Last updated: June 10, 2026

Data Protection Policy

This policy describes how Sada HQ processes and protects data across workspaces, integrations, and infrastructure. It complements the Privacy Policy with operational detail for business customers.

Summary

You control business data in your workspace. Sada acts as a service provider processing data on your instructions. Security controls include encryption, access restrictions, and audit logging.

Overview

Sada HQ serves multi-location businesses primarily in Oman and the GCC. We process account data, Google Business Profile data, survey responses, and campaign records to deliver the subscribed features.

Processing roles

Your organization

You decide which branches to connect, which team members receive access, and what content is published to Google or customers.

Sada HQ

We provide the platform, run sync jobs, store data securely, and process information necessary to operate features you enable. For end-customer survey or WhatsApp data you collect, you are responsible for lawful collection and consent.

Data categories

  • Identity & access: workspace admins, employee accounts, roles, OTP logs.
  • Business operations: branch listings, reviews, Maps metrics, reports.
  • Customer records: survey answers, phone numbers, marketing consent.
  • Integration secrets: encrypted OAuth tokens for Google and Meta.
  • Technical: server logs, error traces, backup snapshots.

Processing purposes

  • Deliver contracted platform features and support.
  • Maintain security, prevent fraud, and enforce acceptable use.
  • Improve reliability and fix defects (using aggregated or pseudonymized telemetry where possible).
  • Comply with legal requests and enforce our Terms.

International processing

Sada may use cloud infrastructure in regions required to operate the service. When data leaves your country, we apply contractual and technical safeguards appropriate to the provider. Contact [email protected] for questions about data location.

Subprocessors

We use third-party providers for hosting, email delivery, and monitoring. They process data only to perform services for Sada and are bound by confidentiality obligations. We do not authorize subprocessors to use your data for their own marketing.

Security measures

  • Encryption in transit (TLS) for all application traffic.
  • Field-level encryption for OAuth tokens and other sensitive credentials at rest.
  • Role-based access inside Sada; production access limited to authorized staff.
  • HttpOnly cookies for refresh tokens; short-lived access tokens for API sessions.
  • Regular dependency updates and monitoring for anomalous API usage.

Incident response

If we become aware of a security incident affecting your workspace data, we will investigate promptly, mitigate harm, and notify affected workspace owners when required by applicable law or when notification is necessary to protect your organization.

Your requests

Workspace owners and authorized contacts may request:

  • Access to account and integration metadata we hold.
  • Correction of inaccurate workspace contact details.
  • Deletion of a workspace after export of data you need.
  • Restriction of processing where technically feasible (e.g. disconnect Google).

Response time

We aim to acknowledge requests within 5 business days and complete verified requests within 30 days, subject to complexity and legal holds.

Regulatory frameworks

We do not automatically apply EU GDPR or UK GDPR to all customers. If specific regulations apply to your organization, describe your requirements when contacting us.

Contact

Data protection inquiries: [email protected]

Questions? [email protected]