Data Processing Agreement
How Auri processes personal data on your behalf under GDPR Article 28 and UAE / Saudi PDPL.
This Data Processing Agreement ("DPA") forms part of the Service Agreement between Maciej Adamski Sp. z o.o. ("Processor", "Auri") and the Customer ("Controller"). It governs the processing of personal data by Auri on behalf of the Customer in connection with the Auri hotel SPA management system. The DPA is automatically incorporated when the Service Agreement is signed — no separate signature required.
Scope of processing
Auri processes personal data on behalf of the Customer solely for the purpose of delivering the contracted Service. Auri does not use Customer personal data for marketing, AI-model training, analytics product development, or any third-party data sharing.
The Customer remains the data controller and is responsible for establishing the lawful basis for processing.
Categories of personal data
On behalf of the Customer, Auri processes:
— Guest personal data — name, contact details (email, phone), date of birth, language preference, room number where applicable.
— Treatment-related data — selections, scheduling preferences, allergies and contraindications (medical SPA tier), staff notes.
— Payment data — processor tokens only. Full card numbers are never stored by Auri (handled by Stripe / Tap).
— Marketing consent flags.
— Booking history and operational records.
Exact data categories depend on the modules each Customer enables.
Purposes of processing
Auri processes personal data only to:
— Operate the booking and resource management system as configured by the Customer.
— Send transactional notifications (booking confirmations, reminders, cancellation notices) per Customer configuration.
— Generate reports and analytics for the Customer's own use.
— Support the Customer's own GDPR / PDPL obligations (data-subject access requests, erasure requests, exports).
Security measures
Auri implements technical and organisational measures appropriate to the risk of processing:
— Data isolation — each Customer receives a dedicated database and dedicated Google Cloud project.
— Encryption — data encrypted at rest (Google Cloud default disk encryption, AES-256) and in transit (TLS 1.2+).
— Authentication — bcrypt password hashing (cost 12), server-side sessions, configurable timeouts, optional MFA.
— API security — bearer-token authentication with constant-time comparison to prevent timing attacks.
— Audit logging — all administrative actions logged for traceability.
— Backups — daily automated snapshots, 30-day retention, point-in-time recovery.
— Network — HTTPS-only, HSTS enabled, strict Content-Security-Policy headers.
Full security documentation lives at /legal/security.
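The bearer-token check listed above (constant-time comparison so that a wrong token takes the same time to reject however many leading characters happen to match) can be illustrated as follows. This is an added example, not Auri's code: the token format, the SHA-256-of-token storage scheme and the sample token are assumptions.

```python
import hashlib
import hmac
from typing import Optional


def token_digest(token: str) -> bytes:
    """Store only a SHA-256 digest of the issued bearer token, never the token itself.
    (Assumed storage scheme; the page does not say how Auri stores tokens.)"""
    return hashlib.sha256(token.encode("utf-8")).digest()


def verify_bearer(presented: str, stored_digest: bytes) -> bool:
    """Compare the presented token against the stored digest in constant time.

    A plain '==' can return as soon as the first differing byte is found, so the
    response time leaks how much of the secret the caller got right.
    hmac.compare_digest takes time that does not depend on where the inputs differ.
    """
    return hmac.compare_digest(token_digest(presented), stored_digest)


def parse_authorization(header: Optional[str]) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>'; None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "bearer" or not token or " " in token:
        return None
    return token


def authenticate(header: Optional[str], stored_digest: bytes) -> bool:
    """Full check a request handler would run: parse the header, then verify."""
    token = parse_authorization(header)
    if token is None:
        return False
    return verify_bearer(token, stored_digest)


if __name__ == "__main__":
    # Constructed sample token for a local run (not a real Auri credential).
    issued = "constructed-sample-token-0123456789"
    stored = token_digest(issued)
    print(authenticate("Bearer " + issued, stored))          # True
    print(authenticate("Bearer " + issued[:-1] + "0", stored))  # False
```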
Sub-processors
Auri uses the following sub-processors to deliver the Service. Each operates under its own DPA and applicable data-transfer mechanisms.
| Sub-processor | Purpose | Data category | Region |
|---|---|---|---|
| Google Cloud Platform | Infrastructure hosting | All processed data | EU (Frankfurt) or GCC (Bahrain), per Customer config |
| Stripe | Payment processing (EU / global) | Payment tokens, transaction metadata | EU + US (under SCCs) |
| Tap Payments | Payment processing (GCC / MENA) | Payment tokens, transaction metadata | UAE (regional) |
| Twilio | SMS and WhatsApp notifications | Phone numbers, message content | US (under SCCs) |
| Resend | Email notifications | Email addresses, message content | US (under SCCs) |
| SMSAPI.pl | SMS notifications (Poland) | Phone numbers, message content | EU (Poland) |
Auri gives 30 days' notice of any new or changed sub-processor via the privacy@auri-system.com mailing list. Customers may object within 30 days, in which case Auri will either replace the sub-processor or allow the Customer to terminate the affected Service without penalty.
International data transfers
Where personal data is transferred outside the EU/EEA or outside the UAE / Saudi Arabia, Auri uses Standard Contractual Clauses (SCCs) with all sub-processors handling such transfers. Customers may request copies of executed SCCs by emailing privacy@auri-system.com.
For GCC Customers requiring data localisation, Auri configures the GCP region to a GCC region (typically Bahrain, me-central1).
Breach notification
Where Auri becomes aware of a personal data breach affecting Customer data, Auri notifies the Customer without undue delay and in any case within 72 hours. The notice includes:
— Nature of the breach.
— Categories and approximate number of data subjects affected.
— Likely consequences.
— Measures taken or proposed to address the breach and mitigate harm.
Audit rights
Customers may audit Auri's compliance with this DPA on reasonable notice (typically 30 days), once per calendar year, at the Customer's expense, and subject to confidentiality obligations. Auri may satisfy this through third-party audit reports or certifications when available. Enterprise-tier Customers may negotiate additional audit rights in their Service Agreement.
Privacy or data-subject requests
Email privacy@auri-system.com. We acknowledge within 2 business days and respond in full within 30 days, per GDPR Art. 12(3).