Storexio

Data Processing Agreement (DPA)


Storexio Data Processing Agreement
Effective Date: 20/04/2026
Last Updated: 20/04/2026

This Data Processing Agreement (“DPA”) is entered into between:

Mehdi Ghazlavi Electronic L.L.C., trading as Storexio, registered in the United Arab Emirates under registration / licence number 1592588 (“Processor”, “Storexio”, “we”, “us”, or “our”),

and

[Merchant Legal Name], a business, company, or other legal person using Storexio’s Services (“Controller”, “Merchant”, or “you”).

This DPA forms part of, and is incorporated into, the Storexio Terms & Conditions, Merchant Terms / Seller Terms, subscription order, or other written or electronic agreement governing the Services between the parties (the “Main Agreement”).

1. Background and Purpose

1.1 The Controller uses Storexio’s platform, software, storefront tools, merchant dashboard, order-management tools, messaging tools, and related services (the “Services”).

1.2 In connection with the Services, Storexio may Process Personal Data on behalf of the Controller.

1.3 The parties enter into this DPA to set out their respective rights and obligations in relation to such Processing.

1.4 This DPA is intended to address requirements applicable to controller-processor relationships under applicable data-protection law, including, where relevant, the UAE federal personal-data framework and, where applicable, the separate regimes of DIFC and ADGM. UAE official guidance identifies the federal Personal Data Protection Law as the core UAE framework, while DIFC and ADGM maintain separate data-protection systems. ([U.AE][1])

2. Definitions

In this DPA, unless the context requires otherwise:

“Applicable Data Protection Law” means any law, regulation, rule, regulatory requirement, or binding guidance applicable to the Processing of Personal Data under the Main Agreement, including, where relevant:

  • the applicable federal laws of the United Arab Emirates relating to personal-data protection;
  • the data-protection laws and regulations of DIFC, where applicable;
  • the data-protection laws and regulations of ADGM, where applicable.

“Controller” means the party which determines the purposes and means of Processing Personal Data.

“Processor” means the party which Processes Personal Data on behalf of the Controller.

“Personal Data” means any information relating to an identified or identifiable natural person.

“Processing” or “Process” means any operation performed on Personal Data, whether or not by automated means, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, transmission, restriction, erasure, or destruction.

“Sub-Processor” means any third party appointed by Processor to Process Personal Data on behalf of Controller.

“Security Incident” means any confirmed or reasonably suspected accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Personal Data Processed by Processor under this DPA.

“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

3. Scope of this DPA

3.1 This DPA applies only to Personal Data that Storexio Processes on behalf of the Controller in connection with the Services.

3.2 This DPA does not apply to Personal Data for which Storexio acts as an independent Controller, including data Processed by Storexio for its own account administration, billing, security, fraud prevention, product analytics, legal compliance, and service improvement purposes, to the extent Storexio lawfully determines the purposes and means of such Processing.

3.3 Where Storexio Processes Personal Data as Controller for its own purposes, such Processing is governed by Storexio’s Privacy Policy and applicable law, not by this DPA.

4. Roles of the Parties

4.1 The parties acknowledge and agree that, with respect to Personal Data Processed by Storexio on behalf of the Controller under the Main Agreement:

  • the Controller is the Controller of such Personal Data; and
  • Storexio is the Processor of such Personal Data.

4.2 The Controller remains solely responsible for:

  • determining whether the Services are appropriate for its intended Processing activities;
  • establishing a lawful basis for Processing;
  • providing legally required notices;
  • obtaining any required consents, permissions, or authorizations;
  • responding to Data Subject requests where legally required;
  • ensuring that its instructions to Storexio comply with Applicable Data Protection Law.

4.3 The parties acknowledge that official DIFC and ADGM materials expressly address controller and processor duties, records, security, breach response, DPIAs, and transfer controls under their respective regimes. ([DIFC][3])

5. Subject Matter, Nature, and Purpose of Processing

5.1 Subject Matter. The subject matter of the Processing is the provision of the Services by Storexio to the Controller.

5.2 Nature of Processing. Processing activities may include receiving, recording, storing, organizing, structuring, hosting, retrieving, viewing, transmitting, updating, analyzing in limited service-operational contexts, backing up, securing, and deleting Personal Data.

5.3 Purpose of Processing. Storexio will Process Personal Data solely as necessary to provide, maintain, secure, support, and improve the Services for the Controller, and as otherwise permitted under this DPA and the Main Agreement.

5.4 Duration. Storexio will Process Personal Data for the duration of the Main Agreement, and thereafter only for so long as required for deletion workflows, legal retention duties, security logs, backup cycles, or other lawful and documented obligations.

6. Categories of Data and Data Subjects

6.1 The categories of Personal Data Processed under this DPA may include:

  • names;
  • email addresses;
  • phone numbers;
  • delivery and billing addresses;
  • customer account or order identifiers;
  • order history and transaction-related records;
  • communications between Merchant and customer;
  • support-related information;
  • device and usage metadata associated with service operation;
  • any other Personal Data submitted by or on behalf of the Controller through the Services.

6.2 The categories of Data Subjects may include:

  • the Controller’s customers;
  • prospective customers;
  • recipients of goods or services;
  • the Controller’s staff users, administrators, and representatives;
  • suppliers or business contacts of the Controller;
  • other individuals whose Personal Data is submitted to the Services by or on behalf of the Controller.

6.3 Unless expressly agreed otherwise in writing, the Controller shall not use the Services to Process special categories of data, criminal-conviction data, or other highly sensitive data requiring enhanced legal handling, except where the Controller has independently determined that such Processing is lawful and the Services are appropriate.

7. Controller Instructions

7.1 Storexio shall Process Personal Data only on the documented instructions of the Controller, including the instructions set out in:

  • this DPA;
  • the Main Agreement;
  • the Controller’s use of the Service settings and features;
  • other documented instructions mutually agreed by the parties.

7.2 Storexio may refuse to follow an instruction that it reasonably believes is unlawful, technically infeasible, outside the scope of the Services, or inconsistent with this DPA or the Main Agreement.

7.3 If Storexio believes that an instruction violates Applicable Data Protection Law, Storexio may notify the Controller and suspend the relevant Processing until the issue is resolved.

7.4 ADGM’s published materials specifically note that a controller’s processor agreement is required and that approved clauses may satisfy Article 26(3) requirements in controller-to-processor scenarios. ([ADGM][2])

8. Processor Obligations

Storexio shall, in relation to Personal Data Processed under this DPA:

8.1 Process Personal Data only on documented instructions from the Controller, unless otherwise required by applicable law.

8.2 Ensure that persons authorized to Process Personal Data are bound by confidentiality obligations or are under an appropriate statutory duty of confidentiality.

8.3 Implement appropriate technical and organizational measures to protect Personal Data, taking into account the nature of the Processing, the risks presented, and the state of the art.

8.4 Assist the Controller, taking into account the nature of the Processing and the information available to Storexio, in fulfilling the Controller’s obligations relating to security, breach response, Data Subject rights, and other legally required support duties.

8.5 Not sell Personal Data or Process it for unrelated independent commercial purposes while acting as Processor under this DPA.

8.6 Comply with the Sub-Processor provisions in Section 10.

Official ADGM guidance states that security obligations apply to both controllers and processors and should be assessed based on the state of the art, costs, nature, scope, context, and risks of the Processing. ([ADGM][4])

9. Confidentiality

9.1 Storexio shall ensure that any person authorized to Process Personal Data on its behalf:

  • has a legitimate business need to access such Personal Data;
  • is bound by confidentiality obligations.

9.2 Storexio shall take reasonable steps to ensure the reliability, training, and awareness of personnel with access to Personal Data.

10. Sub-Processors

10.1 The Controller grants Storexio a general authorization to appoint Sub-Processors in connection with the provision of the Services.

10.2 Storexio shall ensure that any Sub-Processor is bound by written obligations that provide a level of data protection no less protective, in all material respects, than those set out in this DPA, to the extent applicable to the services performed by that Sub-Processor.

10.3 Storexio remains responsible for the performance of its Sub-Processors to the extent required by applicable law and contract.

10.4 Upon reasonable request, Storexio shall provide information about the categories or identity of relevant Sub-Processors, subject to confidentiality, security, and operational limitations.

10.5 If the Controller reasonably objects to a new Sub-Processor on legitimate data-protection grounds, the parties shall discuss the objection in good faith. If no reasonable solution is available, Storexio may suspend the affected feature or the Controller may cease using the affected part of the Services.

11. Security of Processing

11.1 Storexio shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

11.2 Such measures may include, where appropriate:

  • encryption in transit;
  • access-control and role-based permission measures;
  • authentication controls;
  • logging and monitoring;
  • network and infrastructure protections;
  • vulnerability and patch management;
  • backup and recovery procedures;
  • incident-response processes;
  • organizational security governance.

11.3 Storexio may update its security measures from time to time, provided that such updates do not materially reduce the overall level of protection for Personal Data.

11.4 ADGM guidance expressly states that processors as well as controllers must implement appropriate technical and organizational security measures, and that the regulations do not prescribe a single fixed set of controls but instead require a risk-based assessment. ([ADGM][4])

12. Assistance With Data Subject Requests

12.1 Taking into account the nature of the Processing, Storexio shall provide reasonable assistance to the Controller, through technical and organizational measures where possible, to enable the Controller to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law.

12.2 Storexio shall, to the extent legally permitted:

  • promptly notify the Controller if it receives a Data Subject request directly relating to Personal Data Processed under this DPA; and
  • not respond to such request except on the Controller’s documented instructions, unless required by law.

12.3 ADGM publishes detailed guidance materials on individual rights and controller obligations, and DIFC materials also emphasize individual rights within that regime. ([DIFC][3])

13. Personal Data Breach / Security Incident

13.1 Storexio shall notify the Controller without undue delay after becoming aware of a confirmed Security Incident affecting Personal Data Processed under this DPA.

13.2 Such notification shall include, where reasonably available:

  • the nature of the Security Incident;
  • the categories of affected Personal Data;
  • the likely consequences;
  • measures taken or proposed to address the incident;
  • contact details for follow-up.

13.3 Storexio shall take reasonable steps to contain, investigate, remediate, and document the Security Incident.

13.4 Storexio shall reasonably cooperate with the Controller in relation to any legally required notifications, mitigation, remediation, or communications, taking into account the nature of the Processing and the information available to Storexio.

13.5 Storexio’s notification of a Security Incident is not an admission of fault or liability.

Official ADGM guidance specifically addresses processor and controller obligations concerning breach notifications and security of processing. ([ADGM][2])

14. Data Protection Impact Assessments and Consultations

14.1 To the extent required by Applicable Data Protection Law and taking into account the nature of the Processing and information available to Storexio, Storexio shall provide reasonable assistance to the Controller with:

  • data protection impact assessments;
  • risk assessments;
  • prior consultations with regulators or authorities;
  • other similar compliance assessments.

14.2 Storexio may charge reasonable fees for extensive or bespoke assistance not already included within the Services.

14.3 ADGM officially publishes dedicated DPIA guidance and identifies DPIAs as required for high-risk projects under its regulations. ([ADGM][2])

15. Records and Audit Support

15.1 Storexio shall make available to the Controller such information as is reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, privilege, security, and operational limitations.

15.2 Where required by Applicable Data Protection Law and reasonably necessary, Storexio shall allow for audits or inspections by the Controller or an independent auditor mandated by the Controller, provided that:

  • reasonable prior written notice is given;
  • the audit is limited to information relevant to Processing under this DPA;
  • the audit is conducted during normal business hours;
  • it does not unreasonably interfere with Storexio’s business operations;
  • the auditor is subject to confidentiality obligations;
  • the Controller bears its own audit costs, unless the audit reveals a material breach by Storexio.

15.3 Storexio may satisfy audit requests through current third-party certifications, summary audit reports, questionnaires, or similar documentation where appropriate.

15.4 ADGM guidance identifies record-keeping, processor obligations, and regulator cooperation as part of its controller/processor compliance structure. ([ADGM][2])

16. International Transfers

16.1 The Controller acknowledges that the Services may involve Processing or access to Personal Data in the United Arab Emirates and other jurisdictions where Storexio, its affiliates, or Sub-Processors operate.

16.2 Where Applicable Data Protection Law restricts cross-border transfers of Personal Data, the parties shall ensure that such transfers are made using a valid transfer mechanism under the applicable regime.

16.3 If ADGM law applies and Personal Data is transferred from the ADGM to a jurisdiction that does not provide an adequate level of protection, the parties shall implement an appropriate safeguard recognized under the ADGM Data Protection Regulations 2021, including ADGM SCCs or another approved mechanism where applicable.

16.4 If DIFC law applies, the parties shall implement a lawful export mechanism recognized under the DIFC regime where required.

16.5 The parties acknowledge that ADGM officially states that transfers out of ADGM are restricted unless a Part V mechanism applies, and that its SCCs support controller-to-processor and other transfer scenarios. ([ADGM][2])

17. Return and Deletion of Personal Data

17.1 Upon termination or expiry of the Main Agreement, and subject to Section 17.2, Storexio shall, at the Controller’s choice where technically feasible and consistent with the Services:

  • return Personal Data to the Controller;
  • delete Personal Data from active systems.

17.2 Storexio may retain Personal Data to the extent required by applicable law, security logging obligations, backup cycles, dispute preservation needs, or other documented and lawful retention requirements.

17.3 Where deletion is requested, Storexio may delete data in accordance with its standard technical and operational retention schedules.

17.4 ADGM guidance includes cessation-of-processing obligations and data-breach/security guidance as part of its regulatory framework. ([ADGM][4])

18. Compliance With Law and Government Requests

18.1 If Storexio is required by applicable law, regulator, court, or competent authority to Process or disclose Personal Data contrary to the Controller’s instructions, Storexio shall, to the extent legally permitted, inform the Controller before such Processing or disclosure.

18.2 Nothing in this DPA requires Storexio to act in a manner that would violate applicable law.

19. Controller Warranties

The Controller represents, warrants, and undertakes that:

19.1 it has complied, and will continue to comply, with Applicable Data Protection Law in relation to the Personal Data Processed under this DPA;

19.2 it has all necessary rights, notices, lawful bases, permissions, and consents required to disclose Personal Data to Storexio and instruct Storexio to Process it under the Main Agreement;

19.3 its instructions to Storexio are lawful;

19.4 it will not use the Services to Process data in a manner that violates Applicable Data Protection Law.

20. Sensitive Data and Restricted Uses

20.1 The Controller shall not submit to the Services, nor instruct Storexio to Process, any of the following except where expressly agreed in writing and technically supported by the Services:

  • special categories of personal data;
  • criminal-conviction or offence data;
  • biometric identifiers used for unique identification;
  • children’s data requiring heightened legal safeguards;
  • health or medical records in regulated contexts;
  • any other data requiring materially enhanced contractual, technical, or legal controls.

20.2 If such data is submitted in breach of this DPA, Storexio may suspend the affected Processing and require the Controller to remove the data.

21. Liability

21.1 The liability of each party arising under or in connection with this DPA shall be subject to the liability limitations, exclusions, and allocation of risk set out in the Main Agreement, except to the extent prohibited by applicable law.

21.2 Nothing in this DPA excludes liability that cannot lawfully be excluded.

22. Order of Precedence

22.1 In the event of inconsistency between this DPA and the Main Agreement, this DPA shall prevail with respect to the subject matter of data protection and Processing of Personal Data.

22.2 In the event of inconsistency between this DPA and a signed jurisdiction-specific addendum, SCC module, or other mandatory transfer or privacy addendum, the jurisdiction-specific addendum shall prevail to the extent required by applicable law.

23. Term and Termination

23.1 This DPA becomes effective on the Effective Date or on the date the Controller first uses the Services to Process Personal Data through Storexio, whichever occurs first.

23.2 This DPA remains in effect for so long as Storexio Processes Personal Data on behalf of the Controller under the Main Agreement.

24. Governing Law

24.1 This DPA shall be governed by the same governing law and dispute forum as the Main Agreement, unless Applicable Data Protection Law or a mandatory transfer mechanism requires otherwise.

24.2 Where the Controller is established in, or subject to, DIFC or ADGM, additional or substitute clauses may be required to align this DPA with that jurisdiction’s mandatory rules. UAE official guidance confirms that DIFC and ADGM operate distinct privacy frameworks alongside the federal regime. ([U.AE][1])

25. Contact Information

For notices or questions relating to this DPA, contact:

Mehdi Ghazlavi Electronic L.L.C.
Trading as: Storexio
Registration / Licence No.: 1592588
Email: [email protected]
Phone: +971 56 472 1229
Website: storexio.ae
Address: Dubai, Health Care City, City Bank Building


Schedule 1

Details of Processing

A. Subject Matter

Provision of Storexio’s hosted commerce platform, storefront tools, order management, merchant dashboard, communications tools, and related support services.

B. Duration

For the duration of the Main Agreement, plus any limited post-termination period required for return, deletion, backup expiration, dispute preservation, or legal retention.

C. Nature of Processing

Collection, storage, organization, hosting, retrieval, transmission, display, support, backup, deletion, and related operational Processing necessary to deliver the Services.

D. Purpose of Processing

To enable the Controller to operate an online store or commerce workflow, manage customers and orders, communicate with customers, and use the Services securely and effectively.

E. Categories of Personal Data

  • name
  • email address
  • phone number
  • address
  • order and transaction information
  • communications content
  • support information
  • device / usage metadata
  • any other Personal Data submitted by the Controller through the Services

F. Categories of Data Subjects

  • customers
  • prospective customers
  • merchant staff users
  • business contacts
  • delivery recipients
  • other individuals whose data is uploaded by the Controller

G. Special Categories

None, unless expressly agreed in writing.


Schedule 2

Minimum Security Measures

Storexio shall maintain appropriate measures, which may include as appropriate to the Services and risk profile:

  • encryption of data in transit;
  • logical access controls and authentication measures;
  • role-based permissions;
  • password and credential protection;
  • security monitoring and logging;
  • backup and restoration processes;
  • incident-response procedures;
  • vulnerability and patch management;
  • personnel confidentiality obligations; and
  • vendor / Sub-Processor diligence measures.

Official ADGM guidance confirms that security obligations are risk-based and apply to both controllers and processors, rather than prescribing a single universal control set. ([ADGM][4])