Back to Home

Data Processing Addendum

Last updated: 20 February 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Lease Ward ("Processor") and the User ("Controller"). This DPA applies where the User enters or uploads personal data into the Lease Ward platform.

1. Definitions

  • "Applicable Data Protection Law" — means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any applicable data protection legislation.
  • "Controller" — means the User who determines the purposes and means of processing personal data.
  • "Processor" — means Lease Ward, which processes personal data on behalf of the Controller.
  • "Personal Data" — has the meaning given in UK GDPR.
  • "Sub-processor" — means a third party engaged by Processor to process Personal Data.

2. Scope and Purpose of Processing

Processor shall process Personal Data solely:

  • To provide the Lease Ward services under the Terms of Service
  • In accordance with documented instructions from the Controller
  • In compliance with Applicable Data Protection Law

Processor shall not process Personal Data for its own purposes.

3. Nature and Purpose of Processing

The nature of processing includes:

  • Storage
  • Organisation
  • Retrieval
  • Structuring
  • Logging
  • Deletion

The purpose of processing is to provide:

  • Compliance tracking tools
  • Repairs risk logging
  • Notice generation tools
  • Evidence pack generation
  • Risk timeline monitoring

4. Categories of Data Subjects

Data subjects may include:

  • Tenants
  • Guarantors
  • Permitted occupiers
  • Contractors (if entered by User)
  • Landlords (account holders)

5. Categories of Personal Data

Personal Data processed may include:

  • Names
  • Contact details
  • Property addresses
  • Deposit information
  • Tenancy agreement details
  • Uploaded documents
  • Compliance certificate data
  • Repair records and communications logs

Processor does not intentionally collect special category data. Controller is responsible for ensuring no unlawful data is uploaded.

6. Controller Obligations

The Controller warrants that:

  • It has a lawful basis for processing Personal Data
  • It has provided appropriate privacy notices to data subjects
  • It complies with Applicable Data Protection Law
  • It will not upload unlawful or excessive Personal Data

Controller remains solely responsible for:

  • Accuracy of Personal Data
  • Legal validity of notices generated
  • Compliance with housing and regulatory law

7. Processor Obligations

Processor shall:

  • Process Personal Data only on documented instructions
  • Ensure persons authorised to process data are subject to confidentiality
  • Implement appropriate technical and organisational security measures
  • Assist Controller in responding to data subject requests (where reasonably practicable)
  • Notify Controller without undue delay upon becoming aware of a personal data breach affecting Controller data

Processor shall not:

  • Sell Personal Data
  • Use Personal Data for marketing purposes
  • Process Personal Data outside the scope of this DPA

8. Security Measures

Processor implements appropriate technical and organisational measures, including:

  • Encrypted transmission (HTTPS/TLS)
  • Secure authentication systems
  • Access controls and role restrictions
  • Infrastructure-level security controls
  • Restricted internal access to production systems

While reasonable measures are implemented, no system can guarantee absolute security.

9. Sub-processors

Controller authorises Processor to engage Sub-processors.

Current Sub-processors may include:

  • Stripe — payment processing
  • Supabase — database infrastructure and authentication
  • Vercel — hosting infrastructure

Processor shall ensure Sub-processors are subject to contractual data protection obligations and shall remain responsible for Sub-processor compliance.

10. International Transfers

Where Sub-processors process Personal Data outside the United Kingdom, Processor shall ensure appropriate safeguards are implemented, including:

  • Standard Contractual Clauses (where required)
  • Adequacy decisions (where applicable)

11. Data Subject Rights

Processor shall:

  • Assist Controller, where reasonably possible, in responding to data subject requests
  • Provide access, rectification, deletion or restriction tools within the platform where available

Controller remains responsible for responding to data subject requests.

12. Data Breach Notification

Processor shall notify Controller without undue delay after becoming aware of a personal data breach affecting Controller data.

Notification shall include:

  • Description of the breach
  • Categories of data affected
  • Steps taken to mitigate impact

Controller remains responsible for regulatory reporting unless otherwise agreed.

13. Data Retention and Deletion

Upon termination of the Services:

  • Controller may request deletion of Personal Data
  • Processor shall delete or anonymise data within a reasonable period, subject to legal obligations
  • Backup systems may retain data temporarily in accordance with standard retention cycles

14. Audit Rights

Controller may request reasonable information regarding Processor's data protection measures.

Processor is not required to permit on-site audits unless legally required.

15. Liability

Liability for data protection breaches shall be governed by the limitation of liability provisions in the Terms of Service.

16. Governing Law

This DPA is governed by the laws of England and Wales.

Questions?

For questions regarding this Data Processing Addendum:

Lease Ward

hello@leaseward.com
Terms of ServicePrivacy PolicyCookie PolicyData Processing Addendum

© 2026 Lease Ward. All rights reserved.