By creating an account and using Codata services, you agree to these Terms & Conditions.
In these Terms & Conditions:
"Codata" refers to the Codata platform and services provided.
"Controller" means the natural or legal person who determines the purposes and means of processing personal data.
"Processor" means the natural or legal person who processes personal data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Data Subject" means an identified or identifiable natural person whose personal data is processed.
"Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
"Sub-Processor" means any Processor engaged by Codata to process personal data on behalf of the client.
"Written Instructions" means documented instructions provided by the client to Codata regarding the processing of personal data.
"You" or "Client" refers to the individual or organization using Codata services.
Codata provides a secure data processing platform that enables organizations to analyze sensitive data using Privacy Enhancing Technologies (PETs). Our services include:
In-memory data processing and analysis
Data anonymization and encryption tools
Statistical analysis and visualization
API access for automated data processing
User account management and authentication
When you upload datasets containing personal data to Codata for processing:
You act as the Controller and Codata acts as the Processor.
Codata will process personal data only on your documented written instructions.
Codata will not process your personal data for any purposes other than those specified in your written instructions, unless required to do so by applicable laws in the Kingdom of Saudi Arabia.
This relationship applies to client datasets uploaded for analysis. For your user account data (name, email, username), Codata acts as Controller as described in Section 12.
Before submitting any personal data to the Codata platform for processing, you must identify and establish the appropriate lawful basis for processing such data in accordance with Articles 5 and 6 of the Personal Data Protection Law (PDPL).
You are solely responsible for ensuring that you have a valid lawful basis for processing personal data before uploading it to Codata. You must:
Identify the appropriate lawful basis under PDPL Articles 5 and 6 for processing the personal data
Ensure the lawful basis is established and documented before submitting data to Codata
Include the lawful basis in your written instructions to Codata
Maintain records demonstrating compliance with the lawful basis requirements
The lawful bases for processing personal data under PDPL Articles 5 and 6 include, but are not limited to:
Consent: The data subject has given explicit, informed, and freely given consent for the specific processing purpose
Contractual Necessity: Processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the data subject's request prior to entering into a contract
Legal Obligation: Processing is necessary for compliance with a legal obligation to which you (the Controller) are subject under the laws of the Kingdom of Saudi Arabia
Vital Interests: Processing is necessary to protect the vital interests of the data subject or another natural person
Public Interest: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority
Legitimate Interests: Processing is necessary for the purposes of your legitimate interests or those of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject
Codata does not require that consent be the lawful basis for all processing. You may rely on any lawful basis recognized under PDPL Articles 5 and 6, provided it is appropriate for your specific processing activities and properly documented.
⚠️ By submitting personal data to Codata, you warrant that you have identified and established the appropriate lawful basis for processing such data, and that you will provide Codata with information about the lawful basis in your written instructions.
Before using Codata's data processing services for client datasets, you must provide written instructions to Codata.
You may provide written instructions via:
Email to: instructions@codata.sa
Online instruction form available in your dashboard
Documented agreement or data processing addendum
Your written instructions must specify:
The purpose(s) of processing to be carried out by Codata
The categories of personal data that Codata will process
The duration of the processing, including any retention periods
Any specific security measures or processing restrictions
These written instructions form an integral part of this agreement between you and Codata.
Codata will process personal data only in accordance with your written instructions.
Codata will notify you in writing, without undue delay, if Codata is unable to comply with your instructions.
Codata will notify you in writing, without undue delay, if Codata is unable to comply with any applicable laws in the Kingdom of Saudi Arabia.
Codata will notify you in writing, without undue delay, if your instructions, in Codata's opinion, violate applicable laws in the Kingdom of Saudi Arabia or any other applicable data protection regulations.
In the event of a Personal Data Breach affecting personal data processed on your behalf:
Codata will notify you without undue delay after becoming aware of the breach.
Notification will be provided within 72 hours of discovery, where feasible.
Codata will provide sufficient information to enable you to meet your obligations under applicable data protection laws, including:
- Description of the nature of the breach
- Categories and approximate number of data subjects affected
- Categories and approximate number of personal data records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
Breach notifications will be sent to the email address associated with your account and to any additional contact provided in your written instructions.
Codata operates exclusively within the Kingdom of Saudi Arabia.
Codata is not subject to regulations outside the Kingdom of Saudi Arabia.
All data processing is performed within the Kingdom of Saudi Arabia.
Codata does not transfer personal data outside of KSA without appropriate safeguards and your explicit consent.
If Codata engages sub-processors subject to foreign regulations, you will be notified as part of the sub-processor disclosure process.
Codata will not require your prior consent for mandatory disclosures of personal data required under applicable laws in the Kingdom of Saudi Arabia.
Codata will notify you of such mandatory disclosures, unless prohibited by law from doing so.
Notification will be provided as soon as legally permissible to enable you to seek legal remedies or take other appropriate action.
Codata currently does not use sub-processors. All data processing is performed directly by Codata within the Kingdom of Saudi Arabia using our own infrastructure and systems.
If Codata determines it is necessary to engage sub-processors in the future:
Codata will notify you in advance of any proposed sub-processor appointment or replacement.
You will have 30 days from the date of notification to object to the proposed sub-processor.
If you object within the objection period, Codata will either not appoint the sub-processor or work with you to find an alternative solution.
Codata will ensure that any sub-processor provides sufficient guarantees to comply with applicable data protection laws.
Codata will ensure that contracts with sub-processors do not reduce the level of protection provided to your personal data.
Codata remains fully liable to you for the performance of any sub-processor's obligations.
Before engaging any sub-processor, Codata will ensure that the sub-processor is bound by data protection obligations equivalent to those in these Terms & Conditions.
You have the right to periodically assess Codata's compliance with applicable data protection laws and these Terms & Conditions.
Requesting compliance reports and certifications from Codata
Conducting on-site or remote audits with reasonable advance notice (minimum 14 days)
Engaging independent third-party assessors to conduct compliance assessments
Reviewing Codata's oversight of any sub-processors
Codata will cooperate with reasonable audit requests and provide necessary documentation and access, subject to:
Reasonable advance notice
Audits conducted during normal business hours
Confidentiality obligations for any proprietary information disclosed
Minimal disruption to Codata's operations
Audits may be conducted no more than once per year, unless required by a regulatory authority or in response to a suspected breach.
If Codata processes personal data in violation of your written instructions or this agreement, Codata may be considered a Controller for that specific processing activity.
In such cases, Codata will be held directly accountable for any violations of applicable data protection laws.
This does not limit your rights to seek remedies for any damages resulting from unauthorized processing.
Codata will immediately notify you if it becomes aware of any processing that violates your instructions or this agreement.
For your user account data (name, username, email address, password), Codata acts as a Controller.
Codata processes your user account data for the following purposes:
Fulfillment of these Terms & Conditions
Delivery of Codata services
Account management and authentication
Communication regarding your account and services
Compliance with legal obligations
Legal Basis: The legal basis for processing your user account data is the performance of this agreement between you and Codata.
Your Rights: Your rights regarding your user account data are described in our Privacy Policy.
Codata implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Codata will maintain these security measures throughout the term of this agreement and will notify you of any material changes to security practices.
Uploaded data files are processed in-memory only and are never stored on Codata servers.
Data is securely deleted immediately upon completion of processing.
Only anonymized, aggregated analysis results are retained as specified in your written instructions.
You may delete analysis results at any time through your dashboard.
Account data is retained while your account is active.
Upon account deletion, your data is securely deleted within 90 days.
Some data may be retained longer if required by applicable laws for legitimate legal purposes (e.g., dispute resolution, fraud prevention).
You are fully responsible for the accuracy and integrity of any data you upload to Codata.
You must ensure you have the legal right to process and share any personal data uploaded to Codata.
You must provide clear and lawful written instructions for the processing of personal data.
You must comply with all applicable laws and regulations when using Codata services.
You are prohibited from using the platform for any unlawful activities or activities that violate the rights of others.
You must maintain the confidentiality of your account credentials and are responsible for all activities under your account.
All technical and design elements of the Codata platform are protected by intellectual property rights.
You may not use, copy, modify, or redistribute any part of the Codata platform without written permission from Codata.
You retain all intellectual property rights to your data and analysis results.
By using Codata, you grant Codata a limited license to process your data solely for the purpose of providing services to you.
Codata's liability for any damages arising from these Terms & Conditions or the use of services is limited to the fees paid by you in the 12 months preceding the claim.
Codata is not liable for indirect, incidental, special, or consequential damages.
This limitation does not apply to liability for gross negligence, willful misconduct, or violations of data protection laws.
Codata is not liable for any loss or corruption of data resulting from your failure to maintain adequate backups.
You may terminate your account at any time through your dashboard settings.
Codata may terminate your account if you violate these Terms & Conditions, with reasonable notice where feasible.
Upon termination, Codata will delete or return all personal data processed on your behalf, as per your written instructions.
If no instructions are provided, Codata will securely delete all data within 90 days of termination.
Sections of these Terms that by their nature should survive termination will remain in effect, including intellectual property, liability, and governing law provisions.
These Terms & Conditions are governed by the laws of the Kingdom of Saudi Arabia.
Any disputes arising from these Terms & Conditions will be subject to the exclusive jurisdiction of the courts of the Kingdom of Saudi Arabia.
Codata complies with applicable data protection regulations in the Kingdom of Saudi Arabia.
Codata may update these Terms & Conditions from time to time.
You will be notified of material changes via email or through a notice on the platform.
Continued use of Codata services after notification constitutes acceptance of the updated Terms & Conditions.
If you do not agree to the updated Terms, you must discontinue use of Codata services.
For questions about these Terms & Conditions, data processing instructions, or to exercise your rights:
General inquiries: Hello@codata.sa
Data processing instructions: instructions@codata.sa
Data Protection Officer: privacy@codata.sa
Breach notifications: security@codata.sa
We aim to respond to all inquiries within 5 business days.