Data Processing Agreement
Effective Date: 7 March 2026
Last Updated: 7 March 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between you (“Controller”, “Landlord”) and Elm & Co. Limited, a company incorporated in the Isle of Man (Company Number: 136494C) (“Processor”, “RentFolder”, “we”, “us”).
This DPA applies to the processing of personal data by the Processor on behalf of the Controller in connection with the RentFolder web application (the “Service”), and is designed to meet the requirements of Article 28 of the UK GDPR, the Isle of Man GDPR, and equivalent international data protection frameworks.
1. Definitions
Unless otherwise defined herein, capitalised terms have the meanings given to them in the Agreement or in applicable Data Protection Laws.
- “Data Protection Laws” means the UK GDPR, the Data Protection Act 2018, the Isle of Man Data Protection Act 2018, the EU GDPR (to the extent applicable), PIPEDA (Canada), the Australian Privacy Act 1988, the New Zealand Privacy Act 2020, and all other applicable data protection and privacy legislation.
- “Personal Data” means any information relating to an identified or identifiable natural person that the Processor processes on behalf of the Controller via the Service.
- “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Scope & Roles
- Controller: The Landlord who registers for a RentFolder account and inputs or uploads tenant personal data.
- Processor: Elm & Co. Limited, which processes tenant personal data solely on the Controller’s instructions for the purpose of providing the Service.
3. Subject Matter & Duration of Processing
3.1 Subject Matter
The Processor processes Personal Data on behalf of the Controller for the purpose of providing the RentFolder property management service, including storing tenancy records, facilitating maintenance requests via secure token-based links, and enabling document storage.
3.2 Duration
Processing will continue for the duration of the Agreement and for such period thereafter as is necessary to fulfil legal retention obligations (see Section 10).
4. Nature & Purpose of Processing
The Processor processes Personal Data to:
- Store and manage tenant records (names, contact details, tenancy information) as directed by the Controller;
- Store lease documents uploaded by the Controller and make them available to tenants via secure, time-limited access links;
- Receive, store, and display maintenance requests and associated photographs submitted by tenants;
- Store inspection photographs and property event records;
- Generate financial summaries and ledger reports for the Controller’s use.
5. Types of Personal Data Processed
| Category | Examples |
|---|---|
| Tenant Identity Data | Full name |
| Tenant Contact Data | Email address, phone number |
| Tenancy Records | Lease start/end dates, rent amounts, deposit amounts, property address |
| Documents | Lease agreements (PDF), inspection reports |
| Photographs | Inspection photos, maintenance request photos (may incidentally contain personal items or identifiable features) |
| Maintenance Records | Issue descriptions, timestamps, resolution status |
| Financial Ledger Data | Payment records, deductions, deposit returns |
6. Categories of Data Subjects
- Tenants of the Controller’s rental properties, including current and former tenants.
7. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law (in which case the Processor shall, where legally permitted, inform the Controller before processing);
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 8);
- Not engage another processor (Sub-processor) without the prior general written authorisation of the Controller (see Section 9);
- Assist the Controller, taking into account the nature of processing, in responding to requests from data subjects exercising their rights under Data Protection Laws (access, rectification, erasure, portability, restriction, and objection);
- Assist the Controller in ensuring compliance with obligations relating to security of processing, notification of Data Breaches, data protection impact assessments, and prior consultation with supervisory authorities;
- At the Controller’s choice, delete or return all Personal Data to the Controller after the end of the provision of the Service, and delete existing copies unless storage is required by applicable law (see Section 10);
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits (see Section 11).
8. Security Measures
The Processor implements the following technical and organisational measures:
- Encryption at rest for all stored Personal Data (Cloudflare R2 and D1 databases);
- Encryption in transit using TLS 1.2+ (HTTPS) for all data transmissions;
- Access controls: Tenant data is isolated per Landlord account. File access is restricted via time-limited, cryptographically signed (presigned) URLs;
- Authentication: Secure password hashing (bcrypt), session-based authentication for Landlords, and cryptographic token validation for tenant portal access;
- Infrastructure security: Cloudflare edge security including DDoS mitigation, Web Application Firewall (WAF), and bot management;
- No-index, no-referrer headers on tenant portal pages to prevent accidental search engine exposure;
- Rate limiting on public-facing API endpoints to prevent abuse.
9. Sub-processors
9.1 General Authorisation
The Controller grants the Processor a general written authorisation to engage the Sub-processors listed below. The Processor shall inform the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object. If the Controller objects on reasonable data protection grounds, and the Processor cannot reasonably accommodate the objection, either party may terminate the Agreement.
9.2 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Hosting (Workers), object storage (R2), database (D1), content delivery, and security services | Global (US-headquartered) |
| Paddle.com Market Limited | Payment processing, invoicing, and tax compliance (Merchant of Record). Does not process tenant Personal Data. | United Kingdom |
9.3 Sub-processor Obligations
The Processor shall impose on each Sub-processor, by way of contract, data protection obligations no less onerous than those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor’s obligations.
10. Data Retention & Deletion
10.1 During the Agreement
Personal Data is retained for the duration of the Controller’s active account and for as long as necessary to provide the Service.
10.2 On Termination
Upon termination of the Agreement:
- The Controller may request export of their data before account deletion;
- The Processor shall delete the Controller’s Personal Data within 30 days of receiving a valid deletion request;
- Financial ledger data may be retained for up to seven (7) years after account closure to comply with tax and legal record-keeping obligations;
- Anonymised or aggregated data that no longer constitutes Personal Data may be retained indefinitely for analytical purposes.
11. Audits & Compliance Verification
The Processor shall make available to the Controller, upon reasonable written request (no more than once per calendar year), information necessary to demonstrate compliance with this DPA. This may include:
- Completion of a written security questionnaire or audit checklist provided by the Controller;
- Provision of relevant certifications, audit reports, or summaries of independent security assessments, where available.
Given the nature and scale of the Service (a multi-tenant SaaS platform), on-site audits are not available. The Processor shall cooperate in good faith to address reasonable compliance enquiries via written correspondence.
12. Data Breach Notification
In the event of a Data Breach affecting the Controller’s Personal Data, the Processor shall:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach;
- Provide the Controller with sufficient information to enable the Controller to meet its own breach notification obligations, including:
  - The nature of the breach;
  - The categories and approximate number of data subjects affected;
  - The likely consequences of the breach;
  - The measures taken or proposed to address the breach, including mitigation measures.
- Cooperate with and assist the Controller in investigating and remediating the breach.
13. International Data Transfers
Personal Data may be processed in countries other than the Controller’s country of residence due to the global nature of Cloudflare’s infrastructure. Where such transfers occur, the Processor ensures that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) between the Processor and its Sub-processors;
- Reliance on adequacy decisions issued by relevant data protection authorities;
- Binding contractual obligations requiring Sub-processors to protect data to standards equivalent to those required by applicable Data Protection Laws.
14. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party’s liability for any matter for which liability cannot be lawfully limited or excluded.
15. Governing Law & Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of the Isle of Man. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of the Isle of Man.
16. Contact
For questions or requests relating to this DPA, including data subject rights requests, Data Breach notifications, or Sub-processor changes, please contact:
Elm & Co. Limited
Isle of Man
Email: privacy@rentfolder.com