Data Processing Agreement
Template — sign on request
01 Parties and Scope
This Data Processing Agreement ("DPA") governs the processing of personal data by Anvira ("Processor") on behalf of the Customer ("Controller") in connection with the Customer's use of Anvira's service. It is incorporated into the Terms of Service by reference.
02 Subject Matter and Duration
Subject matter: processing of end-buyer personal data (phone, conversation content, qualification details, KYC documents when uploaded) to enable the Customer's real-estate brokerage operations on WhatsApp and email.
Duration: for the term of the Customer's subscription plus the Customer's applicable regulatory retention period (typically 5 years for KYC records under UAE AML/CFT obligations).
03 Nature and Purpose
The Processor will process personal data only on documented instructions from the Controller, including those instructions embedded in the Customer's configuration of the service (e.g. consent scopes, jurisdiction selection, sanctions provider choice).
04 Categories of Data Subjects and Personal Data
Data subjects: end-buyers who initiate contact with the Customer via WhatsApp or forwarded portal emails; administrators of the Customer's account.
Personal data categories: contact identifiers (phone, name), conversation content, voluntary qualification details (budget, preferences), and where the compliance module is enabled, identity documents and source-of-funds evidence.
05 Processor Obligations
The Processor shall:
- process data only on the Controller's documented instructions;
- ensure persons authorized to process the data are bound by confidentiality obligations;
- implement appropriate technical and organisational measures including encryption in transit (TLS 1.2+), at rest (AES-256), and Row-Level Security tenant isolation;
- assist the Controller in responding to data-subject rights requests, namely access (provided as a data export), rectification, and erasure. Erasure is performed by deleting or irreversibly anonymising the data subject's personal data except records the Controller is legally required to retain — in particular AML/CFT identity and source-of-funds records, which are kept for the statutory retention period (typically 5 years) under UAE PDPL Art. 8 / KSA PDPL Art. 10 read with the applicable AML/CFT law, then erased once that obligation lapses. The Processor does not provide a separate processing-restriction mechanism or a structured data-portability flow beyond the export described above;
- notify the Controller without undue delay, and in any event within 72 hours of the Processor becoming aware of it, of any personal-data breach affecting the Controller's data. The Processor relies on operational monitoring and incident reports rather than automated breach-detection; the 72-hour period runs from the Processor's actual awareness of a breach, not from its occurrence;
- make available to the Controller all information necessary to demonstrate compliance with this DPA, and submit to audits on reasonable advance notice not more than once per twelve months.
06 Sub-Processors
The Controller authorises the Processor to engage the sub-processors listed in the Privacy Policy at /legal/privacy. The Processor will notify the Controller at least 30 days before adding or replacing any sub-processor. If the Controller objects, the Controller may terminate the affected portion of the service for cause.
07 International Transfers
Where personal data is transferred outside the United Arab Emirates / KSA to a jurisdiction that has not been recognised as providing an adequate level of protection, the parties will put in place an appropriate transfer safeguard permitted under the applicable PDPL regulations — such as standard contractual clauses where and when issued by the competent UAE / KSA authority, binding contractual commitments, or the data subject's explicit consent — before such transfer takes place.
08 Deletion and Return
On termination of the subscription, the Processor will, at the Controller's choice, delete or return all Customer personal data within 60 days, except where retention is required by applicable law. Nightly archive snapshots are pruned on a 30-day rolling window during the subscription term.
09 Liability
The liability provisions of the underlying Terms of Service (including the 12-month-fees cap) apply to claims under this DPA. Statutory liability under applicable PDPL regulations is unaffected to the extent it cannot be limited by contract.
10 Governing Law
This DPA is governed by the laws of the United Arab Emirates, consistent with the Terms of Service.
11 Signature
Customers wishing to execute this DPA as a signed document may request a signed counterpart from legal@anviraplus.it.com. Anvira will return a counter-signed copy within five business days.