Data processing addendum
This DPA forms part of the Terms of service. It governs the processing of personal data by Bin Haider Darwish Printing & Designing S.P.C. ("BHD Group", processor) on behalf of the customer (controller) when using the Diwan platform.
1. Roles
The customer is the data controller. BHD Group is the data processor. For on-prem deployments, BHD Group does not act as processor at all: the customer self-hosts and we never see the data.
2. Subject matter and duration
Processing is for the duration of the subscription, plus 30 days for export, plus a further 30 days for backup roll-off. Subject matter is governance work: meetings, decisions, members, documents, audit trail.
3. Categories of data subjects and data
- Subjects: board members, committee members, employees, athletes (for sport-sector tenants), and any other person the customer chooses to record.
- Data: contact details, role, attendance, voting record, document authorship, audit log entries.
4. Sub-processors
| Sub-processor | Purpose | Region |
|---|---|---|
| Cloudflare | DNS, TLS termination, edge cache | Global |
| Hostinger | VPS hosting | EU |
| BHD Dardasha | WhatsApp OTP delivery | OM |
| Paymob (Phase 8) | Payment processing | EG/OM |
We notify customers in advance of new sub-processors. For on-prem, no sub-processors apply.
5. Security measures
- TLS 1.2+ on all public endpoints; Cloudflare Full (Strict) origin certificate
- Per-tenant data isolation enforced by middleware + AsyncLocalStorage; cross-tenant access is impossible
- OTP login; no passwords stored
- Per-tenant role matrix with module-level CRUD permissions
- Immutable audit log of every admin action
- Atomic file writes via withFileLock; no torn writes
- Daily VPS backups; 30-day retention
- Operator access logged and auditable
6. Breach notification
We notify the customer within 72 hours of confirming a personal-data breach affecting their tenant, with the nature of the breach, affected data, our containment steps, and recommended customer actions.
7. International transfers
Cloud SaaS data resides primarily in the EU (Hostinger). Cloudflare's edge may cache static assets globally. For customers requiring strict data residency in Oman, on-prem is the recommended deployment.
8. Audit
Customers on Enterprise may request a security questionnaire response and an extract of relevant audit-log entries. On-site audit by appointment.
9. Return / deletion of data
On termination, we provide a complete data export (JSON for structured data, ZIP for documents) within 7 business days of request. Primary deletion within 30 days; backup roll-off within 60 days.
10. Contact
DPA queries: use the contact form (subject "DPA") · BHD Group, Muscat, Sultanate of Oman.