
Data Processing Agreement

GDPR-Compliant Data Processing Agreement

Effective Date: December 19, 2025

Version: 1.0

About This Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between you (the Data Controller or "Customer") and HajjUmrah Platform (the Data Processor). It governs the processing of personal data in compliance with GDPR and other applicable data protection laws.

Agreement Parties:

Data Controller ("Customer" or "you"):

The entity that determines the purposes and means of processing personal data

Data Processor ("HajjUmrah," "we," "us," or "our"):

HajjUmrah Platform

Data Protection Officer: dpo@hajjumrah.com

1. Definitions

For the purposes of this DPA:

Data Protection Laws

All applicable laws and regulations relating to the processing of Personal Data, including GDPR (EU), UK GDPR, CCPA (California), and any successor legislation.

Personal Data

Any information relating to an identified or identifiable natural person as defined in the GDPR.

Processing

Any operation performed on Personal Data, whether automated or not, as defined in the GDPR.

Data Controller

The natural or legal person which determines the purposes and means of Processing Personal Data.

Data Processor

The natural or legal person which Processes Personal Data on behalf of the Data Controller.

Sub-Processor

Any third party appointed by HajjUmrah to Process Personal Data.

Data Subject

An identified or identifiable natural person.

Data Breach

A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

Supervisory Authority

An independent public authority established by an EU Member State pursuant to GDPR.

2. Scope and Purpose

2.1 Scope

This DPA applies to all Processing of Personal Data by HajjUmrah on behalf of the Customer in connection with the hajj and umrah booking platform services.

2.2 Purpose

The purpose of this DPA is to:

  • Ensure compliance with Data Protection Laws
  • Define the roles and responsibilities of each Party
  • Protect the rights of Data Subjects
  • Establish security and confidentiality requirements

2.3 Hierarchy

In the event of any conflict or inconsistency, the following order of precedence applies:

  1. This DPA prevails over the main agreement
  2. Standard Contractual Clauses (if applicable) prevail over this DPA
  3. Data Protection Laws prevail over all contractual terms

3. Data Controller and Data Processor Obligations

3.1 Customer (Data Controller) Obligations

The Customer shall:

  • Lawfulness: Ensure that it has all necessary legal bases for Processing and sharing Personal Data with HajjUmrah
  • Instructions: Provide clear, lawful, and documented instructions regarding Processing
  • Data Subjects: Provide appropriate notices to Data Subjects and obtain required consents
  • Accuracy: Ensure Personal Data is accurate and up-to-date
  • Cooperation: Cooperate with HajjUmrah in responding to Data Subject requests
  • Compliance: Comply with all applicable Data Protection Laws
  • Documentation: Maintain records of Processing activities

3.2 HajjUmrah (Data Processor) Obligations

HajjUmrah shall:

  • Instructions: Process Personal Data only on documented instructions from the Customer, unless required by law
  • Confidentiality: Ensure that persons authorized to Process Personal Data are bound by confidentiality obligations
  • Security: Implement appropriate technical and organizational measures
  • Sub-Processors: Only engage Sub-Processors in accordance with Section 5
  • Assistance: Assist the Customer in responding to Data Subject requests and ensuring compliance
  • Data Breaches: Notify the Customer of Data Breaches within 24 hours
  • Deletion: Delete or return Personal Data upon termination
  • Audits: Make available all information necessary to demonstrate compliance
  • Documentation: Maintain records of Processing activities
  • Transfers: Not transfer Personal Data outside the EEA except in compliance with Section 9

4. Data Processing Details

Subject Matter of Processing

Processing of Personal Data in connection with the provision of the Hajj and Umrah booking platform services.

Duration of Processing

For the term of the Services Agreement and as required by law thereafter.

Nature and Purpose of Processing

  • User registration and account management
  • Booking processing and management
  • Payment processing
  • Customer support
  • Marketing communications (with consent)
  • Analytics and service improvement

Types of Personal Data

Identity Data:

  • Full name, email, phone number
  • Date of birth, gender, nationality
  • Passport number and expiry date
  • Government-issued ID documents

Contact Data:

  • Residential address
  • Emergency contact information

Financial Data:

  • Payment card information (tokenized)
  • Billing address
  • Transaction history

Travel Data:

  • Booking details and history
  • Travel preferences
  • Dietary requirements
  • Medical conditions (if provided)

Categories of Data Subjects

  • Platform users (pilgrims)
  • Vendor representatives
  • Family members of users
  • Customer support contacts

5. Sub-Processors

5.1 Authorization

The Customer provides general authorization for HajjUmrah to engage Sub-Processors, subject to the conditions in this Section 5.

5.2 Current Sub-Processors

Sub-Processor               Service              Location       Safeguards
Amazon Web Services (AWS)   Cloud hosting        USA, EU        SCCs, Encryption
Stripe, Inc.                Payment processing   USA            SCCs, PCI DSS
Google LLC                  Analytics, Email     USA            SCCs, DPA
SendGrid (Twilio)           Email delivery       USA            SCCs, DPA
Cloudflare                  CDN, Security        USA, Global    SCCs, DPA

5.3 New Sub-Processors

Notification Process:

  • HajjUmrah shall inform the Customer at least 30 days in advance of any intended changes concerning addition or replacement of Sub-Processors
  • Notification shall be via email to the Customer's designated contact
  • The Customer may object to a new Sub-Processor on reasonable grounds related to Data Protection Laws
  • Objection must be submitted in writing within 14 days of notification
  • If no resolution within 30 days, either Party may terminate the affected Services

6. Security Measures

6.1 Technical and Organizational Measures

Technical Measures:

  • Encryption of Personal Data in transit (TLS 1.3)
  • Encryption of Personal Data at rest (AES-256)
  • Access controls and authentication (including MFA)
  • Network security (firewalls, intrusion detection)
  • Regular security testing and vulnerability assessments
  • Secure software development practices
  • Data backup and recovery procedures

Organizational Measures:

  • Data protection policies and procedures
  • Staff training and awareness programs
  • Confidentiality agreements
  • Access control policies (least privilege principle)
  • Incident response procedures
  • Business continuity and disaster recovery plans
  • Regular security audits and reviews

6.2 Security Standards

HajjUmrah maintains compliance with:

  • ISO/IEC 27001: Information Security Management
  • SOC 2 Type II: Security, Availability, Confidentiality
  • PCI DSS: Payment Card Industry Data Security Standard
  • Industry best practices and standards

7. Data Subject Rights

7.1 Assistance with Data Subject Requests

HajjUmrah shall, to the extent legally permitted, promptly notify the Customer if it receives a request from a Data Subject to exercise their rights under Data Protection Laws.

7.2 Types of Requests

Data Subjects may exercise the following rights:

  • Right of access (Article 15 GDPR)
  • Right to rectification (Article 16 GDPR)
  • Right to erasure (Article 17 GDPR)
  • Right to restriction of processing (Article 18 GDPR)
  • Right to data portability (Article 20 GDPR)
  • Right to object (Article 21 GDPR)
  • Rights related to automated decision-making (Article 22 GDPR)

7.3 Response Process

HajjUmrah's Obligations:

  1. Forward Data Subject request to Customer within 2 business days
  2. Not respond directly to Data Subject without Customer's prior authorization
  3. Provide reasonable assistance to Customer in responding to request
  4. Implement technical measures to facilitate Data Subject rights

Response Timeframe: The Customer must respond to the Data Subject within 1 month (or as otherwise required by law). This period may be extended by a further 2 months for complex requests.

8. Data Breaches

8.1 Notification to Customer

In the event of a Data Breach, HajjUmrah shall:

  • Notify Customer without undue delay and in any event within 24 hours of becoming aware
  • Provide sufficient information to allow Customer to meet its own notification obligations

Information to Include:

  • Nature of the Data Breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Likely consequences of the Data Breach
  • Measures taken or proposed to address the Data Breach
  • Measures to mitigate possible adverse effects

8.3 Investigation and Remediation

HajjUmrah shall:

  • Promptly investigate the Data Breach
  • Take reasonable steps to mitigate the effects
  • Provide regular updates to Customer
  • Cooperate with Customer's investigation
  • Provide written root cause analysis within 7 days
  • Implement corrective measures to prevent recurrence

9. International Data Transfers

9.1 Transfer Mechanisms

When transferring Personal Data outside the European Economic Area (EEA), HajjUmrah shall ensure one of the following safeguards:

Primary Mechanism: Standard Contractual Clauses (SCCs)

  • EU Commission approved SCCs
  • Controller-to-Processor or Processor-to-Processor clauses as applicable

Alternative Mechanisms:

  • Adequacy Decision: Transfer to countries with EU adequacy decision
  • Binding Corporate Rules: If applicable
  • Derogations: Specific situations under Article 49 GDPR (with Customer consent)

9.2 Transfer Locations

Personal Data may be transferred to and processed in:

  • United States: AWS data centers, analytics providers
  • United Kingdom: Cloud service providers
  • Other Countries: As listed in Sub-Processors table

10. Audits and Inspections

10.1 Audit Rights

The Customer (or its appointed auditor) has the right to audit HajjUmrah's compliance with this DPA.

10.2 Audit Frequency

Regular Audits:

  • Once per calendar year
  • At least 30 days' advance written notice
  • During normal business hours

Additional Audits:

  • Following a Data Breach
  • Upon reasonable suspicion of non-compliance
  • As required by Supervisory Authority

10.7 Alternative to Audits

HajjUmrah may satisfy audit requirements by providing:

  • SOC 2 Type II report
  • ISO 27001 certification
  • Third-party security assessments
  • Completed security questionnaires

11. Data Deletion and Return

11.1 Upon Termination

Upon termination or expiry of the Services, HajjUmrah shall, at the Customer's choice:

Option A: Deletion

  • Securely delete all Personal Data within 30 days
  • Provide written certification of deletion

Option B: Return

  • Return all Personal Data in commonly used format
  • Delete all copies after return
  • Provide written certification

11.2 Exceptions

HajjUmrah may retain Personal Data to the extent required by:

  • Applicable law (e.g., tax, accounting)
  • Retention obligations (e.g., financial records)

Retained Data: Must be isolated and protected, only processed for compliance purposes, and deleted after retention period expires.

12. Liability and Indemnification

12.1 Liability Framework

Each Party's Liability:

  • For its own breaches of Data Protection Laws
  • For acts of its Sub-Processors (HajjUmrah only)
  • Subject to limitations in main agreement

12.3 Indemnification

HajjUmrah Indemnifies Customer for:

  • Fines imposed by Supervisory Authority due to HajjUmrah's breach
  • Third-party claims resulting from HajjUmrah's breach
  • Costs of responding to Data Subject claims (if caused by HajjUmrah)

Customer Indemnifies HajjUmrah for:

  • Processing Personal Data per Customer's unlawful instructions
  • Customer's breach of Data Protection Laws
  • Claims arising from Customer's use of Services

13. Term and Termination

13.1 Term

This DPA shall commence on the Effective Date and continue for the duration of the Services Agreement.

13.2 Termination

This DPA may be terminated:

By Customer:

  • If HajjUmrah materially breaches and fails to cure within 30 days
  • Upon termination of the Services Agreement
  • If Customer objects to new Sub-Processor

By HajjUmrah:

  • Upon termination of the Services Agreement
  • If Customer provides unlawful instructions

Automatic Termination:

  • Upon expiry of the Services Agreement
  • If Services no longer involve Processing Personal Data

14. General Provisions

14.9 Notices

All notices must be in writing to:

To HajjUmrah:

Data Protection Officer

HajjUmrah Platform

Email: dpo@hajjumrah.com

Delivery Methods:

  • Email (with read receipt)
  • Certified mail
  • Hand delivery

Regulatory Compliance:

This DPA complies with GDPR (EU), UK GDPR, Data Protection Act 2018 (UK), CCPA (California), and other applicable data protection regulations.

Questions About This DPA?

For questions or to request a signed copy of this Data Processing Agreement, please contact our Data Protection Officer.
