Data Processing Agreement
Last updated 26 January 2024
This DPA sets out how LoftyWorks processes and protects the data that it collects from you when providing its products and services.
Key information and definitions to get us started.
Data processing terms
Our respective rights and obligations in relation to the processing of your data.
Data security
Organisational and technical measures LoftyWorks will put in place.
Processing details
Information about the data we will process and external services we use.
Part 1 Orientation
This DPA applies whenever LoftyWorks processes personal data as part of its bookkeeping, rent processing services or property management services, or as the result of your use of the LoftyWorks Platform. They set out LoftyWorks’ commitments to you, and your commitments to LoftyWorks. This DPA supplements the applicable LoftyWorks service terms referred to in your Order Form.
Who we are What we do
We are Rentancy Limited (LoftyWorks), a UK company number 12239915. LoftyWorks’ address is Barttelot Court, Barttelot Road, Horsham, RH12 1DQ.
LoftyWorks provides bookkeeping and rent processing services, including through its SaaS platform which we refer to as the LoftyWorks Platform.
For the purposes of the General Data Protection Regulation, LoftyWorks is primarily a processor of the personal information your provide to it, as detailed below.
In order to operate the LoftyWorks Platform for you and to provide its services, LoftyWorks will collect and process certain personal data provided by you, accessed through your property management software (PMS), or uploaded onto the LoftyWorks Platform.
LoftyWorks is registered with the UK Information Commissioner’s Office under number 00010336691. For any queries or requests relating to your data, contact us at
This DPA supplements the service terms referred to in your Order Form. This DPA is part of your overall agreement with LoftyWorks and is therefore subject to the limitations of liability and liability caps in the underlying service terms.
LoftyWorks is a controller in relation to any account data it collects. Account data is data that relates to your account with LoftyWorks such as (i) the names and contact details of your personnel, (ii) your billing information, (iii) activity logs, platform usage data or similar information relating to you and your users, and (iv) data collected for identity verification. This DPA does not apply to Account Data, but LoftyWorks usually applies the same technical, organisational and security measures as are described here.
LoftyWorks is a processor of your client data (any personal information of your tenants, landlords, agents and other persons connected with your rental business), which you provide to LoftyWorks directly or via the LoftyWorks Platform, or which LoftyWorks collects from you or from your PMS. Such collection and processing will be governed by this DPA.
Words used in this DPA like controller, processor, data subject, personal data and supervisory authority have the same meanings as in the Data Protection Laws.
Data Protection Laws are EU and UK laws protecting individual rights with regard to the processing of their Personal Data. These include the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR) as retained in the UK under the European Union (Withdrawal) Act and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (and any relevant modifying legislation going forward).
European Equivalent Protection Area means: (a) countries within the European Economic Area; and (b) countries in respect of which a valid adequacy decision has been issued by the European Commission or adequacy determined in another valid method under applicable Data Protection Law.
Part 2 Data processing terms
LoftyWorks will comply with the following obligations in collecting and processing personal data that you provide to LoftyWorks. There are some important things you must do, too.
LoftyWorks’ responsibilities Your responsibilities
Collection 1
Disclose lawfully
Ensure there is a sound legal basis for you to disclose the Personal Data to LoftyWorks (including express consent where necessary).
Instructions 2
Provide instructions
Promptly notify you if LoftyWorks cannot follow your instructions (for example if your instructions are not compatible with a relevant Data Protection Law). This data processing agreement will be treated as your instructions, in the absence of any other documented instructions.
3 Processing
Process lawfully
Process Personal Data only to the extent necessary to provide access to and operate the LoftyWorks Platform and associated services, in accordance with this agreement and any written instructions from you.
Maintain a register of the types of Personal Data processed and any authorised transfers of Personal Data. Provide a copy of the register to you on request. This agreement can be treated as such a register if it already contains the full details.
Stop processing when required
When your relationship with LoftyWorks ends, cease to process Personal Data except as required for an agreed exit or transition plan. LoftyWorks will delete all Customer Data from its systems in a manner designed to render such data unrecoverable. LoftyWorks will retain Personal Data in accordance with its privacy notice, but will undertake earlier deletion if requested in writing by you.
Cease any destruction or deletion of Personal Data in response to a written request from you stating that such data or records may be relevant to anticipated litigation.
4 Disclosure and transfer
Not disclose to third parties
Not disclose or transfer any of your Personal Data to any third parties other than to permitted subprocessors.
Ensure that employees and permitted subprocessors are aware of the importance of treating the Personal Data in a confidential and secure manner and provide appropriate training.
LoftyWorks may subcontract its activities under this agreement (including the processing of personal data) to third party service providers. A list of subprocessors is provided in Part 3 of this data processing agreement.
Engage subprocessors on written contractual terms which meet the standards required by applicable law and in substance to the same standard required by this data processing agreement. LoftyWorks will remain liable for the acts and omissions of all permitted subprocessors.
LoftyWorks may update its permitted subprocessor list, at any time. LoftyWorks will notify you in advance of any material changes to the list that may significantly impact the way in which your data is processed.
Your right to object to subprocessors
In such case LoftyWorks may put in place mitigating measures. If there are no practicable mitigation measures, or you do not accept the appointment of the subprocessor despite the measures, LoftyWorks may elect to suspend or terminate the relevant services. Notify LoftyWorks in writing if you object to any appointment of a new subprocessor on reasonable grounds.
International transfers
Not transfer any Personal Data to a country or territory outside of the European Equivalent Protection Area, unless: (a) expressly permitted by you; and (b) the transfer is made to a permitted subprocessor and lawful means (such as Standard Contractual Clauses approved by the European Commission Decision of 4 June 2021 for the transfer of personal data from the EEA (SSCs), or the International Data Transfer Addendum issued by the Information Commissioner’s Office (IDTA)) are in place to ensure that the transfer is compliant with data protection laws.
5 Data security
Responsibility and training
Appoint a designated contact responsible for data processing under this agreement [and keep you informed of any changes to that appointment].
Ensure that employees and permitted subprocessors are aware of the importance of treating the Personal Data in a confidential and secure manner and provide appropriate training.
Training will include data classification obligations, physical security controls, security practices and security incident reporting. Disciplinary processes will be appropriately applied if employees commit a security breach.
Security measures
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks present in processing Personal Data, to protect against accidental loss, destruction, alteration, unauthorised disclosure or theft of Personal Data.
Data maintenance 6 .
Inform LoftyWorks of changes
Notify LoftyWorks in a timely manner of any changes to your data.
Keep data up to date
Promptly comply with any request from you to update, amend or correct the Personal Data.
7 Compliance support
Assisting you to comply with your data controller obligations
Provide reasonable assistance to you in meeting your obligations under Data Protection Laws in relation the processing of Personal Data, the notification of Personal Data breaches and legal impact assessments.
Make available to you all information reasonably required by you to demonstrate your compliance with Data Protection Laws as a controller and LoftyWorks’ compliance as a processor.
Allow you to inspect LoftyWorks’ systems and processes to verify compliance with this data processing agreement and shall cooperate with such an inspection.
Data requests
Immediately refer to you any requests (including notices, complaints and enforcement action) relating to the Personal Data from data subjects or supervisory authorities and cooperate with you to enable you to comply with the same.
Not disclose more in response to such requests than is required by law or by a formal request of a public authority (unless otherwise agreed with you) and keep a record of the disclosure.
At your reasonable request, or if LoftyWorks has suffered a security incident, or if required by a competent data authority, permit you (or your appointed third-party auditors) to conduct an on-site audit during normal business hours and make available all information, systems and staff reasonably required for the conduct of such audit. Audits pursuant to a reasonable request are limited to once per contract year. Give reasonable prior notice of your intention to audit, and use reasonable efforts to minimise disruption to LoftyWorks’ operations. Bear your own costs of the audit.
If LoftyWorks provides to you a third party audit report, this will be regarded as adequate discharge of the above audit obligation, unless an on-site audit is required by a data authority or by law, or you consider (acting reasonably) that the audit report does not adequately evidence LoftyWorks’ compliance with this data processing agreement.
8 Security incidents
Notify you without delay of any security incident. *A security incident is any accidental, unauthorised or unlawful disclosure, alteration, corruption, loss of or damage to any Personal Data, or any physical or network security incident that is likely to give rise to such a data breach.
Provide to you in a timely manner with a detailed description of the incident including the Personal Data records impacted, the likely consequences, and measures taken or proposed to mitigate the incident.
At its own expense, investigate the incident and take measures to remedy it, mitigate its impact and prevent further incidents, and cooperate with you in doing so.
Not inform any third party without first obtaining your prior consent, except (a) as may be strictly required by law or (b) to third party advisers for the purpose of containing, investigating or responding to the incident.
Costs of responding to security incidents
Bear the cost of investigation and responding to security incidents to the extent the incident or its root cause originates from LoftyWorks’ data, facilities or systems or those of its subcontractors. Bear the cost of investigation and responses (including LoftyWorks’ costs in assisting you) to the extent the incident or its root cause originates from your systems or facilities.
Part 3 Data security
LoftyWorks will implement and maintain organisational and technical measures to ensure your data remains safe and secure. The following sets out the typical measures LoftyWorks will implement.
Information security Access controls
Implement an information security management system (ISMS) aligned with ISO 27001, covering its own personnel and permitted subprocessors who have access to Personal Data to maintain the integrity, confidentiality, resilience and availability of Personal Data, prevent unauthorized persons from gaining access to Personal Data, and to prevent systems processing Personal Data being used without authorization. Ensure that LoftyWorks personnel gain access only to Personal Data that they are entitled to access, and only for the time necessary.
Permit only authorised personnel to grant, modify or revoke access to an information system that uses or houses Personal Data.
Adopt user authentication procedures based on segregation of duties and least privilege. Unique user IDs and passwords will be required to access Personal Data. Access will be restricted to active users only.
On-site security
Maintain appropriate security systems at all LoftyWorks sites at which an information system that uses or houses Personal Data is located.
Employee checks
Take measures to ensure the reliability of its employees and permitted subprocessors prior to their engagement, with appropriate background checks and references.
Systems People
Processes Technology
Mobile devices Network and systems security
Where LoftyWorks employees will have access to Personal Data on mobile devices, ensure that the devices have password or similar protection and encryption. Maintain network security using commercially available equipment and industry standard techniques, including firewalls, intrusion detection systems, access control lists and secure routing protocols;.
Back-ups Ensure that personal data which is processed in a cloud computing environment (meaning on servers that are not owned or operated by LoftyWorks) are safeguarded applying suitable cloud computing standard data security principles.
Adopt appropriate measures to support access and restoration of data in the event of a physical or technical incident impacting data integrity or availability.
Have in place appropriate systems and procedures to ensure that Personal Data is not read, copied, modified or deleted without authorization during processing, storage and transmission.
Perform and maintain secure back-ups of all Personal Data, stored off-site.
Virus and malware controls
Ensure that LoftyWorks systems, and those of its hosting providers and permitted subcontractors, are maintained with industry standard and up-to-date anti-virus and malware protection software to check for, contain the spread of, and minimise the impact of malicious software on those systems.
Part 4 Data processing details
This section specifies the kind of data that LoftyWorks will collect and process, where it will process and store the data, and describes LoftyWorks’ use of subprocessors.
What is processed and how
Personal Data processed Name
Job title
Email address
Telephone number
Bank accounts details
Passport, Driving License and other forms of ID
Proof of Address information
Right to Study status
Right-to-Rent check status
Visa information
Employment information
Previous home addresses
References of past/current employers, landlords and agents
Documents processed
(non-exhaustive list of the kind of documents LoftyWorks will process as part of onboarding and providing its services)
Photographs and ID documents you provide as part of ID checks
Personal bank statements
Personal employment contracts
Court related papers
Communications with tenants, landlords and suppliers
Photographs of property and units
Inspection reports
Compliance documents
Contract documents
Invoices, bills, quotes, credit notes
Fire risk assessments
Insurance documents
Health and Safety reports
Method Statements
Categories of Data Subject Your personnel (employees and non-employed personnel).
Your tenants, landlords, agents and suppliers.
Other data subjects that may appear in the documents processed.
Nature and purpose of processing The provision of the services under this agreement and, where relevant, the provision of access to the LoftyWorks Platform (LoftyWorks’ cloud-based tenancy management platform).

Contacting and onboarding of your personnel onto the LoftyWorks Platform and service.

Conducting anti-money laundering checks for the above purposes.

Administering your account.

Duration of processing For the duration of our agreement and any exit or transition support agreed. Data will be retained in accordance with LoftyWorks’ privacy notice.
Point of contact for data queries and complaints
Location and subprocessors
Server locations Your data will be hosted on Amazon Web Services (AWS) servers at locations in the EU (a list of then-current locations can be provided on request). Any changes to locations notified to LoftyWorks by AWS will be promptly communicated to you). LoftyWorks will not relocate your data to a location outside of the EU without prior notice to you.
Access to data centers It is not possible for LoftyWorks to provide physical access to its cloud hosting provider’s servers or data centers. Any of your audit or inspection rights under this agreement do not extend to the systems or personnel of LoftyWorks’ cloud hosting providers or any of the permitted subprocessors listed below.
Permitted subprocessors As with most technology businesses, LoftyWorks use third parties to host its application and manage business operations. If it requires transferring data outside of the European Equivalent Protection Area, LoftyWorks makes sure that it is done under available lawful mechanisms. LoftyWorks uses the following providers which are treated as permitted subprocessors under this agreement. By using LoftyWorks’ services, you agree to the transfer of personal data outside of the European Equivalent Protection Area as the result of LoftyWorks’ use of these subprocessors.
Processor Purpose / nature of processing Server location Legal mechanism *
Google send and receive emails, manage documents USA SSCs + IDTA
Microsoft send and receive emails, manage documents Europe, USA SSCs + IDTA
Meta send and receive whatsapp messages Europe, USA SCCs
Twilio send and receive sms and whatsapp messages USA SCCs + supplementary measures
AWS hosting LoftyWorks SaaS user data Europe N/A
* Standard Contractual Clauses approved by the European Commission Decision of 4 June 2021 for the transfer of personal data from the EEA (SSCs), or the International Data Transfer Addendum issued by the Information Commissioner’s Office (IDTA).
Designed and automated with

Please rotate your device