DATA PROCESSING ADDENDUM (DPA)

Concluded Pursuant to Moroccan Law n° 09-08 Relating to the Protection of Individuals with Regard to the Processing of Personal Data

This Data Processing Addendum (“DPA”) is entered into by and between:

The CLIENT, acting as the Data Controller (the “Responsable du traitement”), duly organized and existing under the laws of Morocco, with its registered office at Tanger;

AND

Musak Leads Media, acting as the Data Processor (the “Sous-traitant”), an automation and digital systems provider duly organized under the laws of the Kingdom of Morocco, with its registered office at Tanger;

Collectively referred to as the “Parties” and individually as a “Party”.


ARTICLE 1 — PURPOSE AND LEGAL FRAMEWORK

1.1. The present DPA governs the conditions under which the Processor processes personal data on behalf of the Controller within the framework of the automation, deployment, maintenance, and operation of WhatsApp Business API communication systems and AI-assisted customer interaction infrastructures.

1.2. The Parties expressly acknowledge and agree that all processing activities conducted under this DPA shall be subject to and interpreted in accordance with:

  • Moroccan Law n° 09-08 relating to the protection of natural persons with regard to the processing of personal data;
  • Implementing decrees and regulatory decisions issued by the Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (“CNDP”);
  • Any other applicable Moroccan legal or regulatory provision concerning data privacy, confidentiality, cybersecurity, and digital communications.

1.3. This DPA forms an integral part of the Master Service Agreement (“MSA”) or any principal services agreement executed between the Parties.


ARTICLE 2 — DEFINITIONS

For the purposes of this DPA:

  • Personal Data” means any information relating to an identified or identifiable natural person within the meaning of Law n° 09-08.
  • Sensitive Data” includes, without limitation, health-related information, legal dispute information, identification data, and any category of data deemed sensitive under Moroccan law.
  • Processing” refers to any operation performed upon personal data including collection, recording, organization, storage, consultation, transmission, deletion, or destruction.
  • Data Subject” means the individual to whom the personal data relates.
  • Sub-processor” means any third party engaged by the Processor to assist in processing activities.

ARTICLE 3 — SUBJECT MATTER OF PROCESSING

3.1. The Processor is authorized to process personal data exclusively for the purpose of providing automation and AI-assisted communication services including, but not limited to:

  • WhatsApp Business API deployment and maintenance;
  • Automated appointment booking systems;
  • Multilingual conversational support;
  • AI-generated customer interaction workflows;
  • CRM and database querying automation;
  • Lead qualification and customer communication management;
  • Workflow orchestration through n8n infrastructure;
  • Integration with Meta Cloud API and OpenAI/GPT-4o systems.

3.2. Categories of personal data processed may include:

  • Full names;
  • Telephone numbers;
  • Email addresses;
  • Appointment details;
  • Medical appointment information;
  • Legal consultation information;
  • Customer inquiry records;
  • Chat histories;
  • Technical metadata and communication logs.

3.3. Categories of Data Subjects may include:

  • Patients;
  • Clients of legal practices;
  • Real estate customers;
  • E-commerce customers;
  • Employees and representatives of the Controller;
  • Prospective customers and leads.

ARTICLE 4 — PROCESSING UNDER DOCUMENTED INSTRUCTIONS

4.1. The Processor shall process personal data solely on the documented written instructions of the Controller.

4.2. The Processor shall not:

  • use the data for its own commercial purposes;
  • sell, disclose, monetize, or exploit personal data independently;
  • determine the purposes or essential means of processing.

4.3. The Controller remains solely responsible for:

  • determining the lawfulness of processing;
  • obtaining all legally required consents and authorizations;
  • fulfilling all declarations and notification obligations before the CNDP;
  • ensuring the legal basis for processing sensitive data.

4.4. Where the Processor considers that an instruction infringes Moroccan law or CNDP requirements, it shall immediately notify the Controller in writing.


ARTICLE 5 — CONFIDENTIALITY OBLIGATIONS

5.1. The Processor undertakes to maintain strict confidentiality concerning all personal data processed on behalf of the Controller.

5.2. The Processor shall ensure that all employees, contractors, consultants, administrators, engineers, and any other personnel authorized to access personal data:

  • are bound by strict contractual confidentiality obligations;
  • have executed enforceable Non-Disclosure Agreements (“NDAs”);
  • receive appropriate privacy and cybersecurity awareness training;
  • access personal data solely on a strict need-to-know basis.

5.3. Confidentiality obligations shall survive the termination or expiration of the contractual relationship between the Parties.


ARTICLE 6 — TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

6.1. Pursuant to Article 14 of Law n° 09-08, the Processor shall implement appropriate technical and organizational security measures to preserve the confidentiality, integrity, availability, and resilience of personal data.

6.2. Such measures shall include, without limitation:

a) Encryption and Secure Transmission

  • Encryption of data in transit using HTTPS/TLS protocols;
  • Secure API authentication mechanisms;
  • Encrypted administrative access channels.

b) Access Control

  • Multi-factor authentication (MFA) for all infrastructure and database access;
  • Role-based access control policies;
  • Restricted administrator privileges.

c) Data Minimization and Masking

  • Masking or obfuscation of sensitive identifiers where technically feasible;
  • Limitation of stored data strictly to operational necessity.

d) Logging and Retention Controls

  • Automated deletion and purging of technical logs after thirty (30) days unless a longer retention period is legally required;
  • Monitoring of unauthorized access attempts.

e) Infrastructure Security

  • Secure cloud hosting environments;
  • Segregation of production and testing environments;
  • Periodic security updates and vulnerability remediation procedures.

f) Incident Preparedness

  • Internal breach response procedures;
  • Backup and recovery systems designed to ensure service continuity.

6.3. The Processor does not guarantee absolute security and the Controller acknowledges that no information system can be entirely immune from cybersecurity risks.


ARTICLE 7 — INTERNATIONAL DATA TRANSFERS

7.1. The Parties expressly acknowledge that the technical architecture utilized under the Services involves international data transfers outside the territory of the Kingdom of Morocco, including through:

  • Meta Platforms, Inc. and Meta Cloud API infrastructure;
  • OpenAI API services and associated cloud infrastructure providers.

7.2. The Controller expressly acknowledges and confirms that:

  • such transfers may involve jurisdictions not recognized by Moroccan authorities as providing an equivalent level of data protection;
  • prior authorization from the CNDP may be legally required under Articles 43 and 44 of Law n° 09-08.

7.3. The Controller represents and warrants that it has:

  • obtained all required authorizations from the CNDP; or
  • initiated and undertaken the necessary procedures to obtain such authorizations.

7.4. The Processor shall not be held liable for the Controller’s failure to obtain the required CNDP approvals concerning cross-border data transfers.


ARTICLE 8 — SUB-PROCESSORS

8.1. The Controller grants the Processor general written authorization to engage the following categories of Sub-processors:

  • cloud infrastructure providers;
  • AI processing providers;
  • messaging infrastructure providers;
  • workflow orchestration providers;
  • database hosting providers.

8.2. The Controller specifically authorizes the use of:

  • Meta Platforms, Inc.;
  • OpenAI, L.L.C.;
  • affiliated infrastructure providers necessary for API delivery.

8.3. The Processor shall ensure that Sub-processors are contractually bound by data protection obligations substantially equivalent to those contained in this DPA.

8.4. The Processor shall remain responsible for exercising reasonable oversight concerning the security and compliance posture of its Sub-processors.


ARTICLE 9 — ASSISTANCE WITH DATA SUBJECT RIGHTS

9.1. Taking into account the nature of the processing, the Processor shall provide reasonable technical and organizational assistance to enable the Controller to respond to requests from Data Subjects exercising their legal rights under Law n° 09-08, including:

  • right of access (droit d’accès);
  • right of rectification (droit de rectification);
  • right to object to processing (droit d’opposition);
  • deletion requests where legally applicable.

9.2. Such assistance may include:

  • retrieval of relevant records;
  • modification or deletion of records where technically feasible;
  • exportation of communication logs;
  • restriction or suspension of automated workflows.

9.3. The Processor shall not directly respond to Data Subject requests unless expressly instructed by the Controller or legally required to do so.


ARTICLE 10 — PERSONAL DATA BREACH NOTIFICATION

10.1. The Processor shall notify the Controller without undue delay, and in all circumstances within twenty-four (24) to forty-eight (48) hours after becoming aware of:

  • unauthorized access;
  • accidental disclosure;
  • alteration;
  • destruction;
  • loss;
  • compromise of personal data.

10.2. Such notification shall include, where available:

  • the nature of the incident;
  • categories of affected data;
  • likely consequences of the breach;
  • corrective actions implemented or proposed;
  • mitigation measures undertaken.

10.3. The Processor shall cooperate in good faith with the Controller in connection with any legally required notification to the CNDP or affected Data Subjects.


ARTICLE 11 — AUDIT AND COMPLIANCE COOPERATION

11.1. Upon reasonable written request and subject to confidentiality obligations, the Processor shall make available information reasonably necessary to demonstrate compliance with this DPA.

11.2. Any audit request shall:

  • occur during normal business hours;
  • avoid disruption to the Processor’s operations;
  • remain limited to matters directly relevant to the Services.

11.3. The Controller shall bear all costs associated with audits unless a material breach attributable to the Processor is established.


ARTICLE 12 — DATA RETENTION AND DELETION

12.1. Upon termination of the Services or written instruction from the Controller, the Processor shall, at the Controller’s choice:

  • return the personal data; or
  • securely delete or anonymize the personal data,

unless retention is required by applicable law or necessary for legitimate security, evidentiary, or compliance purposes.

12.2. Backup systems and archived logs may persist temporarily according to standard disaster recovery cycles.


ARTICLE 13 — LIABILITY

13.1. Each Party shall remain liable for its own violations of Law n° 09-08 and applicable regulatory obligations.

13.2. The Processor shall not be liable for:

  • unlawful instructions issued by the Controller;
  • the Controller’s failure to obtain CNDP authorizations;
  • the legality of data collection by the Controller;
  • decisions made autonomously by third-party platforms outside the Processor’s reasonable control.

13.3. The Controller indemnifies and holds harmless the Processor against claims, sanctions, fines, or administrative actions arising from:

  • unlawful data collection practices;
  • absence of valid consent;
  • failure to comply with CNDP formalities;
  • unauthorized international data transfers attributable to the Controller.

ARTICLE 14 — TERM AND TERMINATION

14.1. This DPA shall enter into force on the Effective Date of the principal agreement between the Parties.

14.2. It shall remain in effect for the duration of the Services involving personal data processing.

14.3. Termination of the principal agreement shall automatically terminate this DPA, subject to any surviving obligations concerning confidentiality, liability, and data protection.


ARTICLE 15 — GOVERNING LAW AND JURISDICTION

15.1. This DPA shall be governed exclusively by the laws of the Kingdom of Morocco.

15.2. Any dispute arising from or relating to this DPA shall fall under the exclusive jurisdiction of the competent courts of Tanger, Morocco.