top of page
Complify_Compliance_Simplified_full.png

TERMS & CONDITIONS

Official version of Spirity Enterprise Middle East Free Zone Company (UAE Dubai, Dubai Silicon Oasis, Building A1 Dubai Digital Park – license nr.: 30986 – from hereinafter: Spirity) – Terms & Conditions, or Terms of Service (from hereinafter: TOS), always updated. We cut legalese as much as possible and simplified boilerplates for a shorter and agile read.

 

Some of our provisions are very specific to what we do. This document is a part of Spirity’s service dubbed “Complify” (from hereinafter: Complify), which service means one-time expert-led compliance assessments are provided. Our Website: complify.pro

 

Spirity Enterprise Middle East FZCO’s company data above and at Section 15.

1. Acceptance of the Terms of Service

Welcome to the Complify Service (from hereinafter: “Complify”, or “Service”) provided by Spirity Enterprise Middle East FZCO (a.k.a. "we", "us", or the “Company”). We are excited to have you as user and member of the community. The following terms and conditions (collectively, these "Terms of Service" or “Terms”) apply to your use of our service known as “Complify”, including any content, functionality and services offered on or via our Website. Please check out our Privacy Policy, that you can review here: www.complify.pro/privacy-policy

Please find our Data Protection Addendum below in Appendix 1. of present Terms of Service.

We want to keep our relationship with you as lean and informal as possible, but please read the Terms of Service carefully before you start using Complify, because by using our Service you accept and agree to be bound and abide by these Terms of Service. Our Terms are linked on every page of the site, according to industry standards, to be easily found.

Should you disagree with some of the provisions herein, you can either leave the Website (although we'll be sad to see you go!) or contact us at hello@complify.pro. Complify is all fast-tracking cybersecurity compliance, and we'll be happy to hear your comments and suggestions.

2. Changes to the Terms of Service and the Website

We reserve the right to update the Website and these Terms of Service from time to time, at our discretion. We will make sure to announce any major changes in a prominent way. Of course, this document is public on our website, and you will be able to see the changes for any new version.

Your continued use of the Website following the publishing of updated Terms of Service means that you accept and agree to the changes.

3. The Service – Complify

Complify is a professional, expert-led compliance assessment service operated by Spirity Enterprise Middle East FZCO (“Spirity”). The purpose of the Service is to provide clients with a tailored compliance assessment and a clear, practical “Plan of Action,” typically delivered within three (3) business days of receiving all necessary information and materials from the client, if so requested.

Each assessment is a one-time engagement based on the package selected on complify.pro. There are no ongoing subscriptions or recurring fees. The Service is designed to provide clarity, direction, and professional insight to support your organization’s data protection, cybersecurity, and compliance posture, but does not constitute continuous consultancy, legal representation, or certification.

Complify is delivered remotely, unless otherwise explicitly agreed in writing. Spirity reserves the right to refuse a service request if the scope exceeds Complify’s defined assessment methodology or if adequate information is not provided by the client.

3.1 The Packages

Spirity provides the Complify service – a one-time, expert-led compliance assessment and accompanying “Plan of Action” – under the Complify brand. This service is offered via distinct “Packages”, each tailored to a specific industry sector and compliance framework. These include, but are not limited to:

  • Department of Defense (DoD) Compliance for contractors working with the United States Department of Defense, or within the U.S. DoD supply chain. (See “DoD Contractors” package on the Website)

  • Non-Banking Financial Services Compliance for non-bank financial institutions. (See “Non-Banking Financial Institutions” package.)

  • Healthcare Data Protection & Compliance for healthcare service providers (including HIPAA and other healthcare-specific regulatory obligations). (See “Healthcare” package.)

  • AI Governance Assessment for companies in the artificial intelligence sector. (See “AI Companies” package.)

  • FinTech Payment Security Compliance for fintech and payment service providers. (See “Fintech” package.)

3.2 Scope and Frameworks supported for the Packages

Each “Package” under the Complify service is tailored to a specific industry sector and regulatory context, and comprises the following elements:

(a) A tailored compliance assessment, using Spirity’s expert-led methodology, mapped to the selected industry package and relevant frameworks.

(b) A “Plan of Action” (PoA) delivered to the client, which summarizes observed gaps, recommended remediation steps, and prioritized actions for the client’s internal use.

The frameworks supported by Complify include (but are not limited to) the following:

  • NIST SP 800‑171

  • CMMC (Level 1 and 2)

  • FTC Safeguards Rule

  • NYS DFS (New York State Department of Financial Services)

  • ISO 27001

  • SOC 2

  • HIPAA (Health Insurance Portability and Accountability Act)

  • PCI‑DSS (Payment Card Industry Data Security Standard)

  • Cyber Essentials (UK/International)

  • DORA (Digital Operational Resilience Act)

  • NIS2 (EU Network and Information Systems Directive)

  • NIST AI RMF 1.0 (Artificial Intelligence Risk Management Framework)

  • ISO 42001 (Management system for artificial intelligence)

Spirity emphasizes that the list above is not exhaustive. As stated on the Website: “20+ frameworks supported, and we’re constantly adding new frameworks. Please contact us to discuss your specific requirements.”

(c) A Cybersecurity Analysis Report, which details the client's cybersecurity posture. It provides a high-level cyber risk assessment to indicate the client's effectiveness at addressing cyber risks.

4. Orders, Pricing, and Payment Terms

4.1 Ordering

Clients may order any Complify Package through the Website www.complify.pro or by direct communication with Spirity. Each Package corresponds to a clearly defined assessment type, industry, and framework scope as published on the Website.

4.2 Pricing

All current Complify Packages, descriptions, and pricing are displayed on the Website. Prices are quoted in U.S. Dollars (USD) unless otherwise stated and may change without prior notice. The applicable price is that which appears at the time the order is confirmed.

 

4.3 Payment Terms

Payment in full is required before the commencement of any assessment. Accepted payment methods are those indicated on the Website at the time of order. Payment completion constitutes acceptance of these Terms and authorizes Spirity to begin the assessment process.

4.4 Refunds and Cancellations

Because each Complify assessment is custom and begins promptly after confirmation, refunds are generally not available once work has started. However, if you cancel within twenty-four (24) hours of purchase and before Spirity has commenced work, you may request a full refund by emailing hello@complify.pro.

 

4.5 Promotions and Modifications

Spirity may, at its sole discretion, offer limited-time promotions or adjust package contents. Such adjustments will not affect orders already confirmed and paid.

5. Delivery of the Assessment and Plan of Action

5.1 Delivery Timeline

Following receipt of all necessary client information, Spirity will deliver the Complify Assessment and accompanying Plan of Action (“PoA”) within three (3) to five (5) business days, unless otherwise communicated due to complexity, volume, or scheduling constraints.

 

5.2 Delivery Method

The deliveries will be provided electronically via email or through a secure communication channel agreed with the client.

 

5.3 Deliverables

Each Package includes:

  • An Assessment Report identifying compliance gaps, strengths, and risk areas within the chosen frameworks.

  • A Plan of Action outlining prioritized remediation steps to achieve or improve compliance.

  • A Cybersecurity Analysis Report, which details the client's cybersecurity posture.

 

5.4 Completion and Acceptance

Delivery is deemed complete once the Assessment and Plan of Action are transmitted to the client. The client shall promptly review the materials and notify Spirity of any factual clarifications within five (5) business days.

 

5.5 No Ongoing Obligations

Complify deliverables represent a one-time service. Spirity’s engagement concludes upon delivery, unless otherwise agreed in writing.

6. Client Obligations and Cooperation

6.1 Information Accuracy

The client shall provide accurate, complete, and up-to-date information necessary for the assessment. Spirity’s conclusions rely on the accuracy and sufficiency of the information provided.

6.2 Timely Cooperation

The client shall cooperate by responding to clarification requests and providing relevant documents or access in a timely manner. Delays caused by missing or incomplete information may extend the delivery timeframe.

 

6.3 Use of Findings

The client acknowledges that Complify assessments constitute professional advisory output, not legal, certification, or audit guarantees. Decisions based on the deliverables are the client’s responsibility.

6.4 Exclusions

Spirity is not responsible for implementing remediation steps, conducting follow-up audits, or ensuring ongoing compliance unless separately contracted.

7. Intellectual Property and Use of Deliverables

7.1 Ownership

All intellectual property rights in the Complify Service, Website content, methodologies, templates, and materials remain the exclusive property of Spirity.

7.2 Client License

Upon full payment, the client receives a limited, non-exclusive, non-transferable license to use the delivered assessment and Plan of Action internally for its own business purposes.

 

7.3 Restrictions

The client may not reproduce, distribute, sublicense, or otherwise share the deliverables, in whole or in part, with third parties without Spirity’s prior written consent, except where legally required or for internal compliance purposes.

 

7.4 Aggregated Data

Spirity may use anonymized and aggregated results derived from assessments for internal analytics, service improvement, and educational purposes, ensuring that no personal or confidential information is disclosed.

8. Confidentiality and Data Protection

8.1 Confidential Information

Both parties agree to maintain in strict confidence all proprietary or non-public information exchanged during the engagement. Spirity shall use such information solely for performing the Complify Service.

8.2 Security Measures

Spirity applies appropriate technical and organizational safeguards, consistent with industry standards, to protect information against unauthorized access, loss, alteration, or disclosure.

8.3 Data Protection

Processing of any personal data is subject to the Data Protection Addendum (Appendix 1) and Spirity’s Privacy Policy available on the Website. Spirity acts as an independent data controller for the processing of personal data necessary to deliver Complify.

8.4 Client Responsibility

The client is responsible for ensuring that any information shared with Spirity complies with applicable privacy laws and that all necessary permissions for such disclosure have been obtained.

9. Disclaimer of Warranties, Limitation of Liability, and Indemnification

9.1 No Warranty

Complify and its deliverables are provided “as is” and “as available.” Spirity makes no warranties, express or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, accuracy, or non-infringement.

 

9.2 Professional Judgment

Assessments and recommendations are based on professional judgment at the time of preparation and on the information supplied by the client. Spirity does not guarantee compliance certification, regulatory approval, or audit results.

 

9.3 Limitation of Liability

To the fullest extent permitted by law, Spirity shall not be liable for any indirect, incidental, special, or consequential damages, including but not limited to loss of profit, data, or goodwill. Spirity’s total liability under these Terms shall not exceed the amount paid by the client for the Complify Package giving rise to the claim.

 

9.4 Indemnification

The client agrees to defend, indemnify, and hold harmless Spirity, its officers, and employees from any claims, damages, or expenses (including reasonable attorney’s fees) arising out of the client’s breach of these Terms or misuse of the deliverables.

 

9.5 Access to Client Systems and Data

Spirity does not and shall not have any access to the Client’s internal systems, networks, databases, or infrastructure. The Service provided does not require, and shall not involve, any direct or indirect access to, or interaction with, the Client’s information systems. In the unforeseen event that accidental or unintended access to such systems or data occurs, Spirity shall promptly deny, cancel, or delete such access, and shall take all reasonable and necessary steps to immediately revoke or annul any such access. Under no circumstances shall Spirity use, retain, or exploit any data or access obtained unintentionally.

9.6. Nature of service and Client responsibility

The Service provided by Spirity constitutes a professional, expert-led compliance assessment designed to assist Clients in evaluating their alignment with relevant IT security and data protection standards. The Service relies solely on information and responses submitted by the Client through the designated online Complify service. Please be advised that:

 

  1. Self-Declaration: All responses, statements, and data submitted by the Client are provided as self-declarations made solely by the Client.

  2. Accuracy and Liability: The Client acknowledges and agrees that the accuracy, truthfulness, and completeness of the information provided are the Client’s sole responsibility. Spirity shall not be held liable for any errors, omissions, inaccuracies, or misrepresentations in the information supplied by the Client, nor for any resulting errors, deficiencies, or inaccuracies in the assessment, report, or recommendations derived therefrom.

  3. No Verification or Validation: Our Company does not, and shall not be deemed to, verify, validate, inspect, audit, correct, amend, supervise, or otherwise review the accuracy or completeness of any information provided by the Client. The assessment results are provided based exclusively on the information submitted by the Client, without independent verification by Spirity.

10. Termination

Either party may terminate the Agreement if the other party breaches its material obligations and fails to cure within 30 days of receipt of written notice, or if the other party becomes insolvent or bankrupt, liquidated or is dissolved, or ceases substantially all of its business.

Neither party will be liable for any damages resulting from termination of the Agreement, and termination will not affect any claim arising prior to the effective termination date.

 

The termination of the Agreement shall not affect the validity and effect of such provisions of the Agreement that shall remain effective according to their contractual purpose regardless of the termination of the Agreement, including, in particular, Sections 6 and 8.

11. Geographic Restrictions

We make no claims that our Services, our Website or any of its content is accessible, appropriate, or legal outside of UAE. If you access the Website from outside UAE, you do so on your own initiative and are responsible for compliance with local laws.

12. Governing Law and Jurisdiction

These Terms of Service and any dispute or claim arising out of, or related to them, shall be governed by and construed in accordance with the internal laws of the UAE without giving effect to any choice or conflict of law provision or rule.

Any legal suit, action, or proceeding arising out of or related to these Terms of Service or the Website shall be instituted exclusively in the courts of the UAE.

13. Waiver and Severability

Our failure to exercise or enforce any right or provision of the Terms of Service shall not constitute a waiver of such right or provision. The Terms of Service constitutes the entire agreement between you and Spirity and govern your use of the Service, superseding any prior agreements (including, but not limited to, any prior versions of the Terms of Service). If any provision of these Terms of Service is held by a court of competent jurisdiction to be invalid, illegal, or unenforceable for any reason, such provision shall be eliminated or limited to the minimum extent such that the remaining provisions of the Terms of Service will continue in full force and effect.

14. Feedback and Support

We welcome any comments, questions, and communication at hello@complify.pro

 

We offer support (about our licenses and any relevant topic) hello@complify.pro. We will usually get back to you within 3 business days.

15. Information on Spirity

The service provider and operator of Complify:

 

SPIRITY ENTERPRISE MIDDLE EAST- FZCO Headquarters:

IFZA Business Park, DDP, Premises Number- 30986-001

Dubai

United Arab Emirates

License number: 30986

E-mail contact: hello@complify.pro

Last updated: 2025.10.31.

Appendix 1. DATA PROCESSING ADDENDUM

PREAMBLE

Spirity Enterprise Middle East FZCO (from hereinafter: “Spirity”) and Client entity that is party to the Terms of Service is party to this DPA. Client’s Authorized Affiliates will also be covered by this DPA, provided that Client shall remain responsible for the acts and omissions of its Authorized Affiliates. For the avoidance of doubt, the Client entity that is the contracting party to the Agreement shall, on behalf of itself and its Authorized Affiliates: (a) remain responsible for coordinating, making, and receiving all communication with Spirity under this DPA; and (b) exercise any rights herein in a combined manner with Spirity under this DPA.

1. INTERPRETATION AND APPLICATION

1.1. In this DPA the following terms shall have the meanings set out in this Paragraph 1.1, unless expressly stated otherwise:

  • (a) “Agreement” means every service contract, including the Terms of Service between Spirity and Client

  • (b) “Business Day” means any day which is not a Saturday, Sunday or public holiday, and on which the banks are open for business, in Dubai (UAE).

  • (c) “Cessation Date” has the meaning given in Paragraph 2.8.

  • (d) “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (the “GDPR”) and any implementing legislation or legislation having equivalent effect in every country member of the European Economic Area (references to “Articles” or “Chapters” of the GDPR shall be construed accordingly). It also means the Personal Data Protection Law of the UAE – Federal Decree-Law No. 45. of 2021 (the “PDPL”).

  • (e) “Data Subject Request” means the exercise by Data Subjects of their rights under, and in accordance with, Chapter III of the GDPR.

  • (f) “Data Subject” means the identified or identifiable natural person located in the European Economic Area to whom Client Personal Data relates.

  • (g) “Delete” means to remove or obliterate Personal Data such that it cannot be recovered or reconstructed, and “Deletion” shall be construed accordingly.

  • (h) “Client Personal Data” means any Personal Data Processed by or on behalf of Client

  • (i) “Personal Data” has the same meaning as in Data Protection Laws.

  • (j) “Personnel” means a person’s employees, agents, consultants or contractors.

  • (k) “Processing” has the same meaning as in the Data Protection Laws and means inter alia obtaining, recording, holding, alteration, manipulating, transmission, disclosure, erasure or destruction of data.

  • (l) “Sub-processor” means any third party appointed by or on behalf of Spirity to Process Client Personal Data.

  • (m) “DPA” means Data Protection Addendum.

  • (n) “Client” means users with paid or non-paid license as well.

  • (o) “Instructions” means the content of present DPA and the Terms of Service between the Client and Spirity. Parties agree that these two documents constitute as documented instructions regarding Spirity’s processing of Client Personal Data.

1.2. This DPA is made in accordance with Article 28 of the GDPR.

1.3. In this DPA:

  • (a) the terms, “Data Controller”, “Data Processor”, “Personal Data”, “Personal Data Breach”, “Process” (and its derivatives) and “Supervisory Authority” shall have the meaning ascribed to the corresponding terms in the Data Protection Laws;

  • (b) unless otherwise defined in this DPA, all capitalized terms shall have the meaning given to them in the Agreement.

1.4. Spirity warrants and represents that it is subject to the territorial scope of the Data Protection Laws as determined in accordance therewith. Spirity further agrees that to the extent that it is not in fact subject to the territorial scope of the Data Protection Laws, this DPA shall be deemed automatically void with effect from the Effective Date without requirement of notice.

2. GENERAL REQUIREMENTS OF PROCESSING

2.1. Spirity warrants and undertakes

  • (a) to treat as confidential all Client Personal Data which may be derived form or obtained in the course of the contract or which may come into the possession of Spirity or any Personnel as a result of or in connection with the Services; and

  • (b) to provide all necessary precautions to ensure that all Client Personal Data is treated as confidential by Spirity or any Personnel; and

  • (c) to make sure Client Personal Data is only disclosed to persons specified by Client; and

  • (d) to allow access to any Client Personal Data provided by Client only to persons who are involved in the provision of Services; and

2.2. Spirity shall comply at all times with the Data Protection Laws and shall not perform its obligations under Services in such a way as to cause of any Client to breach any of its applicable obligations under the Data Protection Laws.

2.3. The parties agree that with regard to the Processing of Personal Data by Spirity on behalf of Client, Client is the Controller, Spirity is the Processor and that Spirity will engage Sub-processors as further detailed in Section 5 “Sub-processing” below.

2.4. Client represents and warrants on an ongoing basis – with regards to GDPR (6) – there is and will be throughout the term of the agreement a valid legal basis for Processing by Spirity of Client Personal Data in accordance with this DPA and the Agreement (including any and all instructions issued by Client from time to time in respect of such processing).

2.5. Taking into account the nature of the Processing, Spirity provides appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Client obligations, as reasonably understood by Client, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

2.6. Spirity warrants and undertakes to:

  • (a) Process Client Personal Data only in accordance with Instructions from Client as needed for Services;

  • (b) Additional instructions outside the scope of the Instructions (if any) require prior written agreement between Spirity and Client, including agreement on any additional fees payable by Client to Spirity for carrying out such Instructions;

  • (c) Process Client Personal Data only to the extent, and in such manner, as is necessary for the purpose of Services, or as is required by law or any supervisory body and shall process such personal data in compliance with all applicable Data Protection Laws, regulations, orders, standards and other similar instruments;

2.7. Spirity shall notify Client promptly (but in any event within two (2) business days) should it:

  • (a) Receive notice of any complaint made to a Supervisory Authority or any finding by a Supervisory Authority in relation to its Processing of Client Personal Data;

  • (b) be under a legal obligation to process Client Personal Data, other than under the instructions of the Client. In which case it shall inform Client of the legal obligations, unless the law prohibits such information being shared on important grounds of public interest;

  • (c) receives any Data Subject Request on behalf of a Data Subject of Client Personal Data;

  • (d) become aware that in following the instructions of Client, it shall be breaching Data Protection Laws.

2.8. Subject to Paragraph 2.9, upon the date of cessation of any Services involving the Processing of Client Personal Data (the “Cessation Date”), Spirity shall immediately cease all Processing of the Client Personal Data for any purpose other than for storage unless.

 

2.9. To the fullest extent technically possible in the circumstances, within forty-five (45) Business Days after the Cessation Date, Spirity shall either (at its option):

  • (a) Delete; or

  • (b) irreversibly render Anonymized Data,

all Client Personal Data then within Spirity’s possession.

2.10. Client hereby acknowledges and agrees that, due to the nature of the Client Personal Data Processed by Spirity, return (as opposed to Deletion) of Client Personal Data is not a reasonably practicable option in the circumstances. Having regard to the foregoing, Client agrees that (for the purposes of Article 28(3)(g) of the GDPR) it is hereby deemed (at the Cessation Date) to have irrevocably selected Deletion, in preference of return, of the Client Personal Data.

2.11. Spirity and any Sub-processor may retain Client Personal Data where required by applicable law, for such period as may be required by such applicable law, provided that Spirity and any such Sub-processor shall ensure that such Client Personal Data is only Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.

2.12. Client acknowledges and agrees that Spirity shall be freely able to use and disclose Anonymized Data for Spirity’s own business purposes without restriction.

2.13. Spirity shall ensure that its personnel engaged in the Processing of Personal Data are (a) informed of the confidential nature of the Personal Data and have executed written confidentiality agreements; (b) have received appropriate training on their responsibilities, specifically pertaining to security and privacy measures; and (c) only have access to Personal Data to the extent reasonably determined to be necessary in order to perform any obligations, responsibilities, or duties as further specified in this DPA and the Agreement. Further, to the extent permitted by applicable law, Spirity shall ensure that the confidentiality obligations shall survive the termination of the personnel engagement.

3. SECURITY AND BREACH NOTIFICATION

3.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk (which may be of varying likelihood and severity) for the rights and freedoms of natural persons, Spirity shall in relation to Client Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

3.2. In assessing the appropriate level of security, Spirity shall take account in particular of the risks presented by the Processing, in particular from a Person

3.3. Spirity maintains security incident management policies and procedures and shall notify Client, without undue delay, of any breach of its security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data, transmitted, stored or otherwise Processed by Spirity or its Sub-processors of which Spirity becomes aware and which requires notification to be made to Client, a Supervisory Authority and/or Data Subject under Data Protection Laws and Regulations (a “Security Incident”). Security Incident(s) will not include unsuccessful attempts or activities that do not compromise the security of Client Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems. Notification provided under this Section 3 shall not be interpreted or construed as an admission of fault or liability by Spirity. Spirity shall make reasonable efforts to identify the cause of such Security Incident and take those steps as Spirity deems necessary and reasonable in order to remediate the cause of such a Security Incident to the extent the remediation is within Spirity’s reasonable control. Additionally, upon request, Spirity shall provide Client with relevant information about the Security Incident, as reasonably required to assist the Client in ensuring Client’s compliance with its own obligations under Data Protection Laws to notify any Supervisory Authority or Data Subject in the event of a Security Incident. The obligations herein shall not apply to incidents that are caused by Client or Client’s users or any non- Spirity products or services.

3.4. Spirity shall at Client’s sole cost and expense co-operate with Client and take such reasonable commercial steps as may be directed by Client to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

4. AUDIT

4.1. Spirity shall provide on request all necessary information and assistance to Client in order for Client to verify Spirity’s compliance with its obligations under this Agreement and the Data Protection Laws. Client may request such information and/or assistance on material change, but maximum once a year.

4.2. Spirity shall make available to Client on request such information as Spirity (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA.

4.3. Subject to Paragraphs 4.5 and 4.6, in the event that Client (acting reasonably) is able to provide documentary evidence that the information made available by Spirity pursuant to Paragraph 4.2 is not sufficient in the circumstances to demonstrate Spirity’s compliance with this DPA, Spirity shall allow for and contribute to audits by Client or an auditor mandated by Client in relation to the Processing of the Client Personal Data by Spirity.

 

4.4. Client shall give Spirity reasonable notice of any audit or inspection to be conducted under Paragraph 4.5 (which shall in no event be less than fifteen (15) Business Days’ notice unless required by a Supervisory Authority pursuant to Paragraph 4.5(f)) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing any form of damage, and hereby indemnifies Spirity in respect of, any damage, injury or disruption to Spirity’s equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Spirity’s other Clients or the availability of Spirity’s services to such other Clients) while its Personnel and/or its auditor’s Personnel (if applicable) are on those premises in the course of any on-premise inspection.

 

4.5. Spirity need not contribute to audits or inspection:

  • (a) to any individual unless he or she produces reasonable evidence of their identity and authority;

  • (b) to any auditor whom Spirity has not given its prior written approval (not to be unreasonably withheld);

  • (c) unless the auditor enters into a non-disclosure agreement with Spirity on terms acceptable to Spirity;

  • (d) where, and to the extent that, Spirity considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of Spirity’s other Clients or the availability of Spirity services to such other Clients;

  • (e) outside normal business hours ; or

  • (f) on more than one occasion in any calendar year during the term of the Agreement, except for any additional audits or inspections which Client is required to carry out by Data Protection Laws or a Supervisory Authority, where Client has identified the relevant requirement in its notice to Spirity of the audit or inspection.

 

4.6. Client shall bear any third-party costs in connection with such inspection or audit and reimburse Spirity for all costs incurred by Spirity and time spent by Spirity (at Spirity’s then-current professional services rates) in connection with any such inspection or audit.

5. SUB-PROCESSING

5.1. Client authorizes Spirity to appoint Sub-processors in accordance with this Paragraph 5.

 

5.2. Spirity may continue to use those Sub-processors already engaged by Spirity as at the date of this DPA, subject to Spirity meeting within a reasonable timeframe (or having already met) the obligations set out in Paragraph 5.4.

 

5.3. Spirity shall give Client prior written notice of the appointment of any new Sub-processor, including reasonable details of the Processing to be undertaken by the Sub-processor. Client may in good faith reasonably object to the use of a new Sub-processor by notifying Spirity promptly in writing (e-mail acceptable) within thirty (30) business days after Spirity’s notice. After the thirty business days have passed without you reaching out to us we consider it as an approval of our new Sub-processor. Client’s notice shall explain the Client’s good faith, reasonable grounds for the objection. Spirity and Client shall try to negotiate to remedy the situation, and come to a conclusion, that is acceptable for both parties. If the parties are unable to resolve the objection via negotiations, Spirity will use commercially reasonable efforts to make available to Client a change in the services or recommend a commercially reasonable change to Client’s use of the services to avoid Processing of Client Personal Data by the objected-to new Sub-processor without unreasonably burdening the Client.

 

5.4. With respect to each Sub-processor, Spirity shall ensure that the arrangement between Spirity and the Sub-processor is governed by a written contract including terms which offer at least an equivalent level of protection for Client Personal Data as those set out in this DPA (including those set out in Paragraph 3).

 

5.5 Spirity shall promptly forward any received instructions or requests from Client to the Sub-processor relating to the processing.

6. DATA TRANSFER

6.1. Spirity may transfer or authorize the transfer of Data to countries within the UAE, the EU and/or the European Economic Area (EEA) and to countries that the European Commission has recognized as providing adequate protection – this includes sub-processors. If personal data processed under this Agreement is transferred from a country

within the European Economic Area to a country outside the European Economic Area, Spirity shall ensure that the personal data are adequately protected. To achieve this, Spirity shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of Client Personal Data.

6.2. Spirity shall only engage the Subprocessor after assessing the applicable law for the sub-processor and reasonably concluding that the applicable law does not conflict with Spirity’s obligations under the sub-processing agreement and applicable Data Protection Laws

7. LIABILITY

7.1 Each party’s and all of its Affiliates’ liability, in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Spirity, whether in contract, tort or under any other theory of liability, is subject to the Terms of Service, and any reference to the liability of a party means the total liability of that party and all of its Affiliates under the Agreement and all DPAs together.

bottom of page