1. Statutory Context & Global Compliance Framework
DevNexa is a registered digital agency operating under the laws of the Islamic Republic of Pakistan. We maintain full statutory compliance with the **Prevention of Electronic Crimes Act (PECA), 2016**, the directives of the **Federal Board of Revenue (FBR)**, and the **Securities and Exchange Commission of Pakistan (SECP)**.
For international operations, we strictly adhere to the **General Data Protection Regulation (GDPR)** (EU/UK) and the **California Consumer Privacy Act (CCPA)** regarding the processing of data of EU/UK and US citizens respectively. DevNexa acts as a Data Processor when handling client customer data, and a Data Controller when managing direct client accounts.
2. Categories of Information Collected
We collect and process the following categories of information:
- Client Credentials & Business Data: Legal name, company registration numbers, tax identification numbers (NTN/FTN), registered office address, and contact details.
- Financial & Billing Information: Bank account numbers, international wire routing details (IBAN/SWIFT), invoice histories, and payment processing tokens. (We do not store complete raw credit card numbers locally).
- Project & Source Code Assets: Proprietary assets, database schemas, custom n8n/Make automation configurations, designs, deployment keys, and source code repository accesses.
- Technical Usage Metadata: IP addresses, browser configurations, session tracking logs, and analytical markers collected during interaction with our systems.
3. Legal Basis and Purposes of Processing
We process data under the following legal bases:
- Performance of Contract: To deliver custom Web Development, Mobile Development, AI integrations, and Dedicated Team services.
- Legal Obligation: To satisfy tax records audit requirements under the **Income Tax Ordinance, 2001** of Pakistan and mandatory anti-money laundering (AML) compliance.
- Consent: Where you explicitly authorize access to third-party integrations, databases, or analytics suites.
4. Data Retention & Source Code Security Safeguards
Source code and cloud credentials provided to DevNexa are classified as **Restricted Client Assets**.
Our safeguards include:
- Mandatory Multi-Factor Authentication (MFA) on all third-party code repos, Supabase instances, n8n automation portals, and AWS/GCP nodes.
- Symmetric encryption (AES-256) for secure credential sharing tools (e.g., Bitwarden / 1Password).
- Periodic security audits and strict access control lists (ACLs) restricting server access to designated engineers only.
Client record files are retained for a minimum period of **six (6) years** following project completion to ensure compliance with Pakistani tax audit periods.
5. Cross-Border Data Transfers
As an agency with global operations, DevNexa coordinates resources across Pakistan, North America, the Middle East, and Europe. By contracting with us, you acknowledge that your project assets and technical information will be securely transferred and processed across these jurisdictions. We utilize **Standard Contractual Clauses (SCCs)** approved by the European Commission to govern all international data transfer protocols.
6. Your Statutory Rights (GDPR / CCPA / PECA)
Subject to statutory exemptions, you hold the following rights:
- The Right to Access & Portability: Obtain a structured copy of the personal and business metadata we store.
- The Right to Rectification: Request correction of incomplete or outdated registration, tax, or contact data.
- The Right to Erasure ("Right to be Forgotten"): Request complete deletion of files when no longer required for contractual execution or tax audit compliance.
- The Right to Limit Processing: Object to automated analysis, digital profiling, or promotional outreach.
To invoke these rights, issue an official notice to our Legal & Data Protection Officer at: legal@devnexa.dev.