Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Controller") and Portlio (the "Processor") under the Terms & Conditions. By using Portlio to store or process tenant personal data, you agree to this DPA. It applies automatically — no separate signature is required.

1. Definitions

In this DPA:

  • "Controller" means the landlord using the Portlio platform who determines the purposes and means of processing tenant personal data.
  • "Processor" means Portlio, which processes personal data on behalf of the Controller.
  • "Personal Data" has the meaning given in UK GDPR.
  • "Processing" has the meaning given in UK GDPR.
  • "Data Subject" means a tenant or other individual whose personal data is processed through the platform.
  • "Sub-processor" means any third party appointed by Portlio to process personal data.
  • "UK GDPR" means the UK General Data Protection Regulation and Data Protection Act 2018.

2. Details of processing

  • Subject matter: Providing the Portlio platform to the Controller
  • Nature of processing: Storage, retrieval, transmission, and deletion of personal data as directed by the Controller through use of the platform
  • Purpose: Enabling landlords to manage tenancy records, share documents, and communicate with tenants
  • Duration: For the term of the Controller's subscription, plus the period required to complete deletion
  • Types of personal data: Tenant names, email addresses, tenancy dates, rent amounts, and documents uploaded by the Controller
  • Categories of data subjects: Residential tenants of properties managed by the Controller

3. Controller obligations

The Controller warrants and agrees that:

  • They have a valid lawful basis under UK GDPR for the processing of tenant personal data using the platform (typically legitimate interests or performance of a contract).
  • They have provided tenants with the required privacy notices explaining that Portlio is used to manage their tenancy data.
  • They will only instruct Portlio to process personal data in accordance with UK GDPR.
  • They are responsible for the accuracy and legality of the personal data they upload to the platform.
  • They will handle any data subject requests from tenants relating to data the Controller holds in Portlio.

4. Processor obligations

Portlio agrees to:

  • Process personal data only on the documented instructions of the Controller, except where required to do so by law.
  • Ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organisational security measures in accordance with Article 32 UK GDPR (see Section 7).
  • Not engage sub-processors without the Controller's prior general authorisation (see Section 5).
  • Assist the Controller in responding to data subject requests, to the extent reasonably possible given the nature of the processing.
  • Notify the Controller without undue delay upon becoming aware of a personal data breach affecting tenant data.
  • Delete or return all personal data to the Controller upon termination of the agreement, as directed.
  • Make available all information necessary to demonstrate compliance with this DPA.

5. Sub-processors

The Controller provides general authorisation for Portlio to engage the following sub-processors. Portlio will notify Controllers of any changes to this list with reasonable advance notice.

  • Sub-processor: Supabase Inc. Purpose: Database hosting, authentication, and file storage. Location: EU/EEA.
  • Sub-processor: Vercel Inc. Purpose: Application hosting and delivery. Location: USA (SCCs in place).

6. International transfers

Where personal data is transferred to countries outside the UK, Portlio ensures appropriate safeguards are in place — including Standard Contractual Clauses or reliance on adequacy decisions — in accordance with Chapter V of UK GDPR.

7. Security measures

Portlio implements the following technical and organisational measures to protect personal data:

  • Encryption of data in transit (TLS) and at rest
  • Role-based access controls ensuring users can only access their own data
  • Row-level security policies at the database layer
  • Regular backups with point-in-time recovery
  • Monitoring and alerting for unusual access patterns
  • Secure authentication with hashed credentials

8. Data breach notification

In the event of a personal data breach that is likely to affect tenant personal data processed on behalf of the Controller, Portlio will notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach. The notification will include, where known: the nature of the breach, the categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

9. Termination and deletion

Upon termination of the Controller's account, Portlio will, at the Controller's election, either delete or return all personal data processed on the Controller's behalf within 30 days, and delete existing copies unless required by law to retain them. The Controller may export their data at any time from within the platform prior to termination.

10. Governing law

This DPA is governed by the laws of England and Wales and is subject to the exclusive jurisdiction of the courts of England and Wales.

© 2026 Portlio. All rights reserved. · Registered in England & Wales