Data Processing Agreement

1. Scope

This DPA governs the processing of personal data by PropWealth on behalf of a business customer ("Controller") in connection with their use of the platform.

2. Definitions

"Controller", "Processor", "Data Subject", "Personal Data", and "Processing" carry the meanings given to them in the UK GDPR.

3. Obligations of PropWealth as Data Processor

• Process personal data only on documented instructions from the Controller
• Ensure personnel authorised to process the data are bound by confidentiality
• Implement appropriate technical and organisational security measures
• Assist the Controller in fulfilling data subject rights requests

4. Sub-processors

PropWealth uses the following sub-processors:

• Supabase — database and authentication
• Anthropic — AI processing
• Stripe — payment processing
• Vercel — hosting and content delivery

5. International Data Transfers

Any transfer of personal data outside the UK is protected by appropriate safeguards including standard contractual clauses and the UK International Data Transfer Addendum.

6. Security Measures

PropWealth maintains TLS 1.3 in transit, AES-256 at rest, role-based access control, audit logging, and regular security reviews. See the Security Policy for details.

7. Breach Notification

PropWealth will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach.

8. Assistance with Data Subject Rights

PropWealth will provide reasonable assistance to the Controller to respond to data subject access, rectification, erasure, and portability requests.

9. Deletion on Termination

On termination, PropWealth will, at the Controller's choice, delete or return all personal data, save where retention is required by law.

10. Audit Rights

The Controller may, on reasonable notice and no more than once per year, audit PropWealth's compliance with this DPA, subject to confidentiality.