Compliance Policy

Version: 1.2 | Last Update: June 15, 2025
This Policy defines SAF Systems LLC’s (“SAF”, “Company”) commitment to compliance with applicable laws and regulations in the UAE and other jurisdictions where SAF operates or processes personal data, including Brazil (LGPD). The Policy applies to employees, contractors, partners, and vendors.

1. Scope and Objectives

  • Ensure SAF’s activities comply with applicable UAE federal laws, free-zone regulations, and foreign legal frameworks.
  • Define unified principles of privacy, security, business ethics, sanctions and anti-bribery compliance.
  • Clarify roles, processes, control procedures, and reporting channels.
Coverage
All employees, temporary workers, contractors, affiliates and vendors.
Territory
UAE (federal), free zones (DIFC, ADGM), and other jurisdictions of operation, including Brazil.

2. Applicable Laws and Regulations

  • UAE (Federal): Personal Data Protection Law (PDPL), Cybersecurity/ICT regulations, AML/CFT, Anti-Corruption and Fraud provisions.
  • DIFC / ADGM: DIFC DP Law 2020, ADGM DPR 2021, overseen by their data protection regulators.
  • Brazil: LGPD (Lei Geral de Proteção de Dados), anti-corruption and sanctions regimes.
  • Other regions: Local norms apply when services are provided or data processed abroad.
Disclaimer: This list is indicative and updated regularly. Where conflict arises, SAF applies (a) the stricter standard, or (b) the specific regime of the jurisdiction/free zone.

3. Governance and Roles

Board / Management
Approves the Policy, sets the “tone at the top”, allocates resources.
Compliance Officer
Develops procedures, advises business, monitors and reports.
DPO (if required)
Keeps data processing records, performs DPIAs, interacts with regulators/data subjects.
CISO / Security
Responsible for ISMS, risk and incident management, technical compliance.
Business Units
Implement controls, undergo training, ensure adherence.

4. Privacy and Data Protection

4.1 Principles

  • Lawfulness, fairness, transparency
  • Purpose limitation, data minimization
  • Accuracy and relevance
  • Storage limitation and accountability
  • Security by design and by default

4.2 Data Subjects’ Rights

  • Access, rectification, erasure/anonymization (subject to law)
  • Restriction, objection, portability (where applicable)
  • Consent withdrawal, right to lodge complaints

4.3 Cross-Border Transfers

Transfers are allowed where adequate regimes, contractual safeguards (e.g. SCCs), or lawful exceptions exist. DIFC/ADGM and Brazil apply their own adequacy lists and contractual requirements.

4.4 Data Breaches

  • Incident detection, containment, remediation
  • Risk assessment and notification to regulators within required timeframes
  • Communication to affected data subjects if high risk

5. Information Security

  • Maintain ISMS based on ISO/IEC 27001/27002
  • Data classification, access control (RBAC/ABAC), encryption, secure development lifecycle
  • Vulnerability management, monitoring/logging, BCP/DRP
  • Regular penetration tests and vendor security assessments

6. Vendor and Processor Management

  • Due diligence on legal, sanctions, security, processing locations, sub-processors
  • Contractual clauses: confidentiality, secure processing, breach notification, audit rights, localization
  • Ongoing reassessment and monitoring

7. Anti-Corruption, Sanctions, AML/CFT

  • Anti-Bribery: zero tolerance for bribes, gifts, facilitation payments, conflicts of interest
  • AML/KYC: risk-based approach, customer/partner due diligence, transaction monitoring (where applicable)
  • Sanctions: screening against UAE, UN, US, EU, Brazilian and other relevant lists

8. Competition, IP and Licensing

  • Respect competition law, no anti-competitive agreements or abuse of dominance
  • Protection of SAF and third-party intellectual property
  • Proper licensing of software, databases and other assets

9. Training, Monitoring and Audit

  • Mandatory onboarding and refresher compliance trainings
  • Ongoing monitoring of compliance controls
  • Independent audits where required

10. Whistleblowing and Reporting

Employees and partners may confidentially report suspected breaches of law, this Policy, or ethical standards. SAF guarantees protection against retaliation.

11. Regional Annexes

  • UAE: Full adherence to Federal PDPL; DIFC/ADGM data protection regulations where applicable
  • Brazil: LGPD principles of lawful basis, rights of data subjects, DPO appointment, and ANPD cooperation
  • Other Regions: SAF commits to local compliance and adaptation of safeguards

12. Amendments and Contacts

This Policy is reviewed at least annually or upon regulatory change. Updates are published on SAF’s website.
