Data Processing Agreement

Last updated: 24 February 2026

1. Parties and roles

This Data Processing Agreement ("DPA") applies between you ("Data Controller") and FRK Holdings LTD (company no. 15615224), trading as BrikkPM ("Data Processor").

As a landlord, you decide what personal data to enter about your tenants, contractors, and letting agents. That makes you the data controller under UK GDPR. BrikkPM processes that data on your instructions — we store, display, and export it, but we don't use it for our own purposes.

2. What data we process

We process the following categories of personal data on your behalf:

  • Tenant names, contact details, tenancy dates, and rent amounts
  • Right to Rent check dates and document expiry dates
  • Letting agent names, contact details, and fee structures
  • Contractor names and contact details (when added to maintenance items)
  • Any free-text notes you add to properties, tenants, or maintenance records

3. Our obligations as processor

BrikkPM will:

  • Process personal data only on your documented instructions (i.e. your use of the app)
  • Not sell, rent, or share personal data with third parties for their own purposes
  • Implement appropriate technical and organisational security measures (see Section 5)
  • Notify you without undue delay if we become aware of a personal data breach
  • Delete all personal data when you delete your account, within 30 days
  • Make data available for export at any time via the GDPR export feature in Settings

4. Sub-processors

We use the following sub-processors to deliver the service:

  • Railway (railway.app) — application hosting and PostgreSQL database. Infrastructure runs on Google Cloud Platform.
  • Google OAuth — authentication only. We receive your name, email, and profile picture when you sign in with Google.
  • Microsoft Azure AD — authentication only. We receive your name, email, and profile picture when you sign in with Microsoft.
  • Stripe — payment processing for paid subscriptions. We share your email address with Stripe to create a customer record. Stripe handles all card details directly.

We will notify you before adding new sub-processors by updating this page. If you object to a new sub-processor, you may delete your account.

5. Security measures

  • All data in transit is encrypted via TLS (HTTPS)
  • Database connections use SSL
  • Sensitive HMRC identifiers (UTR and NINO) are encrypted at rest using AES-256-GCM
  • Authentication uses OAuth 2.0 with JWT sessions — we never store passwords
  • All API routes enforce user-scoped access (no cross-tenant data leakage)
  • Security headers: CSP, HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff

6. Data breach notification

If we discover a breach of personal data processed on your behalf, we will notify you by email within 72 hours, including:

  • The nature of the breach and the categories of data affected
  • The approximate number of records affected
  • The measures taken or proposed to address the breach

7. Data deletion

When you delete your account via the Settings page, all associated data is permanently removed using cascading database deletes. This includes properties, tenants, rent payments, compliance records, maintenance items, documents, notifications, landlord profile, and regulatory obligations.

Deletion is completed within 30 days. We do not retain backup copies of deleted accounts.

8. Your obligations as controller

As the data controller, you are responsible for:

  • Having a lawful basis for collecting tenant personal data
  • Informing tenants about how their data is stored and processed
  • Responding to data subject access requests from your tenants
  • Ensuring any Right to Rent data is collected lawfully under the Immigration Act 2014

9. Contact

For questions about this DPA or data processing, email us at getbrikkpm@gmail.com or use our contact form.