Overview
This Data Processing Agreement (“DPA”) governs how Master Media FZ-LLC (trading as “Master AI”) processes personal data on behalf of clients (“Data Controllers”) in connection with our AI consulting, delivery, and managed services.
This DPA is designed to comply with UAE PDPL, EU GDPR, and other applicable data protection regulations. It supplements our Master Services Agreement (MSA) or Statement of Work (SOW).
To request a signed DPA: Email privacy@masterconsult.ai with your engagement details.
1. Definitions
- “Controller” means the client who determines the purposes and means of processing personal data.
- “Processor” means Master Media FZ-LLC (trading as Master AI), acting on behalf of the Controller.
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined by GDPR/PDPL.
- “Processing” means any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.).
- “Sub-processor” means third-party service providers authorized by Controller to process personal data (e.g., cloud hosting, AI providers).
2. Scope of Processing
MASTER AI will process personal data only as instructed by the Controller and solely for the purposes specified in the engagement SOW.
2.1 Subject Matter
AI consulting, model development, RAG system implementation, content management, and related services as detailed in the SOW.
2.2 Duration
Processing commences on engagement start date and continues until project completion or termination, plus any retention period specified in the SOW.
2.3 Nature and Purpose
Processing personal data to deliver AI strategy, model training, evaluation, deployment, and governance services.
2.4 Types of Personal Data
Types vary by engagement but may include: employee data, customer data, user interaction logs, email addresses, and metadata. Special categories of data (e.g., health, biometric) require explicit written authorization.
2.5 Categories of Data Subjects
Controller’s employees, customers, website visitors, or other individuals as specified in the SOW.
3. Controller and Processor Obligations
3.1 Controller Instructions
Master Media FZ-LLC (Master AI) will process personal data only on documented instructions from the Controller. If we believe an instruction violates GDPR/PDPL, we will inform the Controller immediately.
3.2 Confidentiality
All Master Media FZ-LLC (Master AI) personnel authorized to process personal data are bound by confidentiality obligations and receive regular data protection training.
3.3 Data Security
Master Media FZ-LLC (Master AI) implements appropriate technical and organizational measures to protect personal data, including:
- Encryption at rest and in transit (TLS 1.3, AES-256)
- Access controls with role-based permissions
- Regular security audits and penetration testing
- Incident response and breach notification procedures
- Data residency options in UAE or EU regions (as requested)
- SOC 2 Type II certified infrastructure (AWS, Azure)
4. Sub-processors
The Controller grants general authorization for Master Media FZ-LLC (Master AI) to engage sub-processors, subject to the following conditions:
4.1 Current Sub-processors
| Sub-processor | Service | Location |
|---|---|---|
| AWS (Amazon Web Services) | Cloud hosting, compute, storage | UAE, EU, US (Controller choice) |
| Microsoft Azure | Cloud hosting, AI services | UAE, EU, US (Controller choice) |
| OpenAI | LLM API (optional, if approved) | US (zero retention policy) |
| Vercel | Frontend hosting, CDN | Global (edge network) |
| Supabase / PostgreSQL | Database services | UAE, EU, US (Controller choice) |
4.2 Changes to Sub-processors
Master Media FZ-LLC (Master AI) will notify the Controller at least 30 days before adding or replacing any sub-processor. The Controller may object to the change if it poses a material risk to data protection compliance.
4.3 Sub-processor Requirements
All sub-processors must provide data protection guarantees equivalent to this DPA, including appropriate security measures and compliance with GDPR/PDPL.
5. Data Subject Rights
Master Media FZ-LLC (Master AI) will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, objection) within the timelines required by law. We will provide relevant data within 5 business days of a request.
6. Data Breach Notification
In the event of a personal data breach, Master Media FZ-LLC (Master AI) will:
- Notify the Controller within 24 hours of becoming aware
- Provide details of the breach (nature, affected data subjects, potential impact)
- Describe mitigation measures taken and recommended actions
- Cooperate with Controller’s breach notification to regulators
Security contact: security@masterconsult.ai
7. Data Transfers
If personal data is transferred outside the UAE/EEA, Master Media FZ-LLC (Master AI) will implement appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by EU Commission
- Adequacy decisions (e.g., UK, Switzerland)
- Binding Corporate Rules (BCRs) for multinational clients
- Data residency in UAE/EU regions (default recommendation)
8. Data Deletion and Return
Upon termination or expiry of services, Master Media FZ-LLC (Master AI) will (at Controller’s choice):
- Delete all personal data and provide written confirmation, or
- Return personal data in a structured, machine-readable format (CSV, JSON, database export)
Copies retained for legal, accounting, or regulatory compliance will be securely isolated and deleted when no longer required.
9. Audits and Compliance
The Controller may audit Master Media FZ-LLC (Master AI)’s data processing activities with 30 days’ notice, subject to confidentiality obligations. We will provide:
- SOC 2 Type II reports (annual)
- ISO 27001 certification (upon request)
- Security questionnaires and compliance documentation
- Access to relevant logs and audit trails
10. Liability and Indemnification
Each party’s liability for data protection breaches is governed by the MSA/SOW and applicable law. Master Media FZ-LLC (Master AI) indemnifies the Controller for damages arising from our violation of this DPA or data protection laws, except where the Controller provided unlawful instructions.
11. Governing Law and Disputes
This DPA is governed by the laws of the United Arab Emirates. Disputes will be resolved through arbitration in Dubai, UAE, unless otherwise agreed in the MSA.
12. Amendments
Amendments to this DPA require written agreement from both parties. Master Media FZ-LLC (Master AI) may update sub-processor lists and security measures to maintain compliance, with notice to the Controller.
Version: 1.0 (November 2025)
Requesting a Signed DPA
To execute this DPA for your engagement, email privacy@masterconsult.ai with:
- Your company name and registered address
- Project description and data processing scope
- Preferred data residency region (UAE, EU, US)
- Any specific sub-processor restrictions or requirements
We will provide a customized, counter-signed DPA within 5 business days.
