Data Processing Agreement — LetSense

1. Definitions

In this agreement:

Controller — the letting agency or organisation that has signed up to LetSense and determines the purposes and means of processing personal data of its tenants and landlord clients.
Processor — LetSense Ltd, which processes personal data on behalf of the Controller in order to provide the LetSense platform.
Data Subjects — tenants, landlord clients, and other individuals whose personal data is stored in LetSense by the Controller.
UK GDPR — the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018.

2. Roles and responsibilities

The Controller is the Data Controller under UK GDPR. The Controller determines what personal data is entered into LetSense and for what purpose. The Controller is responsible for having a lawful basis for processing personal data of its tenants and landlord clients.

LetSense Ltd is the Data Processor. It processes personal data only on the documented instructions of the Controller (i.e. to provide the LetSense service) and does not process data for any other purpose.

3. What data LetSense processes on your behalf

As Processor, LetSense processes the following categories of personal data that the Controller enters into the platform:

Tenant data: full name, email address, phone number, portal access tokens, tenancy dates, rent payment history, maintenance requests, documents uploaded to their portal.
Landlord client data (Agency Pro): name, email address, company name, phone number, portal login credentials, property and financial information.
Property data: addresses, certificate dates, inspection reports, compliance records — which may indirectly identify individuals.

LetSense does not process special category data (health, biometric, financial account numbers) unless explicitly uploaded by the Controller as a document attachment.

4. Instructions and purpose limitation

LetSense processes personal data solely to provide the platform services described in the Terms of Service. LetSense will not process personal data for any other purpose without the Controller's prior written instruction, except where required by UK law.

If LetSense is required by law to process data in a way that conflicts with the Controller's instructions, LetSense will notify the Controller before processing unless prohibited from doing so by law.

5. Confidentiality

LetSense ensures that all personnel with access to personal data are subject to binding confidentiality obligations. Access is restricted to those who need it to provide the service.

6. Security measures

LetSense implements and maintains appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. Current measures include:

HTTPS encryption in transit for all data
Bcrypt password hashing (factor 12)
Role-based access controls — users can only access data within their organisation
Document storage in Cloudflare R2 with presigned URLs expiring after 1 hour
Database access restricted to application layer — no direct public access
Tenant portal access via 128-bit UUID tokens
Rate limiting on authentication endpoints

7. Sub-processors

LetSense uses the following sub-processors to deliver the service. By agreeing to this DPA, the Controller provides general authorisation for LetSense to engage these sub-processors:

Sub-processor	Purpose	Location
Vercel Inc.	Application hosting and serverless compute	US (EU region available)
Cloudflare R2	Document and file storage	EU / US (configurable)
Resend	Transactional email delivery	US
Stripe Inc.	Payment processing (no tenant data shared)	US
Google LLC	OAuth sign-in (if used by Controller staff)	US
Neon / PostgreSQL host	Database hosting	EU
Firma.dev	Electronic signature processing (e-sig features only)	EU

LetSense will notify the Controller of any intended changes to sub-processors (additions or replacements) by email and by updating this page, giving the Controller reasonable opportunity to object. All sub-processors are subject to data protection obligations equivalent to those in this DPA.

8. International transfers

Some sub-processors (Vercel, Resend, Stripe, Google) are based in the United States. These transfers are made under the UK International Data Transfer Agreement (IDTA) or the UK addendum to the EU Standard Contractual Clauses, as applicable. Each sub-processor's transfer mechanism is documented in their published DPA.

9. Data subject rights

Where LetSense receives a request directly from a data subject exercising their rights under UK GDPR (access, rectification, erasure, restriction, portability, objection), LetSense will forward the request to the Controller within 5 business days. The Controller is responsible for responding to data subject rights requests.

LetSense will provide reasonable technical assistance to help the Controller fulfil data subject rights requests (e.g. exporting or deleting a tenant's data on request).

10. Data breach notification

LetSense will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any personal data breach affecting the Controller's data. Notification will be sent to the email address registered on the Controller's LetSense account and will include:

The nature of the breach and categories of data affected
Approximate number of data subjects affected
Likely consequences of the breach
Measures taken or proposed to address the breach

The Controller is responsible for notifying the ICO and affected data subjects where required under UK GDPR Articles 33–34.

11. Data protection impact assessments

LetSense will provide reasonable assistance to the Controller in carrying out data protection impact assessments (DPIAs) and prior consultations with the ICO where required by UK GDPR Article 35.

12. Deletion and return of data

Upon termination of the Controller's LetSense account:

The Controller may export their data at any time before account closure via the account settings export function
LetSense will delete all personal data belonging to the Controller within 30 days of account closure, except where LetSense is legally required to retain records (e.g. financial records for 6 years under UK law)
Upon written request, LetSense will confirm in writing that deletion has been completed

13. Audit rights

The Controller has the right to audit LetSense's compliance with this DPA no more than once per year, on 30 days' written notice. Audits will be conducted at the Controller's expense. LetSense may satisfy audit requests by providing its most recent third-party security assessment or SOC 2 report (where available) in lieu of an on-site audit.

14. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. LetSense's liability is limited to direct losses caused by its failure to fulfil its obligations as Processor under this DPA.

15. Governing law

This DPA is governed by the laws of England and Wales. Any disputes arising from this DPA will be subject to the exclusive jurisdiction of the courts of England and Wales.

16. Changes to this agreement

LetSense will provide 30 days' notice of material changes to this DPA by email to the Controller's registered address. Continued use of the service after the notice period constitutes acceptance of the updated DPA. If the Controller objects to a material change, they may terminate their account within the notice period.

17. Contact

For data protection queries, requests, or breach notifications, contact LetSense at hello@letsense.co.uk.

LetSense Ltd (company no. 17217228, registered in England & Wales) is registered with the Information Commissioner's Office (ICO) as a Data Controller under registration number C1932184.