Logo

Privacy Policy

Last Updated: 31 March 2026

This Privacy Policy ("Policy") is entered into by and between Cloud Commit Software Solution SUARL (trading as ASWAR, "Provider", "we", "our"), a Tunisian company with its registered office at Office B25, 2nd Floor Le Montplaisir Building, Rue Omar Kaddeh, Avenue Kheireddine Pacha, 1002 Tunis, Tunisia, and the entity that has entered into a service agreement with ASWAR ("Customer", "you").

This Privacy Policy is incorporated into and forms part of the ASWAR Service Agreement. It reflects the parties' agreement with regard to the processing of Personal Data in connection with the Services.

1. Definitions

  • "Customer Data" means any Personal Data or Personal Information that ASWAR processes on behalf of Customer as a Processor or Service Provider in the course of providing Services.
  • "Personal Data" means any information relating to an identified or identifiable natural person as defined under GDPR, PDPPL, or any identified or identifiable individual as defined under CCPA/CPRA.
  • "Personal Information" means information that identifies, relates to, or could be linked with a California resident as defined under CCPA/CPRA.
  • "Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under this Privacy Policy, including: Regulation (EU) 2016/679 (GDPR), California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), Qatar Personal Data Protection Law No. 13 of 2016 (PDPPL), Tunisian Organic Law n° 2004-63, and all other applicable data protection and privacy laws.
  • "Controller" means the entity which determines the purposes and means of the processing of Personal Data under GDPR or PDPPL.
  • "Business" means the entity providing goods or services to California consumers under CCPA/CPRA.
  • "Processor" means the entity which processes Personal Data on behalf of the Controller under GDPR, PDPPL, or Tunisian law.
  • "Service Provider" means ASWAR acting on behalf of the Business under CCPA/CPRA and processing Personal Information solely for the purposes specified in this Privacy Policy.

2. Scope of Processing

ASWAR shall process Customer Data for the following purposes:

  • Subject Matter: Provision of managed Identity & Access Management (IAM) Services, cloud authentication, compliance monitoring, and access control.
  • Duration: The duration of the Agreement plus the period from the expiry of the Agreement until deletion of all Customer Data by ASWAR in accordance with this Privacy Policy and applicable Data Protection Laws.
  • Nature and Purpose: To provide, maintain, secure, and improve the Services; to provide technical support as requested by Customer; and to comply with legal and regulatory obligations under GDPR Article 6, CCPA 1798.140(w), PDPPL, and Tunisian law.
  • Categories of Data Subjects: Customer's end-users, employees, contractors, authorized representatives, and any other individuals whose data is provided to the Services.
  • Types of Personal Data: Name, email address, username, IP addresses, authentication logs, device identifiers, access patterns, and any other data provided for identity management and authentication purposes.

Customer instructs ASWAR to process Customer Data to provide the Services as described in the Agreement and this Privacy Policy, as required by GDPR Article 28(3), PDPPL requirements, and in compliance with CCPA/CPRA restrictions on service provider processing. ASWAR shall immediately inform Customer if, in its opinion, an instruction infringes Data Protection Laws.

Under CCPA/CPRA, ASWAR certifies it understands the restrictions in 1798.140(w) and shall not use Customer Data for any commercial purpose other than performing the Services or as permitted by law. ASWAR shall not:

  • Retain, use, or disclose Customer Data outside the business purposes specified (CCPA/CPRA)
  • Sell or share Customer Data (CCPA 1798.115)
  • Combine Customer Data with other sources unless permitted by law
  • Process Customer Data outside documented instructions

3. Security Measures

ASWAR shall implement and maintain appropriate technical and organizational measures ("TOMs") as required by GDPR Articles 32-34, PDPPL requirements, and CCPA 1798.150 to protect Customer Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures include:

  • Data Encryption: Encryption of Customer Data at rest using AES-256 and in transit using TLS 1.2 or higher.
  • Access Control: Role-based access control (RBAC), principle of least privilege, and strict identity and access management policies including Multi-Factor Authentication (MFA) for administrative access.
  • Network Security: Use of firewalls, intrusion detection/prevention systems, vulnerability scanning, and penetration testing.
  • Redundancy & Recovery: Encrypted backups, disaster recovery procedures, business continuity planning, and tested recovery mechanisms to ensure availability and access to Customer Data.
  • Employee Confidentiality: All personnel authorized to process Customer Data are subject to strict confidentiality obligations, receive data protection training, and are bound by confidentiality even after termination.
  • Incident Procedures: Documented incident response procedures and escalation protocols as required by GDPR Article 33 and CCPA 1798.150.

Breach Notification Timelines

ASWAR shall notify Customer in the applicable timeframes required by Data Protection Laws after becoming aware of a Personal Data breach affecting Customer Data:

  • GDPR (Article 33): Within 72 hours of becoming aware of a breach (unless unlikely to result in risk)
  • CCPA/CPRA (1798.150): Without unreasonable delay

4. Subprocessors Clause

Customer provides a general authorization for ASWAR to engage Subprocessors as required by GDPR Article 28(2), PDPPL, and permitted under CCPA/CPRA. The list of current Subprocessors is available at https://aswar.io/subprocessors.

ASWAR shall notify Customer of any intended changes concerning the addition or replacement of Subprocessors at least 30 days in advance. Under GDPR Article 28(4), Customer may object to such changes on reasonable grounds related to data protection. If Customer objects, ASWAR will use reasonable efforts to suggest a change in the configuration or use of the Services to avoid processing of Customer Data by the objected-to Subprocessor, or provide an alternative solution.

All Subprocessors must:

  • Be subject to written contracts with equivalent data protection obligations
  • Comply with GDPR Articles 28-32, PDPPL requirements, and CCPA/CPRA restrictions
  • Not further subcontract without prior authorization
  • Be subject to liability for breaches as required by applicable law

5. Data Breach Notification

ASWAR shall notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Customer Data. ASWAR shall provide sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data breach under Data Protection Laws.

Notifications shall include:

  • Description of the breach and scope
  • Categories and approximate number of affected individuals
  • Likely consequences
  • Remedial measures taken
  • Contact information for further inquiries

6. Data Transfer Rules

Customer Data is hosted in the region(s) selected by the Customer. As part of our disaster recovery mechanism, ASWAR may transfer and replicate Customer Data from the selected main region to a designated recovery region to ensure continuous availability and data resilience. Other than this intended replication, ASWAR shall not transfer Customer Data outside of these regions without Customer's prior written consent, except as necessary to provide the Services or as required by law.

GDPR and UK GDPR Transfers: For any transfers of Customer Data from the EEA or UK to countries that do not ensure an adequate level of data protection, ASWAR shall ensure that appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules (BCRs)
  • Adequacy decisions
  • Supplementary measures as required by Schrems II

CCPA/CPRA Transfers: ASWAR shall not transfer Personal Information to third parties or cross-border except as permitted by CCPA 1798.140(w).

PDPPL Transfers: Any transfer to countries outside PDPPL jurisdiction shall be subject to Customer's consent and as required by GDPR Article 17, CCPA 1798.105, PDPPL, and Tunisian law, unless applicable law requires storage of the Personal Data.

7. Data Retention and Deletion

ASWAR shall comply with all retention and deletion requirements as required by GDPR Article 17, CCPA 1798.105, PDPPL, and Tunisian law, unless applicable law requires storage of the Personal Data.

ASWAR shall:

  • Retain Customer Data for 30 days after termination to allow Customer to export their data
  • Permanently and securely delete all Customer Data from primary systems within 30 days of request or agreement termination
  • Delete Customer Data from backups on the next scheduled backup rotation (not exceeding 90 days)

For CCPA/CPRA: Customer Data will be deleted or anonymized to prevent re-identification in accordance with 1798.105 deletion requirements.

8. Data Subject Rights and Consumer Rights

GDPR Data Subject Rights (Articles 15-22):

  • Right of access to personal data
  • Right to rectification (correction)
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making

PDPPL Data Subject Rights:

  • Right of access
  • Right to correction
  • Right to erasure
  • Right to restrict processing

CCPA/CPRA Consumer Rights (Cal. Civ. Code 1798.100 et seq.):

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to correct inaccurate personal information
  • Right to opt-out of the sale/sharing of personal information

ASWAR shall respond to Customer's documented requests within agreed timeframes to enable Customer's compliance with applicable law. ASWAR shall also provide certification of deletion or secure destruction upon request.

9. Audits and Compliance

As required by GDPR Article 28(3)(h), PDPPL audit requirements, and CCPA/CPRA audit and cooperation provisions, ASWAR shall:

  • Provide written attestations of compliance upon request
  • Permit audits and inspections at reasonable times with 30 business days' advance notice
  • Cooperate with Customer audits and regulatory authority inspections
  • Provide SOC 2 Type II or equivalent compliance reports where available
  • Limit audits to no more than once per year unless required by regulation or material incident

Reasonable audit costs shall be borne by Customer, unless material non-compliance is discovered.

10. Contact Information

CCPA/CPRA Consumer Rights Contact:

  • Email: contact@aswar.io
  • Address: Office B25, 2nd Floor Le Montplaisir Building, Rue Omar Kaddeh, Avenue Kheireddine Pacha, 1002 Tunis, Tunisia
  • Response Time: 5 business days for data protection inquiries

Regulatory Contacts:

  • For GDPR inquiries: Supervisory Authority in the relevant EEA member state
  • For CCPA/CPRA inquiries: California Attorney General
  • For PDPPL inquiries: Qatar Personal Data Protection Authority
  • For Tunisian law inquiries: Relevant Tunisian authorities

This Privacy Policy supplements and is incorporated into the ASWAR Service Agreement. In the event of any conflict between this Privacy Policy and the Service Agreement, the provisions most protective of personal data shall apply.