PropPack AI - AI Powered Property Solutions

Data Processing Agreement

Last updated: January 2025

GDPR Compliant

This Data Processing Agreement ensures compliance with UK GDPR and EU GDPR requirements for B2B customers.

1. Definitions

  • Controller: The Customer who determines the purposes and means of processing Personal Data
  • Processor: PropPack.ai, which processes Personal Data on behalf of the Controller
  • Personal Data: Any information relating to an identified or identifiable natural person
  • Data Subject: The individual to whom Personal Data relates
  • Sub-processor: Any third party engaged by PropPack.ai to process Personal Data

2. Scope and Roles

2.1 Data Controller

The Customer acts as the Data Controller and:

  • Determines the purposes and means of processing Personal Data
  • Ensures lawful basis for processing exists
  • Provides necessary instructions to PropPack.ai
  • Responds to Data Subject requests
  • Maintains records of processing activities

2.2 Data Processor

PropPack.ai acts as the Data Processor and:

  • Processes Personal Data only on documented instructions from the Controller
  • Implements appropriate technical and organizational measures
  • Assists the Controller in meeting GDPR obligations
  • Maintains confidentiality of Personal Data
  • Deletes or returns Personal Data upon termination

3. Processing Details

3.1 Subject Matter

Provision of property transaction management services via the PropPack.ai platform.

3.2 Duration

For the duration of the Customer's subscription and 30 days thereafter for data retention.

3.3 Nature and Purpose

  • Storage and management of property information
  • Generation of Property Information Packs
  • Facilitation of property transactions
  • Communication between transaction parties
  • Document storage and sharing

3.4 Types of Personal Data

  • Contact information (names, emails, phone numbers, addresses)
  • Property ownership information
  • Financial information related to property transactions
  • Identity verification documents
  • Communication records
  • Transaction history

3.5 Categories of Data Subjects

  • Property buyers and sellers
  • Estate agents and solicitors
  • Property owners
  • Authorized representatives

4. Processor Obligations

4.1 Processing Instructions

PropPack.ai shall:

  • Process Personal Data only on documented instructions from the Controller
  • Immediately inform the Controller if instructions violate GDPR
  • Not process Personal Data for any other purpose

4.2 Confidentiality

PropPack.ai shall:

  • Ensure all personnel are bound by confidentiality obligations
  • Limit access to Personal Data to authorized personnel only
  • Implement need-to-know access controls

4.3 Security Measures

PropPack.ai implements:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Multi-factor authentication for all accounts
  • Regular security audits and penetration testing
  • Access logging and monitoring
  • Secure data centers with physical security controls
  • Regular backup and disaster recovery procedures

5. Sub-processors

5.1 Authorized Sub-processors

The Controller authorizes the use of the following sub-processors:

Sub-processor  | Service                  | Location
Vercel Inc.    | Hosting & Infrastructure | USA (EU data residency)
Supabase Inc.  | Database Services        | EU (Frankfurt)
Stripe Inc.    | Payment Processing       | USA (EU operations)

5.2 Sub-processor Changes

PropPack.ai shall:

  • Notify the Controller of any intended changes to sub-processors
  • Provide 30 days' notice before engaging new sub-processors
  • Allow the Controller to object to new sub-processors
  • Ensure all sub-processors comply with the same data protection obligations

6. Data Subject Rights

PropPack.ai shall assist the Controller in responding to Data Subject requests:

  • Right of Access: Provide data export functionality
  • Right to Rectification: Enable data correction tools
  • Right to Erasure: Provide data deletion functionality
  • Right to Portability: Export data in machine-readable format

Response time: PropPack.ai will assist within 5 business days of receiving a request from the Controller.

7. Data Breach Notification

7.1 Notification Procedure

In the event of a Personal Data breach, PropPack.ai shall:

  • Notify the Controller without undue delay (within 24 hours of discovery)
  • Provide details of the breach, affected data, and potential consequences
  • Describe measures taken to address the breach
  • Recommend actions for the Controller to take
  • Cooperate with the Controller's investigation

7.2 Breach Information

Notification shall include:

  • Nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

8. Data Transfers

8.1 International Transfers

Personal Data is primarily stored in the EU (Frankfurt). Any transfers outside the EU/EEA are protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Additional safeguards as required by GDPR

9. Audits and Compliance

9.1 Audit Rights

The Controller may:

  • Request annual compliance reports and certifications
  • Conduct audits with 30 days' notice (maximum once per year)
  • Engage third-party auditors (subject to confidentiality agreements)

9.2 Compliance Documentation

PropPack.ai provides:

  • SOC 2 Type II reports (when available)
  • ISO 27001 certification (when available)
  • Security questionnaire responses
  • Sub-processor compliance documentation

10. Data Deletion and Return

10.1 Upon Termination

At the end of the subscription, PropPack.ai shall:

  • Provide 30 days for the Controller to export all Personal Data
  • Delete all Personal Data from production systems within 30 days
  • Delete all backup copies within 90 days
  • Provide written confirmation of deletion upon request

10.2 Exceptions

Data may be retained longer if:

  • Required by applicable law
  • Necessary for legal claims or disputes
  • Stored in encrypted backups (deleted per backup retention schedule)

11. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions set out in the main Terms of Service. The Processor shall indemnify the Controller against fines imposed by supervisory authorities due to the Processor's non-compliance with GDPR.

12. Contact Information

Data Protection Officer:

Email: dpo@proppack.ai

Address: [Your UK Address]

For DPA Inquiries:

Email: legal@proppack.ai