Data Processing Agreement
Last updated: 28 March 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between DIGIQUEST CONSULTING (operating under the brand name Taqyid), acting as Data Processor, and the Customer, acting as Data Controller. This DPA governs the processing of personal data by Taqyid on behalf of the Customer in accordance with the EU General Data Protection Regulation (GDPR) and the Malaysian Personal Data Protection Act 2010 (PDPA), as amended in 2025.
1. Definitions
- "Customer Data" means any personal data that the Customer uploads, submits, or otherwise makes available through the Taqyid platform.
- "Data Controller" means the Customer, who determines the purposes and means of processing Customer Data.
- "Data Processor" means DIGIQUEST CONSULTING (Taqyid), which processes Customer Data on behalf of the Customer.
- "Sub-processor" means a third party engaged by Taqyid to assist in the processing of Customer Data.
- "Data Subject" means any identified or identifiable natural person whose personal data is processed.
2. Scope and purpose of processing
Taqyid processes Customer Data solely for the purpose of providing the halal compliance management service as described in the Terms of Service. This includes:
- Storing and managing halal certificates, supplier records, and audit data
- Processing user account information for authentication and access control
- Generating compliance reports and dashboards
- Sending platform notifications and alerts (e.g., certificate expiry)
- Providing technical support when requested by the Customer
3. Categories of data and data subjects
3.1 Categories of personal data
- User identification data (name, email address, role, company)
- Authentication data (hashed passwords, session tokens)
- Usage data (access logs, feature interactions, timestamps)
- Business data uploaded by the Customer (supplier contacts, audit records, training records)
3.2 Categories of data subjects
- Customer employees and authorised users of the platform
- Customer suppliers and their contact persons (as uploaded by the Customer)
- Auditors and compliance personnel referenced in audit records
4. Obligations of the Processor
Taqyid shall:
- Process Customer Data only on documented instructions from the Customer, unless required by applicable law
- Ensure that all personnel authorised to process Customer Data are bound by confidentiality obligations
- Implement appropriate technical and organisational measures to protect Customer Data (as described in our Privacy Policy, Section 8)
- Not engage any sub-processor without prior notification to the Customer (see Section 6)
- Assist the Customer in responding to data subject requests (access, rectification, erasure, portability)
- Assist the Customer in ensuring compliance with data breach notification obligations
- Delete or return all Customer Data upon termination, at the Customer's choice, within thirty (30) days
- Make available to the Customer all information necessary to demonstrate compliance with this DPA
5. Obligations of the Controller
The Customer shall:
- Ensure that it has a lawful basis for processing personal data and transferring it to Taqyid
- Provide documented instructions regarding the processing of Customer Data
- Inform data subjects about the processing of their data via the platform
- Not upload sensitive personal data (Article 9 GDPR categories) unless expressly agreed in writing
6. Sub-processors
Taqyid uses the following sub-processors to deliver the service:
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting, edge network | United States (global CDN) |
| Supabase Inc. | Authentication, file storage | Singapore |
| Neon Inc. | PostgreSQL database (application data) | Singapore |
| Resend Inc. | Transactional email delivery | United States |
| Sentry (Functional Software Inc.) | Error monitoring and performance tracking | United States |
| Brevo (Sendinblue SAS) | Transactional and marketing email | France / European Union |
| Google LLC | Analytics (GA4, with consent only) | United States / Ireland |
Taqyid will notify the Customer at least thirty (30) days before adding or replacing a sub-processor. If the Customer objects to a new sub-processor on reasonable data protection grounds, the Customer may terminate the affected service by providing written notice within thirty (30) days of the notification.
7. International data transfers
Customer Data is primarily stored in the Asia-Pacific region (Singapore). Where personal data is transferred outside the European Economic Area or Malaysia, Taqyid ensures that appropriate safeguards are in place, including the European Commission's Standard Contractual Clauses (SCCs) and equivalent contractual protections, combined with technical measures such as encryption in transit and at rest.
8. Data breach notification
Taqyid shall notify the Customer without undue delay and in any event within forty-eight (48) hours of becoming aware of a personal data breach affecting Customer Data. The notification shall include:
- The nature of the breach, including categories and approximate number of data subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
- The contact point for further information (DPO at dpo@taqyid.com)
9. Audit rights
The Customer may, upon reasonable notice and no more than once per year (unless a data breach has occurred), request information or conduct an audit to verify Taqyid's compliance with this DPA. Taqyid shall cooperate with such requests and provide access to relevant documentation, logs, and security reports. Audits shall be conducted during normal business hours and shall not unreasonably disrupt Taqyid's operations.
10. Duration and termination
This DPA shall remain in effect for the duration of the Customer's use of the Taqyid service. Upon termination, Taqyid shall, at the Customer's choice, delete or return all Customer Data within thirty (30) days, and provide written confirmation of deletion. Taqyid may retain data where required by applicable law, in which case it shall inform the Customer and continue to protect such data in accordance with this DPA.
11. Governing law
This DPA is governed by French law. For data processing subject to the GDPR, the provisions of the GDPR shall prevail in the event of any conflict. For data processing subject to the Malaysian PDPA, the provisions of the PDPA shall apply to the extent required.
For any questions regarding this Data Processing Agreement, please contact our Data Protection Officer at: dpo@taqyid.com