Last updated: May 13, 2026
This Data Processing Agreement (“DPA”) is entered into between Rowstr FZ-LLC, a company registered in the United Arab Emirates (“Processor” or “Rowstr”), and the organization subscribing to the Rowstr service (the “Controller” or “Customer”). The DPA is incorporated into and forms part of the Rowstr Terms of Service at /terms (the “Agreement”).
By accepting the Agreement, the Customer accepts this DPA on behalf of itself and any affiliates whose personal data it processes through the Service. A counter-signed version of this DPA is available on request to [email protected].
Capitalized terms have the meaning set out in the Agreement. In addition:
Rowstr processes Customer Personal Data to provide the Service in accordance with the Agreement. The duration, nature, and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I. Processing continues for the term of the Agreement and any post-termination period required for return or deletion.
For Customer Personal Data, the Customer is the Controller and Rowstr is the Processor. Where Rowstr processes Personal Data relating to Customer's own account (account owner, team members, billing contacts, support communications), Rowstr acts as Controller and that processing is governed by the Privacy Policy at /privacy.
Rowstr will process Customer Personal Data only on documented instructions from Customer. The Agreement and this DPA constitute Customer's complete and final documented instructions for the purposes of Article 28(3)(a) GDPR and the equivalent provisions of the UAE PDPL. Additional instructions outside the scope of the Agreement may incur additional fees and must be agreed in writing. Rowstr will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
Rowstr will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations and receive appropriate training. Access is limited to the personnel who need it to perform the Agreement.
Rowstr will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against a Personal Data Breach, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks to Data Subjects. A description of the current measures is at /security and forms part of Annex II.
Customer grants Rowstr a general authorization to engage Sub-processors. The current list is available on written request to [email protected]. Rowstr will:
Customer may object to a new Sub-processor on reasonable data-protection grounds within 30 days of the notice. If Rowstr cannot reasonably accommodate the objection, either party may terminate the affected portion of the Service on written notice, and Customer will receive a pro-rata refund of any prepaid unused fees.
Taking into account the nature of the processing, Rowstr will assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer's obligations to respond to Data Subject requests under the Applicable Data Protection Law. The Service provides functionality to enable Customer to access, rectify, restrict, port, and delete Customer Personal Data. If Rowstr receives a Data Subject request directly, it will refer the request to Customer and will not respond except on Customer's instruction.
Rowstr will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and, where feasible, no later than 72 hours after becoming aware. The notification will, to the extent then known, describe the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed. Rowstr will provide reasonable assistance to Customer in meeting Customer's notification obligations.
Rowstr will provide Customer with reasonable assistance, taking into account the nature of the processing and the information available, to enable Customer to carry out Data Protection Impact Assessments and to engage in prior consultations with supervisory authorities where required by Articles 35 and 36 GDPR or the equivalent provisions of the UAE PDPL.
Where Rowstr processes Customer Personal Data of Data Subjects in the EEA, the UK, or Switzerland and that processing involves a transfer to a country that has not received an adequacy decision, the SCCs apply as follows and are deemed entered into between the parties:
For transfers governed by the UAE PDPL, the parties rely on adequacy where available or on equivalent contractual and technical safeguards consistent with Article 23 PDPL.
Rowstr will make available to Customer, on reasonable written request and at intervals of no more than once every twelve months (except following a Personal Data Breach), information sufficient to demonstrate compliance with this DPA, including (a) the information published at /security and the current sub-processor list (available on request), (b) responses to a reasonable security questionnaire, and (c) the most recent third-party certifications or audit reports, if any. Customer may, at its own cost and on reasonable prior written notice, conduct an audit limited to the matters reasonably required to verify compliance, subject to confidentiality and reasonable scheduling to avoid disruption of the Service. On-site audits require a mutually agreed scope and timetable.
On termination or expiry of the Agreement, Rowstr will, at Customer's choice, return or delete Customer Personal Data, unless retention is required by Applicable Data Protection Law. The Service provides self-service data export for 30 days following termination. After that period, Customer Personal Data is deleted from production within 30 days and from backups within 90 days. Rowstr will confirm deletion in writing on request.
The limitations and exclusions of liability set out in the Agreement apply to claims under or in connection with this DPA, except where applicable law does not permit such limitations.
In the event of conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA prevails. Where the SCCs apply, the SCCs prevail over this DPA to the extent of any conflict.
This DPA is governed by the laws of the United Arab Emirates, except that for SCCs and matters concerning the processing of Personal Data of EEA/UK Data Subjects, the law specified in the relevant module of the SCCs governs.
Subject matter. Provision of the Rowstr Service.
Duration. Term of the Agreement and any post-termination retention period required by Applicable Data Protection Law.
Nature and purpose. Hosting, storage, transmission, display, encoding, indexing, search, analytics, backup, security monitoring, and other processing as required to provide the Service.
Types of Personal Data. Identification and contact data of Customer's users; talent and model profile data; media files (which may include image or audio of natural persons); scheduling and planning data; messages, comments, and notes; integration metadata.
Categories of Data Subjects. Customer's employees, contractors, and team members; talents, models, and creators contracted by Customer; Customer's contacts, prospects, and counterparties whose data Customer chooses to process.
Special categories of data. The Service is not designed for the processing of special categories of personal data (e.g., health, biometric, racial or ethnic origin). Customer warrants that it will not upload such data unless it has a valid legal basis and has notified Rowstr in writing.
Frequency. Continuous, throughout the term.
A non-exhaustive description of the technical and organizational measures Rowstr applies is published at /security and incorporated by reference. The measures cover, at minimum:
The list of authorized Sub-processors is maintained by Rowstr and available on written request to [email protected]. The list will be updated as set out in Section 7.