Legal
Data Processing Agreement
Last updated: January 2026
Overview
Harch Corp S.A. recognizes that data protection is fundamental to our relationships with clients, partners, and stakeholders. Our Data Processing Agreement (DPA) establishes the terms and conditions under which we process personal data on behalf of our clients, ensuring compliance with the General Data Protection Regulation (GDPR), the Kingdom of Morocco's Law No. 09-08 on the Protection of Personal Data, and other applicable data protection laws. This page outlines the key provisions of our DPA and provides access to our DPA template for review and execution.
Key Provisions
Our DPA incorporates the following key provisions, each designed to ensure robust data protection and compliance with international standards:
1. Processing Scope
The DPA clearly defines the subject matter, duration, nature, and purpose of the processing, the types of personal data processed, and the categories of data subjects. All processing activities are documented in an annex that is reviewed and updated quarterly to reflect any changes in our data processing operations.
2. Subprocessor Management
We maintain an up-to-date list of authorized sub-processors and notify clients of any changes to sub-processors at least 30 days in advance. Clients have the right to object to the appointment of a new sub-processor. All sub-processors are bound by contractual obligations providing at least the same level of data protection as contained in the DPA. We conduct due diligence assessments on all sub-processors before engagement and review their compliance annually.
3. Data Security
We implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption at rest and in transit (AES-256 and TLS 1.3), access controls and authentication mechanisms (multi-factor authentication, role-based access control), regular security testing and vulnerability assessments (annual penetration tests, quarterly vulnerability scans), employee training and confidentiality obligations, and physical security measures at our data centers and offices. Security measures are documented in our Technical and Organizational Measures (TOMs) annex.
4. Audit Rights
Clients have the right to audit our compliance with the DPA, subject to reasonable notice of at least 30 business days. Audits may be conducted by the client or by a qualified independent third-party auditor at the client's expense. We cooperate fully with audits and provide reasonable access to relevant facilities, systems, and records. We also make available current third-party audit reports, including SOC 2 Type II and ISO 27001 certificates, to reduce the need for on-site audits.
5. Breach Notification
We notify clients without undue delay and no later than 72 hours after becoming aware of a personal data breach. Notifications include the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its effects. We also provide reasonable assistance to clients in meeting their obligation to notify supervisory authorities and affected data subjects under applicable law.
6. Data Return and Deletion
Upon termination of the DPA or at the client's request, we return or securely delete all personal data processed under the DPA within 90 days, unless retention is required by applicable law. We provide written certification of deletion upon request. For data that must be retained for legal compliance, we continue to protect such data in accordance with the DPA and applicable law and process it only for the purpose of compliance.
Download DPA Template
Our standard DPA template is available for review and download. This template incorporates all mandatory provisions required by the GDPR, Moroccan data protection law, and best practices for data processing arrangements. If you require modifications to our standard template or have specific regulatory requirements, our legal team will work with you to address them.
Contact Legal TeamContact for DPA Execution
To initiate the DPA execution process, request a modified DPA, or discuss specific data protection requirements for your engagement with Harch Corp S.A., please contact our legal team:
Legal Department — Data Protection
Email: legal@harchcorp.com
Address: Harch Corp S.A., 123 Boulevard Mohammed V, Casablanca 20000, Morocco
Response time: We aim to respond to all DPA inquiries within 5 business days.
Last updated: January 2026 | This DPA is governed by the laws of the Kingdom of Morocco and incorporates GDPR requirements where applicable.