TLP Audits Data Processing Agreement

Last updated 12 November 2025

Part 1: Orientation

About this document

This Data Processing Agreement (DPA) sets out how The Letting Partnership processes and protects the data that it collects from you when you buy a TLP Audit. This DPA contains the following sections:

  • Part 1: Orientation - Key information and definitions to get you started.
  • Part 2: Data processing terms - Our respective rights and obligations in relation to the processing of your data.
  • Part 3: Data security - Organisational and technical measures TLP has in place.
  • Part 4: Processing details - Information about the data TLP will process and external services TLP uses.

This DPA applies whenever TLP processes personal data as the result of you requesting an Audit (HealthCheck, Client Money Audit, Quality Assurance Audit, Tenancy Deposit Audit, Tenancy Deposit Risk Assessment, TDS Review, Acquisition Audit, Accountant's Report or any other similar audit). The DPA sets out TLP's commitments to you, and your commitments to TLP. This DPA supplements the Audit Service Terms.

Important note: 

This DPA is part of your overall agreement with TLP and is therefore subject to the limitations of liability and liability caps in the Audit Service Terms.

Audits referred to throughout are not statutory audits conducted under the Companies Act 2006 or in accordance with UK auditing standards.

Who we are 

We are The Letting Partnership, a UK company with company number 04906228. TLP's address is Second Floor, 3 Liverpool Gardens, Worthing, West Sussex, BN11 1TF.

TLP is registered with the UK Information Commissioner's Office under number Z8961940. For any queries or requests relating to your data, contact us at enquiries@thelettingpartnership.co.uk

What we do

TLP provides outsourced client accounting and client money audit services to letting agents across the UK, helping them manage rents, deposits, and compliance efficiently. Client money audits can take the form of a HealthCheck, Client Money Audit, Quality Assurance Audit, Tenancy Deposit Audit, Tenancy Deposit Risk Assessment, TDS Review, Acquisition Audit, Accountant's Report or any other similar audit. Each one gives agents and/or CMP schemes, TDP schemes and regulatory bodies independent assurance that client money is being handled properly. 

In order to carry out an Audit, TLP will collect and process certain personal data provided by you through the TLP websites and via an Audit Questionnaire. We use this data to enable us to carry out a due diligence and risk assessment of your business using our proprietary analytics software, to stress test your answers against data from bank statements and to provide a risk report.

For the purposes of the General Data Protection Regulation:

  • TLP is a processor of your client data (any personal information of your landlords, their tenants and their transactional data such as rents and deposits), which you provide to TLP. Collection and processing of client data will be governed by this DPA.
  • TLP is a controller of your account data. Account data is data that relates to you registering and paying for the Audit: (i) your name and contact details, (ii) your billing information, (iii) data collected for identity verification, and (iv) logs of your activity on our platform. This DPA does not apply to account data, but TLP applies substantially the same technical, organisational and security measures as are described here. The way we process your account data is described in our Privacy Notice.

Terminology

Words used in this DPA like controller, processor, data subject, personal data and supervisory authority have the same meanings as in the Data Protection Laws. Data Protection Laws are EU and UK laws protecting individual rights with regard to the processing of their Personal Data. These include the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR) as retained in the UK under the European Union (Withdrawal) Act and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (and any relevant modifying legislation going forward).

Part 2: Data processing terms

TLP will comply with the following obligations in collecting and processing personal data that you provide to TLP. There are some important things you must do, too.

Your responsibilities

  1. Disclose lawfully. You must ensure there is a sound legal basis for you to disclose the client money account data and other Personal Data you provide to TLP.
  2. Provide instructions. This DPA will be treated as your instructions, in the absence of any other documented instructions.
  3. Inform TLP of changes. You must notify TLP in a timely manner of any changes to your data.

TLP's responsibilities

  1. Instructions. TLP will promptly notify you if TLP cannot follow your instructions (for example if your instructions are not compatible with a relevant Data Protection Law).
  2. Process lawfully. TLP will process Personal Data only to the extent necessary to provide access to and undertake the Audit, in accordance with this DPA. TLP maintains a register of the types of Personal Data processed and any authorised transfers of Personal Data and will provide a copy of the register to you on request. This agreement can be treated as such a register if it already contains the full details.
  3. Stop processing when the Audit is completed. When the Audit is complete (e.g. your Audit report is delivered), TLP will cease to process the Personal Data. TLP will retain some categories of Personal Data for legal, regulatory and tax reasons, and in case you have queries about the Audit service we have provided you. TLP will only retain Personal Data to the extent reasonably necessary for these purposes. Further information about retention periods is provided in the Privacy Notice on our website.  
  4. Deletion. When any retention periods are over, TLP will delete Personal Data from its systems in a manner designed to render such data unrecoverable. TLP will cease any destruction or deletion of Personal Data in response to a written request from you stating that such data or records may be relevant to anticipated litigation.

    TLP may retain data for technical reasons where deletion is not possible (for example the data is stored in backup archives), in which case TLP will isolate your data from further processing until deletion is possible.

  5. Not disclose to third parties. TLP will not disclose or transfer any of your Personal Data to any third parties other than to (a) permitted subprocessors, and (b) relevant stakeholders as authorised under the Service Terms, which might include:
    1. Deposit Protection Scheme or Client Money Protection Scheme providers, to request details relating to your registration;
    2. other third parties to verify the information and documents provided by you;
    3. your scheme provider (Redress Scheme, Deposit Protection Scheme, Client Money Protection Scheme) where the type of Audit requires it;
    4. to any letting industry regulator, franchisor, HMRC, National Trading Standards or to the Police if we find evidence of material irregularities or fraud.

    TLP will ensure that employees and permitted subprocessors are aware of the importance of treating the Personal Data in a confidential and secure manner and provide appropriate training.

  6. Subprocessors. TLP may subcontract its activities under this DPA (including the processing of personal data) to third party service providers. A list of subprocessors is provided in Part 3 of this DPA.  TLP will engage subprocessors on written contractual terms which meet the standards required by applicable law and this DPA. TLP will remain liable for the acts and omissions of all permitted subprocessors.

    TLP may update its permitted subprocessor list at any time. TLP will notify you in advance of any material changes to the list that could significantly impact the way in which your data is processed.

  7. Right to object to subprocessors. You must notify TLP in writing if you object to any new subprocessor on reasonable grounds. If we cannot agree on a solution, TLP may suspend or terminate the Audit or part of it.
  8. International transfers. TLP will not transfer any Personal Data to a country or territory outside of the European Equivalent Protection Area, unless (a) the transfer is made to a permitted subprocessor, and (b) by lawful means.

    Lawful means will usually be the Standard Contractual Clauses approved by the European Commission Decision of 4 June 2021 for the transfer of personal data from the EEA (SCCs), or the International Data Transfer Addendum issued by the Information Commissioner's Office (IDTA).

    European Equivalent Protection Area means: (a) countries within the European Economic Area (EEA); and (b) countries in respect of which a valid adequacy decision has been issued by the European Commission or adequacy determined in another valid method under applicable Data Protection Law.

  9. Responsibility and training. TLP will appoint a designated contact responsible for data processing under this DPA. TLP will ensure that employees and permitted subprocessors are aware of the importance of treating the Personal Data in a confidential and secure manner and provide appropriate training. Training will include data classification obligations, physical security controls, security practices and security incident reporting.  Disciplinary processes will be appropriately applied if employees commit a security breach.
  10. Security measures. TLP will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks present in processing Personal Data, to protect against accidental loss, destruction, alteration, unauthorised disclosure or theft of Personal Data. TLP may update the security measures from time to time, provided that such updates do not degrade or diminish the overall security of the Audit.
  11. Keep data up to date. TLP will promptly comply with any request from you to update, amend or correct the Personal Data, to the extent it is relevant to (a) an ongoing Audit, (b) account data we retain after an Audit is complete.
  12. Assisting you to comply with your data controller obligations. TLP will provide reasonable assistance to help you comply with your obligations as Controller under data protection laws, in particular with data protection impact assessments, responding to data subject requests and responding to supervisory authorities. If requested, TLP will provide you with information to demonstrate TLP's compliance with this DPA.
  13. Data requests. TLP will immediately refer to you any requests (including notices, complaints and enforcement action) relating to the Personal Data from data subjects or supervisory authorities and cooperate with you to enable you to comply with the same. TLP will not disclose more in response to such requests than is required by law or by a formal request of a public authority (unless otherwise agreed with you) and will keep a record of the disclosure.
  14. Your right to audit TLP. If TLP has suffered a security incident (as defined below), or if required by a competent data authority, TLP will permit you (or your appointed third-party auditors) to conduct an audit during normal business hours on reasonable prior notice.

    If TLP provides to you a third party audit report, this will be regarded as adequate discharge of the above audit obligation, unless an on-site or remote audit is required by a data authority or by law, or you consider (acting reasonably) that the audit report does not adequately evidence TLP's compliance with this data processing agreement.

  15. Security incidents. TLP will notify you without delay of any security incident. A security incident is any accidental, unauthorised or unlawful disclosure, alteration, corruption, loss of or damage to any of your Personal Data, or any physical or network security incident that is likely to give rise to such a data breach.

    TLP will provide you in a timely manner with a detailed description of the incident including the Personal Data records impacted, the likely consequences, and measures taken or proposed to mitigate the incident. TLP will, at its own expense, investigate the incident and take measures to remedy it, mitigate its impact and prevent further incidents, and cooperate with you in doing so. TLP will not inform any third party without first obtaining your prior consent, except (a) as may be strictly required by law or (b) to third party advisers for the purpose of containing, investigating or responding to the incident.

Part 3: Data security

TLP will implement and maintain organisational and technical measures to ensure your data remains safe and secure. The following sets out the typical measures TLP will implement. 

Systems:

  1. Information security. Implement an information security management system covering its own personnel and permitted subprocessors who have access to personal data to maintain the integrity, confidentiality, resilience and availability of personal data, prevent unauthorized persons from gaining access to personal data, and to prevent systems processing personal data being used without authorization.
  2. On-site security. Maintain appropriate security systems at all TLP sites at which an information system that uses or houses Personal Data is located.

People: 

  1. Access controls. Ensure that TLP personnel gain access only to Personal Data that they are entitled to access, and only for the time necessary. 

    Permit only authorised personnel to grant, modify or revoke access to an information system that uses or houses Personal Data.

    Adopt user authentication procedures based on segregation of duties and least privilege. Unique user IDs and passwords will be required to access Personal Data. Access will be restricted to active users only.

  2. Employee checks. Take measures to ensure the reliability of its employees and permitted subprocessors prior to their engagement, with appropriate background checks and references.

Processes:

  1. Back-ups. Adopt appropriate measures to support access and restoration of data in the event of a physical or technical incident impacting data integrity or availability. Perform and maintain secure back-ups of all Personal Data, stored off-site.

Technology:

  1. Network and systems security. Maintain network security using commercially available equipment and industry standard techniques, including firewalls, intrusion detection systems, access control lists and secure routing protocols.

    Ensure that personal data which is processed in a cloud computing environment (meaning on servers that are not owned or operated by TLP) is safeguarded by applying suitable cloud computing standard data security principles.

    Have in place appropriate systems and procedures to ensure that Personal Data is not read, copied, modified or deleted without authorization during processing, storage and transmission.

  2. Virus and malware controls. Ensure that TLP systems, and those of its hosting providers and permitted subcontractors, are maintained with industry standard and up-to-date anti-virus and malware protection software to check for, contain the spread of, and minimise the impact of malicious software on those systems.

Part 4: Data processing details

This section specifies the kind of data that TLP will collect and process, where it will process and store the data, and describes TLP's use of subprocessors.

  1. What we process and how

    Personal Data processed

    • Personal data appearing in tenant transaction data, such as landlord and tenant names and reference numbers.
    • Bank details of any bank account held by you that is used for client money
    • Directors' names
    • Directors' dates of birth (in some cases only)
    • Information regarding any bankruptcies, receiverships or liquidations
    • Details where a Principal, Partner or Director has been struck off by Companies House
    • Personal data in records of your Redress Schemes, Deposit Protection Schemes, Client Money Protection Schemes, and other industry regulatory and trade body memberships
    • Personal data appearing in records of insurance cover held
    • Personal data appearing in records of your company's current residential letting portfolio
    • Name, email address and phone number of person completing the Audit Questionnaire.

    Documents processed

    The following is a non-exhaustive list of the kind of documents TLP will process as part of onboarding you and providing the Audit:

    • Bank statements (uploaded by you or accessed by TLP via GoCardless or other open banking feed)
    • Documents from your Scheme Providers relating to your Deposit Protection Scheme or Client Money Protection Scheme
    • Other documents you upload or send to TLP pursuant to the Audit Questionnaire
    • Identity and other documents provided pursuant to identity verification.

    Categories of Data Subject

    • Your clients (landlords) and their tenants
    • Other data subjects that may appear in the documents processed.

    Nature and purpose of processing

    • The provision of the Audit and delivery of Audit Reports to authorised parties.
    • Conducting identity checks for the above purposes.
    • Creating anonymised aggregated datasets (combining the data in your Audit application and reports generated using that data) with other users' data, for improving TLP's service and technology, generating reports, and spotting trends. The anonymisation process will comply with GDPR requirements, and any data remaining identifiable or re-identifiable remains personal data subject to the protections under this DPA.

    Duration of processing

    As described in Part 2 above.

    Point of contact for data queries and complaints

    enquiries@thelettingpartnership.co.uk

  2. Location and subprocessors

    Server locations

    Your data will be hosted on Amazon Web Services (AWS) servers at locations in the EU (a list of then-current locations can be provided on request). Any changes to locations notified to TLP by AWS will be communicated to you. TLP will not relocate your data to a location outside of the EU without prior notice to you.

    Access to data centers

    It is not possible for TLP to provide physical access to its cloud hosting provider's servers or data centers. Any of your audit or inspection rights under this agreement do not extend to the systems or personnel of TLP's cloud hosting providers or any of the permitted subprocessors listed below.

    Permitted subprocessors

    As with most technology businesses, TLP uses third parties to host its application and manage business operations. If it requires transferring data outside of the European Equivalent Protection Area, TLP makes sure that it is done under available lawful mechanisms. TLP uses the following providers which are treated as permitted subprocessors under this agreement. By using TLP's services, you agree to the transfer of personal data outside of the European Equivalent Protection Area (as indicated below) as the result of TLP's use of these subprocessors.

    | Processor | Purpose / nature of processing | Server location | Legal mechanism* |
    |---|---|---|---|
    | Microsoft | Send and receive emails, manage documents. | Europe, USA | SCCs + IDTA |
    | AWS | Hosting user account data and data and documents submitted for the purposes of the Audit. | Europe | N/A |
    | Formstack | Webform technology used for submitting the Audit request. | USA | EU-US Data Privacy Framework & Swiss-US DPF (see Formstack privacy terms) |
    | GoCardless | Retrieval of bank statements and transactional data of tenants via the GoCardless live bank feed API. | Europe, worldwide | Lawful means as described in the GoCardless privacy centre |
    | Stripe | Processing payment of the Audit fee. | Europe, USA | EU-US Data Privacy Framework & Swiss-US DPF (see Stripe privacy terms para 6) |
    | OpenAI | Process and convert uploaded bank statements into CSV files (if you do not connect your GoCardless account). | Europe, USA | SCCs + IDTA |
    | LoftyWorks | Operates TLP's platform and integration with GoCardless. | Europe, USA | N/A for data processed by LoftyWorks on its platform. SCCs + IDTA to the extent LoftyWorks uses any subprocessors. |
    | Moatable Inc. (parent company of TLP) | Processing of your billing and subscription data through a centralised group finance system. | USA | SCCs + IDTA under an intra-group data processing agreement. |

    *Standard Contractual Clauses approved by the European Commission Decision of 4 June 2021 for the transfer of personal data from the EEA (SCCs), or the International Data Transfer Addendum issued by the Information Commissioner's Office (IDTA).