Sales Progressor

Data Processing Agreement

UK GDPR Article 28 agreement between an estate agency (data controller) and us (data processor).

Last updated 25 May 2026 · Version 1.0

Opens your browser’s print dialog — choose “Save as PDF” as the destination.

Parties

This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the Terms of Service between:

  • The Controller— the estate agency that uses the Sales Progressor platform and enters its clients’ personal data (“you”, “the Agency”); and
  • The ProcessorThe Sales Progressor Ltd, company number [Company number], registered office [Registered office address] (“we”, “us”).

It applies where we process personal data on the Agency’s behalf in providing the platform. It takes effect when the Agency accepts our Terms of Service.

1. Definitions

Terms such as “personal data”, “processing”, “controller”, “processor”, “data subject”, and “personal data breach” have the meanings given in UK GDPR and the Data Protection Act 2018(“Data Protection Law”). “Sub-processor” means any third party we engage to process personal data on the Agency’s behalf.

2. Roles

The Agency is the Controller of the personal data of its clients (buyers, sellers, solicitors, and other transaction parties) that it enters into the platform. We are the Processorof that data. We process it only to provide the platform, and only on the Agency’s documented instructions — which include these terms, the Terms of Service, and the Agency’s use of the platform’s features.

For our own platform-account and billing data, we are a separate controller — that processing is governed by our Privacy Policy, not this DPA.

3. Our obligations as processor

We will:

  • Process only on your instructions — and tell you if we believe an instruction breaches Data Protection Law, or if we are legally required to process beyond your instructions.
  • Keep data confidential — ensuring anyone we authorise to process it is bound by confidentiality.
  • Secure the data — maintaining appropriate technical and organisational measures (set out in Schedule C).
  • Use sub-processors responsibly — only as permitted in section 5.
  • Assist you — with responding to data-subject requests, with security and breach obligations, and with any data protection impact assessments, taking into account the nature of the processing and the information available to us.
  • Notify you of breaches — without undue delay after becoming aware of a personal data breach affecting your data, with the information you need to meet your own obligations.
  • Delete or return data — at the end of our services, delete or return the personal data as you choose, except where law requires us to retain it (see Schedule A retention).
  • Demonstrate compliance — make available the information reasonably needed to show we meet these obligations, and allow for audits as set out in section 6.

4. Your obligations as controller

You warrant that:

  • You have a lawful basis and any necessary consents to enter your clients’ personal data into the platform.
  • You have provided your clients with the privacy information Data Protection Law requires (including that a processor — us — handles their data on your behalf).
  • Your instructions to us comply with Data Protection Law.
  • You will not enter special category personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic or biometric data, health information, or data concerning sex life or sexual orientation) into the platform’s free-text or other fields. The platform is not designed to process special category data.

You are responsible for responding to your clients’ data-subject requests. Where a buyer or seller contacts us directly, we will direct them to you and assist you in responding.

5. Sub-processors

You give us general authorisation to engage sub-processors to help provide the platform. Our current sub-processors are listed in Schedule B. We impose data protection obligations on each sub-processor substantially equivalent to those in this DPA, and we remain responsible for their performance.

We will give you reasonable notice of any intended addition or replacement of a sub-processor, giving you the opportunity to object on reasonable data protection grounds.

6. Audit

We will make available to you the information reasonably necessary to demonstrate compliance with this DPA, including relevant third-party audit reports or security documentation where available. Where you reasonably require further information, we will discuss in good faith how to provide appropriate assurance, balancing your audit rights against the security and confidentiality of our systems and other customers’ data.

7. International transfers

Where providing the platform involves transferring personal data outside the UK, we ensure an appropriate safeguard is in place — the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs) — as reflected in our sub-processor arrangements (Schedule B).

8. Liability and term

Our liability under or in connection with this DPA is subject to the same limitations and exclusions (including the liability cap and the non-excludable carve-out) as set out in our Terms of Service. This DPA remains in force for as long as we process personal data on your behalf, and the obligations that by their nature should survive termination (confidentiality, deletion or return of data, and breach cooperation) continue to apply after it ends.

Schedule A — Details of processing

Subject matterProvision of the Sales Progressor property transaction management platform
DurationFor the term of the Agency’s use of the platform, plus retention as set out below
Nature and purposeTracking residential property transactions; sending progress updates and chase communications; providing buyers and sellers with a transaction portal; generating AI-assisted message drafts for the Agency’s review
Types of personal dataNames, email addresses, phone numbers, and transaction roles of buyers, sellers, solicitors, and other transaction parties; property addresses; transaction milestone data; communication logs
Categories of data subjectThe Agency’s clients and their representatives — buyers, sellers, solicitors, brokers, and other parties to a transaction
Special category dataNone. The platform is not designed to process special category data, and Agencies warrant under section 4 that they will not enter it.
RetentionTransaction data retained for 7 years after completion or cancellation (to meet estate-agency record-keeping obligations under anti-money-laundering regulations and HMRC tax-record requirements); otherwise deleted or returned at the end of services. See Privacy Policy.

Schedule B — Sub-processors

Current as of 25 May 2026:

Sub-processorPurposeLocation / transfer safeguard
SupabaseDatabase and file storageEU
VercelApplication hostingUS (SCCs + UK IDTA)
SendGrid (Twilio)Transactional emailUS (SCCs + UK IDTA)
AnthropicAI-assisted message drafting (limited data — see Terms §5)US (SCCs + UK IDTA)
StripePayment processing (Agency billing only)US (SCCs + UK IDTA)
UpstashRate limiting / infrastructureEU
PostHogAnalytics (consent-gated)EU
SentryError monitoringEU

Schedule C — Technical and organisational measures

We maintain measures appropriate to the risk, including:

  • Encryption of personal data in transit and at rest
  • Access control — role-based access, least-privilege, authentication including two-factor step-up for administrative access
  • Audit logging of administrative actions
  • Network protection — rate limiting and abuse protection on authentication and public endpoints
  • Error monitoring to detect and respond to faults
  • Sub-processor diligence — data protection terms imposed on each sub-processor
  • Breach response — procedures to detect, investigate, and notify personal data breaches

Contact

Questions about this DPA or data processing: support@thesalesprogressor.co.uk