1. Parties
This Data Processing Agreement ("DPA") is entered into between:
Data Controller: The Client ("Controller"), being the estate agency or letting agency that has entered into a service agreement with Yield.
Data Processor: Deploy IQ Ltd (Yield), a company registered in England and Wales ("Processor").
This DPA forms part of the Terms of Service between the Controller and Processor and governs the processing of personal data by the Processor on behalf of the Controller.
2. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person processed under this Agreement.
"Data Subject" means the individual to whom Personal Data relates, including property buyers, sellers, landlords, tenants, and website visitors.
"Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"UK GDPR" means the UK General Data Protection Regulation as incorporated into UK law.
"Data Protection Laws" means UK GDPR, the Data Protection Act 2018, and any other applicable data protection legislation.
3. Subject Matter and Scope
3.1 Nature of Processing
The Processor provides an AI-powered conversational chatbot service ("Yield") that engages with website visitors on behalf of estate and letting agencies. The chatbot collects and processes enquiries, qualifies leads, and books appointments.
3.2 Categories of Data Subjects
- Property buyers and prospective buyers
- Property sellers and prospective sellers
- Landlords and prospective landlords
- Tenants and prospective tenants
- Website visitors making enquiries
3.3 Types of Personal Data
- Name and contact details (email, phone number)
- Property requirements and preferences
- Conversation transcripts and enquiry content
- IP addresses and device information
- Appointment booking details
3.4 Duration
Processing shall continue for the duration of the service agreement and for such period thereafter as required for compliance with legal obligations or legitimate business purposes.
4. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by law;
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality;
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest;
- Not engage another processor without prior written authorisation of the Controller;
- Assist the Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws;
- Assist the Controller in ensuring compliance with obligations relating to security, breach notification, and data protection impact assessments;
- At the choice of the Controller, delete or return all Personal Data upon termination of the service agreement;
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits.
5. Controller Obligations
The Controller shall:
- Ensure that the processing of Personal Data has a lawful basis under Data Protection Laws;
- Provide clear and accurate instructions to the Processor regarding the processing of Personal Data;
- Ensure that appropriate privacy notices are displayed on their website informing Data Subjects of the use of chatbot technology and data processing;
- Respond to Data Subject requests and inform the Processor of any requests that require the Processor's assistance.
6. Sub-processors
6.1
The Controller provides general authorisation for the Processor to engage Sub-processors, subject to the conditions in this section.
6.2
The Processor shall maintain a list of current Sub-processors, which shall be made available to the Controller upon request.
6.3
The Processor shall notify the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object.
6.4 Current Sub-processors:
The following table sets out the Sub-processors currently engaged by the Processor, including the purpose of processing, categories of data processed, hosting region, and retention approach.
| Sub-processor | Purpose | Data Categories | Region | Retention |
|---|---|---|---|---|
| Anthropic | AI model provider — powers conversational chat generation and lead qualification | Conversation transcripts, enquiry content, property preferences | United States | Transient (not retained after processing) |
| OpenAI | AI model provider — semantic enrichment, embeddings generation, and text processing of property-derived data | Property listing text, address data, conversation content for enrichment | United States | Transient (zero data retention API usage) |
| Supabase | Database and edge functions — stores and processes synced and enriched property data | Property listings, contact details, conversation transcripts, enriched data, lead records | EU (Frankfurt) | Duration of service agreement + 30 days |
| Amazon Web Services (AWS) | Cloud hosting infrastructure | All categories as described in Section 3.3 | EU/UK regions | Duration of service agreement + 30 days |
| DigitalOcean | Runtime host — executes data sync scripts and handles data in process, log, and runtime context | Property data in transit during sync operations, runtime logs | EU (London/Amsterdam) | Transient in runtime; logs retained 30 days |
| Google Maps Platform | Places API and Geocoding — processes location queries and address context for property enrichment and search resolution | Property addresses, location search queries | United States/EU | Transient (not retained after processing) |
| Stripe | Payment processing — manages subscription billing and invoicing | Controller billing details, payment information | United States/EU | As required by financial regulations |
6.5 Legal Basis for International Transfers
Where Sub-processors are located outside the UK, transfers are safeguarded by one or more of the following mechanisms: UK International Data Transfer Agreement (UK IDTA), Standard Contractual Clauses (SCCs) as supplemented for UK transfers, or reliance on a UK adequacy decision where applicable. Details of the specific safeguard in place for each Sub-processor are available upon request.
6.6 Sub-processor Change Notification
The Processor shall give the Controller no less than 14 days' prior written notice of any intended addition or replacement of Sub-processors, providing the Controller with the opportunity to object to such changes. If the Controller objects on reasonable data protection grounds and the parties cannot resolve the objection, the Controller may terminate the affected services without penalty.
7. International Data Transfers
7.1
Where Personal Data is transferred outside the UK, the Processor shall ensure that appropriate safeguards are in place, including Standard Contractual Clauses approved by the UK Information Commissioner's Office or reliance on an adequacy decision.
7.2
The Processor shall inform the Controller of any transfers to third countries and the safeguards implemented.
8. Security Measures
The Processor implements the following technical and organisational measures:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and authentication mechanisms
- Regular security testing and vulnerability assessments
- Employee training on data protection and security
- Incident response and business continuity procedures
- Secure development practices
9. Data Breach Notification
9.1
The Processor shall notify the Controller without undue delay, and in any event within 48 hours, upon becoming aware of a Personal Data breach.
9.2
The notification shall include: the nature of the breach, categories of Data Subjects affected, likely consequences, and measures taken to address the breach.
10. Termination and Data Return
10.1
Upon termination of the service agreement, the Processor shall, at the Controller's choice, return or delete all Personal Data within 30 days.
10.2
The Processor may retain Personal Data where required by applicable law, subject to appropriate confidentiality and security measures.
11. Liability
Each party shall be liable for damages caused by processing that infringes Data Protection Laws in accordance with Article 82 of UK GDPR. Liability shall be subject to the limitations set out in the main service agreement.
12. General Provisions
12.1 Governing Law
This DPA shall be governed by the laws of England and Wales.
12.2 Amendments
This DPA may be amended by written agreement between the parties or by the Processor updating its standard terms with reasonable notice to the Controller.
12.3 Conflict
In the event of conflict between this DPA and the main service agreement, this DPA shall prevail with respect to data protection matters.
Version 2.0 — February 2026