Data Processing Agreement
This Data Processing Agreement (DPA) forms part of the Terms of Service between Tristan Bates trading as Let IQ (the Data Processor) and the customer (the Data Controller).
1. Definitions
Data Controller: the customer who determines the purposes and means of processing personal data.
Data Processor: Tristan Bates trading as Let IQ, who processes personal data on behalf of the Data Controller.
Personal Data: any information relating to an identified or identifiable natural person as defined under UK GDPR.
UK GDPR: the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018.
2. Scope and purpose
The Data Processor processes personal data on behalf of the Data Controller solely for the purpose of providing the Let IQ compliance management service as described in the Terms of Service.
3. Nature of processing
The Data Processor carries out the following processing activities on behalf of the Data Controller:
- Storage of compliance documents and property records
- Processing of tenancy information and tenant personal data
- Processing of financial information including bank statements
- Generation of compliance reports and statutory documents
- Automated analysis of documents for compliance tracking purposes
4. Categories of personal data
The following categories of personal data may be processed under this agreement:
- Tenant names and contact details
- Tenant addresses
- Financial information relating to tenants
- Right to Rent documentation
- Any other personal data contained within documents uploaded by the Data Controller
5. Data Controller obligations
The Data Controller confirms that:
- They have a lawful basis for processing all personal data uploaded to Let IQ
- They have provided appropriate privacy notices to data subjects whose data is uploaded
- They are responsible for responding to data subject requests relating to personal data they control
- They will notify Let IQ immediately of any instruction that may conflict with UK GDPR
6. Data Processor obligations
The Data Processor agrees to:
- Process personal data only on documented instructions from the Data Controller
- Ensure all personnel with access to personal data are bound by appropriate confidentiality obligations
- Implement appropriate technical and organisational security measures as described in clause 8
- Notify the Data Controller without undue delay, and no later than 24 hours, upon becoming aware of a personal data breach
- Assist the Data Controller in responding to data subject requests where reasonably possible
- Delete or return all personal data upon termination of the service in accordance with the retention policy in the Privacy Policy
- Make available all information necessary to demonstrate compliance with this agreement
7. Sub-processors
The Data Controller provides general authorisation for the Data Processor to engage the following sub-processors:
- Stripe Inc: payment processing — stripe.com/privacy
- DigitalOcean LLC: cloud infrastructure and hosting, London, United Kingdom
The Data Processor will notify the Data Controller of any intended changes to sub-processors with reasonable notice. The Data Controller may object to changes within 14 days of notification.
The Data Processor will ensure all sub-processors are bound by data protection obligations equivalent to those in this agreement.
8. Security measures
The Data Processor maintains the following technical and organisational security measures:
- Encryption of personal data in transit using TLS
- Encryption of personal data at rest
- Access controls limiting data access to authorised personnel only
- Hosting on DigitalOcean infrastructure in London, United Kingdom
- Regular backups of all data
- Security monitoring and logging
9. Data transfers
All personal data is stored and processed within the United Kingdom. No personal data is transferred outside the United Kingdom without appropriate safeguards in place.
10. Audit rights
The Data Controller may request written confirmation of compliance with this agreement at any time. The Data Processor will respond to such requests within 30 days. The Data Processor will provide all information reasonably necessary to demonstrate compliance with this agreement.
11. Duration and termination
This agreement remains in force for the duration of the Terms of Service. Upon termination, personal data will be handled in accordance with the data retention policy in the Privacy Policy.
12. Governing law
This agreement is governed by the laws of England and Wales.
Contact
For any questions relating to this agreement, contact hello@let-iq.com.