The DPA, in standard form.

This DPA is between RealHQ (the “Processor”), operated by BrainFeed Solutions of Ahmedabad, India, and the Agency subscribed to the RealHQ service (the “Controller”). It supplements the Terms of Service and applies whenever Processor handles personal data on behalf of Controller.

“Personal Data”, “Processing”, “Controller”, “Processor”, “Sub-Processor”, and “Data Subject” have the meanings given in applicable data protection law (including GDPR, UK GDPR, and the Australian Privacy Act, as applicable).

• Subject matter — provision of the RealHQ service per the Terms.
• Duration — for as long as the subscription is active, plus the retention period for closure (30 days).
• Nature and purpose — hosting, storing, retrieving, and transmitting personal data to deliver the service.
• Types of data — contact details, agency metadata, listing data, appointment records, notes, tasks.
• Categories of data subjects — Agency staff, Agency contacts (buyers, sellers, tenants, applicants).

• Process personal data only on documented instructions from Controller (including via the product UI)
• Maintain appropriate technical and organisational security measures (see Security)
• Ensure personnel with access are bound by confidentiality
• Assist Controller in responding to data-subject requests
• Notify Controller without undue delay (within 72 hours) of any personal-data breach
• Make available all information necessary to demonstrate compliance, and contribute to audits

Controller authorises Processor to engage the sub-processors listed in the Privacy Policy. Processor will notify Controller of any intended addition or replacement of sub-processors with at least 30 days’ advance notice. Controller may object on reasonable grounds; if unresolved, Controller may terminate the affected service.

Each sub-processor is bound by contract to obligations no less protective than those in this DPA.

Personal data is stored in the region matched to the Controller’s primary market (Mumbai for India, Sydney for AU/UK). Where personal data is transferred across borders to a sub-processor, transfer mechanisms include Standard Contractual Clauses, Adequacy Decisions, or equivalent under applicable law.

• TLS 1.3 in transit, AES-256 at rest
• Postgres row-level security per agency_id on every table
• Auth.js v5 with role-based access control
• Audit logs for production data access by Processor personnel
• Daily automated backups, 30-day point-in-time recovery
• Annual review and penetration testing (planned)

Processor provides Controller with the tools to fulfil data subject access, correction, erasure, restriction, portability, and objection requests directly from the product. Where Processor receives a request directly, it will redirect the request to Controller without responding to it (except as required by law).

Processor will make available to Controller, on reasonable request and subject to reasonable confidentiality undertakings, the information necessary to demonstrate compliance with this DPA, including the latest audit report (when available) and responses to security questionnaires.

On termination of the service, Processor will, at Controller’s choice, return or delete all personal data within 30 days, unless Union or Member State law requires further storage. The Privacy Policy and Terms describe the export mechanisms.

Liability under this DPA is subject to the limitations and exclusions in the Terms. Nothing in this DPA limits any liability that cannot be excluded under applicable law.

For a countersigned copy of this DPA, email legal@realhq.io with your Agency name and registered legal entity. We’ll return a signed PDF within one business day.