Data Processing Agreements (DPAs) — Sub-Processor Compliance
NurtureHub processes personal data on behalf of property agents and their contacts. To comply with UK GDPR Article 28, a written Data Processing Agreement (DPA) must be in place with every third-party service (data processor) that handles personal data.
This page documents the DPA requirements identified under supply chain control SCR-16 and provides guidance on how to remediate the compliance gap.
What Is a DPA?
A Data Processing Agreement is a legally binding contract between a data controller (the agency using NurtureHub) and a data processor (any third-party service NurtureHub uses to process personal data on your behalf). Under UK GDPR Article 28, this agreement must:
- Define the subject matter and duration of processing
- Specify the nature and purpose of the processing
- State the type of personal data and categories of data subjects
- Set out the obligations and rights of both parties
Without a DPA, the use of a processor — regardless of how securely data is transmitted or stored — is non-compliant under UK GDPR.
Current Compliance Gap (SCR-16)
As identified in control SCR-16, no DPAs are currently documented or executed for any of the 10+ services that process personal data within the NurtureHub platform. This applies to all environments (production, staging, and development where real data is used).
This is a high-severity compliance gap and must be remediated by the data controller (the agency or platform operator) before personal data is transmitted to these services.
Sub-Processors Requiring DPAs
The following table lists all services currently identified as data processors, the categories of personal data they handle, and where their standard DPA can be obtained.
Email & Communications
| Service | Personal Data Processed | DPA / Legal Reference |
|---|---|---|
| Resend | Recipient names, email addresses, email content | resend.com/dpa |
| Twilio | Phone numbers, SMS message content | twilio.com/legal/data-protection-addendum |
AI Processing
| Service | Personal Data Processed | DPA / Legal Reference |
|---|---|---|
| OpenAI | Contact names, property details, and other data included in prompts | openai.com/enterprise-privacy |
Advertising Platforms
| Service | Personal Data Processed | DPA / Legal Reference |
|---|---|---|
| Meta Ads | Hashed PII for custom audience matching | business.facebook.com/legal/terms/dataprocessing |
| Google Ads | Hashed PII for customer match | business.safety.google/adsprocessorterms/ |
Data Sourcing
| Service | Personal Data Processed | DPA / Legal Reference |
|---|---|---|
| Apify | Scraped personal data | Contact Apify directly for DPA |
CRM Integrations
| Service | Personal Data Processed | DPA / Legal Reference |
|---|---|---|
| agentOS | Full contact records, tenancy data | Contact agentOS directly for DPA |
| Reapit | Full contact records | Contact Reapit directly for DPA |
| Alto | Full contact records | Contact Alto directly for DPA |
| Street | Full contact records | Contact Street directly for DPA |
| Loop | Full contact records | Contact Loop directly for DPA |
Infrastructure
| Service | Personal Data Processed | DPA / Legal Reference |
|---|---|---|
| AWS / Tigris | Documents and files containing personal data | Consult AWS Data Processing Addendum / Tigris terms |
| Inngest | Event payloads containing contact IDs and associated data | Contact Inngest directly for DPA |
Remediation Steps
This is an out-of-code business and legal action. The steps below must be completed by the data controller.
Step 1 — Execute DPAs
For each processor in the table above:
- Navigate to the DPA link provided.
- Complete the vendor's DPA process (many are self-service online sign-ups; others require a signed addendum).
- Retain a copy of the executed agreement.
Step 2 — Update the Sub-Processor Register
Maintain an internal sub-processor register recording:
- Processor name
- Services provided (what the processor does with the data)
- Categories of personal data transferred
- Country of processing (note: transfers outside the UK require additional safeguards under UK GDPR Chapter V)
- DPA execution date
- DPA version or reference number
- Next review date
Step 3 — Include Sub-Processors in Your Privacy Notice
Your agency's Privacy Notice must list or link to the current sub-processor register so that data subjects (contacts) are informed of who processes their data.
Step 4 — Ongoing Monitoring
- Review DPAs when vendor terms change.
- Assess new processors for DPA requirements before they are onboarded.
- Trigger a sub-processor register review at least annually.
Regulatory Reference
| Item | Detail |
|---|---|
| Regulation | UK GDPR |
| Article | Article 28 — Processor |
| Control | SCR-16 (Supply Chain Compliance) |
| ICO Guidance | ico.org.uk — Contracts and liabilities between controllers and processors |
Note: The absence of a DPA does not imply that data is insecure — NurtureHub applies encryption, access controls, and other technical measures throughout. However, the legal requirement for a written DPA exists independently of technical safeguards. Both must be in place for full UK GDPR compliance.