Data Protection Agreement
Last updated: February 2026

MERIT SUPER PLATFORM - DATA PROTECTION AGREEMENT

This Data Protection Agreement (the “DPA”) explains how Merit, including its direct or indirect subsidiaries, Affiliates, and related entities worldwide (collectively, “Merit”, “we”, “us”, or “our”), processes Personal Data solely in its capacity as a Data Processor (regardless of the geographic location from which the Platform is accessed) on your behalf in connection with access to and use of the Merit Super Platform and the products and services offered through it (collectively, the “Platform”).

This DPA forms an integral part of, and is incorporated by reference into, the agreement governing your access to and use of the Platform and any associated products, features, or services made available through it (the “Platform Agreement”).

This DPA applies automatically where Merit processes Personal Data on behalf of You in the course of providing the Services. No separate execution of this DPA is required.

For the avoidance of doubt:

  1. This DPA does not apply to Personal Data processed by Merit in its capacity as an independent Data Controller for purposes such as account administration, billing, compliance, platform operations, or Platform-level security. Such processing is governed by the Privacy Policy.

  2. Where Merit acts as a Data Processor, it processes Personal Data strictly on your documented instructions and in compliance with applicable data protection laws, including the Saudi Personal Data Protection Law (“PDPL”).

  3. This DPA, together with the Platform Agreement and the Privacy Policy, ensures that Personal Data processed through the Platform is handled in a lawful, fair, transparent, and secure manner, with appropriate technical and organizational measures in place to protect the rights of Data Subjects.

01

Definitions

Capitalised terms used but not defined in this Data Processing Addendum shall have the meanings given to them in the Platform Terms of Use or, where applicable, the relevant Product Terms.

“Merit” – defined as Merit, including its direct or indirect subsidiaries, affiliates, and related entities worldwide.

“Platform / Merit Super Platform” – defined as the Merit Super Platform and the products, services, tools, and functionalities offered through it.

“DPA” – defined as this Data Protection Agreement.

“Platform Agreement” – defined as the agreement governing your access to and use of the Platform and any associated products, features, or services made available through it.

“Personal Data” – defined consistent with PDPL: any information relating to an identified or identifiable natural person, including data provided to or generated within the Platform in connection with your use of the Platform.

“You / Customer” – defined as the entity or person accessing or using the Platform and instructing Merit to process Personal Data on its behalf.

“Services” – defined as the Platform services and any associated products, tools, modules, or functionalities provided by Merit to You under the Platform Agreement.

“Data Processor / Processor” – defined as Merit, when processing Personal Data on your documented instructions and not determining the purposes or means of processing.

“Data Controller / Controller” – defined as the party determining the purposes and means of processing Personal Data, which may be You or Merit depending on the processing context.

“Joint Controllers” – defined as Merit and You, where both determine the purposes and means of processing Personal Data jointly.

“Applicable Data Protection Laws / PDPL” – defined as the Saudi Personal Data Protection Law and any other data protection or privacy laws applicable to the processing of Personal Data.

“Privacy Policy / Platform Privacy Policy” – defined as the policy published by Merit governing Personal Data processed by Merit in its capacity as an independent Controller, including Platform administration, security, and operations.

“Sub-processor / Sub-processors” – defined as third-party service providers engaged by Merit to process Personal Data on behalf of You under documented instructions.

“Data Subject” – defined as an identified or identifiable natural person whose Personal Data is processed under this DPA.

“Sensitive Personal Data” – defined as Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health, sex life, sexual orientation, biometric or genetic data, or any other category deemed sensitive under Applicable Data Protection Laws.

“B2B / B2B2C Use Cases” – defined in context as business-to-business and business-to-business-to-consumer use cases supported by the Platform.

“Documentation / Documented Instructions” – defined as instructions provided by You in writing, via the Platform, or through agreed operational workflows for the processing of Personal Data.

“Personal Data Breach” – defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

02

Roles of the Parties

The Platform enables you to subscribe to and use different services, products, tools, and functional modules through a single unified environment. Depending on the nature of the subscribed service or product and the specific processing activity, Merit’s role under applicable data protection laws may vary. Accordingly:

  • Where Merit determines the purposes and means of processing Personal Data in connection with a service or functionality, Merit acts as a Data Controller.

  • Where Merit processes Personal Data strictly on documented instructions received from you, and you determine the purposes and means of processing (for example, where you upload, manage, or operate Personal Data relating to your own end users, employees, or loyalty program users), Merit acts as a Data Processor on behalf of you.

  • Where Merit and you jointly determine the purposes and means of processing in relation to a specific service or functionality, Merit and you act as Joint Controllers, and your and/or Merit's respective responsibilities are allocated in accordance with applicable law.

All such processing activities are governed by this DPA, together with the Platform Agreement arrangement between Merit and you.

03

Categories of Personal Data Processed

Merit processes only those categories of Personal Data that are necessary, relevant, and proportionate to operate, secure, deliver, and administer the Platform and the services, products, tools, and functionalities made available through it, in accordance with this DPA and applicable Data Protection Laws. The Platform is a business-to-business (B2B) platform that may support business-to-business-to-consumer (B2B2C) use cases. Accordingly, Merit processes Personal Data relating to:

  • your authorised users and representatives; and

  • where applicable, end users or loyalty program participants, whose Personal Data is provided to or generated within the Platform by you in connection with your use of the Platform.

The categories of Personal Data that may be processed include, but are not strictly limited to, the following:

  1. Account, Identity, and Business Contact Data

    Personal Data processed in connection with the registration for, access to, and administration of Platform accounts and user access, including:

    • legal business name, commercial registration details, and other registered entity information;

    • corporate documentation and information submitted for Know Your Business (KYB), sanctions screening, or compliance verification;

    • names, job titles, and business contact details of administrators and other authorised users or representatives;

    • business email addresses, telephone numbers, and associated professional contact identifiers;

    • assigned user roles, permissions, access scopes, and entitlements; and

    • login credentials, authentication factors, and authentication-related metadata (such as login timestamps, access status, and session identifiers).

    Information relating solely to legal entities does not constitute Personal Data. However, where such information relates to an identified or identifiable natural person (such as a director, signatory, authorised user, end user or company representative), it constitutes Personal Data and is processed in accordance with this DPA and the Privacy Policy.

  2. Your Data and End-User Data (B2B2C Use Cases)

    Depending on the services, products, or modules subscribed to by you, the Platform may process Personal Data uploaded to, generated through, or otherwise made available via the Platform by you, which may include Personal Data relating to:

04

Scope and Nature of Processing

  1. Merit shall process Personal Data to the extent necessary to provide, operate, maintain, support, and improve the Platform and the Services made available to You. Such processing shall be carried out in accordance with the documented instructions communicated by you, including as set out in this DPA, the Platform Agreement and applicable legal bases under the PDPL, including contractual necessity and legal obligations.
  2. You confirm that you have obtained all necessary authorisations, consents, or lawful bases required under applicable Data Protection Laws for the processing of Personal Data through the Platform and that your instructions to Merit comply with applicable Data Protection Laws.

05

Compliance with Applicable Data Protection Laws

  1. Each party shall comply with its respective obligations under Applicable Data Protection Laws. Merit shall process Personal Data in accordance with this DPA, the Platform Agreement, and Applicable Data Protection Laws, and shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with the processing.
  2. Merit shall not process Personal Data for its own independent purposes in its capacity as Processor and shall promptly inform the Customer if, in Merit’s reasonable opinion, any documented instruction infringes Applicable Data Protection Laws.

06

Security Measures

  1. Merit shall implement and maintain appropriate technical and organisational security measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access. Such measures are detailed in the Privacy Policy to ensure confidentiality, integrity, availability, and resilience of Personal Data, including access control, encryption, monitoring, incident response, and third-party oversight.
  2. These measures shall be proportionate to the risks associated with the processing and may include, as appropriate, access controls, authentication mechanisms, encryption, logging and monitoring, internal security policies, and confidentiality obligations imposed on personnel with access to Personal Data. Merit shall regularly review and update its security measures to reflect technological developments and evolving security risks.

07

Use of Sub-processors

  1. In the course of providing the Services, as further described in the Platform Privacy Policy and/or in each Product Terms, Merit may engage third-party service providers and vendors for both platform-level and product-level processing of your Personal Data on your behalf (“Sub-processors”) in order to support the operation, maintenance, and improvement of the Platform and related products and services in accordance with this DPA and the Platform Agreement. Such services may include, without limitation, data hosting and cloud infrastructure, application development and maintenance, analytics, marketing and sales support, payment and credit card transaction processing, customer relationship management, and customer support services.
  2. Merit shall ensure that any Sub-processor is subject to written contractual obligations that provide a level of protection for Personal Data no less protective than those set out in this DPA, including obligations relating to confidentiality, security, and data protection compliance.
  3. Sub-processors shall process Personal Data only on Merit’s documented instructions and only to the extent necessary to perform the services for which they are engaged, and shall implement appropriate technical and organisational measures in accordance with Applicable Data Protection Laws.
  4. Merit shall remain responsible for the acts and omissions of its Sub-processors in relation to the processing of Personal Data under this DPA.

08

Cross-Border Data Transfers

  1. This DPA applies to the Processing of Personal Data by Merit on behalf of you, regardless of where such Personal Data is Processed, including where Personal Data is transferred to, stored in, or accessed from countries other than the Kingdom of Saudi Arabia or the country in which the Customer or relevant data subjects are located.
  2. Merit may transfer Personal Data internationally as part of providing and supporting the Platform and related services including through the use of Sub-processors or infrastructure located outside the Kingdom of Saudi Arabia. Where Personal Data is transferred across borders, Merit shall ensure that such transfers are carried out in accordance with applicable Data Protection Laws and are subject to appropriate safeguards designed to ensure that Personal Data remains adequately protected wherever it is processed.
  3. Such safeguards may include, where required by applicable Data Protection Laws, the use of recognised legal transfer mechanisms, contractual protections, or other appropriate technical and organisational measures. These measures may include, without limitation, contractual commitments imposed on recipients of Personal Data, encryption of Personal Data in transit and at rest, access controls, information security policies, and other safeguards appropriate to the nature of the transfer and the risks involved.
  4. Where applicable Data Protection Laws require the use of specific transfer mechanisms for international transfers of Personal Data (such as standard contractual clauses or equivalent safeguards), Merit shall take reasonable steps to implement such mechanisms prior to or in connection with the relevant transfer. Merit shall also take reasonable steps to ensure that any third parties receiving Personal Data in connection with an international transfer provide a level of protection consistent with this Agreement and the Applicable Data Protection Laws.
  5. Merit may be required to disclose Personal Data in response to legally binding requests from competent governmental, regulatory, or law enforcement authorities. Where permitted by law, Merit shall take reasonable steps to notify the Customer of such requests.

09

Data Subject Rights

  1. Taking into account the nature of the processing and the information available to it, Merit shall provide You with reasonable assistance to enable You to respond to requests from data subjects exercising their rights under Applicable Data Protection Laws in accordance with the procedures described in the Platform Privacy Policy, including rights of access, correction, or deletion, where applicable and to the extent such Personal Data is processed by Merit on behalf of You.

  2. Merit shall not respond directly to any data subject request unless required to do so under applicable Data Protection Laws or expressly instructed by you.

  3. Any assistance provided by Merit under this Clause shall be subject to applicable Data Protection Laws and shall not require Merit to take actions that are unlawful, technically infeasible, or disproportionate in light of the nature of the services.

    1. Confidentiality of Personal Data. Merit shall ensure that any personnel authorised to process Personal Data are subject to appropriate confidentiality obligations, whether arising under contractual arrangements or statutory duties, and that such personnel receive appropriate training in relation to the protection and handling of Personal Data.

    2. Customer Responsibilities and Lawful Instructions. You represent and warrant that You have provided all notices and obtained all rights, consents, and authorisations required under Applicable Data Protection Laws for the processing of Personal Data through the Platform. You shall ensure that Your instructions to Merit are lawful and compliant with Applicable Data Protection Laws. Merit shall promptly inform You if it becomes aware that an instruction from You infringes applicable Data Protection Laws.

    3. Government, Regulatory, and Law Enforcement Requests. If Merit receives a legally binding request from a competent governmental, regulatory, or law enforcement authority requiring the disclosure of Personal Data, Merit shall, to the extent permitted by applicable law, notify You without undue delay and provide reasonable assistance to enable You to respond to such request or seek appropriate protective measures.

10

Personal Data Breach

  1. Merit shall notify You without undue delay after becoming aware of a Personal Data breach affecting your Personal Data. Such notification shall include information reasonably necessary to allow You to assess the impact of the breach and to comply with any applicable notification obligations under Applicable Data Protection Laws.

11

Audit and Information Rights

  1. Upon reasonable request and subject to appropriate confidentiality and security safeguards, Merit shall make available information necessary to demonstrate compliance with the DPA. The parties acknowledge that any audit or inspection rights shall be exercised in a manner that:
    1. minimises disruption to Merit's operations, protects the confidentiality of other customers' data and ensures that access is limited to personnel and records relevant to Your Personal Data.

    2. Merit may fulfil its obligations under this clause through the provision of reports, certifications, or remote inspection tools, at its discretion, provided that such measures reasonably enable you to verify compliance.

12

Term, Return, and Deletion of Data

  1. This DPA shall remain in effect for as long as Merit processes Personal Data on your behalf under this DPA. Upon termination or expiry of the Platform Agreement, Merit shall, at your option, return or securely delete Personal Data, unless retention is required under applicable law.
  2. Merit retains Personal Data only as necessary to fulfil the purposes under this DPA, comply with legal obligations, or enforce rights. Upon termination or expiry, Personal Data will be returned, securely deleted, or anonymized, in accordance with this DPA and the Privacy Policy, including the retention periods set therein.

13

Order of Precedence

  1. In the event of any inconsistency between this DPA and the Platform Agreement, this DPA shall prevail in respect of matters relating to the protection and processing of Personal Data.

14

Governing Law

  1. This Agreement shall be governed by and construed in accordance with the laws of the Kingdom of Saudi Arabia.

15

Survival

  1. The provisions of this Agreement which by their nature are intended to survive termination or expiry of the Agreement, including provisions relating to confidentiality, security, audit, and deletion of Personal Data, shall survive such termination or expiry.

16

Contact Information

For privacy inquiries or rights requests related to this Agreement:

Email: dpo@meritincentives.com

  • loyalty program members, points balance, reward recipients, or participants;

  • end customers, users, or beneficiaries of programs operated by you;

  • employees, contractors, or your agents; and

  • transactional, engagement, or activity data generated through program rules defined by you, APIs, integrations, or workflows configured by you.

In respect of such Personal Data, Merit acts as a data processor or service provider (as applicable) and processes the data on behalf of and in accordance with the documented instructions received from you as the data controller, unless otherwise expressly agreed in writing.

  • Operational, Security, and Audit Data

    Data generated or collected to ensure the security, integrity, availability, performance, and auditability of the Platform and its services. Such data constitutes Personal Data only to the extent that it relates to an identified or identifiable natural person, and may include, where applicable:

    • user activity records associated with named or identifiable user accounts;

    • access logs, login events, and session information linked to individual users;

    • role, permission, entitlement, and configuration changes attributable to specific users; and

    • system-generated logs, audit trails, or security alerts that include user-identifiable information (such as user IDs or IP addresses).

    Aggregated, anonymised, or purely technical data that cannot reasonably be linked to an identifiable individual does not constitute Personal Data and falls outside the scope of applicable Data Protection Laws.

  • Commercial, Subscription, and Billing Data

    Personal Data processed for subscription management, billing, and commercial administration of the Platform, including:

    • subscribed services, products, plans, and service entitlements;

    • invoicing information, payment status, transaction references, and billing contacts; and

    • contractual usage limits, thresholds, consumption metrics, and entitlement records.

    Payment transactions are processed through certified third-party payment service providers. Merit does not store full payment card numbers or sensitive authentication data.

  • Sensitive Personal Data

    The Platform is not designed or intended to process sensitive or special category Personal Data, as defined under applicable data protection laws (including the Saudi PDPL). Where the processing of such data is strictly required by applicable law (including, where relevant, regulatory or KYB obligations), such processing shall:

    • be limited to what is legally required;

    • be subject to enhanced technical and organisational safeguards; and

    • be carried out in compliance with all additional conditions and protections mandated by applicable Data Protection Laws.