Gomgasht Workforce Health OS

Data Processing Agreement

Last updated: April 2, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Data Controller") and Gomgasht Inc. ("Data Processor") for the provision of the Gomgasht Workforce Health OS platform and related services.

Purpose

This DPA establishes the obligations of both parties regarding the processing of personal data in connection with the Services. It ensures compliance with applicable data protection laws, including the UAE PDPL, GDPR, PIPEDA, and other relevant regulations.

Definitions

  • Personal Data: Any information relating to an identified or identifiable individual
  • Processing: Any operation performed on personal data, including collection, storage, use, transfer, and deletion
  • Data Subject: The individual to whom personal data relates
  • Sub-processor: A third party engaged by Gomgasht to process personal data on behalf of the Data Controller
  • Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data

Processing Scope

Gomgasht processes personal data solely for the purpose of providing the Services as described in the service agreement. The categories of data processed include:

  • Employee identification data (name, employee ID, email)
  • Workforce assignment data (site, shift, department)
  • Health screening responses (daily wellness check submissions)
  • Triage and return-to-work case records
  • Access logs and platform usage data

Data Controller and Processor Roles

The customer is the Data Controller and determines the purposes and means of processing employee personal data. Gomgasht is the Data Processor and processes personal data only on documented instructions from the Data Controller. Gomgasht will not process personal data for any purpose other than providing the agreed Services.

Sub-processors

Gomgasht may engage sub-processors to assist in providing the Services. We maintain a current list of sub-processors and will notify the Data Controller at least 30 days before adding a new sub-processor. The Data Controller may object to a new sub-processor within 14 days of notification. All sub-processors are bound by data processing obligations no less protective than those in this DPA.

Security Measures

Gomgasht implements and maintains appropriate technical and organizational measures to protect personal data, including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Tenant isolation with dedicated database instances
  • Role-based access control and least-privilege enforcement
  • Multi-factor authentication for administrative access
  • Regular vulnerability assessments and penetration testing
  • Employee background checks and security training
  • Physical security controls at data center facilities

Data Breach Notification

In the event of a confirmed data breach affecting personal data, Gomgasht will:

  • Notify the Data Controller within 72 hours of becoming aware of the breach
  • Provide details of the nature of the breach, categories and approximate number of data subjects affected, and likely consequences
  • Describe measures taken or proposed to address the breach and mitigate its effects
  • Cooperate with the Data Controller in notifying supervisory authorities and affected individuals as required
  • Document the breach and remediation actions in a breach register

Data Retention and Deletion

Gomgasht retains personal data only for as long as necessary to provide the Services or as required by law. Upon termination of the service agreement, Gomgasht will:

  • Provide a 30-day window for the Data Controller to export data
  • Delete all personal data within 90 days of termination unless retention is required by law
  • Provide written confirmation of deletion upon request
  • Ensure sub-processors delete data in accordance with the same timelines

Cross-Border Transfers

Personal data is stored and processed in the region selected by the Data Controller. If cross-border transfers are necessary (for example, for disaster recovery), Gomgasht will ensure appropriate safeguards are in place, including Standard Contractual Clauses or reliance on adequacy decisions. The Data Controller will be notified of any cross-border transfer requirements.

Audit Rights

The Data Controller has the right to audit Gomgasht's compliance with this DPA. Audits may be conducted:

  • Once per year, with 30 days' advance written notice
  • By the Data Controller or a qualified independent auditor
  • At the Data Controller's expense, unless the audit reveals material non-compliance

Gomgasht will make available all information necessary to demonstrate compliance and will cooperate with reasonable audit requests. We also provide annual SOC 2 reports and third-party security assessment summaries upon request.

Contact

For questions about this Data Processing Agreement or to request a signed copy, contact us at:

[email protected]

Gomgasht Inc., Dubai, United Arab Emirates