Data Processing Addendum

Effective date: March 2026

Last updated: March 6, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between IntellX LLC ("IntellX" or "PanelX") and the subscribing entity ("Client"). This DPA sets out the terms governing the processing of personal data in connection with PanelX's analytics services, in compliance with the Saudi Personal Data Protection Law (PDPL), Royal Decree M/19 (2021), as amended by Royal Decree M/148 (2023), and the PDPL Implementing Regulations (2024).

Definitions

"Data Controller" means the entity that determines the purposes and means of processing personal data. Under this DPA, IntellX is the Data Controller.

"Data Processor" means an entity that processes personal data on behalf of and under the instructions of the Data Controller.

"Data Subject" means an identified or identifiable natural person whose personal data is processed. In the context of PanelX, Data Subjects are panelists participating in the consumer panel.

"Personal Data" means any data relating to a Data Subject that identifies them or makes them identifiable, directly or indirectly.

"Sensitive Data" means personal data revealing ethnic origin, health data, biometric data, or other categories specified in PDPL Article 14.

"SCCs" means Standard Contractual Clauses approved or recognized by SDAIA for cross-border personal data transfers.

"SDAIA" means the Saudi Data and Artificial Intelligence Authority, the regulatory authority responsible for PDPL enforcement.

"Aggregated Data" means market data that has been processed such that no individual Data Subject can be identified, directly or indirectly. Aggregated Data falls outside the scope of the PDPL.

1. Scope and Roles

1.1 Controller Designation

IntellX is the Data Controller under the PDPL. IntellX determines the purposes and means of processing panelist personal data for the purpose of generating aggregated market analytics.

1.2 Client Role

Client is not a joint controller, a data processor, or a sub-processor. Client does not determine the purpose or means of panelist data processing and does not process personal data of panelists at any point. Client is classified as a data recipient of aggregated analytical outputs only. Client receives exclusively aggregated, anonymized data through the PanelX platform: penetration percentages, brand shares, buy rates, and related market statistics. No individual panelist data, no pseudonymized data, and no data from which an individual could be identified, directly or indirectly, is ever disclosed to Client.

1.3 Implications

Because Client is a data recipient and not a joint controller, Client does not inherit PDPL obligations toward panelists. IntellX bears sole responsibility for: obtaining panelist consent (PDPL Article 10), responding to data subject access requests (PDPL Articles 4, 5, 6), breach notification to SDAIA and affected individuals (PDPL Article 24), and maintaining processing activity records (PDPL Implementing Regulations Article 18).

2. Data Categories and Processing Description

2.1 Personal Data Processed

Panelist demographics: nationality, region, socioeconomic class (SEC), household size, income.
Purchase behavior: brands purchased, product volumes, spend amounts, purchase channels, purchase dates, retailer names.
Device data: IP address, user agent.
Location data: city-level location derived from GPS coordinates at the time of purchase capture.

2.2 Sensitive Data Processed

Nationality is processed as a proxy for ethnic origin under PDPL Article 14. Explicit panelist consent with purpose explanation is obtained separately for this category. Purpose: statistical weighting to ensure panel representativeness across KSA population demographics.

2.3 Processing Purpose

IntellX processes panelist personal data for: statistical weighting via iterative proportional fitting (IPF), market analysis and KPI calculation, correction factor calibration, and generation of aggregated market insights.

2.4 Output Delivered to Client

Client receives only aggregated market data: penetration percentages, brand shares, buy rates, purchase frequencies, volume trends, and demographic breakdowns. No individual-level data is delivered to Client. Minimum aggregation threshold: data is reported only when the sample contains 30 or more weighted households per data cell. This is the industry standard minimum cell size for statistical reliability in consumer panel research.

3. Sub-Processor Management

3.1 Current Sub-Processors

Sub-Processor	Location	Processing Purpose	Data Categories
AWS (Amazon Web Services)	Bahrain (me-south-1)	Database infrastructure. Processes data on IntellX instructions. Does not determine purpose.	All panelist personal data (encrypted at rest, AES-256)
Vercel	Mumbai, India (bom1)	Application hosting. Server-side rendering processes request data transiently.	Panelist API request payloads (phone for OTP, capture data with GPS). Transient processing, no persistence.
Anthropic	United States	AI-assisted receipt parsing and product identification via Claude API.	Receipt and product images. Transient processing, no storage per API terms for business accounts.
Clerk	United States	Dashboard user authentication.	Dashboard user email, name, session tokens. Does not process panelist data.
Voyage AI	United States	Product embedding generation for product identification.	Product descriptions only. No personally identifiable information.
Resend	United States	Transactional email delivery.	Dashboard user email addresses only. No panelist data.
Sentry	United States	Error monitoring and performance tracking.	Error logs, stack traces (may contain user identifiers in error context). No panelist personal data.

3.2 Sub-Processor Changes

IntellX shall notify Client at least thirty (30) days before engaging any new sub-processor or replacing an existing sub-processor. Notification shall include the identity of the new sub-processor, its location, and the processing activities it will perform.

3.3 Client Objection Right

Client has the right to object to a new sub-processor within fifteen (15) days of receiving notification. If the objection is not resolved to Client's reasonable satisfaction within thirty (30) days, Client may terminate the subscription agreement without penalty.

3.4 Sub-Processor Liability

IntellX remains fully liable for the acts and omissions of its sub-processors with respect to data protection obligations. IntellX shall ensure that each sub-processor is bound by data processing terms no less protective than those set forth in this DPA.

4. Cross-Border Transfer Safeguards

4.1 Transfer Destinations

Personal data is processed in the following countries:

Destination	Processor	Legal Basis (PDPL Art. 29)	Safeguard
Bahrain	AWS (RDS)	Contractual necessity (Art. 29(1)(c)) + explicit consent	DPA with SCCs. Conservative treatment as cross-border transfer.
India	Vercel	Contractual necessity (Art. 29(1)(c)) + explicit consent	DPA with SCCs. Transient processing only. Data minimization enforced.
United States	Anthropic	Explicit consent for AI processing + contractual necessity (Art. 29(1)(c))	DPA with Anthropic. No data storage per API terms for business accounts.
United States	Clerk	Contractual necessity	DPA. Dashboard user data only, not panelist data.
United States	Voyage AI	Contractual necessity	DPA. Product descriptions only, no PII.
United States	Resend	Contractual necessity	DPA with SCCs. Dashboard user emails only, no panelist data.
United States	Sentry	Contractual necessity	DPA with SCCs. Error logs only, no panelist personal data.

4.2 SCC Availability

SDAIA-compliant Standard Contractual Clauses (SCCs) are executed with each sub-processor that processes personal data outside the Kingdom of Saudi Arabia. Until SDAIA publishes its official model SCCs, IntellX uses contractual clauses modeled on internationally recognized standards and modified for Saudi law compliance, consistent with the SDAIA Risk Assessment Guideline (February 2025). Explicit panelist consent has been obtained for each transfer destination. Client may request copies of executed SCCs upon written request to privacy@panelx.ai.

4.3 Adequacy Updates

When SDAIA publishes its adequate countries list, IntellX will update this clause to reflect any applicable adequacy determinations. Bahrain, as a GCC member with its own Personal Data Protection Law (Law No. 30 of 2018), is a strong candidate for adequacy recognition.

5. Security Requirements

5.1 Technical Measures

Encryption at rest: AES-256 encryption on all database storage (AWS RDS).
Encryption in transit: TLS 1.2 or higher for all data transmissions between client applications, API endpoints, and database infrastructure.
Access controls: Role-based access control (RBAC) with principle of least privilege. Segregation of duties between application access, database access, and infrastructure access.

5.2 Authentication

Panelist authentication: JWT tokens (HS256 algorithm, 7-day expiry) issued after OTP verification.
Dashboard user authentication: Clerk identity provider with email/password and SSO support.
Infrastructure authentication: AWS IAM policies with least-privilege access to RDS and S3 resources.

5.3 Vulnerability Management

IntellX maintains a vulnerability management program that includes: regular dependency updates, monitoring of security advisories for all third-party libraries, and application of Vercel platform security patches.

5.4 Security Assessment

IntellX commits to providing a security self-assessment questionnaire upon Client request. IntellX further commits to obtaining SOC 2 Type I certification within 24 months of first commercial client onboarding. Until SOC 2 certification is obtained, IntellX will provide a right-to-audit clause (see Clause 7) as an alternative assurance mechanism.

5.5 Data Protection Impact Assessment

IntellX has conducted a Data Protection Impact Assessment (DPIA) as required by PDPL Implementing Regulations Article 22 for high-risk processing activities. The DPIA covers the collection and processing of demographic and purchase data from panelists, including the processing of nationality as a proxy for ethnic origin (sensitive data under PDPL Article 14), cross-border transfers to multiple jurisdictions, and AI-assisted receipt and product image processing. A summary of the DPIA findings and mitigation measures is available upon written request.

6. Breach Notification

6.1 Client Notification

IntellX shall notify Client within forty-eight (48) hours of becoming aware of any personal data breach that affects or may reasonably be expected to affect data processed in connection with the analytics services provided to Client.

6.2 Notification Content

The breach notification to Client shall include:

A description of the nature of the breach.
The categories of personal data affected.
The approximate number of data records affected.
A description of the measures taken or proposed to address the breach.
A description of the measures taken or proposed to mitigate potential adverse effects.

6.3 Regulatory Notification

IntellX shall notify SDAIA within seventy-two (72) hours of becoming aware of any breach that poses a risk to the rights and freedoms of data subjects, as required by PDPL Article 24. IntellX shall notify affected data subjects "without undue delay" as required by PDPL Article 24.

6.4 Coordination

The 48-hour Client notification precedes the 72-hour SDAIA notification to allow Client to prepare its own regulatory response and communications. IntellX will cooperate with Client in responding to any regulatory inquiry arising from the breach.

7. Audit Rights

7.1 Annual Audit

Client may audit IntellX's data protection practices once per calendar year, subject to thirty (30) days' prior written notice.

7.2 Scope

Audits are limited to data protection and information security controls relevant to Client's data. Audit scope specifically excludes: proprietary algorithms and methodologies, weighting models, correction factor specifications, business operations unrelated to data protection, and other clients' data.

7.3 Cooperation

IntellX will cooperate with audits by providing access to:

Relevant documentation (privacy policies, security policies, incident response procedures).
Systems descriptions and data flow diagrams.
Records of processing activities (PDPL Implementing Regulations Article 18).
Sub-processor agreements and SCCs (upon execution of a mutual NDA).
Knowledgeable personnel for interviews and clarifications.

7.4 Costs

Each party bears its own costs in connection with audits. If Client requests an audit more frequently than once per calendar year, Client shall bear IntellX's reasonable costs for the additional audit.

8. Data Retention and Deletion

8.1 Analytical Outputs

Anonymized analytical outputs delivered to Client during the subscription term may be retained by Client indefinitely. These outputs are Aggregated Data (as defined above) and fall outside the scope of the PDPL.

8.2 Panelist Data

IntellX retains panelist personally identifiable information in accordance with the retention schedule set forth in the Privacy Policy:

PII (phone, name, GPS, IP): hard deleted within 30 days of consent withdrawal.
Demographics (nationality, region, SEC, household size): anonymized to statistical buckets within 30 days of consent withdrawal.
Purchase history: anonymized (household ID replaced with one-way random token) and retained indefinitely for statistical panel integrity.
Consent records: retained for 5 years after withdrawal per PDPL Implementing Regulations Article 18.

8.3 Contract Termination

Upon termination of the subscription agreement, IntellX will:

Deliver all outstanding analytical outputs owed under the subscription term.
Confirm in writing that no Client-specific analytical outputs remain beyond anonymized panel data.
Client-specific configuration data (category selections, custom segment definitions, saved views) will be available for export for thirty (30) days following termination.

9. Indemnification

9.1 IntellX Indemnification

IntellX shall indemnify, defend, and hold harmless Client and its officers, directors, employees, and agents from and against any third-party claims, losses, damages, liabilities, costs, and expenses (including reasonable legal fees) arising from IntellX's breach of its data protection obligations under this DPA, the PDPL, or any other applicable Saudi data protection legislation.

9.2 Liability Cap

IntellX's indemnification obligations under this Clause 9 are subject to the liability limitations set forth in the Terms of Service, Section 8. Specifically:

General liability cap: the lesser of twelve (12) months' fees paid or SAR 500,000.
Data protection super cap: twenty-four (24) months' fees paid.
Exclusions: fraud, willful misconduct, and gross negligence are excluded from the cap.

9.3 Conditions

IntellX's indemnification obligations are conditioned on Client: (a) promptly notifying IntellX in writing of any claim; (b) granting IntellX sole control of the defense and settlement; and (c) providing reasonable assistance at IntellX's expense.

10. Compliance with Applicable Laws

10.1 PDPL Compliance

IntellX warrants that it processes personal data in compliance with the Saudi Personal Data Protection Law (PDPL), Royal Decree M/19 (2021), as amended by Royal Decree M/148 (2023), the PDPL Implementing Regulations (2024), and all applicable Saudi data protection laws and regulations, including the Regulation on Personal Data Transfer Outside the Kingdom (August 2024).

10.2 Industry Standards

IntellX warrants that its consumer panel research operations comply with the ICC/ESOMAR International Code on Market, Opinion, and Social Research and Data Analytics. This includes, but is not limited to: informed consent, transparency in data collection, separation of research data from marketing communications, and protection of respondent anonymity.

10.3 Regulatory Updates

IntellX shall monitor changes to the PDPL and related regulations and shall update its data protection practices, this DPA, and the Privacy Policy as necessary to maintain compliance. Material changes to this DPA require thirty (30) days' advance written notice to Client.

10.4 Annual Review

This DPA shall be reviewed annually to ensure continued compliance with evolving PDPL regulations and SDAIA guidance. The review will assess any new SDAIA implementing regulations, adequacy decisions, transfer mechanism updates, and sub-processor changes. Clients will be notified of any material revisions resulting from the annual review at least thirty (30) days before revisions take effect.

Execution

This DPA is effective upon execution of the subscription agreement between IntellX and Client. By signing the subscription agreement (Order Form), Client accepts the terms of this DPA. No separate signature is required.

For a downloadable version of this DPA or to request execution via separate instrument, contact:

IntellX LLC

Email: privacy@panelx.ai

Regulatory and Industry References

Saudi Personal Data Protection Law (PDPL), Royal Decree M/19 (2021), amended by Royal Decree M/148 (2023).
PDPL Implementing Regulations (2024).
Regulation on Personal Data Transfer Outside the Kingdom (August 2024).
Risk Assessment Guideline (February 2025).
ICC/ESOMAR International Code on Market, Opinion, and Social Research and Data Analytics.

This Data Processing Addendum is published in English. An Arabic translation will be made available. In the event of conflict between the Arabic and English versions, the Arabic version shall prevail.