Data Processing Addendum
Effective 4 July 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between the institution (“Customer”, the data controller) and BeeShelf, operated by iBX Design Consultancy (“BeeShelf”, the data processor), Dubai Silicon Oasis, United Arab Emirates, governing BeeShelf’s processing of personal data on the Customer’s behalf. It is designed to satisfy the requirements of the GDPR (Art. 28) and equivalent data-protection laws. A countersigned copy is available on request for institutions that require one.
1. Roles & scope
The Customer is the controller and BeeShelf is the processor of the personal data processed to provide the BeeShelf service (the “Service”). BeeShelf processes such data only to provide the Service and only on the Customer’s documented instructions, including as configured through the Service and set out in this DPA and the main agreement.
2. Nature of processing (Annex A)
- Subject matter: provision of a cloud library-management service.
- Duration: the term of the main agreement, plus any wind-down period in §9.
- Categories of data subjects: the Customer’s library members/borrowers (which may include students and minors) and staff users.
- Categories of personal data: names; contact details (email); library card identifiers; member category; account credentials (hashed); borrowing activity (loans, holds, requests, fines); and, unless disabled, reading-preference signals. BeeShelf does not require special-category data to run.
3. Processor obligations
- Instructions. Process personal data only on the Customer’s documented instructions, and inform the Customer if an instruction appears to infringe applicable law.
- Confidentiality. Ensure personnel authorised to process the data are bound by confidentiality.
- Security. Implement appropriate technical and organisational measures (§4).
- Sub-processors. Engage sub-processors only under §5.
- Assistance. Assist the Customer with data-subject requests (§6), breach notification (§7), and, where applicable, data protection impact assessments and prior consultation.
- Deletion / return. On termination, delete or return personal data per §9.
- Audits. Make available information needed to demonstrate compliance and allow for reasonable audits (§8).
4. Security measures
BeeShelf maintains, at a minimum:
- Encryption of personal data in transit (TLS) and at rest.
- Strict multi-tenant isolation enforced at the database level (row-level security), so one institution’s data is never accessible to another.
- Credentials stored only as salted hashes; rate-limiting and abuse protection on authentication.
- Role-based access controls; least-privilege access to production systems.
- Data hosted in the European Union, with regular automated backups from which data can be restored.
5. Sub-processors
The Customer authorises BeeShelf to engage the sub-processors listed at beeshelf.com/legal/subprocessors. BeeShelf imposes data-protection obligations on each sub-processor no less protective than those in this DPA, and remains responsible for their performance. BeeShelf will give the Customer at least 30 days’ prior notice of any new sub-processor, during which the Customer may object on reasonable data-protection grounds; the parties will then work in good faith to resolve the objection.
6. Data-subject requests
Taking into account the nature of the processing, BeeShelf assists the Customer by appropriate technical and organisational measures — including the Service’s self-serve data export, correction, deletion, retention, and personalization-opt-out controls — in responding to requests to exercise data-subject rights. If BeeShelf receives such a request directly, it will (unless legally required otherwise) direct the individual to the Customer.
7. Personal data breaches
BeeShelf will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Customer’s data, and provide information reasonably available to help the Customer meet its own notification obligations.
8. Audits
BeeShelf will make available information reasonably necessary to demonstrate compliance with this DPA and contribute to audits conducted by the Customer or its authorised auditor, subject to reasonable confidentiality, notice, and frequency limits.
9. Return & deletion
On termination of the Service, and at the Customer’s choice, BeeShelf will return or delete the Customer’s personal data within a reasonable period, and delete existing copies unless retention is required by law. The Customer can also export its data at any time during the term.
10. International transfers
BeeShelf hosts primary data in the EU. Where a sub-processor processes personal data outside the EU/EEA, BeeShelf ensures an appropriate transfer mechanism (such as the EU Standard Contractual Clauses, with any applicable UK or Swiss addendum) is in place.
11. General
In case of conflict between this DPA and the main agreement on data-protection matters, this DPA prevails. This DPA is governed by the same law as the main agreement (in the absence of one, the laws of the United Arab Emirates).
To request a signable copy of this DPA, contact hello@beeshelf.com.