Data processing agreement
How SilaCities processes personal data on behalf of clients acting as data controllers. Request the signable DPA on request.
This Data Processing Agreement (“DPA”) supplements any services agreement (“Principal Agreement”) between Sila Artificial Intelligence Research LLC (“SilaCities”, “Processor”) and you, the client (“Customer”, “Controller”). It governs SilaCities’ processing of personal data on behalf of the Customer in connection with the services.
1 · Definitions
- Personal data, processing, controller, processor, sub-processor, data subject: as defined in the UAE Personal Data Protection Law (PDPL), the EU General Data Protection Regulation (GDPR) or equivalent applicable law.
- Services: the SilaCities platform and any related services provided under the Principal Agreement.
- Applicable law: data-protection laws of the jurisdictions where Customer operates or where data subjects reside, including GDPR, UK GDPR, UAE PDPL and similar.
2 · Roles & responsibilities
The Customer acts as data controller. SilaCities acts as data processor, processing personal data only on documented instructions from the Customer. SilaCities will ensure that persons authorised to process personal data are subject to confidentiality obligations.
3 · Scope of processing
Personal data is processed only to:
- Deliver the services as described in the Principal Agreement
- Comply with the Customer’s documented instructions
- Comply with applicable law (with prior notice to Customer where permitted)
Categories of data and data subjects are those described in the Principal Agreement or order form. SilaCities will not process personal data for its own purposes or sell it to third parties.
4 · Security measures
SilaCities implements appropriate technical and organisational measures to protect personal data, including:
- Encryption of personal data in transit and at rest
- Strict access controls with role-based permissions and least-privilege
- Regular security testing, vulnerability management and audits
- Incident detection, response, and post-incident review
- Staff training on data-handling and confidentiality
- Deployment isolation, no cross-customer data flow
5 · Sub-processors
SilaCities uses a narrow set of vetted sub-processors for hosting, email, analytics and monitoring. Each is bound by contractual obligations substantially equivalent to this DPA. A current list is available on request, and we notify Customer of material changes before adding a new sub-processor.
6 · Data subject rights
SilaCities assists the Customer in responding to data subject requests (access, rectification, deletion, portability, objection) by providing appropriate tools and, where necessary, reasonable cooperation within the timelines set by applicable law.
7 · International transfers
Where personal data is transferred across borders, SilaCities uses appropriate safeguards, including Standard Contractual Clauses, adequate-country arrangements, and equivalent mechanisms under UAE PDPL, to ensure a protected level equivalent to the Customer’s home jurisdiction.
8 · Breach notification
SilaCities notifies the Customer without undue delay and, where feasible, within 72 hours of becoming aware of a personal-data breach affecting the Customer’s data. Notification includes the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
9 · Audit rights
Customer has the right, on reasonable notice and at reasonable intervals, to audit SilaCities’ compliance with this DPA, either directly or through an independent auditor bound by confidentiality obligations. Audits are conducted to minimise disruption to services.
10 · Return & deletion
On termination of the Principal Agreement, SilaCities returns or deletes all personal data processed on behalf of the Customer, as the Customer elects, except where retention is required by applicable law. Certification of deletion is provided on request.
11 · Liability
Liability under this DPA is subject to the limitations of liability set out in the Principal Agreement, except where applicable law prohibits such limitation.
12 · Signing the DPA
A signable version of this DPA, including our current list of sub-processors and security practices, is available on request. Write to legal@silacities.com or to our Data Protection Officer at dpo@silacities.com.