KeyflowKEYFLOW

Data Processing Addendum

Version: 1.0  |  Dated: 15 July 2026

This Data Processing Addendum is incorporated into the Terms of Service and is executed per agency via in-product acceptance by an authorised representative of the agency. In respect of personal data processing, it prevails over the Terms of Service.


between

the real-estate agency that subscribes to the Services (the “Agency” / “Controller”), a real-estate agency licensed in Dubai, United Arab Emirates, identified by its RERA Office Registration Number (ORN) and registered address as recorded at acceptance;

and

KeyFlow Technology Ltd (“KeyFlow” / “Processor”), a company licensed in the Dubai International Financial Centre under Commercial Licence CL-12435, of Unit GA-00-SZ-01-FX-07, Level 1, Gate Avenue South Zone, DIFC, Dubai, UAE.

(each a “Party”, together the “Parties”)

Version1.0 — 15 July 2026
Legal basisArticle 24, DIFC Data Protection Law No. 5 of 2020 (“DP Law”)
Scope of servicesThe KeyFlow software services used by the Agency: the first-generation LeaseFlow and LeadsFlow products, and, upon the Agency's migration, the next-generation Keyflow platform (Arc, Atlas, Connect, Ledger, Console, Keys) — together the “Services”
ExecutionIncorporated into the Terms of Service; executed per agency via in-product acceptance by an authorised representative

Recitals

(A) The Agency uses the Services to manage its real-estate business, in the course of which KeyFlow Processes Personal Data relating to the Agency's clients and contacts on the Agency's behalf.

(B) Article 24 of the DP Law requires such Processing to be governed by a legally binding written agreement. This Addendum is that agreement. It supplements the terms of service governing the Agency's use of the Services and prevails over them in respect of Personal Data processing.

1. Definitions

Capitalised terms have the meanings given in the DP Law. “Agency Personal Data” means Personal Data Processed by KeyFlow on the Agency's behalf in providing the Services, as described in Annex A. For the avoidance of doubt, Personal Data for which KeyFlow determines its own purposes and means (platform account identity, security and audit records, as described in KeyFlow's privacy notice) is processed by KeyFlow as Controller and is outside this Addendum.

2. Roles

2.1 For Agency Personal Data, the Agency is the Controller and KeyFlow is the Processor.

2.2 The Agency warrants that it has a lawful basis for the Processing it instructs, that it has provided its clients with the information required by Articles 29–30 of the DP Law and applicable UAE law, and that its instructions comply with Applicable Law.

3. Subject matter, duration, nature and purpose

As set out in Annex A (which forms part of this Addendum). Duration: the term of the Agency's use of the Services, plus the wind-down and disposal periods in clause 9.

4. Processor obligations (Article 24(5))

KeyFlow shall:

  • (a) Documented instructions. Process Agency Personal Data only on the Agency's documented instructions. The Parties agree the Agency's instructions are: the functionality of the Services as configured and operated by the Agency's users, this Addendum, and any further written instructions the Agency gives through the Services or to privacy@keyflowae.com. KeyFlow shall inform the Agency if, in its opinion, an instruction contravenes the DP Law.
  • (b) Confidentiality. Ensure that every person authorised to Process Agency Personal Data (currently the founder-operator; in future, employees and contractors bound by KeyFlow's Internal Data Protection Policy) is committed to confidentiality.
  • (c) Security. Implement and maintain the technical and organisational measures summarised in Annex B, and not materially degrade them during the term.
  • (d) Sub-processors. Engage the sub-processors listed in Annex C (general authorisation granted). KeyFlow shall give the Agency at least 14 days' written notice of any intended addition or replacement, during which the Agency may object on reasonable data-protection grounds; shall impose data-protection obligations no less protective than this Addendum on every sub-processor by written contract; and remains fully liable to the Agency for sub-processor performance.
  • (e) Data subject rights. Taking into account the nature of the Processing, assist the Agency by appropriate technical and organisational measures in fulfilling the Agency's obligation to respond to Data Subject requests under Articles 32–40 (the Services include self-service export and documented request-handling workflows).
  • (f) Breach notification. Notify the Agency without undue delay after becoming aware of a Personal Data Breach affecting Agency Personal Data, providing the information reasonably required for the Agency's own obligations under Articles 41–42.
  • (g) Deletion or return. At the end of the provision of the Services (including the wind-down in clause 9), at the Agency's choice, delete or return all Agency Personal Data and delete existing copies, save to the extent Applicable Law requires retention (in which case KeyFlow shall isolate and protect the data and process it for no other purpose), applying Article 22 of the DP Law and KeyFlow's Retention & Erasure Schedule.
  • (h) Demonstration and audit. Make available to the Agency information reasonably necessary to demonstrate compliance with Article 24, and allow for and contribute to audits (including inspections) conducted by the Agency or its mandated auditor, no more than once per 12-month period on at least 14 days' notice, during business hours, at the Agency's cost, and subject to reasonable confidentiality and security requirements. KeyFlow's current compliance documentation (Record of Processing Activities, DPIA, Internal Data Protection Policy, Retention & Erasure Schedule) is available on request.

5. International transfers

5.1 The Services are hosted in AWS ap-southeast-1 (Singapore) — an adequate jurisdiction under Article 26(2) of the DP Law and Appendix 3 of the DIFC Data Protection Regulations.

5.2 The Agency authorises the transfers inherent in the Services, as documented in KeyFlow's Record of Processing Activities: onshore-UAE flows initiated by the Data Subject (UAE PASS authentication and digital signature) or conducted under the Article 28 procedure (Dubai Land Department verifications); limited transfers to the USA (Apple push-notification delivery, minimised to device tokens and notification content); and, if and when activated for the Agency, Meta/WhatsApp messaging — which KeyFlow shall not activate before compliant safeguards under Article 27 are in place.

5.3 Legacy first-generation file storage in AWS me-central-1 (UAE) is being consolidated to Singapore; KeyFlow shall complete that consolidation no later than the production launch of the next-generation platform.

6. Liability and governing law

6.1 Each Party's liability under this Addendum is subject to the limitations and exclusions of the underlying services terms, save that nothing limits liability for a Party's breach of the DP Law that results in an administrative fine or Data Subject compensation attributable to that Party's own non-compliance (Articles 62–64).

6.2 This Addendum is governed by the laws of the DIFC, and the DIFC Courts have exclusive jurisdiction.

7. Order of precedence

In respect of Personal Data processing, this Addendum prevails over the services terms and any prior arrangement between the Parties.

8. Term

This Addendum is effective from the Agency's acceptance and continues while KeyFlow provides the Services to the Agency, surviving the Agency's migration from the first-generation products to the next-generation platform.

9. First-generation wind-down

The Parties record that LeaseFlow and LeadsFlow will be wound down in Q4 2026 following the Agency's migration to the next-generation platform. Clause 4(g) applies to the wind-down: the Agency's data will be migrated with the Agency's confirmation, and residual first-generation copies disposed of per Article 22.


Annex A — Processing particulars

ItemDescription
Subject matterProvision of the Services (real-estate agency operations software)
Nature and purposeHosting, storage, structuring, retrieval, display, transmission and deletion of Agency business records: property/tenancy/lease management; lead and contact management (including inbound retrieval from Meta Lead Ads where the Agency connects its own account); client messaging (email; WhatsApp when activated); invoicing, payments and cheque tracking; document generation and (on the next-generation platform) UAE PASS e-signing; maintenance requests; notifications
Categories of Data SubjectsThe Agency's clients and prospective clients: tenants, landlords/owners, buyers, sellers, leads; the Agency's own staff (account data)
Categories of Personal DataNames (EN/AR); contact details; Emirates ID numbers and identity attributes; tenancy/lease and transaction terms (rents, deposits, dates); property records; lead/enquiry details and source attribution; message content and delivery metadata; invoicing, payment and post-dated cheque records; documents uploaded or generated in the Services
Special CategoriesNot intended to be processed; the Agency shall not instruct processing of Special Categories through the Services
DurationTerm of the Services + wind-down (clause 9) + statutory retention (Retention & Erasure Schedule)

Annex B — Technical and organisational measures (summary)

Hosting in AWS ap-southeast-1 (Singapore): databases encrypted at rest in private isolated subnets with no public access; TLS 1.2+ in transit; document storage with SSE/KMS encryption, versioning and public access blocked. Application: strict per-tenant isolation (every query scoped to the Agency); capability-based authorisation with per-user denies; UAE PASS verified identity (SOP2/SOP3) on the next-generation platform — no passwords held; hashed session tokens with remote revocation; append-only audit logging of every mutation (7-year retention). Operational: secrets in AWS Secrets Manager; CI without static cloud credentials; daily encrypted backups; production access restricted to the founder-operator. Full detail: KeyFlow Internal Data Protection Policy §4 and ROPA column J.

Annex C — Authorised sub-processors

Sub-processorPurposeLocation/notes
Amazon Web ServicesPrimary infrastructure (compute, database, storage, email via SES)Singapore (ap-southeast-1); legacy first-gen file storage in me-central-1 pending consolidation (clause 5.3)
AtlassianOperational/support toolingCloud
Microsoft 365Corporate emailCloud
ApplePush-notification delivery (device tokens, notification content)USA — minimised payloads
Lean TechnologiesPayment initiation and account data (sandbox today; production subject to DPA per clause 4(d) notice)UAE/ADGM
Meta PlatformsLead Ads inbound retrieval (where Agency-connected); WhatsApp messaging (only upon activation with Article 27 safeguards)USA

UAE PASS / Digital Dubai and the Dubai Land Department are independent controllers of their own government services and are not sub-processors of KeyFlow.


KeyFlow Technology Ltd — Data Processing Addendum v1.0 — 15 July 2026. Incorporated into the Terms of Service; executed per agency via in-product acceptance by an authorised representative.

KeyFlow Technology Ltd | DIFC Commercial Licence CL-12435