Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between ANUBRIS (PRIVATE) LIMITED("Processor") and the Tenant ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller.

1. Definitions

• Personal Data — any information relating to an identified or identifiable natural person.
• Processing — any operation performed on personal data, including collection, storage, use, modification, transfer, and deletion.
• Controller — the Tenant who determines the purposes and means of processing personal data.
• Processor — ANUBRIS (PRIVATE) LIMITED, which processes personal data on behalf of the Controller.
• Sub-Processor — a third party engaged by the Processor to process personal data.
• Data Subject — an identifiable individual whose personal data is processed.

2. Scope of Processing

The Processor processes personal data solely for the purpose of providing the BedShift platform services, including:

• User account management and authentication
• Resident and booking record management
• Financial transaction processing and invoicing
• Communication delivery (email, push notifications)
• File and document storage

Categories of data subjects include tenant owners, administrators, staff, and residents. Types of personal data processed include names, email addresses, phone numbers, CNIC numbers, payment information, and uploaded documents.

3. Sub-Processors

The Processor engages the following sub-processors:

The Processor will notify the Controller at least 14 days before engaging a new sub-processor. The Controller may object in writing within that period.

4. Security Measures

The Processor implements the following technical and organizational measures:

• Encryption at rest — all database volumes and stored files are encrypted.
• Encryption in transit — all communications use TLS 1.2 or higher.
• Password hashing — user passwords are hashed using bcrypt with 12 salt rounds.
• Access controls — role-based access with six tiers (superAdmin, owner, admin, staff, resident, user).
• Audit logs — all significant actions are logged with user identity, timestamp, and action details.
• Session management — JWT access tokens (15-minute expiry) with refresh tokens (7-day expiry), backed by Redis.
• Tenant isolation — strict tenant-scoped queries preventing cross-tenant data access.

5. Data Breach Notification

In the event of a personal data breach, the Processor will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:

• Nature of the breach and categories of data affected
• Approximate number of data subjects and records concerned
• Likely consequences of the breach
• Measures taken or proposed to address the breach

6. Data Subject Requests

When the Processor receives a request from a data subject regarding their personal data (access, rectification, deletion, or portability), it will forward the request to the Controller within 24 hours. The Processor will assist the Controller in fulfilling the request to the extent technically feasible.

7. Audit Rights

The Controller may audit the Processor's compliance with this DPA once per calendar year, with at least 30 days' written notice. The Processor will provide reasonable access to relevant documentation, systems, and personnel. Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.

8. Term and Termination

This DPA remains in effect for the duration of the underlying Terms of Service. Upon termination, the Processor will, at the Controller's election, return or delete all personal data within 30 days, unless retention is required by applicable law. The Processor will provide certification of deletion upon request.

9. Contact

For DPA-related inquiries, contact us at [email protected].