Data Processing Addendum

ESTATEOPS DATA PROCESSING ADDENDUM
Version 2.0.0 — Effective 10 February 2026

This Data Processing Addendum ("DPA") forms part of and supplements the EstateOps Terms of Service (the "Agreement") between the customer ("Controller") and EstateOps Ltd ("Processor"), and applies to the extent that the Processor processes Personal Data on behalf of the Controller in connection with the EstateOps platform (the "Service").

1. DEFINITIONS

1.1 In this DPA, the following terms have the meanings given to them in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018:
(a) "Personal Data" means any information relating to an identified or identifiable natural person.
(b) "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, and erasure.
(c) "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
(d) "Controller" means the party that determines the purposes and means of Processing.
(e) "Processor" means the party that Processes Personal Data on behalf of the Controller.
(f) "Sub-processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.
(g) "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

1.2 Terms not defined in this DPA have the meanings given to them in the Agreement.

2. SCOPE AND ROLES

2.1 The Controller determines the purposes and means of Processing Personal Data entered into the Service. The Processor Processes Personal Data solely on behalf of and in accordance with the documented instructions of the Controller.

2.2 Details of Processing:
(a) Subject matter: Provision of the EstateOps property management platform.
(b) Duration: For the term of the Agreement plus any applicable retention period.
(c) Nature and purpose: Storage, retrieval, organisation, and presentation of estate management data as directed by the Controller through use of the Service.
(d) Categories of Personal Data: Names, email addresses, IP addresses, role assignments, activity timestamps, and any Personal Data included in estate records by the Controller.
(e) Categories of Data Subjects: The Controller's employees, contractors, team members, and any individuals whose data is entered into the Service by the Controller.

3. PROCESSOR OBLIGATIONS

3.1 The Processor shall:
(a) Process Personal Data only on documented instructions from the Controller, unless required to do so by UK law, in which case the Processor shall inform the Controller of that legal requirement before Processing (unless prohibited from doing so by law).
(b) Ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in clause 5.
(d) Not engage another Processor (Sub-processor) without prior specific or general written authorisation of the Controller, subject to clause 4.
(e) Assist the Controller, taking into account the nature of Processing, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights under UK GDPR.
(f) Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of UK GDPR, taking into account the nature of Processing and the information available to the Processor.
(g) At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Service, and delete existing copies unless UK law requires storage of the Personal Data.
(h) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

3.2 The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes UK GDPR or other UK data protection provisions.

4. SUB-PROCESSORS

4.1 The Controller provides general written authorisation for the Processor to engage Sub-processors, subject to the requirements of this clause.

4.2 Current Sub-processors:

(a) Neon Tech Inc — Database hosting and management.
    Location: EU West (London / Frankfurt regions).
    Purpose: PostgreSQL database storage and query processing.

(b) Vercel Inc — Application hosting and content delivery.
    Location: EU / UK edge network.
    Purpose: Application hosting, serverless function execution, and static asset delivery.

4.3 The Processor shall:
(a) Notify the Controller of any intended changes to Sub-processors (additions or replacements) not less than 30 days before the change takes effect.
(b) Provide the Controller with the opportunity to object to such changes. If the Controller objects on reasonable grounds related to data protection, the parties shall discuss the objection in good faith. If no resolution is reached, the Controller may terminate the affected Service.
(c) Impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA.
(d) Remain fully liable to the Controller for the performance of each Sub-processor's obligations.

5. SECURITY MEASURES

5.1 The Processor implements and maintains the following technical and organisational measures:

(a) Encryption:
- Data in transit: TLS 1.2 or higher for all communications.
- Data at rest: Encryption using industry-standard algorithms.

(b) Access Control:
- Role-based access control within the Service.
- Authentication required for all access.
- Principle of least privilege applied to internal access.

(c) Logging and Monitoring:
- Append-only audit logging of significant operations.
- Administrative action logging with actor identification.

(d) Data Separation:
- Logical tenant separation ensuring Controller data is isolated from other customers.

(e) Personnel:
- Confidentiality obligations for all personnel with access to Personal Data.

(f) Incident Response:
- Documented incident response procedures.
- Designated personnel responsible for breach assessment and response.

5.2 The Processor shall regularly review and, where necessary, update these measures to maintain an appropriate level of security.

6. PERSONAL DATA BREACH NOTIFICATION

6.1 The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach. The Processor shall use reasonable endeavours to provide such notification within 48 hours of becoming aware of the breach.

6.2 The notification shall include, to the extent available:
(a) A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned.
(b) The name and contact details of the Processor's point of contact for further information.
(c) A description of the likely consequences of the breach.
(d) A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.

6.3 Where it is not possible to provide all information at the same time, the Processor shall provide information in phases without undue further delay.

6.4 The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

7. DATA SUBJECT RIGHTS

7.1 The Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests from Data Subjects exercising their rights under Chapter III of UK GDPR.

7.2 The Processor shall promptly notify the Controller if it receives a request from a Data Subject in respect of their Personal Data. The Processor shall not respond to such a request directly unless authorised to do so by the Controller.

8. INTERNATIONAL TRANSFERS

8.1 The Processor shall not transfer Personal Data to a country outside the United Kingdom unless:
(a) The transfer is to a country that has been deemed adequate by the Secretary of State under Section 17A of the Data Protection Act 2018; or
(b) Appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses; or
(c) A derogation under Article 49 of UK GDPR applies.

8.2 Where transfers are made in reliance on appropriate safeguards, the Processor shall ensure that the relevant transfer mechanism is in place before the transfer occurs.

9. DATA RETENTION AND DELETION

9.1 The Processor shall retain Personal Data for the duration of the Agreement.

9.2 Upon termination or expiry of the Agreement:
(a) The Controller may request export of Personal Data within 30 days.
(b) Following the export period, the Processor shall delete all Personal Data within 30 days, except where retention is required by UK law.
(c) Audit logs shall be retained for 7 years in accordance with regulatory requirements, after which they shall be securely deleted.

9.3 The Processor shall provide written confirmation of deletion upon request by the Controller.

10. AUDITS

10.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.

10.2 The Controller (or its appointed third-party auditor, subject to reasonable confidentiality obligations) may conduct an audit of the Processor's compliance with this DPA, subject to:
(a) Reasonable advance notice of not less than 30 days.
(b) Audits being conducted during normal business hours.
(c) The auditor complying with reasonable security and confidentiality requirements.
(d) No more than one audit per 12-month period, unless a Personal Data Breach has occurred or a supervisory authority requires an audit.

11. CONTROLLER OBLIGATIONS

11.1 The Controller shall:
(a) Ensure that it has a lawful basis for Processing Personal Data and for instructing the Processor to Process Personal Data on its behalf.
(b) Provide clear and adequate privacy notices to Data Subjects.
(c) Not instruct the Processor to Process Personal Data in violation of UK GDPR or other applicable data protection law.
(d) Be responsible for the accuracy, quality, and legality of Personal Data provided to the Processor.

12. LIABILITY

12.1 Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

12.2 Nothing in this DPA limits either party's liability for breaches of UK GDPR to the extent that such liability cannot be limited under applicable law.

13. TERM AND TERMINATION

13.1 This DPA shall come into effect on the date the Controller first uses the Service and shall remain in effect for the duration of the Agreement.

13.2 This DPA shall automatically terminate upon termination or expiry of the Agreement, subject to the Processor's obligations regarding deletion or return of Personal Data.

13.3 Clauses that by their nature should survive termination shall survive, including clauses 6 (Breach Notification), 9 (Retention and Deletion), 10 (Audits), and 12 (Liability).

14. GOVERNING LAW

14.1 This DPA is governed by and construed in accordance with the laws of England and Wales.

14.2 Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

15. CONTACT

Data Protection Officer: estateops@oshylabs.eu
Security Team: estateops@oshylabs.eu
General: estateops@oshylabs.eu

UPDATED DPA ADDITIONS

Data Retention
Real estate data retention: All property, asset, and transaction records retained for 6 years post-contract termination in accordance with UK Limitation Act 1980. Automated deletion triggers at 6-year + 30-day grace period.

Data Minimization
Processing limitation: Only process Personal Data strictly necessary for service delivery. Implement pseudonymization for internal analytics and reporting where feasible. Regular data minimization audits conducted quarterly.

Sub-processors
Current sub-processor list:
- Stripe Inc. - Payment processing (EU servers)
- Neon Database - Database hosting (EU region)
- Vercel Inc. - Application hosting and CDN (EU edge locations)

Sub-processor changes: 30-day advance notice provided via email. Customers may object to new sub-processors within 14 days; alternative arrangements will be offered where feasible.