1. Parties and roles
1.1 This DPA forms part of, and is incorporated into, the Terms of Service between CCP Project Enablement Ltd, company number 17004871, trading as HouseComply ("Processor", "we") and the customer agreeing to those Terms ("Customer", "Controller", "you").
1.2 For personal data you enter about properties, landlords, tenants and occupants ("Customer Personal Data"), you are the Controller and HouseComply is the Processor. HouseComply is a separate, independent Controller only for your own account and billing data — that processing is governed by our Privacy Policy, not this DPA.
1.3 This DPA prevails over any conflicting term of the Terms of Service in respect of the processing of Customer Personal Data. Terms not defined here have the meaning given in the UK GDPR and the Data Protection Act 2018.
2. Details of the processing
The subject-matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects are set out in Annex 1.
3. Processing only on documented instructions
3.1 We process Customer Personal Data only on your documented instructions — including as to international transfers — unless required to do otherwise by UK law, in which case we inform you first unless the law prohibits it.
3.2 The Terms of Service, this DPA, and your configuration and use of the Service constitute your documented instructions. Additional instructions must be agreed in writing.
3.3 We will inform you if, in our opinion, an instruction infringes the UK GDPR or other data protection law.
4. Your obligations and warranties as Controller
You warrant and undertake that:
- 4.1 you have a valid Article 6 lawful basis for the Customer Personal Data you enter and instruct us to process;
- 4.2 where the data includes special category data (Article 9) — for example health, disability or vulnerability information recorded in hazard or fitness records — you hold a valid Article 9 condition (and any Schedule 1 Data Protection Act 2018 condition or appropriate policy document required);
- 4.3 you have provided the transparency information required by Articles 13–14 to the data subjects, including tenants and occupants whose data you enter (who are third-party data subjects), or have another lawful route; and
- 4.4 your instructions to us comply with data protection law.
5. Confidentiality
Persons authorised by HouseComply to process Customer Personal Data are bound by appropriate contractual or statutory confidentiality obligations, and access is granted on a least-privilege, need-to-know basis.
6. Security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as summarised in Annex 2 — including encryption in transit and at rest, access controls, and a do-not-store boundary for payment card numbers, security codes, passwords and multi-factor authentication codes.
7. Sub-processors
7.1 You give general authorisation for HouseComply to engage the sub-processors listed in Annex 3 to process Customer Personal Data.
7.2 We will give you prior notice of any intended addition or replacement of a sub-processor (through the Service or our published sub-processor list), giving you a reasonable opportunity to object on reasonable data-protection grounds.
7.3 We impose on each sub-processor, by written contract, data protection obligations no less protective than those in this DPA, and remain liable to you for each sub-processor's compliance.
8. International transfers
8.1 Some sub-processors are located outside the UK (see Annex 3). We will only transfer, or permit the transfer of, Customer Personal Data outside the UK where a valid Chapter V transfer mechanism is in place — the UK's adequacy regulations (including the EEA), the UK Extension to the EU–US Data Privacy Framework where the recipient is certified, or the UK International Data Transfer Agreement / UK Addendum to the EU Standard Contractual Clauses supported by a Transfer Risk Assessment.
8.2 The mechanism applied to each sub-processor is identified in Annex 3. Customer Personal Data, including inspection records, is held in the United States by Airtable under the safeguard stated in Annex 3.
9. Assistance with data subject rights
Taking into account the nature of the processing, we assist you by appropriate technical and organisational measures, insofar as possible, to respond to data subject requests under Articles 12–23. Where a data subject (including a tenant) contacts us directly about Customer Personal Data, we will direct them to you as Controller and assist your response.
10. Personal data breaches, and assistance with security and impact assessments
10.1 We notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, with the information you reasonably need to meet your Article 33 and 34 obligations.
10.2 We provide reasonable assistance with your data protection impact assessments (Article 35) and prior consultation (Article 36), taking into account the nature of the processing and the information available to us.
11. Deletion or return
On termination of the Service, or at your earlier choice, we will delete or return all Customer Personal Data and delete existing copies, unless UK law requires storage. Operational and support-data retention, including the 12-month pseudonymisation of support records, applies as stated in the Privacy Policy.
12. Audit and information
We make available to you the information reasonably necessary to demonstrate compliance with Article 28, and allow for and contribute to audits — on reasonable notice, no more than once a year absent a breach or regulator requirement, subject to confidentiality, and where practicable satisfied by our existing documentation and certifications.
13. Term, liability and governing law
13.1 This DPA takes effect when you accept the Terms of Service and continues for the duration of the Service plus any period required to complete deletion or return.
13.2 Liability under this DPA is subject to the limitations in the Terms of Service to the extent permitted by law; nothing limits liability that cannot be limited by law.
13.3 This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction.
Annex 1 — Details of processing
- Subject-matter: provision of the HouseComply property-compliance inspection and audit-pack service.
- Duration: the term of the Service plus the deletion/return period (clause 11).
- Nature and purpose: recording property inspections; running the compliance rule-engine; generating audit packs and reports; storing supporting documents and photographs; operating support.
- Types of personal data: names, addresses and contact details; tenancy details; inspector identity; inspection observations, hazard and condition records and photographs; special category data (health, disability or vulnerability) where it appears in hazard or fitness records; support correspondence.
- Categories of data subjects: your staff and inspectors; landlords; tenants and occupants of the inspected properties.
Annex 2 — Technical and organisational measures
Encryption in transit (TLS) and at rest; role-based, least-privilege access; authentication via Supabase (EEA); authenticated, signed-URL asset delivery (Cloudinary); environment and secret hygiene; logging and monitoring; the do-not-store boundary (no payment card numbers, security codes, passwords or MFA codes persisted, enforced by a reject-at-intake guard); support-data retention with 12-month pseudonymisation; and a documented incident-response procedure.
Annex 3 — Approved sub-processors and transfer mechanisms
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase, Inc. | Application database and authentication (account and login data) | European Union | UK adequacy (EEA) — no separate mechanism |
| Airtable, Inc. | Operational system of record — all inspection data (including tenant and special-category data) and Support Issues records | United States | UK IDTA / UK Addendum + Transfer Risk Assessment |
| Cloudinary Ltd | Photo and document hosting and transformation (authenticated assets) | United States | UK IDTA / UK Addendum + Transfer Risk Assessment |
| Stripe Payments UK Ltd / Stripe, Inc. | Payment and subscription processing (billing data) | UK / Ireland / US | Stripe DPA — DPF (UK Extension) where certified / UK IDTA |
| Vercel, Inc. | Application hosting and content delivery | US (EU-resident data; US control-plane) | UK IDTA / UK Addendum + Transfer Risk Assessment |
| Resend, Inc. | Transactional and escalation email delivery | EU delivery | UK adequacy (EEA) / Addendum if US control-plane |
| Make (operated by Make.com) | Workflow automation and webhooks | EU | UK adequacy (EEA) |
| Cloudflare, Inc. | Network, CDN and security | US (EU-resident data; US control-plane) | DPF (UK Extension) where certified / UK IDTA |
| Upstash, Inc. | Anti-abuse signal storage and rate-limiting | EU (US control-plane) | UK IDTA / UK Addendum + Transfer Risk Assessment |
A current list of our sub-processors is published at housecomply.co.uk/sub-processors. The AI support helper (Anthropic, PBC) is not engaged for the current early-access round; it will be added to this Annex, with a UK IDTA, a Transfer Risk Assessment and zero-retention terms, only if and when that feature is enabled.