Trust Centre

Data Processing Addendum

DPA for agencies using the LetAdmin platform.

This Data Processing Addendum ("DPA") forms part of the agreement between:

LetAdmin Ltd
224 Wellesbourne, 139–145 Preston Road
Brighton, BN1 6BA, United Kingdom
Email: privacy@letadmin.com

("LetAdmin", "Processor", "we", "us")

and

The letting agency or company that has signed up to use the LetAdmin platform
("Agency", "Controller", "you")

together referred to as the "Parties".

This DPA applies when LetAdmin processes Personal Data on behalf of the Agency in connection with the LetAdmin platform.

1. Definitions

For this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in UK GDPR.
  • "Processing", "Controller", "Processor", "Data Subject", "Supervisory Authority" have the meanings given in UK GDPR.
  • "UK GDPR" means the UK General Data Protection Regulation, as retained in UK law.
  • "Services" means the LetAdmin platform and related support services.
  • "Subprocessor" means any third party engaged by LetAdmin to process Personal Data on behalf of the Agency.

If there is any conflict between this DPA and the main services agreement, this DPA takes priority for data protection matters.

2. Roles of the Parties

  1. The Agency is the Controller of the Personal Data.
  2. LetAdmin is the Processor, processing Personal Data on behalf of the Agency.
  3. The Agency is responsible for:
    • deciding which Personal Data is entered into the Services
    • ensuring it has a lawful basis for all processing activities
    • providing any required notices to Data Subjects
  4. LetAdmin will only process Personal Data:
    • on the Agency's documented instructions, and
    • as necessary to provide the Services.

3. Subject matter, nature and purpose of processing

LetAdmin processes Personal Data to provide the Services, including:

  • managing properties, landlords, tenants, and applicants
  • sending communications (emails, SMS) as instructed by the Agency
  • running workflows and automations
  • performing reconciliation and accounting tasks (including via Open Banking)
  • generating reports, statements and documents
  • providing support and troubleshooting
  • maintaining logs and audit trails
  • improving and securing the Services

Further details of the categories of data and purposes are set out in Annex 1.

4. Agency instructions

  1. LetAdmin will process Personal Data only:
    • in accordance with this DPA,
    • the main services agreement, and
    • the Agency's documented instructions (including configuration of the Services).
  2. If LetAdmin believes an instruction infringes UK GDPR or other applicable data protection laws, LetAdmin will inform the Agency without undue delay.
  3. LetAdmin may process Personal Data where required by UK law. In such cases, LetAdmin will inform the Agency of that legal requirement (unless prohibited by law).

5. Confidentiality

  1. LetAdmin will ensure that any person authorised to process Personal Data is:
    • subject to a duty of confidentiality, and
    • only given access to the data they need to perform their job.
  2. LetAdmin staff are trained on data protection and security appropriate to their role.

6. Security

  1. LetAdmin implements appropriate technical and organisational measures to protect Personal Data, including (without limitation):
    • data encryption in transit and at rest
    • role-based access control and least-privilege permissions
    • mandatory multi-factor authentication for internal access
    • secure hosting and storage (Heroku EU, AWS S3 eu-west-2, Vercel EU)
    • logging and monitoring of key actions
    • regular backups and tested restore procedures
  2. These measures are described in more detail in the LetAdmin Product Privacy Policy.
  3. LetAdmin will maintain these measures and may update them from time to time, provided the overall level of protection is not reduced.

7. Use of Subprocessors

  1. The Agency authorises LetAdmin to use Subprocessors to provide the Services.
  2. LetAdmin will:
    • only use Subprocessors that provide sufficient guarantees of GDPR compliance
    • put in place written contracts with Subprocessors imposing data protection obligations no less protective than this DPA
  3. LetAdmin maintains a list of current Subprocessors, available on request. This list may include:
    • hosting and infrastructure providers
    • email and SMS providers
    • AI model providers (currently OpenAI and Anthropic)
    • Open Banking provider (currently Finexer)
    • analytics, logging and monitoring tools
  4. LetAdmin will notify the Agency (for example, via email or the app) of any intended changes to Subprocessors that materially affect the processing of Personal Data. The Agency may object on reasonable data protection grounds. If the Parties cannot agree a solution, the Agency may terminate the relevant Services.
  5. LetAdmin remains responsible for the acts and omissions of its Subprocessors as if they were its own.

8. Data subject rights

  1. If LetAdmin directly receives a request from a Data Subject relating to Personal Data processed on behalf of the Agency (for example, access, deletion, objection), LetAdmin will:
    • notify the Agency without undue delay, and
    • not respond directly, unless authorised or required by law.
  2. LetAdmin will provide reasonable assistance to the Agency in fulfilling Data Subject rights, taking into account the nature of the processing and the tools available in the Services.

9. Assistance with compliance

Taking into account the nature of processing and information available, LetAdmin will provide reasonable assistance to the Agency with:

  • security of processing
  • data protection impact assessments (DPIAs), where required
  • consultations with the ICO or other supervisory authorities, where required

Any extensive or unusual assistance may be subject to reasonable fees, agreed in advance.

10. International transfers

  1. Personal Data may be processed outside the UK/EU when using certain Subprocessors (for example, AI or email providers).
  2. Where Personal Data is transferred outside the UK/EU, LetAdmin will ensure appropriate safeguards are in place, such as:
    • adequacy regulations
    • International Data Transfer Agreements (IDTAs)
    • the UK Addendum to the EU Standard Contractual Clauses
    • other legally recognised transfer mechanisms
  3. LetAdmin will provide details of relevant transfer safeguards upon reasonable request.

11. Personal data breaches

  1. A Personal Data Breach is a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  2. If LetAdmin becomes aware of a Personal Data Breach affecting Personal Data processed on behalf of the Agency, LetAdmin will:
    • notify the Agency without undue delay after becoming aware of it
    • provide information reasonably required for the Agency to meet its legal obligations, where known
    • take appropriate steps to mitigate and remedy the breach
  3. The Agency is responsible for assessing whether to notify the ICO and Data Subjects, and for making any such notifications.

12. Deletion or return of data

  1. Upon termination or expiry of the Services, or upon written request from the Agency, LetAdmin will:
    • delete Personal Data processed on behalf of the Agency, or
    • return it to the Agency in a commonly used format,
    except where LetAdmin is required by law to retain some data (for example, for financial record-keeping).
  2. Deletion from backups may occur in accordance with LetAdmin's standard backup retention cycles.

13. Audits and information

  1. LetAdmin will provide the Agency with information reasonably necessary to demonstrate compliance with this DPA and UK GDPR, which may include:
    • security documentation
    • summaries of third-party audit reports (where available)
    • answers to reasonable written questions
  2. If the Agency reasonably believes further audit is necessary, the Parties will discuss the scope and method. Any on-site audits:
    • must be agreed in advance
    • will be carried out during normal business hours
    • must respect LetAdmin's confidentiality and security obligations
    • may be subject to reasonable fees, agreed in advance

14. Liability

  1. Each Party's liability under this DPA is subject to the limitations and exclusions of liability set out in the main services agreement, except where prohibited by law.
  2. Nothing in this DPA limits either Party's liability for:
    • death or personal injury caused by negligence
    • fraud or fraudulent misrepresentation
    • any other liability that cannot be limited under applicable law

15. Term and termination

  1. This DPA comes into effect when the Agency starts using the LetAdmin platform and remains in force for as long as LetAdmin processes Personal Data on behalf of the Agency.
  2. Termination of the main services agreement automatically results in termination of this DPA, subject to Sections 10 and 12 (retention, deletion and return of data).

16. Governing law and jurisdiction

This DPA is governed by the laws of England and Wales.

The Parties submit to the exclusive jurisdiction of the courts of England and Wales for any disputes arising out of or in connection with this DPA.

Annex 1 – Details of processing

1. Categories of Data Subjects

The Personal Data processed may relate to:

  • Landlords
  • Tenants and occupiers
  • Applicants and enquirers
  • Contractors and suppliers (where recorded in the system)
  • Agency staff and users of the platform

2. Categories of Personal Data

Depending on how the Agency uses the Services, this may include:

  • Identification and contact details (names, addresses, phone numbers, email addresses)
  • Tenancy and application details (rent, term, start/end dates, property addresses, notes)
  • Financial data (account identifiers, transaction data via Open Banking)
  • Communications (emails, SMS content, viewing confirmations, notices)
  • Documents (ASTs, IDs, certificates, inspection reports, statements)
  • Technical data and logs (login timestamps, IP addresses, device/browser information)
  • AI-generated content and prompts (summaries, drafts, internal assistant messages)

Special category data is not intentionally required by LetAdmin. If the Agency chooses to store such data, it remains responsible for ensuring a lawful basis and appropriate safeguards.

3. Purpose of processing

Personal Data is processed for the following purposes:

  • Letting and property management operations
  • Tenancy administration and compliance
  • Communications with landlords, tenants, applicants and contractors
  • Accounting and client money management, including reconciliation
  • Record-keeping and audit
  • Operation, security and improvement of the Services

4. Duration of processing

LetAdmin will process Personal Data for the duration of the services agreement with the Agency, plus any retention period described in the Product Privacy Policy and this DPA, unless a longer period is required by law.

Annex 2 – Subprocessors

LetAdmin uses the following categories of Subprocessors:

  • Infrastructure & hosting – e.g. Heroku, AWS, Vercel
  • Email & messaging – e.g. transactional email and SMS providers
  • AI providers – currently OpenAI and Anthropic
  • Open Banking provider – currently Finexer
  • Logging & monitoring – e.g. error tracking and log aggregation tools
  • Analytics – privacy-friendly analytics tools (for product usage insights)

Details of current Subprocessors, including locations and roles, will be provided upon request.