DIFC Data Protection Compliance

1. Our DIFC Registration

Solvagence AI Consulting Limited is incorporated and operates from the Dubai International Financial Centre (DIFC), a Special Economic Zone and internationally recognised financial free zone located in Dubai, United Arab Emirates. As a DIFC-registered entity, we are subject to the independent legal and regulatory framework of the DIFC, including the DIFC Data Protection Law.

The DIFC has been recognised as providing an adequate level of data protection by the European Commission, making it an appropriate base for organisations handling data subject to international data protection standards.

2. DIFC Data Protection Law No. 5 of 2020

The DIFC Data Protection Law No. 5 of 2020 (the "DIFC DP Law"), which came into force on 1 July 2020, is the primary data protection legislation applicable to Solvagence in our capacity as a DIFC-registered entity. The DIFC DP Law is modelled on internationally recognised standards, including principles drawn from the General Data Protection Regulation (GDPR), and is enforced by the Commissioner of Data Protection — the independent supervisory authority within the DIFC.

The DIFC DP Law establishes the following core principles, to which Solvagence is committed:

• Lawfulness, fairness, and transparency — personal data is processed lawfully, fairly, and in a transparent manner in relation to the data subject
• Purpose limitation — personal data is collected for specified, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes
• Data minimisation — personal data processed is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed
• Accuracy — personal data is kept accurate and, where necessary, up to date
• Storage limitation — personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed
• Integrity and confidentiality — personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage
• Accountability — Solvagence, as Data Controller, is responsible for and able to demonstrate compliance with these principles

3. Data Controller Status

Solvagence AI Consulting Limited acts as a Data Controller in respect of personal data collected through our website (agency.solvagence.com) and in the course of our client-facing and business development activities. This means we determine the purposes and means by which personal data is processed.

Where we engage sub-processors or service providers who process personal data on our behalf — such as cloud infrastructure providers or communication platforms — we ensure that appropriate Data Processing Agreements are in place, in accordance with Article 26 of the DIFC DP Law, and that those processors provide sufficient guarantees of technical and organisational data protection measures.

In our client engagement work, where we may access or process client-held data as part of delivering services, we act as a Data Processor in relation to that data, and processing is governed by the applicable client contract and data processing addendum.

4. Lawful Bases We Rely On

Under Article 9 of the DIFC DP Law, personal data may only be processed where a lawful basis applies. Solvagence relies on the following lawful bases:

• Consent (Article 9(1)(a)) — for enquiry form submissions and direct marketing communications, where you have freely and unambiguously provided consent. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.
• Performance of a contract (Article 9(1)(b)) — where processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract.
• Legal obligation (Article 9(1)(c)) — where processing is required to comply with applicable DIFC or UAE law.
• Legitimate interests (Article 9(1)(f)) — for business development, account management, and security activities where our legitimate interests are not overridden by your fundamental rights and freedoms. We conduct a Legitimate Interests Assessment before relying on this basis.

5. Data Subject Rights

The DIFC DP Law confers the following rights on individuals ("data subjects") whose personal data we process. You may exercise these rights by contacting us at leaders@solvagence.com:

• Right of access (Article 24) — to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data and information about how it is processed
• Right to rectification (Article 25) — to have inaccurate or incomplete personal data corrected
• Right to erasure (Article 26) — to request deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purpose for which it was collected
• Right to restriction of processing (Article 27) — to request that we restrict the processing of your personal data in certain circumstances
• Right to data portability (Article 28) — to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller
• Right to object (Article 29) — to object to processing based on legitimate interests or for direct marketing purposes
• Rights related to automated decision-making (Article 30) — not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, without human review

We will respond to requests within 30 calendar days. Where the complexity or number of requests requires additional time, we may extend this period by up to 60 days, and will notify you of the extension and the reason for it.

6. Cross-Border Data Transfers

Under Chapter V of the DIFC DP Law, personal data may only be transferred to a jurisdiction outside the DIFC where adequate protection is assured. Our operational footprint — UAE (DIFC HQ), India (Bengaluru), and USA (New Jersey) — means personal data may be processed in these jurisdictions by our personnel and authorised sub-processors.

We ensure compliance with the cross-border transfer requirements through the following mechanisms:

• The USA: transfers are subject to appropriate contractual safeguards in the absence of an adequacy decision
• India: transfers are subject to appropriate internal data handling policies and contractual obligations
• Third-party cloud providers (Azure, AWS, GCP): governed by Data Processing Agreements incorporating Standard Contractual Clauses or equivalent approved transfer mechanisms

We do not transfer personal data to any jurisdiction that does not provide an adequate level of protection without appropriate safeguards in place.

7. Data Breach Notification Protocol

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:

• Notify the DIFC Commissioner of Data Protection without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 36 of the DIFC DP Law
• Where the breach is likely to result in a high risk to affected individuals, notify those individuals directly, providing the nature of the breach, likely consequences, and measures taken or proposed
• Maintain an internal record of all data breaches, regardless of whether notification is required, including facts relating to the breach, its effects, and the remedial action taken

We have internal incident response procedures in place and conduct regular security reviews as part of our ISO 9001:2015 certified Quality Management System and our in-progress ISO 27001 Information Security programme.

8. UAE PDPL Alignment

UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "UAE PDPL") applies to entities processing personal data of individuals in the UAE mainland. Whilst Solvagence's primary regulatory framework is the DIFC DP Law, we recognise the complementary applicability of the UAE PDPL in the context of our interactions with UAE-based clients, partners, and contacts outside the DIFC.

Our data processing practices are designed to be consistent with both frameworks. Where the UAE PDPL and the DIFC DP Law impose different standards, we apply the higher standard to ensure comprehensive compliance.

Key UAE PDPL compliance commitments include:

• Establishing a lawful basis for all processing of personal data of UAE residents
• Honouring data subject rights as provided under the UAE PDPL including rights of access, correction, and deletion
• Maintaining records of processing activities involving UAE resident personal data
• Applying appropriate security measures to personal data of UAE residents

9. GDPR Applicability

The General Data Protection Regulation (EU) 2016/679 (GDPR) applies to Solvagence where we offer services to, or monitor the behaviour of, individuals in the European Economic Area (EEA), or where we otherwise fall within the territorial scope of the GDPR.

Where the GDPR applies, Solvagence processes personal data in accordance with GDPR requirements, including the lawfulness, fairness, and transparency principle, data minimisation, purpose limitation, and the full suite of data subject rights as prescribed under the GDPR.

The DIFC has been assessed by the European Commission as providing an adequate level of data protection, which facilitates the transfer of personal data from EEA entities to Solvagence in the DIFC without requiring additional transfer mechanisms. We rely on this adequacy finding where applicable.

10. DIFC Commissioner of Data Protection

The DIFC Commissioner of Data Protection is the independent supervisory authority responsible for overseeing and enforcing the DIFC DP Law. If you wish to make a complaint about our data processing practices, or if you are unsatisfied with our response to a data subject rights request, you may contact the Commissioner directly:

To raise a data protection concern directly with Solvagence, please contact: