions.
  • Customer failure to respond to Data Subject requests.
  • Misuse of exported data.
  • Third-party provider failures beyond ProFlow 360’s reasonable control.

24. Customer Indemnity

The Customer agrees to indemnify and hold harmless ProFlow 360 from claims, penalties, damages, losses, costs, and expenses arising from:

  • Customer’s unlawful processing of Personal Data.
  • Customer’s breach of this DPA.
  • Customer’s failure to obtain required consent or authority.
  • Customer’s uploaded content or documents.
  • Customer’s failure to manage access permissions.
  • Customer’s violation of third-party rights.
  • Customer’s failure to comply with applicable data protection laws.

25. Conflict Between Documents

If there is a conflict between this DPA and the Terms of Service regarding Personal Data processing, this DPA will control only to the extent of the conflict relating specifically to Personal Data processing.

All other terms remain governed by the Terms of Service or applicable agreement.

26. Changes to this DPA

ProFlow 360 may update this DPA from time to time.

Where changes materially affect data processing obligations, ProFlow 360 may provide notice through the platform, email, or website.

Continued use of the Services after updates means the Customer accepts the updated DPA.

27. Governing Law

This DPA is governed by the laws of the United Arab Emirates, unless another governing law is agreed in a separate written agreement.

Disputes will be handled according to the dispute resolution and jurisdiction provisions in the Terms of Service or applicable agreement.

28. Contact

For questions about this DPA or data processing matters, contact:

Company Name: Manhatin Computer Software Consultancy
Platform: ProFlow 360
Email: info@mc1services.com
Support Email: mzubair@mc1services.com
Phone: +971508322799
Address: HQ, Al majaz 3, 359-1, Sharjah - UAE
Website: mc1services.com

 

 

Appendix A — Details of Processing

A.1 Subject Matter

Processing of Personal Data through the ProFlow 360 SaaS platform for tenant workspace management, client and employee document management, renewal tracking, invoices, quotations, payments, support tickets, notifications, reports, and related business operations.

A.2 Nature and Purpose of Processing

The nature and purpose of processing includes:

  • Hosting and storing Customer Data.
  • Managing user accounts and permissions.
  • Managing client companies and employee records.
  • Managing document uploads, expiry dates, renewals, and reminders.
  • Managing quotations, invoices, payments, and receipts.
  • Sending emails and notifications.
  • Providing customer support.
  • Maintaining security, logs, backups, and service performance.
  • Generating reports and analytics.
  • Supporting public website CMS assets where applicable.

A.3 Duration of Processing

For the duration of the Customer’s use of the Services and for any additional period required for backup, legal, security, tax, accounting, audit, dispute resolution, or legitimate operational purposes.

A.4 Categories of Data Subjects

  • Tenant users.
  • Tenant employees.
  • Client company representatives.
  • Client portal users.
  • Employees of client companies.
  • Billing contacts.
  • Support contacts.
  • Website visitors and form submitters.
  • Other individuals whose data is uploaded by the Customer.

A.5 Categories of Personal Data

  • Names.
  • Emails.
  • Phone numbers.
  • Job titles and roles.
  • Company records.
  • Employee records.
  • Identity and document records where uploaded.
  • Passport, visa, Emirates ID, labour card, licence, tenancy, or related document details where uploaded.
  • Expiry dates and renewal information.
  • Invoices, quotations, payments, receipts, and transaction references.
  • Support tickets and attachments.
  • Notifications and communication records.
  • Activity logs, audit logs, IP addresses, browser data, and technical identifiers.

A.6 Sensitive Data

Sensitive Data may include identity documents, visa/passport details, Emirates ID records, labour cards, financial information, or other sensitive data uploaded by the Customer.

The Customer is responsible for ensuring such data is processed lawfully and only where necessary.

Appendix B — Security Measures

ProFlow 360 may apply the following security measures, as appropriate:

  • Authentication and session management.
  • Role-based access control.
  • Tenant-level segregation.
  • Client portal access controls.
  • Database row-level security where implemented.
  • Permission checks on server routes.
  • Storage access controls.
  • Signed URLs for selected private attachments.
  • HTTPS/TLS where supported.
  • Audit and activity logs.
  • Backup processes.
  • Error logging and monitoring.
  • Access limitation for administrative users.
  • Development and deployment controls.
  • Incident response procedures.

Security measures may evolve over time as the platform improves.