How Venture Insights processes personal data.

Document version: dpa.v1.0-ksa-bilingual-2026 · Effective date: 2026-05-11

This Addendum (the "Addendum") supplements the executed mutual NDA between Venture Insights ("VI") and the client (together the "Parties"). It governs VI's processing of personal data on behalf of the client under the Personal Data Protection Law of the Kingdom of Saudi Arabia (Royal Decree No. M/19 dated 9/2/1443H — the "PDPL") and its implementing regulations.

In case of conflict between this Addendum and the NDA, this Addendum prevails for personal data only.

---

1. Definitions

1.1. Capitalised terms not defined here have the meanings given in the PDPL. Defined terms in the NDA carry the same meaning here.

1.2. "Controller" means the entity that determines the purpose and means of processing personal data — the client under this Addendum.

1.3. "Processor" means the entity that processes personal data on behalf of the Controller — VI under this Addendum.

1.4. "Sub-processor" means any third party engaged by VI to carry out any processing of personal data on behalf of the client.

1.5. "Personal Data Breach" means any security incident leading to unauthorised access, alteration, disclosure or destruction of personal data.

---

2. Scope & Roles

2.1. The client is the Controller. The client determines the purpose, duration and categories of personal data submitted to the Platform and bears Controller-level obligations under the PDPL.

2.2. VI is the Processor. VI processes personal data on behalf of the client per the client's documented instructions, which at minimum include use for the Platform purposes set out in the NDA and as described in the Privacy Notice.

2.3. VI shall notify the client in writing if it reasonably believes the client's instructions violate the PDPL.

---

3. Processing Particulars

---

4. VI's Obligations as Processor

VI shall:

1. Process per instructions — process personal data only on documented client instructions, unless required otherwise by law (in which case VI will notify the client where not legally prohibited).
2. Confidentiality — ensure all personnel with access to personal data are bound by statutory or contractual confidentiality.
3. Security measures — implement and maintain the measures set out in Schedule I.
4. Data-subject-rights assistance — assist the client in responding to data-subject requests (access, correction, deletion, portability, restriction) within ten (10) business days.
5. Breach notification — notify the client within seventy-two (72) hours of discovering a Personal Data Breach, with all information needed to notify SDAIA and affected data subjects.
6. DPIA assistance — provide reasonable information to assist the client with personal-data-impact assessments and prior consultation with SDAIA where required.

---

5. Sub-processors

5.1. The client expressly authorises VI to engage the sub-processors listed in Schedule II.

5.2. VI may from time to time appoint new sub-processors or replace existing ones, provided that:

• The client is notified at least fourteen (14) days in advance via Platform or email.
• The new sub-processor is bound by data-protection obligations no less protective than those in this Addendum.
• The client has a reasonable right to object. If the objection cannot be resolved, the client may terminate the engagement without termination fees.

5.3. VI remains liable for the acts of its sub-processors as if performed by VI itself.

---

6. International Data Transfers

6.1. The client authorises the transfer of personal data outside the Kingdom of Saudi Arabia exclusively to the listed sub-processors, under contractual safeguards equivalent to the PDPL.

6.2. VI is progressively migrating production storage to KSA-resident infrastructure in line with the SDAIA Cloud Computing Special Provisions.

6.3. AI inference outside the KSA is limited to the minimum personal data necessary, and only under no-retention / no-training settings with the AI providers.

---

7. Artificial Intelligence

7.1. VI uses a multi-model consensus engine (Anthropic Claude, OpenAI GPT, xAI Grok) to process brief content.

7.2. VI contractually ensures with each AI provider:

• No retention — input data is deleted after inference completes or within thirty (30) days at the latest.
• No training — inputs are not used to train or fine-tune any general model.
• Encryption in transit — all API requests over TLS 1.2+.

7.3. The client may request exclusion of a specific AI provider from its engagement; VI will provide reasonable alternatives.

---

8. Retention, Return & Deletion

8.1. On termination of the engagement, VI shall:

• Cease all active processing of the client's personal data immediately.
• Return all personal data to the client in a machine-readable format on written request within thirty (30) days.
• Delete all personal data from production systems within ninety (90) days, except routine back-ups (deleted in the ordinary back-up rotation) and information legally required to be retained (AML, ZATCA — seven (7) years).

8.2. VI shall confirm deletion in writing on request.

---

9. Audit Right

9.1. The client may, no more than once per year, request reasonable information from VI to verify compliance with this Addendum.

9.2. The client may request an on-site audit upon reasonable suspicion of breach, subject to:

• Thirty (30) days' written notice.
• An independent auditor bound by confidentiality.
• Coordinated timing and scope to minimise operational impact.

---

10. Liability

Liability under this Addendum is subject to the limitation-of-liability provisions in the NDA and Terms of Service. This Addendum does not limit statutory liabilities of Controller or Processor under the PDPL.

---

11. Amendments

VI may amend this Addendum to track PDPL or implementing-regulation updates. Material amendments are notified at least fourteen (14) days in advance; the client may object per clause 5.2.

---

12. Governing Law & Dispute Resolution

This Addendum is governed by the laws of the Kingdom of Saudi Arabia. Disputes shall be referred to the Saudi Center for Commercial Arbitration (SCCA), seated in Riyadh, in the Arabic language. In case of conflict between the two versions, the Arabic version prevails.

---

Schedule I — Technical & Organisational Measures

1. Access control — account-level authentication, role-based access control (RBAC), argon2id password storage, secure httpOnly sessions.
2. Encryption at rest — managed Postgres with AES-256 at-rest encryption; asset storage (Vercel Blob) encrypted at rest.
3. Encryption in transit — TLS 1.2+ on all endpoints, auto-renewed certificates.
4. Secrets encryption — third-party API keys stored AES-256-GCM with a key held outside the database.
5. Logging & monitoring — append-only audit log of all administrative and sensitive actions; error tracking via Sentry (when enabled).
6. Rate limiting — applied to account-level endpoints to prevent brute-force attacks.
7. Backup & recovery — daily database backups with periodic restore testing.
8. Business continuity — documented incident-response procedures and key-rotation runbook.
9. Personnel training — mandatory annual PDPL training for personnel with access to personal data.

---

Schedule II — List of Sub-processors