Register of Processing Activities
Published under UK GDPR Article 30 — Last updated: 26 March 2025
Data Controller Details
- Controller Name
- AgentOS Ltd
- Territory
- United Kingdom
- Data Protection Contact
- privacy@agentos.com
- Applicable Legislation
- UK GDPR; Data Protection Act 2018
What is this document?
UK GDPR Article 30 requires organisations that process personal data to maintain a written record of all processing activities. This Register of Processing Activities (ROPA) documents each distinct processing activity carried out by AgentOS Ltd, including its purpose, legal basis, data categories involved, data subjects affected, recipients, retention periods, international transfer mechanisms, and security measures applied. This document is reviewed and updated whenever a new processing activity is introduced or an existing one materially changes.
Personal Data Breach Notification Procedure (UK GDPR Art. 33)
AgentOS Ltd operates a documented incident response procedure in compliance with UK GDPR Article 33. In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the ICO without undue delay and no later than 72 hours after becoming aware of it. Our breach detection sources, severity classification matrix, DPO escalation procedure, 72-hour ICO notification decision tree, and affected-user notification template are documented in our Incident Response Runbook ↗. Breach incidents are automatically triaged via the breach/incident-created event pipeline; see the Personal Data Breach Incident Management processing activity below. To report a suspected breach, contact privacy@agentos.com immediately.
Processing Activities
User Account Registration & Authentication
- Purpose
- Create and manage user accounts; authenticate users when they sign in to the service.
- Legal Basis
- Contract (Art. 6(1)(b))
- Data Categories
- Full name
- Email address
- Hashed password
- Data Subjects
- Landlords and their organisation members
- Recipients / Sub-processors
- Neon Inc. (database)
- Vercel Inc. (hosting)
- Upstash Inc. / Vercel KV (distributed rate limiting — user IDs and IP addresses as rate-limit keys)
- Retention Period
- Duration of account + 30 days post-deletion
- International Transfers
- Neon (US — SCCs/IDTA); Vercel (US/EU edge — SCCs/IDTA); Upstash (US — SCCs/IDTA)
- Security Measures
- AES-256-GCM at rest; TLS 1.2+ in transit; bcrypt password hashing; rate-limit keys are hashed identifiers only; no names, emails or other raw personal data values are stored in the rate-limit store
HMRC MTD Quarterly Income Tax Submissions
- Purpose
- Collect National Insurance Numbers and HMRC OAuth tokens; submit quarterly income and expense updates to HMRC under the Making Tax Digital for Income Tax Self Assessment (MTD ITSA) regime.
- Legal Basis
- Legal Obligation (Art. 6(1)(c)); Contract (Art. 6(1)(b))
- Data Categories
- National Insurance Number (NINO)
- HMRC OAuth access token (encrypted)
- HMRC OAuth refresh token (encrypted)
- Financial transaction data (income & expenses)
- Property portfolio data
- Data Subjects
- Landlords subject to MTD ITSA
- Recipients / Sub-processors
- HMRC (statutory recipient — UK)
- Neon Inc. (database)
- Vercel Inc. (hosting)
- Retention Period
- NINO: Duration of account. Financial records & submissions: 7 years (HMRC statutory requirement).
- International Transfers
- HMRC: UK (no transfer). Neon (US — SCCs/IDTA); Vercel (US/EU edge — SCCs/IDTA).
- Security Measures
- NINO encrypted with separate AES-256-GCM key; tokens encrypted at rest; decrypted on-demand only; never logged or exposed in URLs
Property Portfolio Management
- Purpose
- Store, display, and manage landlord property addresses and portfolio details to associate financial transactions and MTD submissions with the correct property.
- Legal Basis
- Contract (Art. 6(1)(b))
- Data Categories
- Property addresses
- Property descriptions
- Portfolio metadata
- Data Subjects
- Landlords
- Recipients / Sub-processors
- Neon Inc. (database)
- Vercel Inc. (hosting)
- Retention Period
- Duration of account; 7 years for records linked to HMRC submissions
- International Transfers
- Neon (US — SCCs/IDTA); Vercel (US/EU edge — SCCs/IDTA)
- Security Measures
- Row-level security (RLS) on database; RBAC enforced at every API endpoint; TLS 1.2+ in transit
AgentOS Letting Agent Data Import
- Purpose
- Import property, tenancy, and financial transaction data from the landlord's letting or estate agent via the AgentOS API to pre-populate the MTD service.
- Legal Basis
- Contract (Art. 6(1)(b))
- Data Categories
- Tenant names and tenancy dates
- Rental income and agent fee data
- Property addresses
- Data Subjects
- Landlords; tenants (limited transaction/tenancy metadata)
- Recipients / Sub-processors
- AgentOS Ltd (data source — UK)
- Neon Inc. (database)
- Vercel Inc. (hosting)
- Retention Period
- 7 years from transaction date (HMRC statutory requirement)
- International Transfers
- AgentOS: UK (no transfer). Neon (US — SCCs/IDTA); Vercel (US/EU edge — SCCs/IDTA).
- Security Measures
- AgentOS API key encrypted at rest; tenant data minimised to names and dates; RLS on database
Open Banking Data Import via TrueLayer
- Purpose
- With user consent, connect to the landlord's bank account via the TrueLayer Open Banking API to import bank transaction data for reconciliation with property income and expenses.
- Legal Basis
- Contract (Art. 6(1)(b)); Consent (Art. 6(1)(a)) for bank account connection
- Data Categories
- Bank account details (account number, sort code, IBAN — stored encrypted)
- Bank transaction history (amounts, merchants, dates)
- TrueLayer OAuth access token (encrypted)
- TrueLayer OAuth refresh token (encrypted)
- Data Subjects
- Landlords who opt in to Open Banking
- Recipients / Sub-processors
- TrueLayer Ltd (Open Banking provider — UK/EEA)
- Neon Inc. (database)
- Vercel Inc. (hosting)
- Retention Period
- Bank tokens: until revoked or account deletion. Transaction data: 7 years from transaction date.
- International Transfers
- TrueLayer: UK/EEA (no restricted transfer). Neon (US — SCCs/IDTA); Vercel (US/EU edge — SCCs/IDTA).
- Security Measures
- Bank account PII and tokens encrypted with dedicated AES-256-GCM key; consent obtained before connection; revocable at any time
Transactional Email Delivery
- Purpose
- Send service notifications including HMRC submission confirmations, deadline reminders, bank consent expiry warnings, and system alerts.
- Legal Basis
- Contract (Art. 6(1)(b)); Legitimate Interests (Art. 6(1)(f)) for security alerts
- Data Categories
- Email address
- Name (for personalisation)
- Data Subjects
- Landlords and organisation members
- Recipients / Sub-processors
- Resend Inc. (email delivery — US)
- Retention Period
- Email logs retained by Resend per their data retention policy (typically 30 days)
- International Transfers
- Resend: US — SCCs/IDTA applied
- Security Measures
- TLS in transit; no sensitive financial data included in email body
SMS and WhatsApp Notification Delivery
- Purpose
- Send urgent service notifications via SMS or WhatsApp, including critical deadline reminders and submission failure alerts.
- Legal Basis
- Contract (Art. 6(1)(b)); Consent (Art. 6(1)(a)) for WhatsApp
- Data Categories
- Mobile phone number
- Data Subjects
- Landlords who opt in to SMS/WhatsApp notifications
- Recipients / Sub-processors
- Twilio Inc. (SMS/WhatsApp — US)
- Retention Period
- Message logs retained by Twilio per their data retention policy
- International Transfers
- Twilio: US — SCCs/IDTA applied
- Security Measures
- No sensitive financial data transmitted via SMS/WhatsApp; consent obtained before opt-in
Background Job Orchestration
- Purpose
- Orchestrate scheduled and event-driven background tasks including bank sync, HMRC obligation polling, and quarterly deadline reminders via Inngest.
- Legal Basis
- Contract (Art. 6(1)(b))
- Data Categories
- Organisation IDs and user IDs (job routing metadata)
- Minimal event payloads (e.g. submission IDs, dates)
- Data Subjects
- Landlords
- Recipients / Sub-processors
- Inngest Inc. (job orchestration — US)
- Retention Period
- Job execution logs retained by Inngest per their data retention policy (typically 7 days)
- International Transfers
- Inngest: US — SCCs/IDTA applied
- Security Measures
- Event payloads minimised to IDs; no NINO, tokens, or financial data in job payloads; Inngest signing key used for payload verification
Security Monitoring & Error Tracking
- Purpose
- Detect, record, and alert on application errors, security incidents, and performance anomalies to maintain the security and reliability of the service.
- Legal Basis
- Legitimate Interests (Art. 6(1)(f))
- Data Categories
- IP addresses
- Browser/device metadata
- Stack traces (sanitised — no PII in error messages)
- Error context (e.g. route, action, non-sensitive metadata)
- Organisation IDs and operational metadata (incident webhook payloads)
- Data Subjects
- All users
- Recipients / Sub-processors
- SaaS Factory platform (error ingestion — UK/US)
- Salesforce / Slack Inc. (incident alerting — US, where SLACK_INCIDENT_WEBHOOK_URL is configured)
- Retention Period
- Error events: 90 days. Audit logs: 3 years.
- International Transfers
- SaaS Factory platform: UK (no restricted transfer where UK-hosted); Vercel (US/EU edge — SCCs/IDTA). Slack: US — SCCs/IDTA applied.
- Security Measures
- PII scrubbing applied before transmission; NINO and tokens never included in error context; Slack webhook payloads contain org IDs and operational metadata only — no NINO, passwords, or financial data; legitimate interests balancing test documented
Audit Logging
- Purpose
- Record all data-modifying operations within the service (create, update, delete) for security, fraud prevention, and dispute resolution purposes.
- Legal Basis
- Legitimate Interests (Art. 6(1)(f))
- Data Categories
- User ID and name
- IP address
- Action performed
- Resource type and ID
- Timestamp
- Data Subjects
- Landlords and organisation members
- Recipients / Sub-processors
- Neon Inc. (database)
- Vercel Inc. (hosting)
- Upstash Inc. / Vercel KV (distributed rate limiting — user IDs and IP addresses as rate-limit keys on audit endpoints)
- Retention Period
- 3 years
- International Transfers
- Neon (US — SCCs/IDTA); Vercel (US/EU edge — SCCs/IDTA); Upstash (US — SCCs/IDTA)
- Security Measures
- Audit log is append-only; accessible only to system administrators and the org owner; RLS enforced; rate-limit keys use hashed user IDs — raw PII values are not stored in KV
Personal Data Breach Incident Management
- Purpose
- Detect, classify, triage, and document personal data breaches in compliance with UK GDPR Article 33. Notify the DPO within the required timeframe to enable 72-hour ICO notification decisions. Record breach incidents as an immutable audit trail.
- Legal Basis
- Legal Obligation (Art. 6(1)(c)) — UK GDPR Art. 33 / DPA 2018
- Data Categories
- Incident metadata (severity, affected data categories, estimated user count)
- Audit log entries for the detected breach
- DPO notification records (email delivery timestamps)
- Data Subjects
- Data subjects potentially affected by the breach; DPO
- Recipients / Sub-processors
- DPO / Data Protection contact (internal)
- ICO (if notification required under Art. 33)
- Affected individuals (if high-risk breach under Art. 34)
- Neon Inc. (audit log storage)
- Resend Inc. (DPO email notification)
- Inngest Inc. (automated triage orchestration)
- Retention Period
- Breach records: minimum 3 years (ICO enforcement guidance); audit log: 3 years
- International Transfers
- ICO: UK authority (no restricted transfer). Resend (US — SCCs/IDTA); Inngest (US — SCCs/IDTA); Neon (US — SCCs/IDTA).
- Security Measures
- Breach incident records are append-only audit log entries; DPO notifications sent via encrypted TLS; no NINO or financial data included in breach triage payloads
Distributed Rate Limiting
- Purpose
- Enforce request rate limits across the API (per user for authenticated requests, per IP address for unauthenticated requests) to prevent abuse, credential stuffing, and denial-of-service attacks. Rate-limit state is stored in a distributed Redis store (Vercel KV, backed by Upstash) so limits are shared across all serverless function instances.
- Legal Basis
- Legitimate Interests (Art. 6(1)(f))
- Data Categories
- User IDs (as rate-limit key identifiers for authenticated requests)
- IP addresses (as rate-limit key identifiers for unauthenticated requests)
- Data Subjects
- All users
- Recipients / Sub-processors
- Upstash Inc. / Vercel KV (distributed rate-limit state store — US)
- Retention Period
- Rate-limit counters expire automatically after 2× the rate-limit window (typically 2–10 minutes). No long-term retention.
- International Transfers
- Upstash (US — SCCs/IDTA applied via Vercel's DPA with Upstash)
- Security Measures
- Only hashed identifiers (user ID or IP) stored — no names, emails, or financial data; short automatic TTLs; TLS 1.2+ in transit; keys are scoped to namespace:identifier and cannot be used to reconstruct original user records
Sub-processor Data Processing Agreement Register
All sub-processors are required to enter into a Data Processing Agreement (DPA) with AgentOS Ltd before any personal data is transferred to them. The table below records each sub-processor, their role, data location, and the transfer mechanism used for international transfers outside the UK.
| Sub-processor | Role | Data Location | Transfer Mechanism | DPA Reference |
|---|---|---|---|---|
| Neon Inc. | Managed PostgreSQL database | US (AWS us-east-1) / EU (configurable) | SCCs (Module 2) / UK IDTA | View DPA ↗ |
| Vercel Inc. | Application hosting, edge compute, CDN | US / EU edge PoPs | SCCs (Module 2) / UK IDTA | View DPA ↗ |
| TrueLayer Ltd. | Open Banking connectivity | UK / EEA | UK/EEA — no restricted transfer | View DPA ↗ |
| Resend Inc. | Transactional email delivery | US | SCCs (Module 2) / UK IDTA | View DPA ↗ |
| Twilio Inc. | SMS and WhatsApp notifications | US | SCCs (Module 2) / UK IDTA | View DPA ↗ |
| Inngest Inc. | Background job orchestration | US | SCCs (Module 2) / UK IDTA | View DPA ↗ |
| Upstash Inc. / Vercel KV | Distributed rate limiting — stores user IDs and IP addresses as short-lived rate-limit keys on every authenticated API request | US (AWS us-east-1) | SCCs (Module 2) / UK IDTA (via Vercel DPA with Upstash) | View DPA ↗ |
| Salesforce / Slack Inc. | Incident alerting — receives org IDs, error context, and operational metadata via the platform incident webhook (SLACK_INCIDENT_WEBHOOK_URL) for P0/P1 engineering alerts | US (Slack infrastructure) | SCCs (Module 2) / UK IDTA | View DPA ↗ |
| AgentOS Ltd. | Letting agent data source (property, tenancy, transactions) | UK | UK — no restricted transfer | DPA incorporated in AgentOS service agreement |
| HMRC | Statutory recipient of MTD quarterly updates | UK | UK — statutory authority, no restricted transfer | View DPA ↗ |
SCCs = EU Standard Contractual Clauses, used for UK restricted transfers together with the ICO's International Data Transfer Addendum. IDTA = UK International Data Transfer Agreement. Module 2 = controller-to-processor transfer.
Note on org_id classification: Organisation IDs transmitted in Slack incident webhook payloads may constitute personal data under UK GDPR where an organisation is operated by an individual (a sole trader or a single-director company). In such cases org_id is treated as personal data and its transmission to Slack is covered by this register. Where org_id refers to a multi-person legal entity only, it is treated as non-personal operational metadata.
Data Subject Rights & Contact
To exercise your rights under UK GDPR (access, rectification, erasure, portability, restriction, or objection), or to request a copy of any executed DPA, please contact our Data Protection lead at privacy@agentos.com. Full details of your rights are set out in our Privacy Policy.