Data Processing Agreement (DPA)

Capitalised terms not defined here have the meaning given in the Agreement or in UK GDPR.

• "Applicable Data Protection Laws" means UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and where applicable EU GDPR.
• "Customer Personal Data" means any Personal Data the Processor processes on behalf of the Controller under the Agreement.
• "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Controller", and "Processor" have the meanings given in UK GDPR.
• "Sub-processor" means any third party engaged by the Processor to process Customer Personal Data.

For the purposes of this DPA, the parties acknowledge that:

• The Controller is the controller of Customer Personal Data
• The Processor is the processor of Customer Personal Data

The Processor will process Customer Personal Data only on the documented instructions of the Controller, including with regard to transfers to a third country, unless required to do so by law (in which case the Processor will inform the Controller of that legal requirement before processing, unless that law prohibits notification on important grounds of public interest).

The Agreement, this DPA, and the Controller's use of the Service constitute the Controller's complete and final documented instructions to the Processor.

Subject matter. Provision of the YieldKey Service to the Controller.

Duration. For the term of the Agreement, plus the retention periods described in Section 9.

Nature and purpose. AI-assisted lead response, qualification, guest messaging, deal sourcing, communications routing, and related operational support.

Types of Personal Data:

• Names
• Contact details (email, phone, address)
• Property preferences, criteria, and enquiry content
• Communications history (messages, replies, timestamps)
• Booking and viewing details
• Other data the Controller chooses to submit through the Service

Categories of Data Subjects:

• Property prospects, leads, buyers, sellers, tenants, landlords
• Short-term rental guests
• Property investor partners and contacts (Source product)
• Controller's employees and authorised users of the Service

Special category data. The Processor does not require special category Personal Data (UK GDPR Article 9) to provide the Service. The Controller agrees not to submit special category data through the Service unless expressly agreed in writing.

The Processor will:

1. Process Customer Personal Data only on the Controller's documented instructions.
2. Ensure that personnel authorised to process Customer Personal Data are bound by appropriate obligations of confidentiality.
3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Annex 2).
4. Engage Sub-processors only in accordance with Section 6.
5. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller's obligation to respond to requests from Data Subjects exercising their rights under UK GDPR Chapter III.
6. Assist the Controller in ensuring compliance with the Controller's obligations under UK GDPR Articles 32 to 36 (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of processing and the information available to the Processor.
7. At the choice of the Controller, delete or return all Customer Personal Data at the end of the provision of services, and delete existing copies unless retention is required by law (see Section 9).
8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (see Section 8).

The Processor will immediately inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Laws.

The Controller warrants and undertakes that:

1. It has a valid lawful basis under UK GDPR for the processing it instructs the Processor to perform.
2. It has provided all notices and obtained all consents required by Applicable Data Protection Laws.
3. Its instructions to the Processor comply with Applicable Data Protection Laws.
4. It is responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which it acquired the data.
5. It will not submit any data through the Service that the Service is not designed to process.
6. It will provide reasonable cooperation to the Processor as needed to comply with this DPA.

The Controller provides general written authorisation for the Processor to engage Sub-processors, subject to the conditions in this Section 6.

A current list of Sub-processors is maintained at /sub-processors (or otherwise made available to the Controller on request to privacy@yieldkey.ai). At the effective date of this DPA, the list includes:

The Processor will:

1. Impose written data protection obligations on each Sub-processor that are no less protective than those in this DPA.
2. Remain liable to the Controller for the acts and omissions of Sub-processors.
3. Notify the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days before the change takes effect. The Controller has the right to object to such changes on reasonable data protection grounds. If the parties cannot resolve such an objection, the Controller may terminate the Agreement for the affected Service on written notice without penalty, subject to its other obligations under the Agreement.

Where Customer Personal Data is transferred outside the UK, the Processor will ensure that the transfer is made under an appropriate transfer mechanism, including:

• UK adequacy regulations where the destination country is approved
• The International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses, where required
• Other safeguards permitted under UK GDPR Article 46

The Controller authorises the Processor to enter into transfer mechanisms with Sub-processors on the Controller's behalf for this purpose.

The Processor will make available to the Controller, on reasonable request and not more than once per 12-month period (except where required following a Personal Data Breach or by a supervisory authority), information reasonably necessary to demonstrate compliance with this DPA.

Where the Controller reasonably requires further verification:

1. The Controller may conduct an audit, at the Controller's expense, on at least 30 days' written notice, during normal business hours, in a manner that does not unreasonably interfere with the Processor's operations.
2. The Processor may satisfy audit obligations by providing recent independent third-party audit reports (such as SOC 2 or ISO 27001), where available.
3. Each party will bear its own costs in connection with such audits except where the audit identifies material non-compliance by the Processor, in which case the Processor will bear reasonable costs.

On termination or expiry of the Agreement, the Processor will, at the Controller's choice:

1. Return Customer Personal Data to the Controller in a structured, commonly used, machine-readable format; or
2. Delete Customer Personal Data from production systems within 30 days of the Controller's request or 90 days after termination, whichever is sooner.

Limited copies of Customer Personal Data may persist in encrypted backups for up to 30 further days before being securely overwritten in the ordinary course of backup rotation. The Processor will not actively access such backup copies during this period.

The Processor may retain Customer Personal Data to the extent required by applicable law, in which case the Processor will continue to protect it in accordance with this DPA.

The Processor will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in responding to requests from Data Subjects exercising their rights under UK GDPR.

If a Data Subject contacts the Processor directly with a request relating to Customer Personal Data, the Processor will, without undue delay, forward the request to the Controller and will not respond directly except to acknowledge receipt and direct the Data Subject to the Controller, unless instructed otherwise by the Controller.

The Processor will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known:

• The nature of the breach
• Categories and approximate number of Data Subjects affected
• Categories and approximate number of Personal Data records concerned
• Likely consequences
• Measures taken or proposed to address the breach and mitigate adverse effects

The Processor will cooperate with the Controller and provide reasonable assistance to support the Controller's obligation to notify the ICO under UK GDPR Article 33 and to notify affected Data Subjects under Article 34 where required.

Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement, except where Applicable Data Protection Laws require otherwise.

If there is any conflict between this DPA and the Agreement on a data protection matter, this DPA prevails. If there is any conflict between this DPA and any annex, this DPA prevails unless the annex expressly states otherwise.

This DPA continues for the duration of the Agreement. Provisions that by their nature should survive (security, breach notification, return or deletion, audit, liability) will continue to apply.

This DPA is governed by the laws of England and Wales.