Data Processing Agreement

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

• The Customer ("Controller", "you", or "your") — the entity that has agreed to the RealiQ Terms of Service and is the data controller for personal data processed through the Service.
• Hillway Holdings Limited trading as Hillway ("Processor", "we", "us", or "our") — the operator of the RealiQ platform and data processor acting on behalf of the Controller.

This DPA forms part of, and is subject to, the RealiQ Terms of Service. It sets out the terms on which we process personal data on your behalf in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Definitions

In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given in the UK GDPR or the Terms of Service.

• "Personal Data" means any information relating to an identified or identifiable natural person processed through the Service.
• "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
• "Sub-processor" means any third-party processor engaged by the Processor to process Personal Data on behalf of the Controller.
• "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
• "Service" means the RealiQ platform and all related services provided under the Terms of Service.

3. Scope and Purpose

The Processor processes Personal Data on behalf of the Controller for the purpose of providing the RealiQ property intelligence service. The categories of Personal Data processed include:

• Investor contact data (names, email addresses, phone numbers, company affiliations)
• Property data (addresses, ownership details, tenant information)
• Document content (investment brochures, research papers, and property documents uploaded to the Service)
• User account data (names, email addresses, roles)

The Data Subjects include the Controller's employees, clients, investors, tenants, and other individuals whose data is contained within documents or records uploaded to the Service.

Processing activities include: extraction of structured data from documents using AI, investor-property matching and scoring, storage and retrieval of property records, generation of AI commentary and analysis, and transactional communications.

4. Processor Obligations

The Processor shall:

• Documented instructions: Process Personal Data only on documented instructions from the Controller, unless required to do so by law. The Terms of Service and this DPA constitute the Controller's documented instructions.
• Confidentiality: Ensure that all personnel authorised to process Personal Data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
• Security measures: Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further described in Section 5.
• Sub-processors: Not engage another processor without prior specific or general written authorisation of the Controller. The current list of Sub-processors is set out in Section 6.
• Data subject requests: Assist the Controller, by appropriate technical and organisational measures, in fulfilling the Controller's obligation to respond to requests for exercising Data Subject rights.
• Breach notification: Notify the Controller without undue delay after becoming aware of a Data Breach, as further described in Section 9.
• Deletion: At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Service, and delete existing copies unless applicable law requires storage of the Personal Data.
• Audit: Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, as further described in Section 11.

5. Security Measures

The Processor implements the following technical and organisational security measures to protect Personal Data:

• Row-level security (RLS): All database tables are protected by row-level security policies ensuring strict multi-tenant data isolation. Users can only access data belonging to their own organisation.
• Encryption in transit: All data transmitted between clients and servers is encrypted using TLS 1.2 or higher. All API endpoints are served exclusively over HTTPS.
• Encryption at rest: Database storage is encrypted at rest using AES-256 encryption provided by the infrastructure provider.
• Data residency: Primary data storage is located in the United Kingdom (Supabase eu-west-2, London region).
• Access controls: Role-based access control with principle of least privilege. API key authentication using SHA-256 hashing. Multi-factor authentication available for user accounts.
• Rate limiting: API rate limiting to prevent abuse and denial-of-service attacks.
• Audit logging: Sensitive operations are logged with timestamps, user identifiers, and action details for accountability and incident investigation.
• Bot protection: Signup forms are protected by Cloudflare Turnstile to prevent automated abuse.
• Regular reviews: Security measures are reviewed and updated periodically to address emerging threats and vulnerabilities.

6. Sub-processors

The Controller provides general authorisation for the Processor to engage the following Sub-processors. The Processor will inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes.

7. International Transfers

The Controller's primary data is stored and processed in the United Kingdom (eu-west-2, London). Where Personal Data is transferred to Sub-processors located outside the United Kingdom, the Processor ensures that appropriate safeguards are in place, including:

• UK Adequacy Decisions: Transfers to countries or territories that the UK Secretary of State has determined provide an adequate level of data protection.
• Standard Contractual Clauses (SCCs): For transfers to the United States and other countries without an adequacy decision, the Processor relies on the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, as approved by the Information Commissioner's Office.

The Processor will not transfer Personal Data to any country or territory outside the United Kingdom without ensuring that the transfer is subject to appropriate safeguards in accordance with UK data protection law.

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under the UK GDPR, including:

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure (Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)

Where the Processor receives a request from a Data Subject directly, it shall promptly inform the Controller and shall not respond to the request without the Controller's instructions, unless required to do so by law.

The Controller can exercise these rights on behalf of Data Subjects by contacting us at hello@realiq.uk.

9. Data Breach Notification

In the event of a Data Breach affecting Personal Data processed under this DPA, the Processor shall:

• Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the Data Breach.
• Provide the Controller with sufficient information to enable the Controller to meet its obligations under Articles 33 and 34 of the UK GDPR, including:
  • A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records concerned
  • The likely consequences of the Data Breach
  • A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects
• Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.

10. Data Retention and Deletion

Personal Data is retained for the duration of the Controller's subscription to the Service. The specific retention periods are:

• Account data and property records: retained for the lifetime of the subscription
• AI chat conversations and activity logs: automatically cleaned up after 12 months
• Audit logs: retained for 12 months
• Billing records: retained for 7 years to comply with UK tax and accounting requirements

Upon termination of the subscription, the Processor shall delete or return all Personal Data within 30 days, unless applicable law requires further retention. The Controller may request a data export prior to termination.

Backup copies of Personal Data will be deleted in accordance with the Processor's standard backup rotation schedule, which does not exceed 90 days.

11. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audits shall be conducted with reasonable prior notice (not less than 30 days) and during normal business hours. The Controller shall ensure that any auditor is bound by appropriate confidentiality obligations. The Processor may charge reasonable costs for audit assistance beyond standard reporting.

The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the UK GDPR or other applicable data protection provisions.

12. Liability

Each party's liability under this DPA is subject to the exclusions and limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability to Data Subjects or to the Information Commissioner's Office under applicable data protection law.

13. Term and Termination

This DPA shall remain in effect for the duration of the Controller's subscription to the Service and shall automatically terminate when the Terms of Service are terminated or expire. The obligations relating to data deletion, audit rights, and confidentiality shall survive termination of this DPA.

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.