
Data Processing Agreement

How LetCompliance processes personal data on your behalf as your processor under UK GDPR Article 28, including security, sub-processors and breach handling.


For letting agents and businesses: when you use LetCompliance to handle other people’s data (such as your tenants’), you are the controller and we are your processor. This DPA forms part of our Terms and sets out how we protect that data. No separate signature is needed: it applies automatically when you use the Service.

1. Parties and Roles

This Data Processing Agreement ("DPA") forms part of, and is governed by, the LetCompliance Terms of Service. It applies where you use LetCompliance to process personal data about other people (for example your tenants, applicants or guarantors). For that data, you (the customer, for example a letting agent or property manager) are the "Controller" and LetCompliance, operated by Erdem Volkan as a sole trader in the United Kingdom, is the "Processor". Terms such as "personal data", "processing", "data subject", "controller" and "processor" have the meanings given in UK GDPR and the Data Protection Act 2018. Where LetCompliance determines the purposes and means of processing (for example your own account and billing data), LetCompliance is the controller and that processing is governed by our Privacy Policy, not this DPA.

2. Subject Matter, Duration, Nature and Purpose

Subject matter: the provision of the LetCompliance software service to you. Duration: for as long as you have an active account, plus the retention period in Section 11. Nature and purpose: storing, organising, retrieving and transmitting personal data so you can run lettings, compliance, communications, finance and related tasks within the Service, on your instructions.

3. Types of Personal Data and Data Subjects

  • Data subjects: your tenants, prospective tenants and applicants, guarantors, and other individuals whose details you enter.
  • Personal data: names and contact details; tenancy and property details; identity and right-to-rent information you upload; compliance and inspection records; financial figures such as rent and arrears; and documents you store.
  • You must not use the Service to process special category data unless it is strictly necessary for a legitimate purpose and you have a lawful basis to do so.

4. Our Obligations as Processor

In line with UK GDPR Article 28, LetCompliance will:

  • Process the personal data only on your documented instructions, including the instructions inherent in your use of the Service, unless required to do otherwise by law (in which case we will tell you, unless the law prohibits it).
  • Ensure that people authorised to process the data are under an appropriate duty of confidentiality.
  • Implement appropriate technical and organisational security measures (Section 6).
  • Respect the conditions for engaging sub-processors (Section 7).
  • Assist you, taking into account the nature of the processing, to respond to data subject requests (Section 8).
  • Assist you with security, breach notification, data protection impact assessments and consultation with the ICO, taking into account the information available to us.
  • Delete or return the personal data at the end of the service (Section 11), and make available the information needed to demonstrate compliance and allow for audits (Section 12).

5. Your Obligations as Controller

  • You confirm you have a lawful basis to process the personal data you put into the Service, and that your instructions to us comply with data protection law.
  • You are responsible for the accuracy of the data you enter and for providing any privacy information your data subjects require.
  • You will not instruct us to process data in a way that breaches UK GDPR.

6. Security

We maintain appropriate technical and organisational measures designed to protect personal data, including:

  • Encryption of data in transit (TLS) and at rest (AES-256).
  • Logical isolation of each account using database Row Level Security, so one customer cannot access another customer’s data.
  • Access controls and authentication, with access restricted to what is needed to operate the Service.
  • Server-side, restricted handling of sensitive credentials such as HMRC tokens.
  • Ongoing review and prompt application of security updates.

7. Sub-Processors

You give general authorisation for LetCompliance to engage the sub-processors below to provide the Service. Each is bound by data protection terms consistent with this DPA. We will give you reasonable notice of any intended change (addition or replacement) so you can object on reasonable data protection grounds.

  • Supabase: database, file storage and authentication. Hosted in the EU (Frankfurt region).
  • Vercel: application hosting and serverless processing. EU region (Frankfurt).
  • Stripe: payment processing and, where you enable it, Direct Debit rent collection. Processes in the US under the UK extension to the EU-US Data Privacy Framework.
  • Resend: transactional and reminder email delivery.
  • Brevo: SMS reminder delivery (EU).
  • HMRC is a statutory recipient, not a sub-processor: data is sent to HMRC only where a user connects and submits Making Tax Digital information.

8. Data Subject Rights

The Service provides tools to view, edit, export and delete the personal data you hold, which lets you respond to most data subject requests (access, rectification, erasure, portability) yourself. Where a data subject contacts us directly about data you control, we will refer them to you. We will provide reasonable assistance, taking into account the nature of the processing, to help you meet your obligations.

9. International Transfers

Personal data is hosted in the EU (Frankfurt). Transfers from the UK to the EEA are protected by the UK Government’s data adequacy regulations for the EEA. Where a sub-processor processes data outside the UK and EEA (for example Stripe in the US), the transfer is made under an approved mechanism such as the UK extension to the EU-US Data Privacy Framework.

10. Breach Notification

We will notify you without undue delay after becoming aware of a personal data breach affecting your data, with the information you reasonably need to meet your own notification duties. Separately, we maintain our own breach response process, including notifying the ICO and (for breaches affecting our HMRC integration) HMRC within 72 hours where required. See our Security Policy.

11. Return and Deletion of Data

On termination of your account you can export your data. We will then delete the personal data within 30 days, unless we are required by law to retain it (for example billing and tax records, kept for the period UK law requires).

12. Audit and Compliance

On reasonable written request, and no more than once a year unless required by a regulator or following a breach, we will make available the information reasonably necessary to demonstrate compliance with this DPA. Any audit must respect the confidentiality and security of other customers’ data and our systems.

13. Liability and Governing Law

Liability under this DPA is subject to the limitations and exclusions in the LetCompliance Terms of Service. This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction. If anything in this DPA conflicts with the Terms of Service on the subject of data protection, this DPA prevails.

14. Contact

For any question about this DPA or to raise a data protection matter, contact us at letcomplianceuk@gmail.com.