Data Processing Agreement

Last updated: April 2026

Legal review pending. This document is a structural draft prepared by TETRA Agency. Final wording will be reviewed by Saudi legal counsel before commercial use.

Purpose

This Data Processing Agreement (DPA) governs how TETRA Agency processes personal data on behalf of clients (the Controller) when delivering engagement services.

It complements TETRA's master engagement contract and is incorporated by reference into every Statement of Work where personal data processing is involved.

Roles

Controller — the client. Determines purposes and means of processing.

Processor — TETRA Agency. Processes personal data only on the Controller's documented instructions.

Sub-processors — third-party platforms TETRA uses (hosting, analytics, CRM, AI inference). Listed in our sub-processor schedule, available on request.

Categories of data

Identity data: names, job titles, contact details of Controller's employees and end users.

Behavioural data: aggregated and anonymised usage patterns from analytics integrations.

Transactional data: order data, billing details where TETRA implements e-commerce surfaces.

Special categories: TETRA does not process sensitive personal data without written instruction.

Security measures

Encryption in transit (TLS 1.3) and at rest (AES-256) on all production systems.

Access controls: role-based, least-privilege, MFA on all admin surfaces.

Audit logging: all data-access events logged with retention aligned to PDPL minimums.

Sub-processor due diligence: SOC 2 Type II or equivalent certification required.

Sub-processors

Vercel — hosting + edge compute (US/EU regions, GDPR-compliant DPA in place).

Sanity — content management (US, GDPR + CCPA compliant).

Resend — transactional email (US, GDPR + CCPA compliant).

PostHog — product analytics (EU regional hosting, GDPR-first).

Microsoft Clarity — session replay with PII masking (Microsoft global DPA).

Sub-processors are added or removed only with 30 days' written notice.

Data subject rights

TETRA assists the Controller in responding to data subject access, rectification, erasure, restriction, and portability requests under PDPL and GDPR.

Response time: within 5 business days of Controller's documented request.

Breach notification

TETRA notifies the Controller without undue delay (and within 72 hours where feasible) of any actual or suspected personal data breach.

Notification includes: nature of breach, categories and approximate number of data subjects, likely consequences, mitigation measures.

Data retention and return

Personal data is retained only as long as necessary to deliver the engagement plus a 90-day grace period for handover.

On termination, TETRA returns or deletes all personal data per Controller's election within 60 days.

Cross-border transfers

Where personal data leaves Saudi Arabia, TETRA relies on Standard Contractual Clauses (SCCs) or equivalent mechanisms approved under PDPL Article 29.

Contact

Data Protection enquiries: dpo@tetra-agency.com. Response within 5 business days.
