Data Processing Addendum (DPA)

DONE MENAT FZCO
Data Processing Addendum (DPA)
Effective Date: 4 May 2026

1. Parties and Incorporation

This Data Processing Addendum ("DPA") forms a binding part of the agreement between:

• DONE MENAT FZCO, a company incorporated in Dubai Silicon Oasis Free Zone, United Arab Emirates (registration number DSO-FZCO-6511), having its registered address at Dubai Silicon Oasis, DDP, Building A2, Dubai, UAE ("DONE" or "Processor"); and
• The client entity accessing or using the DONE platform ("Client" or "Controller").

This DPA is incorporated into and forms part of the Terms and Conditions available at www.done.fyi ("Terms") and applies to all processing of Personal Data by DONE on behalf of the Client in connection with the DONE platform and services. In the event of conflict between this DPA and the Terms with respect to data protection matters, this DPA shall prevail.

By accessing or using the DONE platform, the Client agrees to be bound by this DPA. This DPA takes effect on the date the Client first accesses the platform or executes an order form, whichever is earlier.

2. Definitions

In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given to them in the Terms and Conditions or applicable Data Protection Law:

• "Data Protection Law" means all applicable laws and regulations relating to the processing, privacy, and protection of personal data, including without limitation: the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) and its implementing regulations; the EU General Data Protection Regulation (Regulation 2016/679) (GDPR) where applicable; the UK General Data Protection Regulation and the UK Data Protection Act 2018 (UK GDPR) where applicable; and any other applicable national or regional data protection legislation;
• "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Law;
• "Processing" means any operation or set of operations performed on Personal Data, including collection, storage, use, disclosure, alteration, combination, restriction, erasure, or destruction;
• "Controller" means the Client, as the entity that determines the purposes and means of processing Personal Data;
• "Processor" means DONE, as the entity that processes Personal Data on behalf of the Controller;
• "Sub-Processor" means any third party engaged by DONE to process Personal Data on behalf of the Client;
• "Data Subject" means an identified or identifiable natural person whose Personal Data is processed;
• "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021;
• "IDTA" means the International Data Transfer Addendum to the EU SCCs as issued by the UK Information Commissioner's Office under section 119A of the Data Protection Act 2018;
• "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

3. Subject Matter, Nature, and Purpose of Processing

3.1 Subject Matter. DONE processes Personal Data on behalf of the Client for the purposes of providing the DONE platform and associated services as described in the Terms and any applicable order form.

3.2 Nature of Processing. The processing activities performed by DONE as Processor include: hosting and storage of Personal Data within the Client's academy; transmission of Personal Data as required to deliver platform features; access to Personal Data for technical support and maintenance; and such other processing as is strictly necessary to operate the platform in accordance with the Client's instructions.

3.3 Purpose. DONE processes Personal Data solely for the purpose of delivering the contracted services. DONE shall not process Personal Data for its own independent commercial purposes.

3.4 Duration. Processing commences on the date the Client first accesses the platform and continues for the duration of the agreement, including any renewal periods, and for ninety (90) days following termination or expiry, during which Client Data remains accessible for export. Thereafter, Personal Data will be deleted in accordance with Clause 14.

4. Categories of Personal Data and Data Subjects

4.1 Categories of Data Subjects. The Personal Data processed may relate to: the Client's employees and personnel; learners and trainees registered on the Client's academy; contractors and partners of the Client; and such other individuals whose data the Client uploads to the platform.

4.2 Categories of Personal Data. The Personal Data processed may include:

• Identity data: name, job title, employee number, role;
• Contact data: work email address, telephone number;
• Learning and performance data: course enrolment, completion status, assessment results, progress records;
• Technical data: login timestamps, device identifiers, IP addresses;
• User-generated content: materials, responses, and communications created by users within the platform.

4.3 Special Categories. The Client shall not upload special categories of personal data (as defined under applicable Data Protection Law, including data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data) to the DONE platform without first obtaining DONE's prior written consent and providing evidence of a lawful basis for such processing. DONE may impose additional conditions or decline to process special category data at its discretion.

5. Obligations of DONE as Processor

DONE shall, with respect to Personal Data processed on behalf of the Client:

5.1 Instructions. Process Personal Data only on documented instructions from the Client, including as set out in this DPA and the Terms, unless processing is required by applicable law, in which case DONE shall notify the Client before processing unless prohibited by law from doing so.

5.2 Confidentiality. Ensure that all personnel authorised to process Personal Data are subject to binding confidentiality obligations and have received appropriate data protection training.

5.3 Security. Implement and maintain appropriate technical and organisational measures to protect Personal Data, as further described in Clause 11, taking into account the nature, scope, context, and purposes of processing, and the risks to the rights and freedoms of Data Subjects.

5.4 Sub-Processors. Engage Sub-Processors only in accordance with Clause 9 of this DPA.

5.5 Data Subject Rights. Provide reasonable assistance to the Client in responding to Data Subject rights requests, taking into account the nature of the processing, as further described in Clause 13.

5.6 Compliance Assistance. Provide the Client with reasonable assistance in ensuring compliance with obligations under applicable Data Protection Law relating to security, breach notification, data protection impact assessments, and prior consultations with supervisory authorities, taking into account the nature of processing and information available to DONE.

5.7 Deletion or Return. On termination of the agreement, deal with Personal Data in accordance with Clause 14.

5.8 Information and Audit. Make available to the Client information reasonably necessary to demonstrate DONE's compliance with its obligations as Processor and allow for and contribute to audits in accordance with Clause 12.

5.9 Notification of Unlawful Instructions. If DONE believes that any instruction from the Client infringes applicable Data Protection Law, DONE shall promptly inform the Client. DONE shall not be required to follow any instruction that it reasonably believes to be unlawful.

6. Obligations of the Client as Controller

The Client represents, warrants, and undertakes that:

6.1 Lawful Basis. It has determined and maintained a valid lawful basis for all processing of Personal Data it submits to the DONE platform, in compliance with applicable Data Protection Law.

6.2 Consent and Notice. Where processing is based on consent, it has obtained freely given, specific, informed, and unambiguous consent from all relevant Data Subjects. It has provided all Data Subjects with clear, accessible, and accurate privacy notices in compliance with applicable Data Protection Law.

6.3 Data Accuracy. It is responsible for the accuracy, quality, and legality of all Personal Data it submits to the platform and the means by which it acquired that data.

6.4 Data Subject Rights. It is responsible for managing and responding to Data Subject rights requests from its own users. Where DONE's assistance is required, the Client shall submit requests to DONE in writing at info@done.fyi.

6.5 Compliance. It will comply with all applicable Data Protection Laws in connection with its use of the DONE platform, including any obligations relating to data protection impact assessments and prior regulatory consultation.

6.6 Special Categories. It will not upload special category personal data without prior written agreement from DONE.

6.7 Sole Responsibility. The Client is solely responsible for all Personal Data within its academy and white-labelled applications. DONE disclaims all liability arising from the Client's failure to comply with its obligations as Data Controller.

7. Instructions

7.1 The Client's instructions to DONE regarding the processing of Personal Data are set out in this DPA, the Terms, and any applicable order form. The Client may issue additional written instructions from time to time, provided such instructions are consistent with this DPA.

7.2 DONE shall promptly notify the Client if it believes an instruction infringes applicable Data Protection Law. Pending resolution, DONE may suspend compliance with the instruction to the extent necessary to avoid a breach of law.

7.3 Where DONE processes Personal Data in accordance with applicable law rather than Client instructions, it will notify the Client as soon as practicable unless prohibited from doing so by law.

8. International Data Transfers

8.1 General. DONE operates a cloud-based platform and may process or store Personal Data in data centres or with service providers located outside the Client's jurisdiction, including outside the UAE, the EEA, or the UK.

8.2 EU/EEA Transfers — Standard Contractual Clauses. Where Personal Data originating from the European Union or European Economic Area is transferred to a country not recognised by the European Commission as providing an adequate level of data protection, such transfer shall be governed by the EU Standard Contractual Clauses (Controller-to-Processor Module, Commission Implementing Decision 2021/914 of 4 June 2021), which are hereby incorporated into this DPA by reference and shall apply automatically without further action by the parties. The following information supplements the SCCs:

• Data exporter: the Client (as Controller);
• Data importer: DONE (as Processor);
• The subject matter, nature, purpose, and duration of processing are as set out in this DPA;
• The categories of data subjects and personal data are as set out in Clause 4;
• The competent supervisory authority shall be determined in accordance with Clause 13 of the SCCs based on the Client's EU establishment.

Copies of the SCCs can be accessed at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914 and are available from DONE upon request at info@done.fyi.

8.3 UK Transfers — International Data Transfer Addendum. Where Personal Data originating from the United Kingdom is transferred internationally, such transfer shall additionally be governed by the UK International Data Transfer Addendum (IDTA) issued by the UK Information Commissioner's Office, which is hereby incorporated into this DPA by reference and shall apply automatically for UK-established Clients.

8.4 Other Jurisdictions. For transfers from other jurisdictions, DONE shall implement such other appropriate transfer mechanisms as are required under applicable local Data Protection Law.

8.5 By entering into this DPA, the Client is deemed to have executed the applicable transfer mechanisms, including the SCCs and IDTA where relevant, as data exporter. No further action or signature is required by the Client.

8.6 Sub-Processor Transfers. Where DONE engages Sub-Processors located outside the Client's jurisdiction, DONE shall ensure appropriate transfer mechanisms are in place with each Sub-Processor, consistent with applicable Data Protection Law.

9. Sub-Processors

9.1 General Authorisation. The Client grants DONE a general authorisation to engage Sub-Processors to assist in delivering the platform services, subject to the conditions set out in this Clause 9.

9.2 Sub-Processor List. DONE maintains a current list of all Sub-Processors engaged in the processing of Client Personal Data, including the name, location, and the nature of processing carried out by each. This list is publicly available at www.done.fyi/sub-processors and is updated whenever a change is made.

9.3 Notification of Changes. DONE will provide the Client with not less than thirty (30) days' prior written notice (by email or via the platform) before engaging any new Sub-Processor or replacing an existing Sub-Processor. The notice will identify the new Sub-Processor and describe the nature of the processing it will perform.

9.4 Client Objection. The Client may object to the addition of a new Sub-Processor by providing written notice to DONE within fifteen (15) days of the change notification, stating the reasonable grounds for objection. The parties will work together in good faith to resolve the objection. If the parties cannot resolve the objection within thirty (30) days, either party may terminate the relevant service by providing written notice, with a pro-rata refund of prepaid fees for the unused portion of the subscription term.

9.5 Sub-Processor Obligations. Before engaging any Sub-Processor, DONE shall impose on the Sub-Processor data protection obligations that are no less protective than those imposed on DONE under this DPA, including with respect to confidentiality, security, and international transfer requirements.

9.6 DONE Responsibility. DONE remains fully responsible to the Client for the performance of each Sub-Processor's data protection obligations. DONE will notify the Client of any Sub-Processor failure that affects Client Personal Data.

10. Data Breach Notification

10.1 Notification Obligation. In the event DONE becomes aware of a confirmed or reasonably suspected Personal Data Breach affecting Client Personal Data, DONE will notify the affected Client without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach, to the extent reasonably practicable.

10.2 Content of Notification. The breach notification will include, to the extent reasonably available at the time of notification:

• A description of the nature of the Personal Data Breach;
• The categories and approximate number of Data Subjects and Personal Data records affected;
• The name and contact details of a point of contact at DONE from whom further information can be obtained;
• The likely consequences of the Personal Data Breach;
• The measures taken or proposed to address the breach and to mitigate its possible adverse effects.

10.3 Regulatory Notification. The Client is solely responsible for notifying its competent supervisory authority and affected Data Subjects in accordance with applicable Data Protection Law. DONE will cooperate with and assist the Client in fulfilling these obligations, to the extent reasonably practicable.

10.4 No Admission. A breach notification from DONE does not constitute an admission of fault, negligence, or liability. DONE's liability in relation to any breach shall be governed by Clause 15 and the Terms.

10.5 Limitation. DONE's notification obligation under this Clause applies only to breaches affecting Personal Data within DONE's systems. DONE shall not be liable for breaches resulting from: Client-side security failures; Client's failure to secure user credentials; acts of third-party threat actors beyond DONE's reasonable control; or force majeure events.

11. Security Measures

11.1 DONE shall implement and maintain commercially reasonable technical and organisational measures designed to ensure a level of security appropriate to the risk presented by the processing of Personal Data. Such measures include, as appropriate:

• Encryption of Personal Data in transit using industry-standard TLS protocols;
• Access controls limiting access to Personal Data to authorised personnel on a need-to-know basis;
• Authentication requirements for platform access;
• Infrastructure monitoring and intrusion detection systems;
• Regular assessment of and improvements to security measures;
• Business continuity and disaster recovery procedures;
• Staff training on data protection and security obligations;
• Logical segregation of Client data.

11.2 DONE may update its security measures from time to time, provided that any updates do not materially reduce the overall level of protection afforded to Personal Data.

11.3 No Absolute Security. DONE does not warrant that its security measures will prevent all possible breaches. The Client acknowledges the inherent risks of transmitting and storing data online.

12. Audit Rights

12.1 Information. Upon the Client's reasonable written request, DONE will make available to the Client all information reasonably necessary to demonstrate DONE's compliance with its obligations as Processor under this DPA, including: relevant security certifications; third-party audit reports or security assessments; and written responses to data protection questionnaires.

12.2 Third-Party Audit. Where the information provided under Clause 12.1 is insufficient for the Client to reasonably assess DONE's compliance, the Client may, at its own cost, request an audit to be conducted by a mutually agreed independent third-party auditor. The following conditions apply:

• The Client must provide DONE with not less than thirty (30) days' prior written notice specifying the scope and proposed timing of the audit;
• The audit must be conducted during normal business hours and in a manner that minimises disruption to DONE's operations;
• The scope of the audit is limited to DONE's processing of the Client's Personal Data and related security practices;
• Audits may not be conducted more than once per calendar year, except where a confirmed Personal Data Breach has occurred;
• The auditor shall be bound by confidentiality obligations no less protective than those in Clause 3 of the Terms;
• The Client shall share the audit report with DONE promptly upon completion.

12.3 Regulatory Audits. DONE shall cooperate with any audit or investigation conducted by a competent supervisory authority in relation to the processing of Client Personal Data, to the extent required by applicable law.

12.4 Costs. The Client shall bear all costs associated with any third-party audit under this Clause, including DONE's reasonable costs of cooperating with and facilitating the audit.

13. Data Subject Rights Assistance

13.1 DONE will, taking into account the nature of the processing, provide reasonable technical and operational assistance to the Client in responding to Data Subject rights requests (including rights of access, rectification, erasure, restriction, objection, and data portability) that the Client receives from Data Subjects in connection with Personal Data processed by DONE on the Client's behalf.

13.2 DONE will forward to the Client, without undue delay, any Data Subject rights request it receives directly that relates to Personal Data processed on behalf of the Client. DONE will not respond directly to such requests without the Client's prior written authorisation, except as required by applicable law.

13.3 The Client shall be solely responsible for communicating the outcome of any Data Subject rights request to the Data Subject. DONE is not responsible for compliance with obligations that rest with the Client as Data Controller.

13.4 DONE may charge the Client its reasonable costs for providing assistance with Data Subject rights requests that are excessive in scope or frequency.

14. Data Retention and Deletion on Termination

14.1 Access Post-Termination. Following termination or expiry of the agreement for any reason, Client Personal Data will remain accessible within the platform for a period of ninety (90) days (the "Transition Period") to allow the Client to export its data.

14.2 Export. The Client is responsible for exporting its data during the Transition Period. DONE will provide reasonable assistance with data export in a standard format upon written request at DONE's then-current professional services rates, where applicable.

14.3 Deletion. Upon expiry of the Transition Period, DONE will securely delete or irreversibly anonymise all Client Personal Data from live systems. Deletion from backup and archival systems will occur in accordance with DONE's standard backup rotation cycle, which does not exceed ninety (90) days from the date of deletion from live systems.

14.4 Retention Exceptions. DONE may retain Personal Data beyond the Transition Period to the extent required by applicable law (including financial record-keeping requirements under UAE law) or as may be necessary to establish, exercise, or defend legal claims. Any such retained data will be handled in accordance with DONE's Privacy Policy.

14.5 Certification. Upon written request following completion of deletion, DONE will provide the Client with a written certification confirming that Client Personal Data has been deleted from DONE's systems, to the extent technically practicable.

15. Limitation of Liability

15.1 DONE's total aggregate liability under or in connection with this DPA, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall be subject to and governed by the limitation of liability provisions set out in the Terms and Conditions, including the aggregate liability cap and the exclusion of indirect, consequential, and punitive damages.

15.2 DONE shall not be liable under this DPA for any loss, damage, claim, or expense arising from: (a) the Client's failure to comply with its obligations as Data Controller; (b) the Client's failure to ensure a lawful basis for processing; (c) the Client's use of the platform in breach of this DPA or applicable Data Protection Law; (d) Personal Data Breaches caused by the Client or its users; (e) force majeure events; or (f) third-party actions beyond DONE's reasonable control.

15.3 Each party's liability for breach of the Standard Contractual Clauses (where applicable) shall be governed by the terms of the SCCs, subject to the overall liability cap in the Terms.

16. Confidentiality

All Personal Data processed by DONE under this DPA is subject to the confidentiality obligations set out in Clause 3 of the Terms and Conditions, which are incorporated herein by reference. DONE shall ensure that all personnel with access to Client Personal Data are bound by appropriate confidentiality obligations.

17. Data Protection Impact Assessments

Where the Client is required by applicable Data Protection Law to conduct a data protection impact assessment (DPIA) in connection with its use of the DONE platform, DONE will provide reasonable cooperation and assistance, including by providing available information about its processing activities and security measures. The Client is solely responsible for conducting and documenting the DPIA.

18. Governing Law and Dispute Resolution

This DPA is governed by the laws of the United Arab Emirates. Any disputes arising under or in connection with this DPA shall be resolved in accordance with the tiered dispute resolution process set out in Clause 23 of the Terms and Conditions, which is incorporated by reference.

Where this DPA incorporates the EU Standard Contractual Clauses, the SCCs shall also be subject to the governing law and jurisdiction provisions specified therein, which shall apply to the SCCs in addition to the general governing law of this DPA.

19. General

19.1 Entire DPA. This DPA, together with the Terms and Conditions and any applicable order form, constitutes the entire agreement between the parties with respect to the processing of Personal Data and supersedes all prior agreements and understandings on this subject.

19.2 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

19.3 Updates. DONE may update this DPA from time to time to reflect changes in applicable Data Protection Law or DONE's processing activities. Material changes will be notified in accordance with the variation procedure in the Terms. Continued use of the platform following the applicable notice period constitutes acceptance.

19.4 Conflicts. In the event of conflict between this DPA and the Terms on matters of data protection, this DPA shall prevail. In the event of conflict between this DPA and the Standard Contractual Clauses on matters governed by the SCCs, the SCCs shall prevail.

19.5 Company Details. Legal Entity: DONE MENAT FZCO. Registration Number: DSO-FZCO-6511. Registered Address: Dubai Silicon Oasis, DDP, Building A2, Dubai, UAE. Contact: info@done.fyi.

ANNEX A — EU Standard Contractual Clauses Notice

The EU Standard Contractual Clauses (Controller-to-Processor Module) adopted by Commission Implementing Decision 2021/914 of 4 June 2021 are incorporated into this DPA by reference and apply automatically where Personal Data originating from the EU/EEA is processed by DONE.

The full text of the SCCs is available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914

Copies of the SCCs are also available from DONE upon written request to info@done.fyi.

Supplementary information for the SCCs:

• Data exporter: the Client (as identified in the applicable order form or account registration);
• Data importer: DONE MENAT FZCO, Dubai Silicon Oasis, DDP, Building A2, Dubai, UAE;
• Subject matter of processing: provision of the DONE SaaS learning management platform;
• Nature and purpose: hosting, storage, delivery, and support of the Client's online learning academy;
• Duration: as set out in Clause 3.4 of this DPA;
• Categories of data subjects and personal data: as set out in Clause 4 of this DPA;
• Technical and organisational security measures: as set out in Clause 11 of this DPA;
• Sub-processors: as listed at www.done.fyi/sub-processors.

ANNEX B — UK International Data Transfer Addendum Notice

The UK International Data Transfer Addendum (IDTA) issued by the UK Information Commissioner's Office (as may be amended or replaced from time to time) is incorporated into this DPA by reference and applies automatically where Personal Data originating from the United Kingdom is processed by DONE.

The IDTA supplements the EU SCCs incorporated in Annex A and modifies them as required to ensure compliance with UK data protection law. The full text of the IDTA is available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/

Copies of the IDTA are also available from DONE upon written request to info@done.fyi.

ANNEX C — Sub-Processor Policy

DONE currently engages Sub-Processors to assist in delivering the platform. The current list of Sub-Processors, including their name, location, and function, is maintained and publicly available at www.done.fyi/sub-processors.

DONE undertakes to:

• Keep the Sub-Processor list current and accurate;
• Provide the Client with not less than thirty (30) days' prior written notice before adding or replacing any Sub-Processor;
• Impose on all Sub-Processors data protection obligations that are no less protective than those in this DPA;
• Remain responsible for the acts and omissions of each Sub-Processor as if they were the acts and omissions of DONE.