Data Processing Agreement | ApartmentRentals.ai

This Data Processing Agreement ("DPA") is entered into pursuant to Art. 28 of the General Data Protection Regulation (GDPR) between the property owner ("Controller") and Urban Ground GmbH, Rheinsberger Str. 76/77, 10115 Berlin, Germany ("Processor"). ApartmentRentals.ai is a product of Urban Ground GmbH. Nimmi AI is a brand of Urban Ground GmbH.

1. Subject Matter & Duration

The Processor processes personal data on behalf of the Controller in connection with the provision of the ApartmentRentals.ai platform and Nimmi AI leasing assistant.

Nature of processing: Automated screening of rental applicants via phone conversations, data extraction, qualification, and viewing scheduling
Purpose: Lead qualification and viewing management on behalf of the property owner
Duration: For the duration of the service agreement between the Controller and the Processor

2. Types of Personal Data Processed

Applicant names and contact details (phone number, email address)
Household information (number of adults, children, pets)
Income indicators (income range relative to rent)
Move-in date preferences
Screening results and qualification status
Voice conversation recordings and structured summaries. Recordings are processed solely for documentation of the screening conversation content (Art. 6(1)(a) GDPR with Applicant consent). Voice data is not processed for biometric identification, speaker recognition, or voice profiling and therefore does not constitute special category data under Art. 9 GDPR. Recordings are not available for download and are automatically deleted after the configured retention period (default: 90 days). No training is performed on voice data.

3. Categories of Data Subjects

Rental applicants who contact the Controller's property listings
Property owners / platform users (account and billing data)

4. Controller Obligations

The Controller is responsible for ensuring a lawful basis for the processing of personal data, informing data subjects about the processing, and responding to data subject rights requests (with the Processor's assistance as described in Section 7).

5. Processor Obligations (Art. 28(3) GDPR)

The Processor shall:

(a) Process personal data only on documented instructions from the Controller, unless required by EU or Member State law
(b) Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
(c) Take all measures required pursuant to Art. 32 GDPR (see Annex: Technical and Organisational Measures)
(d) Respect the conditions for engaging sub-processors as set out in Section 6
(e) Assist the Controller in responding to data subject rights requests (Art. 15–22 GDPR)
(f) Assist the Controller in ensuring compliance with Arts. 32–36 GDPR (security, breach notification, DPIA)
(g) At the Controller's choice, delete or return all personal data after the end of the provision of services (see Section 8)
(h) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to audits

6. Sub-Processors

The Controller grants general written authorisation for the engagement of sub-processors. The following sub-processors are currently engaged:

Sub-Processor	Purpose	Location
Stripe, Inc.	Payment processing	Ireland, EU
Twilio, Inc.	Telephony, messaging, and email delivery	EU
Google	AI processing, authentication, and cloud infrastructure	Frankfurt, EU
Langfuse GmbH	AI observability	EU
Usercentrics GmbH	Cookie consent management	Munich, DE
PostHog, Inc.	Product analytics (consent-gated, EU Cloud, IP disabled, input masking)	Frankfurt, DE

The Processor shall inform the Controller of any intended changes to the list of sub-processors, giving the Controller the opportunity to object to such changes within 14 days. If the Controller objects, the Processor shall refrain from engaging the new sub-processor for the Controller's data or the Controller may terminate the agreement.

7. Data Subject Rights Assistance

The Processor shall assist the Controller in fulfilling data subject requests under Arts. 15–22 GDPR. The Processor shall promptly forward any data subject request received directly to the Controller and shall not respond independently unless instructed by the Controller.

8. Deletion & Return of Data

Upon termination of the service agreement, the Processor shall, at the Controller's choice, delete or return all personal data within 30 days and delete existing copies unless EU or Member State law requires storage of the personal data. Applicant screening data is automatically deleted after the configured retention period (default: 90 days).

9. Audit Rights

The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. Audits shall be conducted with reasonable prior notice and during normal business hours. All costs associated with audits initiated by the Controller, including travel, personnel, and third-party auditor fees, shall be borne by the Controller. The Processor may provide relevant audit certifications or reports from independent auditors as an alternative to on-site inspections.

10. International Data Transfers

All primary data processing occurs within the EU (Google Cloud Frankfurt). Where sub-processors are located outside the EU, the Processor ensures appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR and supplementary measures where necessary.

11. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a personal data breach. The notification shall include the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address the breach. Where required under Art. 33 GDPR, the Processor shall also notify the competent supervisory authority. The responsible authority for Urban Ground GmbH is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin Commissioner for Data Protection and Freedom of Information), Friedrichstr. 219, 10969 Berlin.

Annex: Technical and Organisational Measures (TOMs)

The Processor implements the following measures pursuant to Art. 32 GDPR to ensure the security of processing:

Access Control

Role-Based Access Control (RBAC) with principle of least privilege: 8 distinct roles with granular permissions
JWT-based authentication with token rotation on privilege changes
Multi-factor authentication (MFA) mandatory for administrative roles
Account lockout after 5 failed login attempts within 15 minutes

Encryption

Data in transit: TLS 1.3 for all communications, mTLS for inter-service communication
Data at rest: AES-256 encryption via Google Cloud managed encryption keys

Pseudonymisation

All personally identifiable information is replaced with anonymised identifiers before AI/LLM processing
IP addresses are pseudonymised (truncated to /24 subnet) after 14 days

Data Minimisation

All database queries use explicit column selection, no SELECT * on PII tables
Inter-service API payloads contain only fields required by the receiving service, enforced by GDPR purpose tags

Availability & Resilience

Multi-zone deployment on Google Kubernetes Engine (GKE) in Frankfurt (europe-west3)
Automated daily backups with point-in-time recovery (Cloud SQL)
Circuit breakers and retry with exponential backoff for all external service integrations

Monitoring & Audit Trail

All state-changing operations are logged in an append-only audit log with actor, timestamp, action, and resource identifiers
OpenTelemetry distributed tracing across all services for full interaction chain reconstruction

Incident Response

72-hour breach notification process with defined escalation paths
Incident response playbook with roles, communication templates, and post-mortem procedures

Data Processing Agreement (AVV)