Data Processing Agreement



Last Updated on 10 Nov, 2025

Parties and Execution


Entity details:
LightWork Holding Ltd
Company number: 15027977
Registered office address: 83 Victoria Street, London, England, SW1H 0HW
(referred to as “LightWork AI” in the Main Agreement and “LightWork AI” or “Processor” in this DPA).

Entity details:
The “Client” as set out in the Main Agreement.

(referred to as “Client” in the Main Agreement and “Client” or “Controller” in this DPA).

Signature:
Signed in accordance with the Main Agreement.

Signature:
Signed in accordance with the Main Agreement.

Name:

Name:

Title:

Title:

Date:

Date:


Variables


Parties’ relationship

Controller to Processor

Parties’ roles

Client will act as the Controller (as defined in Section 1 of the Terms)
LightWork AI will act as the Processor (as defined in Section 1 of the Terms)

Contacts

Controller
Name:
Email:
As set out in the Notices clause (Clause 14.7) of the Main Agreement.

Processor
Name:
Email:
As set out in the Notices clause (Clause 14.7) of the Main Agreement.

Main Agreement

The Agreement entered into between LightWork and the Client in relation to the provision of the Services under and in accordance with the LightWork Pilot Agreement Terms and Conditions

Term

This DPA will commence on the Start Date as set out in the Main Agreement and will continue for the Term as set out in the Main Agreement.

Breach Notification Period

Without undue delay after becoming aware of a personal data breach

Sub-processor Notification Period

A reasonable timeframe before the new sub-processor is granted access to Personal Data

Liability Cap

Each party’s aggregate liability under this DPA will not exceed the liability caps as per the Main Agreement

Governing Law and Jurisdiction

As per the Main Agreement

Data Protection Laws

All laws, regulations and court orders which apply to the processing of Personal Data in the United Kingdom (UK). This includes the UK GDPR and the Data Protection Act 2018, each as amended from time to time.

Services related to processing

As described in the Main Agreement

Duration of processing

For the Term of this DPA

Nature and purpose of processing

Known personal data. The purpose of the personal data processing for the identifiable in-scope personal data is:

  1. to enable the Client’s personnel to access and use the Service and for LightWork AI to provide the Service. Specifically, to automate tasks and streamline communication between parties involved in the management of residential properties. This includes the collection, storage, updating and deletion of such personal data; and

  2. to make improvements to the Service and use the personal data to train the AI models used as part of the Service (unless the parties specifically contract out of this in the Main Agreement).

Unknown personal data. Any unknown personal data is not required by LightWork AI in order to provide the Service and the Client should aim to limit the amount of unknown personal data provided to LightWork AI. To the extent that such unknown personal data is processed by LightWork AI, the purpose(s) are the same as for known personal data (above), which is primarily to enable LightWork AI to deliver the Service and if the parties have agreed that LightWork AI may use Client Data to do so in the Main Agreement, to improve its product and train its AI models.

Personal Data

Known personal data

The types of personal data processed are:

Tenants

  • Identity Data: first name, last name

  • Contact Data: email address, telephone number, residential address

Prospective tenants

  • Identity Data: first name, last name

  • Contact Data: email address (personal), telephone number

  • Financial data: details of any adverse credit, combined household income

  • Employment data: employment status, employment tenure

Contractors

  • Identity Data: first name, last name

  • Contact Data: email address (work), telephone number (personal or work)

  • Job Data: specialisation (i.e. what type of certificate the Contractor services, or type of maintenance they provide), service area (i.e. the geographical area the Contractor provides their services)

Landlords

  • Identity Data: first name, last name

  • Contact Data: email address (personal), telephone number

Client’s personnel

  • Identity Data: first name, last name, job title/role

  • Contact Data: email address (work)

Unknown personal data

LightWork AI may also process the Client’s personal data that is not identifiable at the commencement of the Term in order to provide the Services, including:

  1. Any additional personal data that may be shared by:
    ○ the Client’s personnel via the user interface of the Service (specifically as input via the chat functionality), and
    ○ Tenants, Contractors or Landlords when communicating with the Service via email, SMS or WhatsApp; and

  2. Any additional personal data that may be accessed and processed by LightWork AI via its access to the Client’s:
    ○ lettings email inbox (or similar); and
    ○ Property Management System,

all of which may include special categories of personal data.

Data subjects

The individuals whose Personal Data will be processed are:

  • Tenants

  • Prospective Tenants

  • Contractors

  • Landlords

  • Client’s personnel (including Property Managers)

Special provisions

None

Transfer Mechanism

N/A

Annex 1


Security measures. Technical and organisational measures to ensure the security of Personal Data

Technical measures

  • All workloads run on Google Cloud Platform (GCP), deployed strictly in EU regions (London or other EU zones only).

  • MongoDB (EU region) is our primary database. Data is encrypted at rest with AES-256 and encrypted in transit (TLS).

  • We maintain periodic automated backups of all production databases with secure storage and controlled access.

  • Qdrant (EU region) is used as our vector database, and Redis Cloud (EU region) is used for caching.

  • Access to infrastructure is restricted via IAM, MFA-enforced accounts and least-privilege roles.

  • Services run in private networks with firewalls and VPC-level isolation.

  • Monitoring, alerting and log management are handled by Datadog, configured within EU regions.

  • We use Vanta to continuously monitor our security position and maintain compliance.

  • All software is kept up-to-date and security updates are installed as soon as reasonably possible.

Organisational measures

  • Operational practices include regular patching, vulnerability scanning, and incident management processes.

  • Making all employees and third-party agents fully aware of their individual responsibilities under the GDPR.

Annex 2


Sub-processors. Current sub-processors


| Name of Sub-processor | Location of Processing | Transfer mechanism |
|---|---|---|
| OpenAI (ChatGPT): foundational model provider | EEA | N/A |
| Google (Gemini): foundational model provider | EEA | N/A |
| Google Cloud Platform (GCP): cloud infrastructure | EEA | N/A |
| MongoDB Atlas: primary database | EEA | N/A |
| Qdrant Cloud: vector database | EEA | N/A |
| Redis Cloud: caching | EEA | N/A |
| Nylas: email service provider | EEA | N/A |

Terms

1. What is this agreement about?

1.1 Purpose. The parties are entering into this Data Processing Agreement (DPA) for the purpose of processing Personal Data (as defined above).

1.2 Definitions. Under this DPA:
(a) adequate country means a country or territory that is recognised under Data Protection Laws from time to time as providing adequate protection for processing Personal Data, and
(b) Controller, data subject, personal data breach, process/processing, Processor and supervisory authority have the same meanings as in the Data Protection Laws.

2. What are each party’s obligations?

2.1 Controller obligations. Controller instructs Processor to process Personal Data in accordance with this DPA, and is responsible for providing all notices and obtaining all consents, licences and legal bases required to allow Processor to process Personal Data.

2.2 Processor obligations. Processor will:
(a) only process Personal Data in accordance with this DPA and Controller’s instructions (unless legally required to do otherwise),
(b) not sell, retain or use any Personal Data for any purpose other than as permitted by this DPA and the Main Agreement,
(c) inform Controller immediately if (in its opinion) any instructions infringe Data Protection Laws,
(d) use the technical and organisational measures described in Annex 1 when processing Personal Data to ensure a level of security appropriate to the risk involved,
(e) notify Controller of a personal data breach within the Breach Notification Period and provide assistance to Controller as required under Data Protection Laws in responding to it,
(f) ensure that anyone authorised to process Personal Data is committed to confidentiality obligations,
(g) without undue delay, provide Controller with reasonable assistance with:
(i) data protection impact assessments,
(ii) responses to data subjects’ requests to exercise their rights under Data Protection Laws, and
(iii) engagement with supervisory authorities,
(h) if requested, provide Controller with information necessary to demonstrate its compliance with obligations under Data Protection Laws and this DPA,
(i) allow for audits at Controller’s reasonable request, provided that audits are limited to once a year and during business hours except in the event of a personal data breach, and
(j) return Personal Data upon Controller’s written request or delete Personal Data by the end of the Term, unless retention is legally required.

2.3 Warranties. The parties warrant that they and any staff and/or subcontractors will comply with their respective obligations under Data Protection Laws for the Term.

3. Sub-processing

3.1 Use of sub-processors. Controller authorises Processor to engage other processors (referred to in this section as sub-processors) when processing Personal Data. Processor’s existing sub-processors are listed in Annex 2.

3.2 Sub-processor requirements. Processor will:
(a) require its sub-processors to comply with equivalent terms as Processor’s obligations in this DPA,
(b) ensure appropriate safeguards are in place before internationally transferring Personal Data to its sub-processor, and
(c) be liable for any acts, errors or omissions of its sub-processors as if they were a party to this DPA.

3.3 Approvals. Processor may appoint new sub-processors provided that they notify Controller in writing in accordance with the Sub-processor Notification Period.

3.4 Objections. Controller may reasonably object in writing to any future sub-processor. If the parties cannot agree on a solution within a reasonable time, either party may terminate this DPA.

4. International personal data transfers

4.1 Instructions. Processor will transfer Personal Data outside the UK, the EEA or an adequate country only on documented instructions from Controller, unless otherwise required by law.

4.2 Transfer mechanism. Where a party is located outside the UK, the EEA or an adequate country and receives Personal Data:
(a) that party will act as the data importer,
(b) the other party is the data exporter, and
(c) the relevant Transfer Mechanism will apply.

4.3 Additional measures. If the Transfer Mechanism is insufficient to safeguard the transferred Personal Data, the data importer will promptly implement supplementary measures to ensure Personal Data is protected to the same standard as required under Data Protection Laws.

4.4 Disclosures. Subject to terms of the relevant Transfer Mechanism, if the data importer receives a request from a public authority to access Personal Data, it will (if legally allowed):
(a) challenge the request and promptly notify the data exporter about it, and
(b) only disclose to the public authority the minimum amount of Personal Data required and keep a record of the disclosure.

5. Other important information

5.1 Survival. Any provision of this DPA which is intended to survive the Term will remain in full force.

5.2 Order of precedence. In case of a conflict between this DPA and other relevant agreements, they will take priority in this order:
(a) Transfer Mechanism,
(b) DPA,
(c) Main Agreement.

5.3 Notices. Formal notices under this DPA must be in writing and sent to the Contact on the DPA’s front page as may be updated by a party to the other in writing.

5.4 Third parties. Except for affiliates, no one other than a party to this DPA has the right to enforce any of its terms.

5.5 Entire agreement. This DPA supersedes all prior discussions and agreements and constitutes the entire agreement between the parties with respect to its subject matter and neither party has relied on any statement or representation of any person in entering into this DPA.

5.6 Amendments. Any amendments to this DPA must be agreed in writing.

5.7 Assignment. Neither party can assign this DPA to anyone else without the other party's consent.

5.8 Waiver. If a party fails to enforce a right under this DPA, that is not a waiver of that right at any time.

5.9 Governing law and jurisdiction. The Governing Law applies to this DPA and all disputes will only be litigated in the courts of the Jurisdiction.