In plain language

Landlord acts as your Data Processor under GDPR Article 28. We are a US entity, so EU/UK → US transfers are covered by the 2021 Standard Contractual Clauses, Module 2, embedded in this DPA. We do not retain conversation content; sub-processors (listed below) handle voice, LLM inference, payments, and messaging under their own published DPAs, each explicitly incorporated into our commercial terms with them.

How customers accept this DPA.

Customers based in the European Economic Area, the United Kingdom, or Switzerland are presented with this DPA inside the Landlord app at first login and on any material update. They must scroll through it and tick the acceptance checkbox to proceed. Landlord records each acceptance with timestamp, the accepting user’s email, the entity name, the IP address, the user agent, and a SHA-256 hash of the exact DPA text that was accepted. This satisfies GDPR Article 28(9), which requires the DPA to be “in writing, including in electronic form.” Customers can retrieve the exact text they accepted at any time inside their Landlord account settings.

This Data Processing Agreement (DPA) is entered into between The Customer identified in the Order Form or signup record (the Controller) and DeepRent LLC, a Delaware limited liability company, DBA Landlord, having its registered office at 1207 Delaware Ave #3446, Wilmington, DE 19806, United States (the Processor). Each a Party and together the Parties.

This DPA forms part of, and is incorporated by reference into, the Commercial Terms or Master Subscription Agreement between the Parties (the Principal Agreement). By accepting the Principal Agreement, the Controller accepts this DPA. The Processor accepts this DPA by making the Service available to the Controller.

1. Background and purpose

1.1 In the course of providing the Landlord AI Sales Employee service (the Service), the Processor will Process Personal Data on behalf of the Controller. This DPA sets out the Parties’ rights and obligations under Article 28 of Regulation (EU) 2016/679 (GDPR), and, where applicable, the UK GDPR and the Data Protection Act 2018, and the relevant national implementing law of the Controller’s jurisdiction.

1.2 The European Commission’s 2021 Standard Contractual Clauses for the transfer of personal data to third countries, Module 2 (Controller to Processor) (SCCs), are incorporated into this DPA by reference and govern the transfer of Personal Data from the Controller in the EEA, the United Kingdom, or Switzerland to the Processor in the United States. Where the Controller is established in the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs applies. In the event of a conflict between this DPA and the SCCs, the SCCs prevail.

2. Definitions

Terms not defined in this DPA have the meaning given to them in the GDPR. Personal Data, Processing, Data Subject, Sub-processor, Supervisory Authority, and Personal Data Breach have the meanings in Articles 4 and 33 GDPR.

3. Scope and instructions

3.1 The Processor will Process Personal Data only on the documented instructions of the Controller, including with regard to transfers to a third country, unless required to do so by Union, Member State, or UK law.

3.2 The Controller’s initial instructions are set out in Annex I (Description of Processing) and the Principal Agreement. The Controller may issue further instructions in writing (including by email or through the Service’s administrative interface) during the term.

3.3 The Processor will inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law.

4. Subject matter, duration, nature and purpose, categories of data and Data Subjects

These are described in Annex I (Description of Processing).

5. Confidentiality

The Processor ensures that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation survives termination of the Principal Agreement.

6. Security

The Processor implements and maintains the technical and organisational measures described in Annex II (Technical and Organisational Measures) to ensure a level of security appropriate to the risk, pursuant to Article 32 GDPR.

7. Sub-processors

7.1 The Controller grants the Processor a general authorisation to engage the Sub-processors listed in Annex III (Sub-processors) as updated from time to time at this page.

7.2 The Processor will inform the Controller of any intended addition or replacement of Sub-processors at least 30 days in advance, giving the Controller the opportunity to object. If the Controller objects on reasonable data-protection grounds, the Parties will discuss in good faith; if no resolution is reached, the Controller may terminate the Principal Agreement without penalty pro rata to the unused term.

7.3 Each Sub-processor’s own Data Processing Agreement is explicitly incorporated into the commercial terms between the Processor and that Sub-processor, and includes the SCCs where applicable. Links to each Sub-processor’s DPA are provided in Annex III.

7.4 The Processor imposes on each Sub-processor data-protection obligations no less protective than those in this DPA.

8. Assistance with Data Subject rights

The Processor will, taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller’s obligation to respond to requests for exercising Data Subject rights under Chapter III GDPR.

9. Assistance with Controller obligations

The Processor will assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 GDPR (security, breach notification, DPIA, prior consultation), taking into account the nature of the Processing and the information available to the Processor.

10. Personal Data Breach notification

The Processor will notify the Controller without undue delay and in any event within 48 hours after becoming aware of a Personal Data Breach. The notification will contain the information required by Article 33(3) GDPR to the extent then known, with updates as further information becomes available.

11. Deletion or return of Personal Data

At the choice of the Controller, the Processor will delete or return all the Personal Data to the Controller after the end of the provision of services relating to Processing, and delete existing copies, unless Union, Member State, or UK law requires storage of the Personal Data.

12. Audit

12.1 The Processor will make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR.

12.2 The Processor will allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, on reasonable prior notice (at least 30 days), no more than once per year (except where required by a Supervisory Authority or following a Personal Data Breach), at the Controller’s cost, subject to reasonable confidentiality safeguards.

12.3 The Processor may satisfy the audit obligation by providing relevant third-party certifications when available.

13. International transfers - SCCs

13.1 The Parties incorporate the 2021 SCCs Module 2 (Controller to Processor) into this DPA. The Controller is the data exporter; the Processor is the data importer.

13.2 The following optional SCC choices apply:

Docking clause (Clause 7): applicable.
Sub-processor authorisation (Clause 9): Option 2 (general written authorisation), 30 days’ notice.
Redress (Clause 11): independent dispute-resolution body option not selected.
Governing law (Clause 17): the law of the EU Member State of the Controller’s establishment, or, where the Controller is established outside the EU, the law of Ireland.
Forum (Clause 18): the courts of the same jurisdiction.
Annex I, II, III of the SCCs: as set out in this DPA’s Annexes I, II, III.
Supervisory authority (Annex I.C): the Supervisory Authority of the Controller’s establishment.

13.3 Where the Controller is established in the United Kingdom, the UK International Data Transfer Addendum (issued by the ICO under section 119A of the Data Protection Act 2018) is incorporated by reference and supplements the SCCs.

13.4 The Parties acknowledge the Transfer Impact Assessment summary at Annex IV.

14. Acceptance and form

14.1 In accordance with Article 28(9) GDPR, this DPA is in writing in electronic form.

14.2 Controllers established in the European Economic Area, the United Kingdom, or Switzerland accept this DPA inside the Landlord application at first login and on any material update. The Processor records each acceptance with timestamp, accepting user, entity name, IP address, user agent, and a SHA-256 hash of the exact DPA text accepted. The Controller can retrieve the exact text it accepted at any time from its Landlord account settings.

15. Term and termination

This DPA enters into force on the date the Controller accepts the Principal Agreement and continues until the Principal Agreement is terminated, except for clauses which by their nature survive (confidentiality, deletion, audit for the relevant retention period).

16. Liability

Liability under this DPA is governed by the limitation-of-liability provisions of the Principal Agreement.

17. Order of precedence

In the event of conflict: (1) the SCCs prevail over this DPA in relation to international transfers; (2) this DPA prevails over the Principal Agreement on data-protection matters.

18. Updates to this DPA

The Processor may update this DPA from time to time. Material changes will be notified to active Controllers through the Landlord application at least 30 days before they take effect, with a renewed in-product acceptance prompt. The exact version a Controller has accepted, and any version it has previously accepted, remains available to that Controller through its Landlord account settings.

Annex I - Description of Processing (and SCC Annex I)

A. List of Parties

Data exporter (Controller): the legal entity identified in the Order Form or signup record.
Data importer (Processor): DeepRent LLC, USA. Contact: Hunter Webb, support@uselandlord.com.

B. Description of transfer

Categories of Data Subjects	Prospective and existing customers of the Controller; individuals contacting the Controller via phone, WhatsApp, SMS, iMessage, or email
Categories of Personal Data	Name; phone number; email address; content of inbound communications; unit-rental inquiry data (size, location, dates); transactional payment-link metadata (not card data)
Special-category data	None
Frequency of transfer	Continuous (real-time per interaction)
Nature of processing	Receiving inbound communications; generating responses via LLM; booking units; sending payment links; following up on stale leads; writing back to Controller’s PMS/CRM
Purpose	Provision of the Landlord AI Sales Employee service to the Controller
Retention	Real-time processing only; no Landlord-side database of conversation content. Sub-processor retention per their published policies (see Annex III). Operational metadata (account configuration, audit logs) retained for the term of the Principal Agreement
Transfers to (sub-)processors	See Annex III

C. Competent Supervisory Authority

The Supervisory Authority of the Controller’s place of establishment (for example, Datatilsynet for Norway, the Information Commissioner’s Office for the United Kingdom, the CNIL for France, the Data Protection Commission for Ireland).

Annex II - Technical and Organisational Measures (and SCC Annex II)

The Processor implements the following measures:

Encryption in transit - TLS 1.2+ on all API endpoints and channel integrations.
Encryption at rest - AES-256 on operational metadata held in managed cloud datastores.
Access control - Role-based access control; least privilege; MFA mandatory on all administrative and engineering accounts.
Personnel security - All employees and contractors bound by written confidentiality obligations; background checks where local law permits.
No persistent conversation storage - Landlord’s architecture is stateless with respect to conversation content; the agent retrieves data from authorised Controller systems on demand and does not maintain a Landlord-side conversation database.
Sub-processor due diligence - Sub-processors must publish a GDPR-compliant DPA and offer the 2021 SCCs.
Logging and monitoring - Application and access logs retained for incident investigation only.
Backup - Operational metadata only; no conversational backups.
Incident response - Documented procedure; 48-hour Controller notification on confirmed Personal Data Breach.
Vulnerability management - Patching of managed services per vendor cadence; dependency scanning on application code.
Business continuity - Multi-region failover for production sub-processors where available.
Physical security - All Processor infrastructure is hosted on managed cloud (Sub-processors); no Processor-operated data centres.

Annex III - Sub-processors (and SCC Annex III)

Each sub-processor’s DPA is explicitly incorporated into Landlord’s commercial terms with that provider and links above. We notify Customers of any change to this list at least 30 days in advance through the Landlord app.

#	Sub-processor	Entity & location	Service	DPA / SCCs link
1	Anthropic, PBC	San Francisco, USA	LLM inference (Claude API) - agent reasoning, email and chat generation	privacy.claude.com DPA auto-incorporated into commercial terms; SCCs Module 2 included; no model training on inputs by default; zero-retention available.
2	OpenAI, L.L.C. (when their models are used)	San Francisco, USA	LLM inference (OpenAI API) - agent reasoning, email and chat generation	openai.com/policies/data-processing-addendum SCCs Module 2 included; no training on API inputs by default; zero data retention available.
3	Google LLC (when their models are used)	Mountain View, USA	LLM inference (Gemini API) - agent reasoning, email and chat generation	cloud.google.com/terms/data-processing-addendum Cloud DPA with SCCs Module 2 included; customer data not used to train models.
4	ElevenLabs Inc.	Delaware, USA	Voice synthesis and telephony agent	elevenlabs.io/dpa
5	Stripe Payments Europe Ltd.	Dublin, Ireland	Payment links	stripe.com/legal/dpa
6	Twilio Ireland Ltd. (when SMS is used)	Dublin, Ireland	SMS routing	twilio.com/legal/data-protection-addendum
7	Meta Platforms Ireland Ltd.	Dublin, Ireland	WhatsApp Business API transport	facebook.com/legal/terms/dataprocessingterms
8	Amazon Web Services EMEA SARL (eu-west-1)	Luxembourg	Hosting of operational metadata	aws.amazon.com/compliance/gdpr-center/

Sub-processor change log

No changes to date. This list is the initial sub-processor set effective from 29 May 2026.

Annex IV - Transfer Impact Assessment summary

Transfer route: EEA / UK / Switzerland → United States (Delaware).
Mechanism: 2021 SCCs Module 2 (and, for UK exporters, the UK International Data Transfer Addendum).
Nature of data: contact and inquiry data of self-storage prospects; no special-category data; no children’s data; no public-figure or activist exposure.
US surveillance risk under FISA 702 / EO 12333: The Processor is not an “electronic communications service provider” within the meaning of 50 U.S.C. § 1881(b)(4) for the purposes of bulk collection. No requests under FISA 702 or National Security Letters received to date.

Supplementary measures:

End-to-end TLS on all transport.
No Landlord-side database of conversation content (data-minimisation by architecture).
Sub-processor short-retention and zero-retention configurations where supported.
Contractual obligations under SCC Clauses 14 and 15 (challenge government access; transparency).

Conclusion: The Parties conclude that the transfer offers a level of protection essentially equivalent to that guaranteed by the GDPR.