Data Processing Agreement
Last updated: June 2026
1. Parties & Scope
This Data Processing Agreement (DPA) governs how BasePro processes personal data on behalf of its customers. BasePro acts as the data processor; the customer acts as the data controller. This agreement applies to all personal data processed through the BasePro platform in connection with the delivery of property management and asset intelligence services.
2. Processing Details
BasePro processes the following categories of personal data on behalf of the controller: account and contact information (names, emails, roles); property and tenancy records; financial transaction data; and operational records entered by the controller's users. Processing is conducted for the purpose of delivering the contracted platform services. The duration of processing corresponds to the active subscription term, plus any legally required retention period.
3. Controller Instructions
BasePro processes personal data only on documented instructions from the controller. No independent processing occurs beyond what is required to deliver the contracted service, maintain security, or comply with applicable law. If BasePro is required by law to process personal data beyond these instructions, it will inform the controller before doing so, unless prohibited by law.
4. Security Measures
BasePro maintains technical and organisational measures designed to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include 256-bit SSL encryption in transit, row-level security at the database layer, two-factor authentication, immutable audit trails, and role-based access controls. Full detail is available at /platform/security. BasePro reviews and updates these measures as the threat landscape evolves.
5. Sub-processor Management
BasePro engages sub-processors to deliver parts of the service. A current list of sub-processors is published at /legal/sub-processors. BasePro provides at least 30 days' advance notice before adding or materially changing a sub-processor. All sub-processors are bound by data processing obligations equivalent to those in this DPA. The controller may object to a new sub-processor within the notice period; if the parties cannot resolve the objection, either party may terminate the relevant service on written notice.
6. Data Subject Rights
BasePro assists the controller in fulfilling data subject rights requests, including requests for access, rectification, erasure, restriction, and portability under GDPR or ARCO statutory requirements. BasePro will forward any data subject request received directly to the controller without undue delay. Response timelines are the controller's responsibility; BasePro provides the technical means to respond within statutory timeframes.
7. Breach Notification
Upon becoming aware of a confirmed personal data breach, BasePro will notify the responsible controller without undue delay, and in any case within 72 hours of awareness. The notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it. BasePro will cooperate fully with any regulatory notification the controller is required to make.
8. Data Return & Deletion
On termination or expiry of the subscription, BasePro will, at the controller's election, either return all personal data in a portable format or securely delete it within 30 days. The controller may export data at any time during the subscription using the platform's export tools. Deletion is irreversible; BasePro recommends completing any required export before the 30-day window closes. Queries: privacy@basepro.io.