Effective Date: 9 April 2026
Last Updated: 9 April 2026
Version: 1.0
01 Introduction
1.1 Parties
This Data Processing Agreement ("DPA") is entered into between:
Data Controller: The entity identified in the applicable Order Form or Terms of Service ("Customer" or "Controller"); and
Data Processor: Vanti Ltd, a company incorporated in England and Wales (Company No. 00650255), with its registered office at 10 Bonhill St, London EC2A 4PE, trading as "Smart Core" ("Vanti" or "Processor").
1.2 Background
This DPA governs the processing of Personal Data by Vanti on behalf of the Customer in connection with the Smart Core platform and services, as described in the Terms of Service and applicable Order Form(s).
1.3 Incorporation
This DPA is incorporated into and forms part of the Terms of Service between the parties. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail in respect of data protection matters.
1.4 Applicable Law
This DPA is governed by the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the Privacy and Electronic Communications Regulations 2003 (PECR).
02 Definitions
In this DPA, the following terms shall have the meanings ascribed to them below. Capitalised terms not defined herein shall have the meanings given in the Terms of Service or UK GDPR.
"Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, PECR, and any successor legislation, together with all applicable guidance and codes of practice issued by the Information Commissioner's Office (ICO).
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
"International Data Transfer" means a transfer of Personal Data to a country outside the United Kingdom.
"Personal Data" has the meaning given in the UK GDPR.
"Personal Data Breach" has the meaning given in the UK GDPR (Article 4(12)).
"Processing" has the meaning given in the UK GDPR (Article 4(2)).
"Sub-Processor" means any third party engaged by Vanti to process Personal Data on behalf of the Customer.
"Technical and Organisational Measures" ("TOMs") means the security measures described in Annex C.
03 Scope of processing
3.1 Subject Matter
The processing concerns the provision of the Smart Core platform, comprising:
Smart Core Connect (cloud-hosted building management platform)
SC-BOS (Building Operating System — on-premises or edge deployment)
Associated APIs, mobile applications, integrations, and support services
3.2 Duration
Processing shall continue for the duration of the Subscription Term as specified in the applicable Order Form, plus the Data Retrieval Period (30 days post-termination) and any legally required retention periods.
3.3 Nature and Purpose of Processing
Vanti processes Personal Data for the following purposes:
Service delivery: Operating and maintaining the Smart Core platform, processing building data, executing automation rules
Access management: Authenticating users, managing roles and permissions, controlling building access
Monitoring and alerting: Processing sensor data, generating alerts, monitoring building systems
Data storage: Storing Customer Data including building telemetry, access logs, and user accounts
Analytics: Providing dashboards, reports, and insights to the Customer
Integration: Connecting with Customer's building systems (BACnet, MQTT, OPC-UA) and third-party services
Support: Providing technical support and troubleshooting
Security: Detecting and preventing security threats, maintaining audit logs
Security
Detecting and preventing security threats, maintaining audit logs
3.4 Types of Personal Data
The categories of Personal Data processed include:
Category A — User Account and Identity Data:
Full names, display names, usernames
Email addresses, telephone numbers
Job titles, department, company/organisation
Password hashes (cryptographically hashed)
Authentication credentials (WebAuthn, 2FA tokens)
Account metadata (creation date, login history, role assignments)
Profile pictures
Associated vehicle data (vehicle registration mark)
Category B — Access Control and Security Data:
Building access records (entry/exit events, times, locations, granted/denied)
Actor/cardholder identifiers (badge ID, employee ID, external system IDs)
Access credentials (entry codes, QR codes)
Security events (access denied, incorrect PIN, duress, tamper, door forced open)
Alert acknowledgement records (author name, email, timestamp)
Category C — Occupancy and Movement Data:
Zone/floor occupancy counts with timestamps
Entry/exit sensor events
Desk and meeting room utilisation data
Category D — Vehicle Data:
Automatic Number Plate Recognition (ANPR) captures
Vehicle registration numbers
Vehicle make, model, colour, year
Location and timestamp of capture
Category E — Visitor Data:
Visitor names, company affiliations
Host details, purpose of visit
Associated vehicle information
Check-in/check-out timestamps
Category F — IoT and Environmental Data (where identifiable):
Device interaction logs linked to identified users
Environmental preferences linked to user profiles
Category G — Technical Data:
IP addresses, device identifiers
Browser/OS information
API request logs
3.5 Categories of Data Subjects
Customer's employees: Employees who use the Smart Core platform
Building occupants: Individuals who occupy, work in, or regularly visit Customer's buildings
Visitors: Individuals who visit Customer's buildings on a temporary basis
Contractors and service providers: Third-party workers operating in Customer's buildings
Vehicle owners/drivers: Individuals whose vehicles are captured by ANPR systems
Customer's administrators: Users who manage the Smart Core platform on behalf of Customer
04 Controller obligations
4.1 Lawfulness
The Customer warrants that:
a) it has determined and documented a lawful basis for the processing of Personal Data through the Services;
b) it has provided appropriate privacy notices to Data Subjects in accordance with Articles 13 and 14 of UK GDPR;
c) where the legal basis is consent, it has obtained valid consent and maintains records of consent;
d) it has conducted a Data Protection Impact Assessment (DPIA) where required by Article 35 of UK GDPR, particularly in respect of systematic monitoring (CCTV, occupancy tracking) and ANPR processing;
e) all instructions given to Vanti for the processing of Personal Data are lawful and comply with Data Protection Laws.
4.2 Data Subject Notices
Customer is responsible for ensuring that building occupants, visitors, and other Data Subjects are informed about the processing of their Personal Data through the Smart Core platform, including:
a) the identity of the Data Controller;
b) the purposes and legal basis for processing;
c) categories of Personal Data processed;
d) retention periods;
e) their data protection rights;
f) the right to complain to the ICO.
4.3 Processing Instructions
Customer shall provide Vanti with documented instructions regarding the processing of Personal Data. The Terms of Service, this DPA, and Customer's configuration of the Services constitute Customer's initial instructions. Additional instructions shall be provided in writing and may be subject to additional charges if they require material changes to the Services.
05 Processor obligations
5.1 Processing in Accordance with Instructions
Vanti shall:
a) process Personal Data only on the documented instructions of the Customer, unless required to do so by UK law, in which case Vanti shall inform the Customer of that legal requirement before processing (unless prohibited from doing so);
b) immediately inform the Customer if, in Vanti's opinion, a processing instruction infringes Data Protection Laws;
c) not process Personal Data for any purpose other than to provide the Services.
5.2 Confidentiality
Vanti shall ensure that all persons authorised to process Personal Data:
a) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
b) process Personal Data only in accordance with Customer's instructions.
5.3 Security (Article 28(3)(c))
Vanti shall implement and maintain appropriate Technical and Organisational Measures to ensure a level of security appropriate to the risk, as described in Annex C.
5.4 Sub-Processing (Article 28(3)(d))
a) Customer provides general written authorisation for Vanti to engage Sub-Processors to process Personal Data, subject to the conditions in this Section 5.4.
b) Vanti shall maintain a current list of Sub-Processors ("Sub-Processor List") and make it available to Customer upon request and via the Smart Core documentation portal.
c) Vanti shall notify Customer of any intended changes to Sub-Processors (additions or replacements) at least thirty (30) days before the change takes effect.
d) Customer may object to a new Sub-Processor by providing written notice to Vanti within fourteen (14) days of notification. If Customer objects on reasonable data protection grounds, the parties shall discuss in good faith. If the parties cannot resolve the objection, Customer may terminate the affected Services without penalty.
e) Vanti shall impose contractual obligations on each Sub-Processor that are no less protective than those in this DPA, including obligations regarding security, confidentiality, and international transfers.
f) Vanti shall remain fully liable for the acts and omissions of its Sub-Processors.
5.5 Data Subject Rights (Article 28(3)(e))
Vanti shall assist the Customer by appropriate technical and organisational measures in fulfilling its obligation to respond to Data Subject requests, including requests for access, rectification, erasure, restriction, portability, and objection.
Where Vanti receives a Data Subject request directly, it shall:
a) promptly redirect the request to the Customer;
b) not respond to the request unless instructed to do so by the Customer or required by law; and
c) provide the Customer with reasonable assistance in responding.
5.6 DPIA and Prior Consultation (Article 28(3)(f))
Vanti shall provide reasonable assistance to the Customer in conducting Data Protection Impact Assessments and any prior consultations with the ICO, taking into account the nature of the processing and the information available to Vanti.
5.7 Deletion and Return (Article 28(3)(g))
Upon termination of the Services:
a) Vanti shall make Customer Data available for export in a standard machine-readable format (JSON, CSV, or as agreed) during the Data Retrieval Period (30 days post-termination);
b) following the Data Retrieval Period, Vanti shall delete all Personal Data processed on behalf of the Customer, unless retention is required by applicable law;
c) Vanti shall certify deletion in writing upon Customer's request;
d) deletion shall be performed in accordance with NIST SP 800-88 guidelines or equivalent.
5.8 Audit (Article 28(3)(h))
a) Vanti shall make available to the Customer all information necessary to demonstrate compliance with this DPA and Data Protection Laws.
b) Vanti shall allow for and contribute to audits and inspections conducted by the Customer or a third-party auditor mandated by the Customer, subject to:
reasonable advance notice (at least thirty (30) days, except in the case of a Personal Data Breach investigation);
the audit being conducted during normal business hours;
the auditor being bound by confidentiality obligations;
the scope of the audit being limited to data protection compliance matters; and
a maximum of one (1) audit per twelve-month period (except where required by a supervisory authority, regulator, or applicable regulatory framework to which the Customer is subject, or following a Personal Data Breach).
c) Where Vanti holds current ISO 27001, SOC 2 Type II, or equivalent certifications, these may be provided to the Customer in lieu of an on-site audit, at Vanti's discretion.
06 Personal data breach
6.1 Notification
Vanti shall notify the Customer without undue delay, and in any event within twenty-four (24) hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Customer. Vanti shall provide sufficient preliminary information within this period to enable the Customer to begin its assessment of whether notification to the ICO is required under Article 33 UK GDPR.
6.2 Content of Notification
The notification shall include, to the extent reasonably available:
a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records affected;
b) the name and contact details of Vanti's Data Protection Officer;
c) a description of the likely consequences of the breach;
d) a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects;
e) where relevant, the assistance Vanti will provide to the Customer in meeting its notification obligations to the ICO and affected Data Subjects.
6.3 Cooperation
Vanti shall:
a) cooperate fully with the Customer in investigating and remediating the breach;
b) take reasonable steps to mitigate the effects of the breach;
c) preserve evidence and maintain a detailed record of the breach; and
d) not communicate with Data Subjects, the ICO, or the media about the breach without Customer's prior written consent (unless required by law).
6.4 Customer Obligations
Customer acknowledges that it is responsible for:
a) determining whether the breach must be reported to the ICO under Article 33 UK GDPR (within 72 hours of becoming aware);
b) determining whether affected Data Subjects must be notified under Article 34 UK GDPR;
c) making such notifications in accordance with Data Protection Laws.
07 International data transfers
7.1 Primary Processing Location
Personal Data shall be processed and stored in the United Kingdom using Microsoft Azure UK South and UK West data centres.
7.2 Transfers Outside the UK
Where a Sub-Processor processes data outside of the UK, the Customer consents to transfer of Personal Data for listed purposes, subject to the following controls: Vanti shall not transfer Personal Data outside the United Kingdom, unless:
a) the transfer is to a country, territory, sector, or international organisation recognised by the UK Secretary of State as providing an adequate level of data protection; or
b) appropriate safeguards are in place, including:
the UK International Data Transfer Agreement (UK IDTA); or
the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (UK Addendum).
Vanti shall notify the Customer no less than 14 days in advance of any proposed changes to international data transfers.
The Customer retains the right to withdraw consent for international data transfer at any time upon giving no less than 21 days' notice of such withdrawal. Customer acknowledges that where features or functions of the Smart Core platform and services rely on that transfer, those features or functions may no longer be available to them.
7.3 Sub-Processor Transfers
Where a Sub-Processor processes Personal Data outside the UK:
a) Vanti shall inform the Customer of the transfer as part of the Sub-Processor notification process;
b) Vanti shall ensure that an appropriate transfer mechanism is in place;
c) Vanti shall conduct a Transfer Impact Assessment and make it available to the Customer upon request.
7.4 Notification of Access Requests
If Vanti receives a request or order from a government authority for access to Personal Data, Vanti shall:
a) promptly notify the Customer (unless prohibited by law);
b) challenge the request if there are reasonable grounds;
c) provide the minimum amount of data required by law; and
d) provide the Customer with information to enable it to seek protective measures.
08 Data retention
8.1 Default Retention Periods
Unless otherwise agreed in writing, Personal Data shall be retained for the following default periods:
Account data (Category A): Duration of Subscription Term + Data Retrieval Period
Access control logs (Category B): 12 months from event
Occupancy data (Category C): 24 months from collection
ANPR vehicle data (Category D): 90 days from capture
Visitor data (Category E): 3 months from visit – or such period as may be requested by the Customer
IoT data linked to individuals (Category F): 24 months from collection
Technical logs (Category G): 6 months from generation
Security events: 36 months from event
Alert acknowledgements: 12 months from acknowledgement
8.2 Customer-Specific Periods
Customer may specify different retention periods by written instruction (via platform configuration or written agreement), subject to applicable law.
8.3 Post-Termination
Following the Data Retrieval Period, Vanti shall delete all Personal Data in accordance with Section 5.7, and provide certification upon request.
09 Records of processing
Vanti shall maintain records of all processing activities carried out on behalf of the Customer, in accordance with Article 30(2) UK GDPR, including:
a) the name and contact details of Vanti and the Customer;
b) the categories of processing carried out;
c) transfers of Personal Data to third countries (where applicable);
d) a general description of Technical and Organisational Measures (Annex C).
10 General
10.1 Liability
Each party's liability under this DPA shall be subject to the limitations set out in the Terms of Service, except that neither party's liability for a breach of Data Protection Laws shall be limited to the extent that such limitation would be unlawful.
10.2 Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales.
10.3 Amendments
This DPA may be amended by mutual written agreement. Vanti may update the Annexes to reflect changes in its Sub-Processors, security measures, or processing activities, provided such changes do not materially diminish the protections afforded to Personal Data.
10.4 Insurance
Vanti maintains appropriate insurance coverage, including professional indemnity insurance and cyber liability insurance. Details of coverage types and limits are available to the Customer upon written request to legal@vanti.co.uk.
10.5 Data Isolation
The Smart Core Connect platform operates a multi-tenant architecture with strict logical data isolation. All Customer Data is sandboxed at both the platform level and the individual building level. No Customer may access another Customer's data. Data isolation controls are enforced through the application layer, database-level access controls, and network segmentation.
10.6 Certifications
Vanti holds Cyber Essentials Plus certification. Where Vanti obtains additional certifications (e.g., ISO 27001, SOC 2 Type II), details of these shall be made available to the Customer upon request.
10.7 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
Annex A - Description of processing
Controller: The Customer identified in the Order Form
Processor: Vanti Ltd (Company No. 00650255)
Subject matter: Smart Core building management platform
Duration: Subscription Term + 30-day Data Retrieval Period
Nature of processing: Collection, storage, organisation, retrieval, use, alignment, restriction, erasure, transmission
Purpose: Provision of building management, IoT integration, access control, monitoring, and analytics services
Types of Personal Data: As specified in Section 3.4 (Categories A through G)
Categories of Data Subjects: As specified in Section 3.5
Annex B - Sub-processor register
Vanti maintains a current Sub-Processor List as a standalone document, updated in accordance with the notification obligations in Section 5.4 of this DPA. The Sub-Processor List is available to the Customer upon written request to legal@vanti.co.uk and via the Smart Core documentation portal. Vanti shall notify the Customer of any changes to the Sub-Processor List in accordance with Section 5.4(c).
Annex C - Technical and organisational measures
C.1 Encryption
Encryption in transit: TLS 1.2+ for all communications (HTTPS, gRPC, MQTT over TLS)
Encryption at rest: AES-256 for stored data; Azure Storage Service Encryption
Certificate management: X.509 PKI for inter-node communication; automated certificate rotation
Key management: Azure Key Vault for cryptographic key management
C.2 Access Control
Authentication: Multi-factor authentication (2FA), WebAuthn/passkeys, JWT tokens
Authorisation: Role-Based Access Control (RBAC) via CASL; Open Policy Agent (OPA) for SC-BOS
Least privilege: Principle of least privilege enforced across all systems
Access reviews: Quarterly access reviews for production systems
Password policy: Minimum 10 characters; cryptographic hashing (bcrypt-equivalent)
Service accounts: OAuth2 client credentials with secret rotation capability
C.3 Infrastructure Security
Network segmentation: Virtual network isolation; network security groups
Firewall: Azure Firewall and network security rules
DDoS protection: Azure DDoS Protection
Monitoring: Azure Application Insights; centralised logging
Vulnerability scanning: Regular automated vulnerability scanning
Patch management: Timely application of security patches
C.4 Operational Security
Incident response: Documented incident response plan; 24-hour breach notification
Business continuity: Regular backups; disaster recovery procedures; geo-redundant storage
Change management: Controlled deployment pipeline with testing and approval stages
Logging: Comprehensive audit logging of authentication, authorisation, and data access
Staff security: Background checks; confidentiality agreements; security awareness training
C.5 Physical Security
Data centres: Microsoft Azure UK data centres (ISO 27001, SOC 1/2, CSA STAR certified)
Physical access: Biometric and multi-factor access controls at data centres
Environmental controls: Fire suppression, climate control, redundant power
C.6 Data Minimisation and Retention
Data minimisation: Processing limited to what is necessary for service delivery
Retention enforcement: Automated retention policies with configurable periods
Secure deletion: NIST SP 800-88 compliant data destruction
Anonymisation: Aggregation and anonymisation for benchmarking and analytics
This Data Processing Agreement was prepared on 9 April 2026 and should be reviewed by qualified legal counsel before execution.