Personal Data Protection and Cyber Security Appendix
This Appendix (“Appendix”) is incorporated into and forms part of the Agreement between the Parties. This Appendix is subject to the following terms and conditions related to the provision of Personal Data protection and cybersecurity, which the Parties have mutually accepted, by and between Paymob (“Paymob”) and the other contracting party (“You”). You and Paymob are referred to individually as “Party” and collectively as “Parties”.
Personal Data: means any data which relates to a natural person if that person can, whether directly or indirectly in conjunction with any other data, be identified from it and includes sensitive personal data.
Personal Data Protection Law (PDPL): means all applicable laws and regulations relating to the processing of personal data issued within the Territory. These laws and regulations may be amended from time to time by authenticated authorities.
Service: means service pursuant to the Agreement as otherwise agreed with Paymob.
CSP: means "Cloud Service Provider."
PCI DSS: means Payment Card Industry Data Security Standard, which provides the baseline for what constitutes cardholder data and sensitive authentication data. This standard is created and managed by the PCI Security Standards Council.
Cyber Incident Report: means a report which includes full details of the security breach or attack, detailing its impact, response, and recommendations.
Change Management Process: means a structured approach to planning, implementing, and controlling changes to systems, processes, or policies while minimizing risks and disruptions.
Hardware Security Module (HSM): means a physical device that securely manages, processes, and stores cryptographic keys to protect sensitive data and transactions.
Exit Strategy: means a predefined plan ensuring the orderly termination of services, including data retrieval, seamless transfer, secure data deletion, and hardware return (if applicable).
Paymob System: means the Paymob infrastructure technology that provides Paymob Services to its clients and enables it to provide comprehensive solutions within the Territory, facilitating seamless digital transactions and improving access to financial services for its clients in the Territory.
This Appendix shall remain in effect for the duration of the Agreement, and its provisions shall remain binding on Parties even after the expiration of the Agreement, with respect to the data exchanged during the term of this Appendix.
The Parties agree that Paymob shall have the right to terminate the Agreement or any of its appendices in the event that You breach any of the provisions of this Appendix, without prejudice to Paymob’s right to seek compensation from You for all losses incurred.
4.1 The Parties acknowledge that their access to any Personal Data of the other Party, or data that has been transferred, processed, or disclosed as part of their performance of obligations under the Agreement or any of its Appendices, is conditional upon their full compliance with the data protection provisions set forth in this Appendix.
4.2 In addition to Personal Data, the Parties acknowledge that they shall have access to Personal Data related to the other Party and/or its third parties. The Parties agree to process this Personal Data in accordance with the applicable PDPL and this Appendix.
4.3 The Parties undertake to comply with their obligations under the PDPL and acknowledge that they possess all necessary licenses to protect the data and fulfill the obligations referred to in this Appendix.
4.4 The Parties undertake to maintain an accurate record of data processing activities in accordance with the applicable PDPL, regardless of the size or nature of the processing operations.
4.5 The Parties shall share their internal policies for Personal Data with the other Party via email to facilitate mutual understanding and compliance.
4.6 The Parties undertake to implement clear procedures to mitigate risks, use and develop technologies to protect Personal Data in accordance with the applicable laws and internal policies shared by the Parties via email in accordance with Article 5.
4.7 The Parties shall store the information and data in accordance with the applicable PDPL and the internal policies of each party.
4.8 The Parties shall implement and maintain appropriate technical and organizational measures to store all Personal Data.
4.9 The Parties undertake to proactively address all issues, make necessary improvements, and demonstrate compliance with the PDPL without any obligation on the non-breaching Party in any way in accordance with the applicable PDPL and the internal policies of each party.
4.10 The Parties undertake to implement any governmental binding decision in accordance with the Territory's applicable laws and regulations.
4.11 The Parties undertake to take all necessary organizational, administrative, and technical measures to ensure the protection of Personal Data from any leakage during all stages of processing, including Personal Data during the transfer process.
4.12 In the event of any losses and/or damages and/or liabilities and/or costs and/or expenses, whether direct or indirect, including reasonable legal costs arising from or related to (a) a breach by either Party of its obligations under this Appendix, or (b) any act or omission by either Party leading to a violation of applicable data protection laws, including but not limited to the applicable Personal Data Protection Law and its amendments, the Party causing such violation shall defend and indemnify the non-breaching Party for all resulting consequences without prejudice to any other rights of the non-breaching Party.
4.13 In the event you commit a security breach, fraud, or misuse of the electronic platform provided by Paymob to perform the Services under this Appendix, You shall immediately notify Paymob via email at support@paymob.com.
4.14 You acknowledge and agree that You shall be solely responsible for all legal obligations and financial burdens resulting from any security or fraudulent incident, including internal fraud by Your employees.
5.1 You shall comply with cybersecurity standards by establishing and maintaining effective security controls for any environment, system, or device used to access the Paymob platforms and systems or to store or process confidential information or any data or information related to this Appendix.
5.2 You shall implement strict controls to ensure that only authorized persons can access Paymob Systems or the information and data, and restrict access to authorized persons only, who are bound by the same cybersecurity standards set forth in this Appendix under a legally binding document.
5.3 You shall ensure confidentiality, integrity, and availability of information and data through encryption and regular backups in accordance with the applicable laws and the internal policies of each Party shared via email in accordance with Clause 4.5.
5.4 You shall develop and maintain an incident response plan to address, respond to, and/or mitigate cybersecurity incidents immediately.
5.5 You shall follow the plan listed below in case of any incident:
5.6 Informing Phase: You should inform Paymob immediately, not later than 6 hours on a 24/7 basis, when a cybersecurity incident has occurred and been identified, and be in direct communication with Paymob.
5.7 Reporting Phase: You should submit an Initial Cyber Incident Report. While incidents categorized as ‘Major’ risk are to be reported to Paymob within 12 hours from the time of occurrence, those categorized as ‘Medium’ and ‘Low’ risks are to be reported to Paymob within 24 hours and 48 hours respectively. The initial report should include the data of the final report and resolution of the incident and return to normal process.
5.8 Incident Situation Report: You should submit the Incident Situation Report if there are new updates on the earlier reporting until the final resolution of the incident/issue.
5.9 Incident Closure Report: You should submit the Incident Closure Report after resuming normal operations.
5.10 Paymob has the right to terminate the Agreement immediately in the event of any cyber incident, and You shall be liable for any penalty from any regulatory body, while Paymob retains the right for damage compensation.
5.11 You shall train and educate all of Your employees and/or affiliates who have access to data or information on cybersecurity risks and how to predict and address them. You shall be responsible for all actions of Your affiliates and the resulting consequences in this regard.
5.12 You shall operate and implement periodic password update controls for authorized people to access the data and information, as well as use and update antivirus software for all devices connected to the same network through which data and information can be accessed.
5.13 Upon expiration or termination of the Agreement, You shall: (a) promptly return all Paymob data and information; (b) securely delete all copies thereof; and (c) cooperate fully with a final security audit by Paymob to verify compliance with data deletion requirements.
5.14 You shall continuously monitor information systems to detect and respond to cybersecurity threats, establish a mechanism for reporting any cybersecurity incidents, and ensure that Paymob and the authorities are promptly notified of any discovered cybersecurity event.
5.15 In the event You fail to mitigate a security vulnerability, You shall immediately notify Paymob and disclose all potential security vulnerabilities that may facilitate the exchange of information and data. Failure to comply with this notification requirement shall result in liability for any resulting damage.
5.16 You acknowledge and agree that Paymob and the Central Bank in the Territory or its deputed representatives shall have the right to conduct security audits, compliance inspections, and forensic investigations at any time during the term of the Agreement.
5.17 You shall ensure that Your systems comply with current PCI Data Security standards and any amendments thereto from time to time.
5.18 You shall indemnify Paymob in the event of any incident or losses and/or damages and/or liabilities and/or costs and/or expenses, whether direct or indirect, including reasonable legal costs arising from or related to (a) a breach of Your obligations under this clause, or (b) any act or omission leading to a violation of Paymob cybersecurity, or (c) a breach of Your obligations under this Appendix.
5.19 You acknowledge that You have reviewed and agreed to Paymob’s cybersecurity policy, and the general and specific obligations for cybersecurity, before using or accessing the Paymob platform or resources.
5.20 You shall comply with all applicable laws and regulations and Paymob’s cybersecurity policy and security requirements, including Data Protection, access control, and incident reporting. In the case of default by You, Paymob has the right to terminate the Agreement immediately, and You shall be liable for any penalty applied by the governmental and/or regulatory authorities and/or banks, while Paymob retains the right to compensation for damages.
5.21 You acknowledge and ensure secure hardware and software installation, maintenance, and timely updates to prevent vulnerabilities.
5.22 You shall maintain an updated list of authorized users with defined access privileges to Paymob System.
5.23 You shall remove access rights for the users immediately upon the termination of the Agreement or after notice from Paymob to remove the access of a user.
5.24 You shall align with Paymob and follow the agreed process of Change Management Process or system modification, including security risk assessments, without any effect on the stability of the Service.
5.25 You shall follow the escalation process for resolving cybersecurity incidents and compliance issues as per the matrix mentioned in this Appendix. In the case of default, Paymob has the right to terminate the Agreement, and You shall be liable for any penalty from the regulatory bodies while Paymob retains the right for damage compensation.
5.26 You acknowledge that all sensitive data shall be end-to-end encrypted, while double encryption may be considered based on the risk assessment.
5.27 You shall establish encryption processes, a robust cryptographic key management policy, standards, and procedures covering key generation, distribution, installation, renewal, revocation, recovery, and expiry.
5.28 You acknowledge that the encryption keys and other forms of authentication should be kept under the control of Paymob and should be stored in an appropriate Hardware Security Module (HSM) where technically feasible. In case the encryption keys are kept with You, in exceptional circumstances, it should be subject to appropriate risk management and controls to protect data confidentiality, data integrity, and authenticity.
5.29 Upon termination or expiration of this Appendix, You shall follow and execute an Exit Strategy to ensure: (a) complete data retrieval and transfer to Paymob in a Paymob-specified format; (b) irreversible deletion of all Paymob data and provision of verifiable proof; (c) smooth transfer of all activities and processes; and (d) return of any dedicated Paymob hardware. You agree that Paymob shall have the right to conduct audits, examinations, and reviews of Your systems, including cybersecurity and forensic audits, and to access third-party audit reports and Vulnerability Assessment and Penetration Testing (VA&PT) results.
5.30 You shall implement a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) and must notify Paymob of any service disruptions.
Notices under this Appendix will be valid and have legal effect if sent by email, certified mail with return receipt, or international courier, to the respective addresses shown above or such other address as either party shall designate. Notice shall be deemed given when received.
In the case of Paymob:
Official notices: legal@paymob.com
Official Email for Cyber Security and Personal Data: security@paymob.com
Support: support@paymob.com
In the case of You: the email address registered or specified in the Agreement.
Unless otherwise stated in this Appendix, all of the terms, provisions, requirements, and specifications contained in the Agreement remain in full force and effect. In the event of any conflict or inconsistency between the provisions of the Agreement and this Appendix, the provisions of the latter shall prevail.
8.1 The governing law of this Appendix shall be the substantive law of the nation where the Service is provided. Any dispute arising out of or in connection with this Appendix shall be referred to and finally resolved by the competent courts of such nation.