Data Processing Agreement
The terms under which SimpleFreeholder processes personal data on behalf of a resident management company, as required by Article 28 of the UK GDPR. This agreement forms part of the terms of service.
Draft pending legal review. This agreement must be reviewed and signed off by a qualified adviser, and the items marked “[TO CONFIRM]” completed, before launch.
1. Parties and scope
This agreement is between the resident management company or other organisation that uses the service (the “Controller”) and SimpleFreeholder Ltd, registered in England and Wales (company number [TO CONFIRM], registered office [TO CONFIRM]) (the “Processor”).
It applies to personal data the Processor processes on the Controller's behalf in providing the service — the building and financial data the Controller enters. It does not apply to data for which SimpleFreeholder is itself the controller (such as user account records), which is governed by the privacy notice.
2. Subject matter, nature, and purpose
The Processor processes personal data only to provide the bookkeeping and leaseholder-portal service described in the terms of service — recording charges, issuing invoices, tracking payments and expenses, producing statements and year-end paperwork, and sending related service email. Processing continues for as long as the Controller uses the service.
3. Types of personal data and categories of data subject
Categories of data subject: leaseholders; directors and administrators of the Controller; and any accountant or other party the Controller invites.
Types of personal data: names; contact details (email address, postal address, telephone number); the role a person holds; tenancy records; and financial transaction data (charges, invoices, payments, balances) associated with an individual. No special-category data is required by the service.
4. The Controller's instructions
The Processor processes personal data only on the Controller's documented instructions, including as to international transfers, unless required to do otherwise by law — in which case it will inform the Controller first, unless the law forbids it. Using the features of the service constitutes the Controller's instruction. The Processor will tell the Controller if it considers an instruction breaches data protection law.
5. Confidentiality
The Processor ensures that anyone authorised to process the personal data is bound by an appropriate duty of confidentiality and processes the data only as instructed.
6. Security measures
The Processor implements appropriate technical and organisational measures to protect personal data, including:
- encryption of data in transit and at rest;
- database-level tenant isolation, so one organisation's data cannot be read or altered in the context of another;
- role-based access control, so each user sees only what their role permits;
- an immutable audit log recording who changed what and when;
- daily encrypted backups; and
- access to production systems limited to authorised personnel.
These measures are kept under review and may be updated provided the level of protection is not reduced.
7. Sub-processors
The Controller gives the Processor general authorisation to engage the sub-processors below to deliver the service:
- Google Cloud (Google Cloud EMEA Limited): Hosting, database, file storage, and background job processing — United Kingdom (London region).
- Resend: Delivery of outbound transactional email. Processing location and transfer basis: [TO CONFIRM].
- Sentry: Error and performance monitoring — European Union region.
The Processor imposes data-protection terms on each sub-processor equivalent to those in this agreement, and remains liable for their performance. The Processor will give the Controller advance notice of any intended change of sub-processor; the Controller may object on reasonable data-protection grounds.
8. International transfers
Application data is hosted in the United Kingdom. Error-monitoring data is held in the European Union, which the UK recognises as adequate. Where any transfer outside the UK is not covered by adequacy, the Processor will ensure an appropriate safeguard (such as the International Data Transfer Agreement or Addendum) is in place.
9. Assisting the Controller
Taking account of the nature of the processing, the Processor assists the Controller, by appropriate technical and organisational measures, to:
- respond to requests from individuals exercising their rights — access, rectification, erasure, restriction, and portability;
- keep personal data secure, notify breaches, and carry out data protection impact assessments where required.
The service provides built-in tools — data export, correction, and deletion — that the Controller can use directly to meet most such requests.
10. Personal data breaches
The Processor notifies the Controller without undue delay, and in any event within [TO CONFIRM — e.g. 48 hours] of becoming aware of a personal data breach affecting the Controller's data, with the information the Controller reasonably needs to meet its own reporting obligations.
11. Return and deletion
On termination of the service the Controller may export its data for a reasonable period. After that, the Processor deletes the data in line with the published retention policy, except where it is required by law to retain it — in which case the retained data is restricted to that legal purpose.
12. Audit
The Processor makes available to the Controller the information reasonably necessary to demonstrate compliance with this agreement, and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor it mandates, on reasonable notice and subject to confidentiality.
13. General
This agreement is governed by the law of England and Wales. If any conflict arises between this agreement and the terms of service on a data-protection matter, this agreement prevails. The Processor may update this agreement to reflect changes in law or in the service, provided the level of protection for personal data is not reduced.