Data Processing Agreement (DPA)
This document is the Data Processing Agreement between your organization (data controller) and Rentcla (data processor), pursuant to Article 28 of the GDPR. It applies automatically to all customers processing personal data of EU residents through Rentcla.
Last updated: June 1, 2026
1. Subject
Rentcla processes personal data on behalf of the customer with the sole purpose of providing the contracted service. The scope, nature, and purpose of processing are described in the Terms of Service and Privacy Policy.
2. Types of data
Rentcla may process: (a) identifying data of tenants, owners, and contacts (name, ID, address, email, phone); (b) financial data (rent, deposits, receipts); (c) platform usage data. Special categories of data (health, ideology, etc.) are not processed unless the customer voluntarily enters them, in which case it's the customer's responsibility to have obtained adequate consent.
3. Rentcla's obligations
Rentcla undertakes to: (a) process data only for the service purpose; (b) ensure staff confidentiality; (c) implement the technical and organizational measures described in Annex I; (d) notify the customer of any security breach in under 48 hours; (e) help the customer fulfill data subject rights; (f) make available to the customer all information necessary to demonstrate compliance.
4. Sub-processors
Rentcla uses the sub-processors listed at rentcla.com/privacy/subprocessors. Any significant change (addition or replacement) will be communicated to the customer at least 30 days in advance, giving the customer the opportunity to object on well-founded grounds.
5. International transfers
Data is processed in the European Economic Area. If a sub-processor requires a transfer outside the EEA, Rentcla ensures a valid legal basis exists (adequacy decision, EU Standard Contractual Clauses, or Binding Corporate Rules).
6. Security measures
Technical and organizational measures implemented include: (a) TLS 1.3 encryption in transit; (b) AES-256 encryption at rest; (c) multi-factor authentication available; (d) network segmentation; (e) encrypted daily backups; (f) role-based access controls; (g) immutable audit log; (h) annual penetration tests by an independent third party; (i) staff training on data protection.
7. Audit
The customer may request one audit per year of the security measures, with 30 days' notice. Rentcla may replace the on-site audit with: (a) independent audit reports (SOC 2, ISO 27001 when available); (b) response to a detailed questionnaire. The customer bears the audit cost unless non-compliance is demonstrated.
8. Return and deletion
Upon termination of the service, Rentcla will return to the customer all personal data in a standard format (CSV/JSON) or delete it, at the customer's choice. Deletion will be completed within 90 days, unless the law requires retention.
9. Liability
Each party is liable for damages caused by breach of its data protection obligations. Rentcla's total liability under this DPA is governed by the limits set in the Terms of Service, except for willful misconduct or gross negligence.
10. Governing law
This DPA is governed by the GDPR and by the Spanish law on personal data protection and digital rights (LOPDGDD).