Data Processing Agreement
Version 1.0 · Last updated 29 May 2026
This Data Processing Agreement ("DPA") forms part of the agreement between HAIVN Property Management Ltd ("HAIVN", "Processor") and the Customer ("Customer", "Controller") for the Customer's use of the HAIVN Service (the "Principal Agreement", set out in our Terms of Service and any subscription or management agreement you sign with us).
It sets the terms on which HAIVN processes personal data on the Customer's behalf under Article 28 of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018. By using the Service to process personal data of which the Customer is the Controller, the Customer accepts this DPA. If the Customer requires a counter-signed paper copy, email legal@haivn-property.ai.
1. Roles, scope + duration
The Customer is the Controller of personal data it submits to the Service (including data about tenants, applicants, contractors, and other individuals connected to the Customer's lettings business). HAIVN is the Processor of that data and processes it solely on the documented instructions of the Customer, set out in this DPA, the Principal Agreement, and the Service interface itself.
This DPA applies for as long as HAIVN processes Customer personal data and survives termination of the Principal Agreement for as long as is necessary to perform the obligations in clause 8.
2. Subject matter, nature + purpose of processing
Subject matter: Personal data the Customer submits or generates through the Service in the course of managing the Customer's rental properties and tenancies.
Nature + purpose: Hosting, organising, retrieving, displaying, analysing, transmitting, and (where the Service includes such features) automatically generating communications or compliance assessments. The purpose is to provide the Service to the Customer.
Categories of data subjects, categories of personal data, and other Article 28(3) particulars are set out in Annex 1 below.
3. Processor obligations
HAIVN will:
- process Customer personal data only on the Customer's documented instructions (including this DPA), except where UK or EU law requires otherwise — in which case HAIVN will tell the Customer about that legal requirement before processing, unless the law forbids it;
- ensure that persons authorised to process Customer personal data are under a duty of confidentiality;
- implement and maintain the technical and organisational measures (TOMs) described in Annex 2 that are appropriate to the risk to data subjects;
- assist the Customer, taking the nature of the processing into account and so far as is technically feasible, with the Customer's obligations to respond to data subject rights requests, to carry out data protection impact assessments, and to consult with the ICO;
- tell the Customer without undue delay if HAIVN believes a Customer instruction infringes the UK GDPR or other data protection law;
- keep records of all processing activities carried out on the Customer's behalf and make those available to the Customer or the ICO on request.
4. Sub-processors
The Customer gives HAIVN general written authorisation to engage sub-processors to provide parts of the Service (for example: cloud hosting, email delivery, KYC providers, banking-feed providers, AI model providers). A current list is kept at Annex 3.
HAIVN will give the Customer at least 14 days' notice of any change to the sub-processor list — by email and/or in-product notice. The Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection within a further 14 days, the Customer may terminate the affected part of the Service without penalty.
HAIVN imposes obligations on each sub-processor that are substantially the same as those in this DPA (including confidentiality, security, audit, and assistance obligations) and remains liable to the Customer for sub-processor performance.
5. International transfers
HAIVN stores and processes Customer personal data primarily in the United Kingdom and the European Economic Area. Where any sub-processor processes data outside the UK or EEA in a country not subject to a UK adequacy decision, the transfer is made under the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or another valid Article 46 UK GDPR safeguard.
6. Personal data breach notification
HAIVN will notify the Customer without undue delay — and in any event within 72 hours of becoming aware — of any personal data breach affecting Customer personal data. The notification will include (to the extent then known) the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, the measures HAIVN has taken or proposes to take, and a contact point. HAIVN will cooperate with the Customer's investigation and any notification the Customer is required to make to the ICO or to affected data subjects.
7. Audits + information rights
On reasonable written request, HAIVN will make available all information necessary to demonstrate compliance with this DPA and Article 28 UK GDPR. The Customer may audit HAIVN's processing once in any 12-month period (or more frequently if required by the ICO or following a personal data breach) on at least 30 days' written notice, during normal business hours, and without unreasonably disrupting HAIVN's operations. Audits may be carried out by the Customer or by an independent auditor mutually agreed in good faith; auditors are subject to confidentiality obligations.
HAIVN may instead satisfy an audit request by providing up-to-date third-party certifications, attestations, or penetration-test summaries where they cover the audit's scope.
8. Return + deletion at end of processing
On termination of the Principal Agreement, the Customer may within 30 days request an export of its data via the Service's standard export feature or by emailing support@haivn-property.ai. After that period, HAIVN will delete or anonymise Customer personal data within 90 days, except where UK or EU law (including HMRC anti-money-laundering record-retention rules and statutory record-keeping for client money) requires HAIVN to retain it for longer. In that case HAIVN will retain only the minimum necessary data for the minimum necessary period and will apply this DPA to it for as long as it is retained.
9. Liability + governing law
Each party's liability under or in connection with this DPA is subject to the limitations of liability set out in the Principal Agreement (see clause 12 of our Terms of Service), except where the law does not permit those limitations to apply.
This DPA is governed by the laws of England and Wales and is subject to the exclusive jurisdiction of the courts of England and Wales, in line with the Principal Agreement.
Annex 1 — Processing particulars (Article 28(3))
Categories of data subjects:
- Tenants and prospective tenants of the Customer's properties
- Tenancy guarantors
- Maintenance contractors and service providers
- Other individuals the Customer interacts with in connection with its lettings business
Categories of personal data: contact details (name, address, email, phone); identity-verification data (e.g. documents uploaded for KYC checks); right-to-rent / right-to-work documents; financial information for affordability and rent payment (bank details, transaction history where the Customer has connected a banking feed); tenancy correspondence and messages; property condition photographs and maintenance reports that may include personal data; arrears records and dispute history.
Special category data: the Service is not designed to process special category data (Article 9 UK GDPR). The Customer should not upload special category data unless and until a written variation to this DPA is agreed.
Duration: for the term of the Principal Agreement plus the retention period described in clause 8.
Annex 2 — Technical + organisational measures
HAIVN maintains, at minimum:
- Encryption in transit — TLS 1.2+ on all Service traffic, including data exchanged with sub-processors.
- Encryption at rest — managed database encryption for the primary data store; AES-256-GCM with envelope-key rotation for OAuth tokens and other secrets.
- Access control — least-privilege role-based access for HAIVN staff; admin actions logged to an immutable audit trail; multi-factor authentication required for all HAIVN production access.
- Network controls — production environments behind authenticated edges; secrets stored in a dedicated secrets manager.
- Backups — point-in-time recovery for the primary database; backup retention aligned to the data-retention policy in clause 8 and the privacy policy.
- Vulnerability management — dependency-update monitoring; production-platform security patches applied on a regular cadence; significant CVEs assessed within 7 days.
- Incident response — written incident response process aligned to the 72-hour breach-notification obligation in clause 6.
- Staff confidentiality — all HAIVN personnel with access to Customer personal data are bound by written confidentiality obligations.
HAIVN reviews these measures annually and updates them commensurate with the state of the art. Material changes to TOMs are communicated to Customers through this page.
Annex 3 — Authorised sub-processors
HAIVN uses the following sub-processors to provide the Service. We notify Customers of changes per clause 4.
- Cloud hosting + application platform — Vercel Inc. (United States; transfers under UK IDTA)
- Primary database — Neon (United States, EEA region available; UK IDTA where applicable)
- Authentication — Clerk Inc. (United States; UK IDTA)
- Object storage — Cloudflare R2 (United Kingdom + global edge)
- Transactional email — Resend (United States; UK IDTA)
- KYC / identity verification — Credas Technologies Ltd (United Kingdom)
- Open Banking / banking feed — Finexer (United Kingdom)
- Accounting integration — FreeAgent Central Ltd and/or Xero (UK / EEA / United States as the Customer chooses)
- AI / large language model providers — Anthropic PBC (United States; UK IDTA; no training on Customer data per Anthropic API enterprise terms)
- Tenancy deposit scheme — Tenancy Deposit Scheme (TDS) (United Kingdom)
- Social publishing (optional, per Customer configuration) — LinkedIn Corporation, Meta Platforms Ireland Ltd, GitHub Inc. (United States / Ireland; UK IDTA where applicable)
For DPA questions or to request a counter-signed copy, email legal@haivn-property.ai.