Skip to content
BeeShelf
Cataloging Circulation Discovery Pricing Docs
Sign in Get started
Cataloging Circulation Discovery Requests Pricing Docs Sign in

Legal

Privacy PolicyTerms of ServiceData Processing AddendumSub-processorsTrust & Compliance

Data Processing Addendum

Effective 4 July 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between the institution (“Customer”, the data controller) and BeeShelf, operated by iBX Design Consultancy (“BeeShelf”, the data processor), Dubai Silicon Oasis, United Arab Emirates, governing BeeShelf’s processing of personal data on the Customer’s behalf. It is designed to satisfy the requirements of the GDPR (Art. 28) and equivalent data-protection laws. A countersigned copy is available on request for institutions that require one.

1. Roles & scope

The Customer is the controller and BeeShelf is the processor of the personal data processed to provide the BeeShelf service (the “Service”). BeeShelf processes such data only to provide the Service and only on the Customer’s documented instructions, including as configured through the Service and set out in this DPA and the main agreement.

2. Nature of processing (Annex A)

  • Subject matter: provision of a cloud library-management service.
  • Duration: the term of the main agreement, plus any wind-down period in §9.
  • Categories of data subjects: the Customer’s library members/borrowers (which may include students and minors) and staff users.
  • Categories of personal data: names; contact details (email); library card identifiers; member category; account credentials (hashed); borrowing activity (loans, holds, requests, fines); and, unless disabled, reading-preference signals. BeeShelf does not require special-category data to run.

3. Processor obligations

  • Instructions. Process personal data only on the Customer’s documented instructions, and inform the Customer if an instruction appears to infringe applicable law.
  • Confidentiality. Ensure personnel authorised to process the data are bound by confidentiality.
  • Security. Implement appropriate technical and organisational measures (§4).
  • Sub-processors. Engage sub-processors only under §5.
  • Assistance. Assist the Customer with data-subject requests (§6), breach notification (§7), and, where applicable, data protection impact assessments and prior consultation.
  • Deletion / return. On termination, delete or return personal data per §9.
  • Audits. Make available information needed to demonstrate compliance and allow for reasonable audits (§8).

4. Security measures

BeeShelf maintains, at a minimum:

  • Encryption of personal data in transit (TLS) and at rest.
  • Strict multi-tenant isolation enforced at the database level (row-level security), so one institution’s data is never accessible to another.
  • Credentials stored only as salted hashes; rate-limiting and abuse protection on authentication.
  • Role-based access controls; least-privilege access to production systems.
  • Data hosted in the European Union, with regular automated backups from which data can be restored.

5. Sub-processors

The Customer authorises BeeShelf to engage the sub-processors listed at beeshelf.com/legal/subprocessors. BeeShelf imposes data-protection obligations on each sub-processor no less protective than those in this DPA, and remains responsible for their performance. BeeShelf will give the Customer at least 30 days’ prior notice of any new sub-processor, during which the Customer may object on reasonable data-protection grounds; the parties will then work in good faith to resolve the objection.

6. Data-subject requests

Taking into account the nature of the processing, BeeShelf assists the Customer by appropriate technical and organisational measures — including the Service’s self-serve data export, correction, deletion, retention, and personalization-opt-out controls — in responding to requests to exercise data-subject rights. If BeeShelf receives such a request directly, it will (unless legally required otherwise) direct the individual to the Customer.

7. Personal data breaches

BeeShelf will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Customer’s data, and provide information reasonably available to help the Customer meet its own notification obligations.

8. Audits

BeeShelf will make available information reasonably necessary to demonstrate compliance with this DPA and contribute to audits conducted by the Customer or its authorised auditor, subject to reasonable confidentiality, notice, and frequency limits.

9. Return & deletion

On termination of the Service, and at the Customer’s choice, BeeShelf will return or delete the Customer’s personal data within a reasonable period, and delete existing copies unless retention is required by law. The Customer can also export its data at any time during the term.

10. International transfers

BeeShelf hosts primary data in the EU. Where a sub-processor processes personal data outside the EU/EEA, BeeShelf ensures an appropriate transfer mechanism (such as the EU Standard Contractual Clauses, with any applicable UK or Swiss addendum) is in place.

11. General

In case of conflict between this DPA and the main agreement on data-protection matters, this DPA prevails. This DPA is governed by the same law as the main agreement (in the absence of one, the laws of the United Arab Emirates).

To request a signable copy of this DPA, contact hello@beeshelf.com.

BeeShelf

A library system built around the reason the library exists.

Product

Cataloging Circulation Discovery Requests Pricing Documentation

Get going

Get started See the live demo Sign in

Company

Contact Privacy Terms Trust & Compliance
© 2026 BeeShelf · an iBX product Made for the libraries the big systems forgot.