Data Processing Agreement

1. Introduction and Roles

This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Abodient Terms of Service between Abodient Ltd ("Abodient", "we", "us") and the customer ("you", the "Customer"). It governs our processing of personal data on your behalf and sets out the commitments required by Article 28 of the UK GDPR and EU GDPR.

This DPA applies whenever you use Abodient to process personal data relating to other individuals — in particular your tenants and professional contacts (contractors, service providers). In respect of that data:

• You are the data Controller — you decide why and how the data is used.
• Abodient is the data Processor — we process it on your documented instructions to provide the service.

Separately, Abodient acts as Controller of your own account data; that processing is governed by our Privacy Policy, not this DPA. If there is any conflict between this DPA and the Terms of Service on data protection matters, this DPA prevails.

2. Scope of Processing

The subject matter, nature, purpose, duration, data types, and data subjects are set out in Annex A. In summary, we process the personal data only to provide the Abodient property-management platform and its features (AI assistance, maintenance coordination, document analysis, professional outreach, notifications) and for no other purpose.

3. Our Obligations as Processor

We commit to the following (UK GDPR / GDPR Article 28(3)):

• Documented instructions. We process personal data only on your documented instructions — including the Terms, this DPA, and your configuration and use of the platform — unless required to do otherwise by law (in which case we will inform you first, unless legally prohibited).
• Confidentiality. Personnel authorised to process the data are bound by appropriate obligations of confidentiality.
• Security. We implement and maintain appropriate technical and organisational measures to protect the data, as described in Annex B (Article 32).
• Sub-processors. We engage the sub-processors listed in Annex C under the conditions in Section 4 below.
• Assistance with data subject rights. Taking into account the nature of the processing, we assist you with appropriate measures to respond to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, objection). The platform's built-in export and deletion tools are provided for this purpose; for anything they do not cover, contact privacy@abodient.ai.
• Assistance with compliance. We assist you, taking into account the information available to us, with your obligations on security (Art. 32), personal data breach notification (Arts. 33–34), and data protection impact assessments and prior consultation (Arts. 35–36).
• Personal data breach. We notify you without undue delay after becoming aware of a personal data breach affecting your data, with the information reasonably available to us to help you meet your own notification obligations.
• Deletion or return. On termination of the service, we delete or return all personal data processed on your behalf, and delete existing copies, unless retention is required by law (in which case we retain only what is legally required, for only as long as required).
• Demonstrating compliance. We make available to you the information reasonably necessary to demonstrate compliance with Article 28, and allow for and contribute to audits as set out in Section 5.

4. Sub-processors

• Authorisation. You provide general authorisation for us to engage the sub-processors listed in Annex C to support the service.
• Flow-down. We impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain responsible to you for each sub-processor's performance.
• Changes. We may add or replace sub-processors. We will update Annex C and, for material changes, give you reasonable advance notice (by email or in-app) so you can object on reasonable data-protection grounds. If you reasonably object and we cannot provide a comparable alternative, you may terminate the affected service.

5. Audits

On reasonable written request (no more than once per year, except after a breach or where required by a regulator), we will provide information reasonably necessary to demonstrate compliance with this DPA — including, where available, third-party certifications or reports for our infrastructure providers. Where these are insufficient, we will cooperate with a reasonable, proportionate audit, subject to confidentiality and reasonable notice.

6. International Transfers

Personal data may be transferred to and processed outside the UK/EEA (including the United States) by us and our sub-processors. Where it is, we ensure an appropriate transfer mechanism is in place — such as a UK adequacy decision, the UK Addendum to the EU Standard Contractual Clauses, or equivalent safeguards. Sub-processor locations are noted in Annex C.

7. Liability, Term and Governing Law

This DPA is effective for as long as we process personal data on your behalf. Liability under this DPA is subject to the limitations and exclusions in the Terms of Service. This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction, consistent with the Terms of Service.

Annex A — Details of Processing

Subject matter: Provision of the Abodient property-management platform.

Duration: For the term of the Customer's use of the service, plus any legally required retention period.

Nature and purpose: Storing, organising, analysing, and transmitting personal data to deliver property-management features — AI-assisted tenant support, maintenance coordination, document analysis, professional outreach, scheduling, and notifications.

Categories of data subjects:

• The Customer's tenants
• The Customer's professional contacts (contractors, service providers)

Categories of personal data:

• Identity and contact details (names, email addresses, phone numbers)
• Property and tenancy details associated with individuals
• Tenant issue reports, messages, and uploaded photos
• Lease, inventory, and related document content
• Communication history with tenants and professionals

Special category data: Not intentionally processed. Customers should not upload special-category data except where strictly necessary; any such data is processed under the same protections.

Annex B — Security Measures

We maintain appropriate technical and organisational measures, including:

• Encryption in transit (HTTPS/TLS) for all data exchanged with the platform and sub-processors; encryption at rest at the database and storage layer.
• Access controls: authentication via Supabase (asymmetric JWT validation), with database-level Row-Level Security enforcing isolation between customers and role-based access (landlord, tenant, agent, admin).
• Tenant/property data isolation, including scoping of document search to the relevant property.
• Secrets management: credentials held in secured environment configuration, never in source code.
• Monitoring: error tracking configured to exclude personal data by default, and application/infrastructure logging.
• Backups of the primary datastore, securely stored and rotated.

We review and update these measures over time as the service and threat landscape evolve.

Annex C — Approved Sub-processors

We have signed data processing agreements in place with our core sub-processors, including Supabase and OpenAI. OpenAI processes API data without using it to train its models and without long-term retention.

Contact

For any questions about this DPA or to exercise data-protection rights on behalf of your data subjects: