UK GDPR Compliance: Register of Processing Activities (ROPA) & Data Processing Agreements (DPAs)
Release: v1.0.267 | Framework: GDPR | Status: Action Required
Overview
As part of our ongoing commitment to UK GDPR compliance, release v1.0.267 identifies a requirement to formally document a Register of Processing Activities (ROPA) and maintain executed Data Processing Agreements (DPAs) with all sub-processors.
This affects how personal data — including landlord details, National Insurance Numbers, property finance records, and HMRC submission data — is recorded, processed, and safeguarded across the platform.
What Is a ROPA?
A Register of Processing Activities is a written internal record required by UK GDPR Article 30. It documents every way your organisation processes personal data. It is not a public document, but it must be available to the Information Commissioner's Office (ICO) on request.
Required ROPA Fields
| Field | Description |
|---|---|
| Controller details | Name and contact of the data controller |
| Purpose of processing | Why the data is being processed |
| Legal basis | e.g. contractual necessity, legitimate interest, legal obligation |
| Data categories | Types of personal data processed (e.g. financial, identity) |
| Data subject categories | e.g. landlords, tenants, HMRC representatives |
| Recipients | Internal teams and third-party sub-processors |
| International transfers | Countries data is transferred to and the safeguard mechanism used |
| Retention periods | How long each category of data is kept |
| Security measures | High-level description of technical and organisational controls |
Sub-Processors Requiring Executed DPAs
The following third-party sub-processors handle personal data on behalf of the platform. A signed DPA must be in place with each:
| Sub-Processor | Role | Transfer Risk |
|---|---|---|
| Neon | PostgreSQL database hosting | Assess data residency |
| Vercel | Application and API hosting | Assess data residency |
| TrueLayer | Open banking / financial transaction import | UK/EU regulated |
| Resend | Transactional email delivery | Assess data residency |
| Twilio | SMS and communications | US-based — SCCs required |
| Inngest | Background job and event processing | Assess data residency |
| Sentry | Error tracking and monitoring | US-based — SCCs required |
Note: Where a sub-processor is based outside the UK/EEA, Standard Contractual Clauses (SCCs) or another approved transfer mechanism must be in place and documented in the ROPA.
What Needs to Be Done
1. Create the ROPA
- Document all processing activities across the platform (e.g. HMRC MTD submissions, transaction imports from AgentOS, user authentication, error logging).
- For each activity, record the fields listed in the table above.
- Store the ROPA as an internal compliance document; review and update it whenever a new sub-processor is added or processing changes.
2. Execute DPAs with All Sub-Processors
- Contact each sub-processor listed above and obtain their standard DPA.
- Review the DPA to ensure it meets UK GDPR requirements (particularly Article 28).
- Sign and store executed copies securely.
- For US-based processors (e.g. Twilio, Sentry), ensure SCCs are incorporated into or annexed to the DPA.
3. Update the Privacy Policy
- The privacy policy (`src/app/privacy/page.tsx`) should be updated to reference:
  - The existence of a ROPA (even if internal)
  - That DPAs are maintained with all sub-processors
  - The specific international transfer mechanisms in use
Why This Matters
This platform processes sensitive financial and identity data, including:
- National Insurance Numbers (required for HMRC MTD submissions)
- Property income and expense records
- Bank transaction data imported via TrueLayer / AgentOS
- HMRC submission history
Failure to maintain a ROPA or executed DPAs is a breach of UK GDPR Article 30 and Article 28 respectively, and can result in enforcement action by the ICO.