Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the agreement between the customer (the "Controller") and Ospis AI Ltd (the "Processor"). It sets out the parties' obligations under the UK GDPR and the Data Protection Act 2018 in relation to personal data processed via the Ospis platform.
1. Subject matter
The Processor will process personal data on behalf of the Controller solely to provide the Ospis service: property management, compliance, maintenance, tenant communications, financial operations and reporting.
2. Categories of data subjects
- Tenants and prospective tenants of the Controller
- Landlords and property owners
- Contractors engaged by the Controller
- Employees of the Controller using the platform
3. Categories of personal data
- Identifiers (name, email, phone)
- Address and tenancy information
- Financial data necessary for rent processing
- Right-to-rent and referencing data
- Communications content (WhatsApp, email, SMS)
4. Processor obligations
- Process personal data only on documented instructions from the Controller.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational security measures.
- Assist the Controller with data-subject requests, DPIAs, and breach notifications.
- Notify the Controller of personal data breaches without undue delay.
- Delete or return personal data at the end of the service.
5. Sub-processors
The Controller authorises the use of sub-processors necessary to operate the service (cloud hosting, AI inference, email and SMS gateways, analytics). A current list of sub-processors is provided on request. The Processor will notify the Controller of any intended changes and offer a reasonable opportunity to object.
6. International transfers
Personal data is primarily processed within the UK and EEA. Where transfers are necessary, they are made under the UK International Data Transfer Agreement (IDTA) or equivalent safeguards.
7. Security measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access control and audit logging
- Least-privilege production access; periodic access reviews
- Regular backups and tested recovery procedures
- Annual security review and penetration testing (planned)
8. Audit rights
The Controller may request reasonable information to demonstrate compliance with this DPA. On-site audits may be carried out by mutual agreement subject to confidentiality and notice.
9. Contact
Data protection enquiries: dpo@ospis.ai (placeholder — to be configured).
Postal: Ospis AI Ltd, London, United Kingdom.