
Data Processing Agreement

This Data Processing Agreement (“Agreement”) is incorporated into and forms part of the SaaS Terms and Conditions (“Terms”) for the Rentman Platform. By accepting the Terms, whether by clicking "I accept" or similar button or by accessing or using the Rentman Platform, Customer explicitly agrees to be bound by this Agreement. This Agreement is deemed to be an integral part of the Terms entered into between DOTGOMM LTD (“Company”) and the Customer.

Under this Agreement, Company primarily acts as a Data Processor processing Personal Data on behalf of the Customer (who acts as the Data Controller) in connection with the Customer's use of the Rentman Platform. Company may also act as an independent Controller for certain processing activities related to platform administration and improvement.

DEFINITIONS

For the purposes of this Agreement, the terms: “Controller”, “Data Subject”, “Joint-Controller(s)”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, “Special Categories of Personal Data”, and “Sub-Processor” shall have the meanings given to them in Article 4 of the UK GDPR and the Data Protection Act 2018. The following additional terms shall have the meanings:

Customer means the entity or person that has agreed to the Terms to use the Rentman Platform.
Company means DOTGOMM LTD (Company No. 16289808) having its registered office at 60 High Street Chobham, Woking, Surrey, United Kingdom, GU24 8AA.
Applicable Privacy Laws means all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); the General Data Protection Regulation ((EU) 2016/679) to the extent applicable in the UK (GDPR) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the Information Commissioner (ICO) or other relevant regulatory authority and which are applicable to a party (Supervisory Authority); and
Protected Data means the Personal Data as explicitly set forth in Part A of this Agreement, which is uploaded to, generated within, or accessed through the Rentman Platform, including but not limited to property transaction records, tenant and landlord information, financial records, and any other personal data processed as part of the letting agency services (including its desktop application and web portal), including any data transferred through third-party integrations by or on behalf of the Customer and processed by the Company in its capacity as Processor on behalf of the Customer (acting as Controller) in connection with the Customer's use of the Rentman Platform.

Any other capitalised terms in this Agreement, not defined herein, shall have the meanings set out in the Terms.

  1. Scope of this Agreement

    For the purposes of this Agreement and the Terms, the parties acknowledge and agree that:

    • This Agreement applies to all Personal Data processed by the Company through the Rentman Platform on behalf of the Customer, including data accessed through the desktop application, web portal, and third-party integrations, which shall be processed in compliance with the Applicable Privacy Laws.
    • Independent Controllers. This Agreement does not apply to the parties’ respective obligations as independent Controllers of Personal Data. Company and the Customer operate as separate Controllers in respect to the Personal Data either party may independently process in connection with the performance of obligations under the Terms or otherwise. Accordingly:
      • the Company shall be deemed a separate Controller for any Personal Data (i) it collects to provide the services to its clients and customers; and (ii) it collects in the course of providing the Rentman Platform for platform administration and improvement.
      • Customer shall be deemed a separate Controller for Personal Data related to its employees and customers.
      • The parties hereby undertake to respect applicable laws which apply to them as separate Controllers and to be liable separately for their own controllership obligations and responsibilities when acting as separate Controllers.

  2. Roles of the parties

    The parties agree that this Agreement shall only apply to processing activities whereby:

    • The Protected Data is exchanged between the Company and the Customer, as part of and in the course of performance of their respective obligations under the Terms.
    • The Company acts as a Data Processor for Customer data processed through the Rentman Platform, and as an independent Controller only for specific platform administration and improvement activities as detailed in Section 13 of this Agreement.

    Nothing in this Agreement relieves either party of any of their respective responsibilities or liabilities under the Applicable Privacy Laws.

  3. Customer’s compliance with Applicable Privacy Laws

    When acting as Controller, Customer shall at all times comply with all Applicable Privacy Laws. Customer shall ensure that all instructions given by it to the Company in respect of Protected Data (including the terms of this Agreement) shall at all times be in accordance with Applicable Privacy Laws. Customer shall be solely responsible for ensuring that it has obtained all applicable consents and has provided all advance notice and information of the processing contemplated hereunder to any Data Subjects, as required of it under Applicable Privacy Laws.

  4. Company’s compliance with Applicable Privacy Laws

    Company shall process Protected Data in compliance with the obligations placed on it under Applicable Privacy Laws and the terms of this Agreement.

  5. Instructions

    Company shall only process (and shall ensure that its personnel and Sub-Processors only process) the Protected Data in accordance with the Customer’s instructions set out at Part A of this Agreement and the terms of this Agreement, except to the extent: (a) that alternative processing instructions are agreed between the parties in writing; or (b) otherwise required by Applicable Privacy Laws (in which case, the Company shall inform Customer of that legal requirement before processing, unless applicable law prevents it doing so on important grounds of public interest). If the Company believes that any instruction received by it from the Customer is likely to infringe the Applicable Privacy Laws, the parties shall discuss and agree on appropriate amended instructions which are not infringing.

  6. Security

    To protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access, the Company shall implement and maintain appropriate technical and organisational measures in accordance with Article 32 of the UK GDPR, including but not limited to: (a) hosting data on secure UK-based Microsoft Azure servers with individual customer databases and encryption at rest and in transit; (b) maintaining comprehensive audit trails of all data access, modifications, and property transactions; (c) implementing role-based access controls with multi-factor authentication; (d) providing secure access through the desktop application and web portal with session timeout controls; (e) ensuring secure integration with third-party portals like Rightmove and Zoopla; and (f) implementing specific security controls for financial data processing including bank reconciliation and payment information, all as further detailed in Part B of this Agreement.

  7. Sub-processing

    The Company’s current list of Sub-Processors is set forth in Part C, which includes property portal integration partners (such as Rightmove, Zoopla, and OnTheMarket), electronic signature providers, and development teams in Canada and South Africa. The Company shall maintain an up-to-date list of Sub-Processors and shall notify Customers of any intended changes concerning the addition or replacement of Sub-Processors by email at least thirty (30) days in advance. Customer may object to such changes within fourteen (14) days of receiving notice. If Customer objects to a new Sub-Processor and Company cannot reasonably accommodate Customer's objection, either party may terminate the affected services upon written notice.

  8. Data Subjects Rights

    • The Company shall assist the Customer in ensuring compliance with Customer’s obligations pursuant to Articles 32 to 36 of the UK GDPR (and any similar obligations under the Applicable Privacy Laws) taking into account the nature of the processing and the information available to the Customer. Taking into account the nature of the processing, the Customer shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company’s obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the GDPR (and any similar obligations under Applicable Privacy Laws) in respect of any Protected Data, as this relates to Protected Data.
    • Customer shall promptly notify the Company if it receives a request from a Data Subject under any Data Protection Law in respect of Personal Data; and ensure that it does not respond to that request except on the documented instructions of the Company or as required by applicable laws to which the Customer is subject, in which case the Customer shall to the extent permitted by applicable laws inform the Company of that legal requirement before responding to the request.

  9. International transfers

    Company shall not transfer Protected Data to countries outside the UK/EEA except where appropriate safeguards are in place through UK International Data Transfer Agreements (IDTAs), UK Addendum to EU Standard Contractual Clauses, or other approved transfer mechanisms under UK GDPR. For transfers to Canada, Company relies on the UK's recognition of the EU adequacy decision for Canada. Any future transfers to other non-adequate countries shall only occur after: (1) implementation of appropriate UK IDTAs; (2) completion of transfer impact assessments; and (3) implementation of additional technical and organisational measures as required by the ICO's international transfer risk assessment guidance. Company shall maintain a register of all international transfers and conduct regular risk assessments. If transfer is required by law, Company will inform the Customer of the legal requirement before such transfer, unless prohibited by law.


  10. Audits and processing

    The Company shall, in accordance with Applicable Privacy Laws, make available to the Customer such information as is necessary to demonstrate the Company's compliance with its obligations under this Agreement, including access to the platform's built-in auditing tools that track data access and modifications. The Company shall maintain comprehensive audit trails both within the Rentman Platform and in the backend systems to enable tracking of who accessed and modified data, when, and from where, and to demonstrate compliance with the obligations on each party imposed by Article 28 of the GDPR (and under any equivalent Applicable Privacy Laws equivalent to that Article 28) for any Protected Data, and allow for and contribute to audits, including inspections, by the Company (or another auditor mandated by the Company) for this purpose (subject to a maximum of one audit request in any 12-month period, and provided that such audit is conducted on reasonable notice, during normal business hours in the United Kingdom, and results in minimal disruption to Customer’s business, except where the audit relates to or follows a Personal Data Breach).

  11. Personal Data Breach

    Company shall notify the Customer without undue delay and in any event within 24 hours of becoming aware of any Personal Data Breach affecting the Protected Data, and shall provide sufficient information to allow the Customer to meet its obligations under Article 33 of the UK GDPR to report the breach to the Information Commissioner's Office. The notification shall include: (a) a description of the nature of the breach; (b) the categories and approximate number of Data Subjects affected; (c) likely consequences of the breach; and (d) measures taken or proposed to address the breach. Company shall cooperate with the Customer and take all reasonable steps to investigate, mitigate and remediate each such Personal Data Breach.

  12. Deletion/Return

    • Upon termination of the Terms, Company shall provide Customer with the ability to export the Protected Data through the platform's self-service export tools in a commonly used machine-readable format (such as CSV, XML, or JSON) for a period of thirty (30) Business Days. After this period, Company shall securely delete all Protected Data from its systems, including any copies stored in backup systems, except where required by applicable law to retain such data. This deletion process shall include data stored in both production and backup environments, as well as any data transferred to integrated third-party services. Company shall provide written confirmation of deletion upon Customer's request.
    • Notwithstanding the foregoing, Company may retain anonymised and aggregated data derived from Customer's use of the Rentman Platform, provided that such data cannot be used to identify, either directly or indirectly through combination with other data, any individual Data Subject, Customer, or Customer's clients, and such anonymisation is performed in accordance with the requirements of Article 5(1)(e) of the UK GDPR and ICO guidance on anonymisation. Such anonymised data may be used for platform improvements, statistical analysis, and service optimisation. Company shall ensure compliance with Applicable Privacy Laws in its processing of such anonymised data.

  13. Additional Processing Activities

    • Company may process certain Personal Data as an independent Controller strictly limited to: (1) platform usage analytics (such as feature usage patterns and system performance metrics); (2) service improvement activities using anonymised data only; and (3) internal CRM activities relating to Customer contact information and account management. Company shall not process any tenant, landlord, or property transaction data as a Controller. Such processing will be governed by Company's Privacy Policy and conducted in accordance with Applicable Privacy Laws.
    • Each party will provide a compliant data privacy notice to any end-users informing such end-users of their respective identities, the purpose or purposes for which end-user Personal Data will be processed, and any other information that, having regard to the specific circumstances of the collection and expected processing, is required to enable fair processing.

  14. Liability

    Company shall be liable for any breach of Applicable Privacy Laws resulting from its processing activities as a data processor. Company shall indemnify Customer for any losses incurred due to Company's breach of Applicable Privacy Laws or this Agreement. Customer shall be liable for ensuring the lawful basis for processing and compliance with Applicable Privacy Laws in its role as data controller. All liability shall be subject to the limitations set forth in the Terms.

  15. General Terms

    • Confidentiality. The confidentiality provisions in the Terms shall apply to all information and data processed under this Agreement. Company shall ensure that all personnel with access to Protected Data are bound by appropriate confidentiality obligations and have received adequate data protection training.
    • Notices. All notices and communications given under this Agreement must be in writing and will be delivered in accordance with the notice provisions set out in the Terms.
    • Governing Law and Jurisdiction. This Agreement is governed by the laws of England and Wales. Any dispute arising in connection with this Agreement, which the parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of England and Wales, provided that this does not affect the jurisdiction of the Information Commissioner's Office or other relevant supervisory authorities under Applicable Privacy Laws.

    Part A Processing Activities

    Processing of the Protected Data by Company under this Agreement and the Terms shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in this Part A, in accordance with UK GDPR requirements, EU GDPR where applicable, and the Data Protection Act 2018. Such processing shall adhere to the principles of data minimisation and purpose limitation, ensuring that only data necessary for the specified purposes is processed.

    Subject-matter of processing: To enable Customer's use of the Rentman Platform for property management, letting, and sales activities, including property advertising on major portals, financial management, bank reconciliation, trial balance preparation, and all related data processing necessary for these purposes.
    Duration of the processing: For the duration of the Terms, and for the retention period specified in the data deletion provisions. This includes processing of Protected Data in both live systems and backups, as well as any data processed through third-party integrations enabled by the Customer.
    Nature and purpose of the processing: To process Personal Data as necessary for: (i) property management, letting, and sales activities through the Rentman Platform; (ii) facilitating third-party integrations for property advertising and document management; (iii) providing technical support and maintenance; (iv) generating audit trails of system access and modifications; and (v) creating backups and ensuring data security.
    Type of Personal Data: This includes personal information about tenants, landlords, contractors, property applicants, and customer employees, including but not limited to: names, contact details (phone numbers, email addresses, physical addresses), payment and banking information (including bank account details, rent payment histories, and financial references), employment details and income verification, and any personal information contained within legal documents and contracts related to property transactions and management.
    Categories of Data Subjects: Tenants, landlords, contractors, property applicants, customer employees, and any other individuals whose personal data is processed through the Rentman Platform in connection with property letting, sales, and management activities.

    Part B Minimum technical and organisational security measures

    In accordance with Applicable Privacy Laws, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of the Protected Data to be carried out under or in connection with the SaaS Terms and Conditions, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons and the risks that are presented by the processing, especially from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Protected Data transmitted, stored or otherwise processed, Company shall implement and maintain appropriate technical and organisational security measures proportionate to the risk, which shall be reviewed and updated at least annually or upon material changes to the security infrastructure, documented, and made available to the Customer through the Company's security portal or upon written request, including but not limited to: (a) the encryption and pseudonymisation of Protected Data; (b) secured Microsoft Azure cloud infrastructure with UK-based servers, ensuring data residency compliance with UK GDPR requirements; (c) individual database instances for each Customer on shared MySQL servers with encryption at rest; (d) comprehensive audit logging of data access and modifications through both the Rentman platform interface and backend systems; (e) role-based access controls and multi-factor authentication mechanisms for Company support and development staff when accessing Customer data, all as further detailed in Part B of this Agreement. For any development team access from South Africa, additional controls will be implemented including: (a) strict role-based access control with granular permissions; (b) enhanced monitoring and logging of all data access; (c) regular security audits; and (d) specific restrictions on data transfer and storage. 
    Restriction of access to pseudonymised data where possible; (e) real-time monitoring and automated alerts for any unusual access patterns; (f) secure access mechanisms for the Rentman desktop application and web portal including multi-factor authentication; (g) controls over local backup creation and storage with encryption requirements where applicable; (h) regular penetration testing and security assessments; and (i) those matters mentioned in Articles 32(1)(a) to 32(1)(d) (inclusive) of the GDPR, to Protected Data.

    Part C Company's Authorised Sub-Processors, International Data Transfers, and Transfer Impact Assessment Summary

    Sub-Processor Processing Activity and Data Categories Location (inside or outside of the UK or EEA) Compliance URL International Transfer Mechanism and Supplementary Measures
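    Sub-Processor: Microsoft Azure
    Processing Activity: Infrastructure and Technical Support
    Data Categories: Basic Personal Data, Location Data, Employment-Related Data, Financial Data, Communication Data
    Location: UK
    Compliance URL: https://learn.microsoft.com/en-gb/compliance/regulatory/gdpr
    International Transfer Mechanism and Supplementary Measures: N/A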

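    Sub-Processor: dotGomm Inc.
    Processing Activity: Development, Infrastructure, and Support
    Data Categories: Basic Personal Data, Location Data, Employment-Related Data, Financial Data, Communication Data
    Location: Canada (Outside UK & EEA, GDPR Adequate Country)
    Compliance URL: www.dotgomm.ca/dotgomm/compliance.php
    International Transfer Mechanism and Supplementary Measures: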

    This sub-processor is located in Canada, which is recognized by the European Commission (and/or UK Secretary of State) as providing an adequate level of data protection under Article 45 of the GDPR.

    As such, personal data may be lawfully transferred to this sub-processor without the need for additional safeguards such as Standard Contractual Clauses (SCCs).

    Nevertheless, supplementary measures have been adopted, including:

    • Encryption of data in transit and at rest
    • Access controls and audit logging
    • Limited data access based on the principle of least privilege
    • Ongoing monitoring of the country’s adequacy status

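    Sub-Processor: Henry Janse van Nieuwenhuizen (Independent Contractor)
    Processing Activity: Support
    Data Categories: Basic Personal Data, Location Data, Employment-Related Data, Financial Data, Communication Data
    Location: South Africa (Outside UK & EEA, GDPR Non-Adequate Country)
    Compliance URL: www.dotgomm.ca/dotgomm/compliance.php
    International Transfer Mechanism and Supplementary Measures: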

    This sub-processor is located in South Africa, which is not currently recognized by the UK or EU as providing an adequate level of data protection under Article 45 of the UK GDPR or EU GDPR.

    The transfer of personal data to this sub-processor is therefore governed by the use of the UK International Data Transfer Agreement (IDTA), as approved by the UK Information Commissioner’s Office (ICO), or the UK Addendum to the EU Standard Contractual Clauses.

    In addition to the IDTA, we have implemented supplementary measures in accordance with the ICO’s and EDPB’s recommendations, including:

    • Encryption of data in transit and at rest
    • Role-based access control and authentication requirements
    • Data minimization and pseudonymization where feasible

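    Sub-Processor: Marike Janse van Nieuwenhuizen (Independent Contractor)
    Processing Activity: Support
    Data Categories: Basic Personal Data, Location Data, Employment-Related Data, Financial Data, Communication Data
    Location: South Africa (Outside UK & EEA, GDPR Non-Adequate Country)
    Compliance URL: www.dotgomm.ca/dotgomm/compliance.php
    International Transfer Mechanism and Supplementary Measures: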

    This sub-processor is located in South Africa, which is not currently recognized by the UK or EU as providing an adequate level of data protection under Article 45 of the UK GDPR or EU GDPR.

    The transfer of personal data to this sub-processor is therefore governed by the use of the UK International Data Transfer Agreement (IDTA), as approved by the UK Information Commissioner’s Office (ICO), or the UK Addendum to the EU Standard Contractual Clauses.

    In addition to the IDTA, we have implemented supplementary measures in accordance with the ICO’s recommendations, including:

    • Encryption of data in transit and at rest
    • Role-based access control and authentication requirements
    • Data minimization and pseudonymization where feasible

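    Sub-Processor: Nathan Combrinck (Independent Contractor)
    Processing Activity: Support
    Data Categories: Basic Personal Data, Location Data, Employment-Related Data, Financial Data, Communication Data
    Location: South Africa (Outside UK & EEA, GDPR Non-Adequate Country)
    Compliance URL: www.dotgomm.ca/dotgomm/compliance.php
    International Transfer Mechanism and Supplementary Measures: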

    This sub-processor is located in South Africa, which is not currently recognized by the UK or EU as providing an adequate level of data protection under Article 45 of the UK GDPR or EU GDPR.

    The transfer of personal data to this sub-processor is therefore governed by the use of the UK International Data Transfer Agreement (IDTA), as approved by the UK Information Commissioner’s Office (ICO), or the UK Addendum to the EU Standard Contractual Clauses.

    In addition to the IDTA, we have implemented supplementary measures in accordance with the ICO’s recommendations, including:

    • Encryption of data in transit and at rest
    • Role-based access control and authentication requirements
    • Data minimization and pseudonymization where feasible