
Legal Information

DeckzMart Ltd

Data Processing Agreement

Last Updated: January 10, 2025

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between you (the "Controller") and DeckzMart Ltd (the "Processor") regarding the processing of personal data.

Who This Applies To:

This DPA applies to estate agents, landlords, and property managers who use DeckzMart to manage client and tenant personal data. If you only manage your own properties, standard Terms apply.

1. Definitions

Terms used in this DPA have the meanings defined in UK GDPR and the Data Protection Act 2018:

  • "Controller": You (the estate agent, landlord, or property manager)
  • "Processor": DeckzMart Ltd
  • "Personal Data": Client and tenant information you store in DeckzMart
  • "Data Subject": Your clients, tenants, and prospective customers
  • "Processing": Any operation performed on personal data
  • "Sub-Processor": Third-party service providers used by DeckzMart

2. Roles and Responsibilities

2.1 You Are the Data Controller

As the Controller, you:

  • Determine the purposes and means of processing personal data
  • Are responsible for obtaining necessary consents
  • Must have a lawful basis for processing
  • Are liable to data subjects for compliance with data protection laws
  • Must respond to data subject rights requests
  • Are required to register with the ICO (if applicable)

2.2 DeckzMart Is the Data Processor

As the Processor, DeckzMart:

  • Processes data only on your documented instructions
  • Implements appropriate technical and organizational measures
  • Maintains confidentiality of personal data
  • Assists with data subject rights requests
  • Notifies you of data breaches
  • Deletes or returns data upon request

3. Details of Processing

3.1 Subject Matter

Processing of personal data through DeckzMart's CRM and property management platform.

3.2 Duration

Duration of your DeckzMart subscription plus 30 days for data export/deletion.

3.3 Nature and Purpose

Personal data is processed to enable you to:

  • Manage client relationships
  • Track property viewings and inquiries
  • Store communications history
  • Manage tenancy applications
  • Generate reports and analytics
  • Send communications to clients/tenants

3.4 Types of Personal Data

Categories of personal data you may process:

  • Identity Data: Names, addresses, dates of birth
  • Contact Data: Email, phone, postal address
  • Financial Data: Income, employment, credit information (for tenancy checks)
  • Property Preferences: Search criteria, viewing history
  • Communications: Messages, emails, notes
  • Identification Documents: Passports, driving licenses (for Right to Rent)
  • Special Category Data: (If applicable) Disability accommodations, etc.

3.5 Categories of Data Subjects

  • Prospective buyers and tenants
  • Current tenants
  • Property owners (your clients)
  • Guarantors and references
  • Contractors and service providers

4. Your Obligations as Controller

4.1 Lawful Basis

You must ensure you have a lawful basis for all personal data processing:

  • Consent: Freely given, specific, informed, and unambiguous
  • Contract: Necessary for a tenancy or service agreement
  • Legal Obligation: Required by law (e.g., Right to Rent checks)
  • Legitimate Interests: Your interests that don't override data subjects' rights

4.2 Transparency

You must provide data subjects with:

  • Your privacy policy
  • Information about how their data will be used
  • Details about third parties (including DeckzMart) who will process their data
  • Their rights under UK GDPR

4.3 Data Subject Rights

You are responsible for responding to data subject requests:

  • Access requests (SARs)
  • Rectification
  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Objection to processing

DeckzMart will assist by providing data export tools and deletion capabilities.

4.4 Data Accuracy

You must:

  • Keep personal data accurate and up to date
  • Correct inaccurate data promptly
  • Delete outdated or unnecessary data

5. DeckzMart's Obligations as Processor

5.1 Process Only on Instructions

DeckzMart will process personal data only:

  • On your documented instructions (these Terms and your platform usage)
  • As necessary to provide the service
  • As required by UK or EU law (with notice to you)

5.2 Confidentiality

All DeckzMart personnel with access to personal data are:

  • Bound by confidentiality obligations
  • Trained in data protection
  • Subject to disciplinary action for breaches

5.3 Security Measures

DeckzMart implements appropriate technical and organizational measures:

Technical Measures:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Multi-factor authentication
  • Regular security testing and audits
  • Intrusion detection and prevention systems
  • Regular backups with encryption

Organizational Measures:

  • Access controls and role-based permissions
  • Staff training and awareness programs
  • Data breach response procedures
  • Regular policy reviews
  • Vendor management and due diligence

5.4 Sub-Processors

Current Sub-Processors:

Sub-Processor           | Service                             | Location
Supabase Inc.           | Database hosting and authentication | UK/EU (with SCCs for non-EEA)
Google Cloud            | Infrastructure and analytics        | UK/EU data centers
Payment Processor (TBD) | Payment processing                  | UK/EU

Sub-Processor Changes:

  • You will be notified 30 days before adding new sub-processors
  • You may object to new sub-processors
  • If we cannot accommodate your objection, you may terminate your subscription

5.5 Data Breach Notification

In the event of a personal data breach:

  • Notification to you: Within 24 hours of becoming aware
  • Information provided:
    • Nature of the breach
    • Data affected
    • Number of data subjects impacted
    • Likely consequences
    • Measures taken to mitigate
  • Your responsibility: Assess whether to notify ICO and data subjects

5.6 Assistance with Compliance

DeckzMart will assist you with:

  • Data Subject Requests: Providing tools to export, delete, or modify data
  • Data Protection Impact Assessments (DPIAs): Providing information about our processing activities
  • Consultations with ICO: Providing necessary information
  • Security Documentation: Providing evidence of security measures

6. International Data Transfers

Personal data is primarily stored in the UK/EU. Where data is transferred to third countries:

  • Adequate Countries: Only to countries with UK adequacy decisions
  • Standard Contractual Clauses: EU-approved SCCs with non-EU processors
  • Additional Safeguards: Encryption, access controls, and contractual protections

7. Data Retention and Deletion

7.1 Retention

DeckzMart retains personal data:

  • For the duration of your subscription
  • As long as you instruct (through not deleting data)
  • Plus 30 days for backup retention

7.2 Deletion

Upon request or account termination:

  • Within 30 days: All personal data deleted or anonymized
  • Secure deletion: Data overwritten and not recoverable
  • Backups: Deleted from backups within 90 days
  • Exceptions: Data retained for legal compliance (with notice)

7.3 Data Return

Before deletion, you may request:

  • Complete data export in machine-readable format (CSV, JSON)
  • Transfer directly to another provider (where technically feasible)
  • Specific data extracts as needed

8. Audits and Inspections

8.1 Your Audit Rights

You have the right to:

  • Request information about our processing activities
  • Review security and compliance documentation
  • Conduct audits (subject to reasonable notice and confidentiality)

8.2 Audit Procedures

To conduct an audit:

  1. Provide 30 days' written notice
  2. Specify scope and concerns
  3. Sign confidentiality agreement
  4. Conduct audit during business hours
  5. Limit to once per year (unless breach suspected)

8.3 Third-Party Audits

We maintain third-party audit reports:

  • Annual security assessments
  • Penetration testing reports
  • Sub-processor compliance documentation
  • Available upon request (with NDA)

9. Liability and Indemnity

9.1 Your Liability

You are liable to data subjects for:

  • Your compliance with data protection laws
  • Obtaining necessary consents and legal bases
  • Providing required transparency information
  • Responding to data subject rights

9.2 DeckzMart's Liability

DeckzMart is liable for:

  • Processing data outside your instructions
  • Failure to implement appropriate security
  • Unauthorized disclosure
  • Sub-processor non-compliance

9.3 Limitation

Our liability is subject to limitations in the main Terms and Conditions, except where prohibited by law.

10. Term and Termination

10.1 Duration

This DPA is effective for the duration of your DeckzMart subscription and any period during which we process personal data on your behalf.

10.2 Termination

Upon termination of your subscription:

  • You may export all data within 30 days
  • After 30 days, data will be securely deleted
  • Some data may be retained for legal compliance
  • You will be notified of any retained data

11. Governing Law

This DPA is governed by the laws of England and Wales and is subject to:

  • UK GDPR
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)
  • Other applicable UK data protection laws

12. Changes to This DPA

We may update this DPA to reflect:

  • Changes in data protection laws
  • New processing activities
  • Changes in sub-processors

Material changes will be communicated with 30 days' notice.

13. Contact Information

For DPA-related matters:

  • Data Protection Officer: dpo@deckzmart.com
  • Legal Team: legal@deckzmart.com
  • Data Requests: sar@deckzmart.com
  • Postal Address: DeckzMart Ltd, London, United Kingdom

Understanding Your Responsibilities

As a data controller using DeckzMart, you have significant responsibilities under UK GDPR. Key requirements:

  • ✓ Have your own privacy policy
  • ✓ Obtain proper consents from clients/tenants
  • ✓ Respond to data subject requests within 30 days
  • ✓ Report breaches to ICO within 72 hours (if high risk)
  • ✓ Register with ICO if you process large amounts of data

Need help? Contact our Data Protection Officer at dpo@deckzmart.com

If you have questions about these legal documents, please contact us at legal@deckzmart.com

© 2026 DeckzMart Ltd. All rights reserved.