This DPA forms part of the Terms of Service between you (the "Controller", i.e. your letting agency) and UNIVERSALHOMEANDTECH LTD (the "Processor"). It addresses Article 28 UK GDPR requirements.
Scope
We process personal data on your behalf for the purpose of providing the Estate-HQ service. The types of data and data subjects vary by use; typically: tenant names, addresses, phone numbers, emails, tenancy details, payment references, documents you upload.
Our obligations
- Process data only on documented instructions from you (configurations and use of the service count as instructions).
- Ensure personnel are bound by confidentiality.
- Implement appropriate technical and organisational measures (encryption in transit, hashed passwords, daily backups, role-based access, isolated multi-tenant database scopes).
- Engage sub-processors (listed in the Privacy Policy) only after due diligence and with written terms equivalent to this DPA.
- Notify you of any data breach affecting your data without undue delay (within 48 hours of discovery).
- Help you respond to data subject access requests using the self-service export and deletion tools, or directly on request.
- Return or delete all your data at the end of the service (30-day grace, then deletion).
- Make available all information necessary to demonstrate compliance and submit to audits.
International transfers
Primary infrastructure is UK/EU based. Any transfer outside the UK/EU happens only via Standard Contractual Clauses or other adequate safeguards.
Conflict
If any term conflicts with the Terms of Service, this DPA prevails for matters of personal data processing.