Data Processing Addendum — Ploxit
Effective 20 May 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Ekofi Capital LLC ("Processor", "we") and you ("Controller", "you"), and applies to the extent we process personal data on your behalf in connection with Ploxit. Capitalised terms used and not defined here have the meaning given in UK GDPR.
1. Roles
1.1 You are the Controller of tenant personal data uploaded to or generated through your Ploxit account. We are the Processor, acting only on your documented instructions recorded in the Terms, this DPA and the configuration of your account.
1.2 We will inform you if, in our opinion, an instruction infringes UK GDPR or other applicable data protection law.
2. Scope of processing
2.1 Subject matter: provision of the Ploxit service.
2.2 Purpose: delivery of the Renters' Rights Act 2025 Information Sheet, recording delivery, open and acknowledgment events, and generating audit logs.
2.3 Duration: the subscription term, plus retention required by law (we retain audit logs for 6 years from the relevant event by default).
2.4 Data subjects: tenants and other recipients identified by you.
2.5 Data categories: name, email address, optional postal address, send / open / bounce / acknowledgment event metadata (timestamp, IP, user agent), and the Information Sheet version served.
2.6 Special category data: none. You will not upload special category data through Ploxit.
3. Confidentiality
We will ensure that personnel authorised to process personal data are bound by a duty of confidentiality (whether contractual or statutory) and are trained on their obligations.
4. Security (TOMs)
We maintain technical and organisational measures appropriate to the risk, including:
- TLS 1.2+ encryption in transit and AES-256 (or equivalent) encryption at rest;
- password hashing using a modern adaptive algorithm (bcrypt or stronger);
- role-based access controls with least-privilege defaults;
- session cookies marked HttpOnly, Secure and SameSite=Lax;
- tamper-evident audit logs of administrative and tenant-facing events;
- vulnerability monitoring and timely application of security patches;
- encrypted backups with restricted access and tested restore procedures;
- access reviews and offboarding procedures for personnel;
- vendor security review before engaging a new sub-processor.
We may update these measures provided that the overall level of security is not reduced.
5. Sub-processors
5.1 You authorise the sub-processors listed below. We will give you at least 14 days' notice (by email or in-product message) before engaging a new sub-processor. If you reasonably object on data-protection grounds, you may terminate your subscription without penalty before the new sub-processor goes live.
5.2 Each sub-processor is bound by a written contract imposing materially the same data protection obligations as in this DPA.
| Sub-processor | Purpose | Region | Transfer safeguard |
|---|---|---|---|
| MongoDB Atlas | Encrypted database hosting for landlord and tenant records and audit events | EU / UK region | Intra-UK / EEA; UK IDTA where applicable |
| Resend | Transactional email delivery and open / bounce tracking | United States | UK IDTA / EU SCCs with UK Addendum |
| Stripe | Payments and subscription billing (no card data stored by Ploxit) | United States / global | UK IDTA / EU SCCs with UK Addendum |
| Application hosting provider | Application runtime, edge delivery, DDoS protection | UK / EU region preferred where supported | UK IDTA / EU SCCs with UK Addendum where applicable |
6. International transfers
Where personal data is transferred outside the United Kingdom to a country without UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses together with the UK International Data Transfer Addendum, is incorporated into this DPA by reference as the appropriate safeguard.
7. Personal data breach
7.1 We will notify you without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting your data, with the information required by Article 33(3) UK GDPR to the extent then available.
7.2 We will assist you to comply with your own breach-notification obligations (taking into account the nature of processing and the information available to us).
8. Data subject requests
Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures to respond to requests by data subjects to exercise their rights under UK GDPR. We will forward to you, without responding, any request received directly from a data subject in relation to your tenants.
9. Records and audit
9.1 We maintain records of processing as required by Article 30 UK GDPR.
9.2 We will make available to you the information reasonably necessary to demonstrate compliance with our obligations. You may audit our compliance once per twelve-month period on 30 days' written notice, during business hours, subject to confidentiality and reasonable scope. We may satisfy this obligation by providing relevant third-party certifications or independent assurance reports.
10. Return or deletion
On termination, you may export your audit-log PDFs for 30 days. After that period, and at your election, we will return or delete the personal data we process for you within 90 days, except where retention is required by law (in which case we will isolate and protect the data for the remainder of the retention period).
11. Liability
Each party's liability under this DPA is subject to the limitations of liability in the Terms. Nothing in this DPA varies any allocation of liability between data controllers and data processors under UK GDPR.
12. Conflict
In the event of a conflict between this DPA and the Terms in relation to the processing of personal data, this DPA prevails.