Data Processing Addendum
This Data Processing Addendum (the "DPA") supplements the Nineflat Terms of Service whenever a Nineflat customer (the "Controller") uses the Service to process personal data on behalf of their own end users — for example, Property Management Companies processing personal data of landlord clients, tenants, building residents, and technicians.
1. Roles
The Customer acts as the Data Controller in respect of personal data of its own clients (landlords, tenants, estate agents, building managers, technicians). Nineflat acts as the Data Processor. Where a resource is shared across multiple Customer accounts, each Customer remains a joint Controller for the personal data they contributed.
2. Categories of data
- Identity data: names, ΑΦΜ / tax IDs, contact details.
- Property data: addresses, ownership, lease terms.
- Financial data: rent amounts, payment records, payout accounts.
- Operational data: maintenance tickets, communications.
3. Field-level access controls
Nineflat enforces field-level redaction based on the Customer's resource share configuration. Building managers, technicians, and estate agents see only the resource fields explicitly permitted by their bundle and overrides. The Customer is responsible for configuring shares in accordance with their GDPR minimisation obligations.
4. Sub-processors
- AWS (EU-central-1) — hosting and object storage.
- Stripe — payment processing.
- AWS SES — transactional email.
- Clerk — identity and authentication.
- Infobip — SMS / Viber notifications (opt-in).
5. Data residency
Primary data stores are located in AWS EU-central-1 (Frankfurt). Stripe payment data may transit US infrastructure under standard contractual clauses.
6. Security measures
- Encryption at rest (AES-256) for all primary stores.
- Encryption in transit (TLS 1.2+) for all external endpoints.
- Least-privilege access with audit logging.
- Signed backups retained 30 days.
7. Deletion on contract end
On termination the Customer may export all data as CSV / JSON for 30 days. Thereafter, data is hard-deleted from primary stores. Backup rotations retire over 30 additional days.
This plain-English summary is provided for convenience. The legally binding DPA is executed separately on a signed copy — contact legal@nineflat.com.