STEMHQ

Data Processing Agreement

Last updated: 3 July 2026

1. Definitions

In this Data Processing Agreement (DPA), the following terms have the meanings given to them in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018):

  • Controller means the operator or customer who determines the purposes and means of processing personal data (you, the operator using the STEMHQ platform).
  • Processor means the entity that processes personal data on behalf of the Controller (STEMHQ Ltd, company registered in England and Wales).
  • Personal Data means any information relating to an identified or identifiable natural person.
  • Data Subject means the identified or identifiable natural person to whom personal data relates.
  • Processing means any operation or set of operations performed on personal data, including collection, recording, storage, retrieval, use, disclosure, or deletion.
  • Sub-processor means any third party engaged by the Processor to carry out processing activities on behalf of the Controller.

This DPA forms part of and is incorporated into the STEMHQ Terms of Service. In the event of a conflict between this DPA and the Terms of Service in relation to data protection matters, this DPA shall prevail.

2. Scope and purpose

The Processor shall process personal data solely for the purpose of providing the STEMHQ platform services to the Controller, strictly in accordance with the Controller's documented instructions. The Processor shall not process personal data for any other purpose.

The categories of personal data processed under this DPA are:

  • Tenant and guarantor names and contact details (email address, phone number)
  • National Insurance numbers
  • Payment records and arrears history
  • Compliance notes and case notes entered by the Controller
  • Documents uploaded by the Controller relating to tenancies (tenancy agreements, identification copies, notices)

The categories of data subjects are:

  • Tenants managed on the STEMHQ platform by the Controller
  • Guarantors associated with tenancies managed by the Controller

The Controller acknowledges that it is the data controller of its tenants' and guarantors' personal data and is responsible for ensuring it has a lawful basis to process that data and to instruct the Processor to process it on its behalf.

3. Processor obligations

The Processor shall, in relation to any personal data processed in connection with the performance of its obligations under this DPA:

  • Process personal data only on the documented instructions of the Controller, unless required to process by applicable law, in which case the Processor shall inform the Controller of this requirement before processing (unless prohibited by law).
  • Ensure that all personnel authorised to process personal data are subject to appropriate confidentiality obligations.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further described in section 4.
  • Assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under UK GDPR, as further described in section 6.
  • On termination of the service agreement, delete or return all personal data to the Controller and delete existing copies, unless retention is required by applicable law, as further described in section 9.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations in UK GDPR Article 28 and allow for and contribute to audits, as further described in section 8.
  • Notify the Controller without undue delay, and in any event within 24 hours, of becoming aware of a personal data breach affecting the Controller's personal data, as further described in section 7.
  • Not engage a sub-processor without the prior specific or general written consent of the Controller, as further described in section 5.

4. Technical and organisational measures

The Processor has implemented the following technical and organisational security measures:

  • Encryption in transit: All data is encrypted in transit using TLS 1.2 or higher. HTTPS is enforced across all platform endpoints.
  • Password hashing: Account passwords are stored as one-way bcrypt hashes with a per-user salt. Plain-text passwords are never stored or logged.
  • Row-level database isolation: Tenant data belonging to the Controller is isolated from other operators at the database level using row-level security policies. No operator can access another operator's data.
  • Encrypted backups: Database backups are encrypted and stored in a separate geographic region from the primary database.
  • Access controls: Access to production systems is restricted to authorised personnel via SSH key authentication only. No password-based access to infrastructure is permitted.
  • Penetration testing: The Processor conducts regular penetration testing of the platform to identify and remediate security vulnerabilities.
  • Security practices: The Processor operates SOC2-aligned security practices including access review, change management, and incident response procedures.

The Processor shall keep these measures under review and may update them over time to maintain an appropriate level of security. The Processor will notify the Controller of any material reduction in the security measures applied.

5. Sub-processors

The Controller provides general written consent to the Processor engaging the following approved sub-processors, each of whom is bound by data processing agreements with the Processor providing at least equivalent data protection to this DPA:

Sub-processorPurposeLocation
Stripe Payments Europe LtdSubscription billing and payment processingEU / UK
Resend Inc.Transactional email deliveryUSA (Standard Contractual Clauses)
Infrastructure providerCloud hosting and database storageEU

The Processor shall notify the Controller at least 30 days before engaging any new sub-processor or making any change to the sub-processors listed above. The notification will be sent to the email address associated with the Controller's account. The Controller may object to a new sub-processor on reasonable data protection grounds by notifying the Processor within 14 days of receiving notice.

6. Data subject rights

The Processor shall assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under UK GDPR, including rights of access, rectification, erasure, restriction, portability, and objection.

  • Where the Controller forwards a data subject rights request to the Processor, the Processor shall provide the Controller with the information or action needed to respond within 72 hours of receiving the forwarded request.
  • The Processor's built-in tenant data erasure and anonymisation tool is designed to satisfy the Controller's obligations under UK GDPR Article 17 (right to erasure) in respect of departed tenants. The Controller remains responsible for determining when and whether to exercise erasure.
  • The Processor shall promptly notify the Controller if it receives any request directly from a data subject in relation to the Controller's personal data, and shall not respond to such requests without the Controller's prior written consent except as required by law.

7. Data breach notification

The Processor shall notify the Controller without undue delay, and in any event within 24 hours of becoming aware of a personal data breach that affects, or is likely to affect, the Controller's personal data.

The notification shall include, to the extent available at the time:

  • The nature of the personal data breach, including the categories and approximate number of data subjects concerned.
  • The categories and approximate number of personal data records concerned.
  • The likely consequences of the personal data breach.
  • The measures taken or proposed to be taken by the Processor to address the breach, including measures to mitigate its possible adverse effects.

Where it is not possible to provide full information at the time of initial notification, the Processor shall provide further information in phases as it becomes available. The Processor shall cooperate with the Controller and take such steps as are reasonably requested by the Controller to assist with any notification to the ICO or to affected data subjects.

8. Audit rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with UK GDPR Article 28 and this DPA.

The Controller may request an audit of the Processor's data processing activities and security measures no more than once per calendar year. Upon receipt of a written audit request, the Processor shall provide written confirmation of its compliance with this DPA within 30 days. Where the Controller requires access to additional documentation or evidence, the parties shall agree the scope and timing of any such review.

Where an audit is required by a regulatory authority or supervisory authority, the one-per-year limitation shall not apply and the Processor shall cooperate promptly.

9. Term and termination

This DPA shall remain in force for the duration of the service agreement between the Controller and the Processor.

Upon termination or expiry of the service agreement for any reason, the Processor shall, at the choice of the Controller and within 30 days of termination:

  • Delete all personal data processed on behalf of the Controller and certify in writing that deletion has been completed; or
  • Return all personal data to the Controller in a machine-readable format and then delete existing copies.

The Processor may retain personal data beyond the 30-day period only to the extent and for the duration required by applicable law (for example, financial records retained for HMRC compliance purposes). Any such retained data shall remain subject to the confidentiality and security obligations of this DPA.

10. Governing law

This DPA and any dispute or claim arising out of or in connection with it or its subject matter shall be governed by and construed in accordance with the law of England and Wales.

The courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA.

11. Contact

For all data protection queries, requests under this DPA, or to exercise data subject rights, contact the Processor at hello@stemhq.co.uk.

Correspondence should be addressed to: Data Protection, STEMHQ Ltd, hello@stemhq.co.uk.