Data Processing Addendum
Last updated: 24 April 2026 — Draft pending solicitor review
This Data Processing Addendum (“DPA”) forms part of the agreement between Rubo Ltd (“Rubo”, “Processor”) and the customer identified in the applicable order form or sign-up flow (“Customer”, “Controller”) under which Rubo provides the Service (the “Agreement”). It applies to Rubo’s processing of personal data on behalf of Customer and is entered into pursuant to Article 28 of the UK General Data Protection Regulation (“UK GDPR”) and equivalent requirements of the EU GDPR where applicable.
1. Definitions
Terms defined in the UK GDPR (including “controller”, “processor”, “data subject”, “personal data”, “processing”, and “personal data breach”) have the meanings given to them there. “Applicable Data Protection Law” means the UK GDPR, the Data Protection Act 2018, the EU GDPR where relevant, PECR, and any successor legislation.
2. Roles and scope
2.1 In respect of Customer Data processed through the Service, Customer is the Controller and Rubo is the Processor. Rubo processes personal data only on Customer’s documented instructions, which include the Agreement, this DPA, and any reasonable configuration choices Customer makes within the Service.
2.2 Annex A describes the subject matter, duration, nature, purpose, types of personal data, and categories of data subjects.
2.3 Rubo acts as an independent controller in respect of (a) account and billing data, (b) usage analytics relating to Customer’s administrative users, (c) data processed for security, fraud prevention, and regulatory compliance, and (d) fully anonymised data used for product improvement. Rubo’s Privacy Policy governs those activities.
3. Customer obligations
Customer warrants that it has (a) provided all required notices to data subjects, (b) obtained all necessary consents and lawful bases for the processing instructed by Customer, (c) the right to disclose personal data to Rubo, and (d) complied with its own obligations under Applicable Data Protection Law. Customer is responsible for ensuring that personal data uploaded into the Service is relevant, necessary, and lawfully obtained.
4. Rubo obligations
Rubo shall:
- Process personal data only on documented instructions from Customer, including with regard to international transfers, unless required to process by UK or EU law (in which case Rubo will notify Customer unless that law prohibits notice).
- Ensure that persons authorised to process personal data are bound by confidentiality obligations.
- Implement and maintain the technical and organisational measures set out in Annex B.
- Assist Customer, taking into account the nature of the processing, in responding to data subject rights requests.
- Assist Customer in complying with its obligations under Articles 32–36 of the UK GDPR (security, breach notification, DPIAs, prior consultation).
- Make available to Customer all information necessary to demonstrate compliance with Article 28 UK GDPR, and allow for and contribute to audits in accordance with Section 10.
- At Customer’s choice, delete or return all personal data at the end of the provision of services, in accordance with the Retention Policy and Section 11.
- Immediately inform Customer if, in its opinion, a Customer instruction infringes Applicable Data Protection Law.
5. Sub-processors
5.1 Customer grants Rubo general authorisation to engage sub-processors to assist in providing the Service. The current list of sub-processors is set out in Annex C and is mirrored in the Privacy Policy.
5.2 Rubo shall (a) enter into a written agreement with each sub-processor imposing data protection terms no less protective than those in this DPA; (b) remain liable for the acts and omissions of its sub-processors; and (c) give Customer at least 30 days’ prior notice of any intended addition or replacement of sub-processors, during which time Customer may object on reasonable data-protection grounds. If the parties cannot resolve the objection in good faith, Customer may terminate the affected part of the Service without penalty and receive a pro-rata refund of prepaid fees.
6. International transfers
6.1 Where Rubo transfers personal data from the UK or EEA to a country not covered by an adequacy decision, the transfer shall be governed by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (the “UK IDTA”) or the EU SCCs as applicable, in each case incorporated into this DPA by reference.
6.2 For transfers from the UK, the parties agree that this DPA incorporates the UK IDTA, with Rubo as data exporter (acting on Customer’s behalf) and the relevant sub-processor as data importer.
6.3 For transfers from the EEA, the parties agree that Module 3 (processor-to-processor) of the EU SCCs applies between Rubo and its sub-processors, and Module 2 (controller-to-processor) applies between Customer and Rubo where Customer is established in the EEA.
7. Security measures
Rubo shall implement and maintain appropriate technical and organisational measures as described in Annex B, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Access controls based on the principle of least privilege, with 2FA enforced for administrators.
- Row-Level Security on the Supabase database to isolate tenant data.
- Monitoring and logging via Sentry, with access logs retained for incident investigation.
- Vulnerability management, including regular dependency scans and at least annual third-party penetration testing once at scale.
- Business continuity and backup with 90-day backup retention.
- Personnel screening and training on data protection at onboarding and annually.
8. Personal data breach
8.1 Rubo shall notify Customer without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Data.
8.2 The notice shall, to the extent known, describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed.
8.3 Rubo shall cooperate with Customer in meeting Customer’s breach-notification obligations to the ICO and data subjects, but Customer is responsible for any such notifications.
9. Data subject rights
Rubo shall, taking into account the nature of the processing, provide reasonable assistance by appropriate technical and organisational measures to enable Customer to respond to data subject rights requests (access, rectification, erasure, portability, objection, restriction). Where a data subject contacts Rubo directly, Rubo will refer them to Customer unless obliged by law to respond.
10. Audit rights
10.1 Rubo shall make available to Customer information necessary to demonstrate compliance with this DPA, including third-party audit reports (e.g. SOC 2, ISO 27001 once obtained) and the current sub-processor list.
10.2 Customer may, on 30 days’ written notice and no more than once per year (unless a breach has occurred or a regulator requires otherwise), request an audit carried out by Customer or a mutually agreed independent auditor. Audits are conducted during normal business hours, under confidentiality, without disrupting Rubo’s operations, and at Customer’s cost, except where the audit reveals a material breach of this DPA by Rubo.
11. Return and deletion on termination
Within 30 days of termination or expiry of the Agreement, Rubo shall, at Customer’s written choice, (a) export Customer Data in a standard machine-readable format or (b) delete Customer Data from live systems. Backups containing Customer Data are deleted in accordance with the Retention Policy (90 days). Rubo may retain anonymised data and data required by law.
12. Liability and precedence
The liability cap in the Agreement applies to claims under this DPA, except where Applicable Data Protection Law requires otherwise. In the event of conflict between this DPA and the Agreement, this DPA prevails in respect of processing of personal data.
Annex A — Details of processing
- Subject matter: Provision of Rubo’s AI-assisted UK real-estate copilot Service.
- Duration: Term of the Agreement plus retention periods in the Retention Policy.
- Nature and purpose: Hosting, indexing, transmission, and AI-assisted analysis of real-estate documents and related communications to generate flags, summaries, and statute citations for Customer’s use.
- Types of personal data: Names, contact details, and other identifiers of Customer’s users, clients, landlords, tenants, and counterparties to the extent they appear in uploaded documents or conversations.
- Categories of data subjects: Customer’s staff, Customer’s broker clients, landlords, tenants, counterparties, and their representatives.
Annex B — Technical and organisational measures
Encryption (TLS 1.2+, AES-256); access controls with 2FA; Row-Level Security; network-level protection via Cloudflare WAF; Sentry monitoring; 90-day backups; quarterly restore tests; annual penetration testing (once at scale); secure SDLC; incident-response runbook; annual staff training; supplier risk review before sub-processor onboarding.
Annex C — Authorised sub-processors
See the Privacy Policy for the current list. The same table is maintained at askrubo.ai/legal/sub-processors, and changes to it are notified in advance.
Contact
Questions? Email legal@askrubo.ai (or privacy@askrubo.ai for privacy-specific questions).
Draft pending solicitor review. Rubo is a software tool, not a law firm.