Legal Documents

Important information about using our service

Data Processing Agreement (DPA)

Last updated: [Insert Date]

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller") and us ("Data Processor").

This DPA applies where we process personal data on your behalf in connection with your use of the Service.

2. Definitions

Personal Data: Information relating to identified or identifiable individuals (e.g., tenant names, contact details).

Processing: Any operation performed on personal data (e.g., collection, storage, modification, deletion).

Data Subject: The individual whose personal data is being processed (e.g., tenants).

GDPR: General Data Protection Regulation (EU) 2016/679 and UK GDPR.

3. Roles and Responsibilities

You (Data Controller)

You are responsible for:

  • Determining the purposes and means of processing personal data
  • Ensuring you have a lawful basis for processing
  • Obtaining necessary consents from tenants
  • Responding to data subject requests (e.g., access, deletion)
  • Complying with data protection laws

Us (Data Processor)

We are responsible for:

  • Processing data only on your documented instructions
  • Implementing appropriate security measures
  • Assisting with data subject requests where possible
  • Notifying you of data breaches
  • Deleting or returning data upon termination

4. Scope of Processing

We process personal data to provide the Service, including:

Categories of Data:

  • Tenant names and contact information
  • Tenancy and lease details
  • Rent payment records
  • Maintenance requests
  • Compliance documents
  • Property information

Processing Activities:

  • Storage and retrieval
  • Display and reporting
  • Calculations (e.g., rent arrears, net income)
  • Document generation (e.g., receipts, reports)

Data Subjects:

  • Tenants (current and former)
  • Guarantors
  • Emergency contacts

5. Your Instructions

We will process personal data only in accordance with your documented instructions.

Your instructions include:

  • Actions you take within the Service (e.g., adding, editing, deleting data)
  • Settings and preferences you configure
  • Requests you make via support channels

If we believe an instruction violates data protection laws, we will inform you immediately.

6. Security Measures

We implement appropriate technical and organizational measures to protect personal data, including:

Technical Measures:

  • Encryption in transit (TLS/SSL) and at rest
  • Access controls and authentication
  • Regular security audits and penetration testing
  • Automated backups and disaster recovery

Organizational Measures:

  • Staff training on data protection
  • Confidentiality agreements with employees
  • Incident response procedures
  • Vendor security assessments

7. Sub-Processors

We may engage third-party sub-processors to assist with providing the Service.

Current Sub-Processors:

  • Cloud hosting providers (e.g., AWS, Vercel)
  • Database services (e.g., Supabase, PostgreSQL)
  • Payment processors (e.g., Stripe)
  • Email service providers
  • Analytics providers

We will:

  • Maintain a list of current sub-processors
  • Notify you of any changes to sub-processors
  • Ensure sub-processors comply with data protection obligations

8. Data Subject Rights

Under GDPR and similar laws, data subjects have rights including:

  • Right of access: View their personal data
  • Right to rectification: Correct inaccurate data
  • Right to erasure: Request deletion of data
  • Right to data portability: Receive data in a structured format
  • Right to object: Object to certain types of processing

Your Responsibilities: You are responsible for responding to data subject requests.

Our Assistance: We will assist you by providing tools to export, modify, or delete data within the Service.

9. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify you without undue delay (and within 72 hours where feasible)
  • Provide details of the breach, including affected data and individuals
  • Describe measures taken to mitigate the breach
  • Assist with your breach notification obligations

10. Data Retention and Deletion

We will retain personal data only as long as necessary to provide the Service.

Upon Termination:

  • We will delete or return all personal data within 30 days (unless legally required to retain it)
  • You may request data export before termination

Backups: Data in backups will be deleted according to our retention schedule (typically 90 days).

11. Audits and Compliance

You have the right to audit our compliance with this DPA.

We will:

  • Provide information and documentation upon reasonable request
  • Allow audits or inspections (with reasonable notice)
  • Assist with compliance assessments

12. International Data Transfers

We may transfer personal data to countries outside the EEA/UK.

Where we do so, we will ensure:

  • Adequate safeguards are in place (e.g., Standard Contractual Clauses)
  • Compliance with GDPR Chapter V requirements

13. Liability and Indemnity

Each party is liable for its own breaches of data protection laws.

We are not liable for breaches caused by your instructions or misuse of the Service.

14. Term and Termination

This DPA remains in effect for the duration of the Terms of Service.

Upon termination:

  • We will cease processing personal data
  • We will delete or return data as instructed

15. Governing Law

This DPA is governed by the same law as the Terms of Service.

16. Contact Us

For questions about data processing:

DPO Email: [Insert DPO Email]
Company Email: [Insert Email]
Address: [Insert Address]

Have questions about these terms? Contact us