Data processing agreement

This Data Processing Agreement (“DPA”) forms part of the agreement between you (the “Customer”, acting as controller) and CoreVU Labs(“CoreVU”, acting as processor) for use of the CoreVU Property Management Pro platform and its connected apps (the “Services”). It governs our processing of personal data contained in Customer Data on your behalf.

“Personal Data”, “processing”, “controller”, “processor”, and “data subject” have the meanings given under applicable data-protection law. “Customer Data” means data the Customer and its users submit to the Services. “Sub-processor” means a third party engaged by CoreVU to process Personal Data.

The Customer is the controller and determines the purposes and means of processing. CoreVU processes Personal Data only as a processor, in accordance with the Customer’s documented instructions, including those given through configuration of the Services and this DPA.

• Subject matter: provision of a real estate ERP covering CRM, leasing, sales, facilities, inspections, assets, procurement, finance, workflow, and governed AI.
• Duration: for the term of the subscription plus any retention period required by law.
• Nature and purpose: hosting, storing, and processing Customer Data to deliver and support the Services.
• Categories of data subjects: the Customer’s users, tenants, owners, leads, vendors, suppliers, and contacts.
• Types of Personal Data: contact and identity details, lease and sale records, financial and payment information, work-order and inspection records, and usage data.

• Process Personal Data only on the Customer’s documented instructions.
• Ensure personnel authorised to process data are bound by confidentiality.
• Implement appropriate technical and organisational security measures (Section 7).
• Assist the Customer with data-subject requests and security/breach obligations.
• Make available information necessary to demonstrate compliance and allow for audits subject to reasonable notice and confidentiality.

The Services are multi-tenant with logical isolation between customer workspaces and role-based access control. Governed AI features operate within the Customer’s workspace and under the same permissions; Customer Data is not used to train third-party foundation models and is not disclosed to other customers.

• Encryption of data in transit and access over secure channels.
• Tenant isolation, least-privilege access, and audited administrative actions.
• Authentication controls and role-based permissions.
• Backups, monitoring, and incident-response procedures.

The Customer authorises CoreVU to engage sub-processors (for example, infrastructure hosting, payment, email, and messaging providers) to support the Services. We impose data-protection obligations on each sub-processor no less protective than this DPA and remain responsible for their performance. We will inform the Customer of material changes to our sub-processors and allow a reasonable opportunity to object.

CoreVU Labs operates from India and the UAE and serves the GCC and India. Where Personal Data is transferred across borders, we apply appropriate safeguards consistent with applicable data-protection law.

CoreVU will notify the Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Data, and will provide information reasonably necessary to help the Customer meet its own notification obligations.

On termination of the Services, CoreVU will, at the Customer’s choice, delete or return Customer Data, except where retention is required by law. Deletion is performed within a commercially reasonable period and includes routine backups in line with our retention cycle.

In the event of conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA prevails. To raise a data-protection matter, contact CoreVU Labs at support@corevulabs.com (Mumbai · Hyderabad — India & Dubai — UAE).