1. Background
Percy Real Estate Ltd (trading as “Bloc”), Company Number 15525233, registered at 25 Cabot Square, Canary Wharf, London E14 4QZ (“Processor”, “we”, “us”), provides a property CRM Platform to estate agencies and property professionals (“Controller”, “you”).
In the course of providing the Platform, the Processor will process personal data on behalf of the Controller. The parties agree that this DPA is necessary to comply with Article 28 of the UK GDPR, which requires a written contract to be in place between a controller and any processor it engages.
This DPA applies from the date the Controller accepts the Terms of Service (or such earlier date as processing begins) and continues for the duration of the agreement. It supersedes any prior data processing terms between the parties.
Defined terms not defined in this DPA have the meaning given to them in the Terms of Service.
2. Definitions
Controller
The entity that determines the purposes and means of processing personal data. In this DPA, the Controller is the estate agency or property business that has purchased a Subscription to the Platform.
Processor
Percy Real Estate Ltd (trading as Bloc), which processes personal data on behalf of and under the instructions of the Controller.
Sub-processor
Any third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.
Personal Data
Any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the UK GDPR.
Processing
Any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
Data Subject
The individual to whom Personal Data relates (e.g. a vendor, buyer, landlord, tenant, or applicant managed within the Controller's Workspace).
UK GDPR
The UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
DPA 2018
The Data Protection Act 2018.
Applicable Law
All applicable data protection and privacy legislation in force from time to time in the UK, including the UK GDPR and DPA 2018.
CRM Data
Personal data relating to the Controller's own clients (vendors, buyers, landlords, tenants, applicants, and any other natural persons) that is uploaded to or generated within the Platform by the Controller.
Technical and Organisational Measures (TOMs)
The security and operational safeguards implemented by the Processor as described in Section 9.
3. Subject Matter, Nature and Purpose of Processing
Subject Matter
The Processor will process Personal Data contained within CRM Data on behalf of the Controller for the purpose of providing the Bloc Platform, including all features and services described in the Terms of Service.
Duration
Processing will commence on the effective date of the Terms of Service and continue until the earlier of: (a) termination or expiry of the Terms of Service; or (b) the Controller notifies the Processor in writing to cease processing.
Nature of Processing
- Storage of CRM Data on the Platform database and associated infrastructure.
- Retrieval and display of CRM Data to authorised users within the Controller's Workspace.
- AI-assisted data enrichment, summarisation, and matching where the Controller enables those features.
- Automated communications (email, WhatsApp) sent by the Platform on the Controller's behalf.
- Export, reporting, and analytics performed on CRM Data within the Platform.
- Backup, archiving, and restoration of CRM Data in accordance with the Processor's infrastructure procedures.
Purpose of Processing
The Processor processes CRM Data solely to provide and improve the Platform as instructed by the Controller. The Processor will not process CRM Data for its own commercial purposes, for advertising, or for any purpose not described in the Terms of Service or this DPA, except where required by Applicable Law.
4. Description of Personal Data and Data Subjects
Categories of Data Subjects
- Residential and commercial property vendors and sellers.
- Residential and commercial property buyers and applicants.
- Residential and commercial landlords and property owners.
- Residential and commercial tenants and prospective tenants.
- Any other natural persons whose details the Controller chooses to store in its Workspace (e.g. solicitors, contractors, referrers).
Types of Personal Data
- Identification data: full name, date of birth (where provided).
- Contact data: email address, phone number(s), postal address.
- Property-related data: current and desired property details, budget, chain position, viewing history.
- Communication records: emails, WhatsApp messages, call notes, and other correspondence managed through the Platform.
- Financial indicators: declared budget, mortgage status, deposit amount (not full financial account details).
- Preference and requirement data: property criteria, lifestyle preferences, match scores.
- Any additional data fields the Controller creates or populates within the Platform.
Controller's responsibility
The Controller is responsible for ensuring it has a lawful basis under Applicable Law for all CRM Data uploaded to or stored in the Platform. The Processor does not verify whether the Controller's use of Personal Data is lawful and relies on the Controller's confirmation that it is.
The Processor does not intentionally collect or process special category data (Article 9 UK GDPR) through the Platform. The Controller must not upload special category data unless it has obtained explicit consent or can otherwise rely on a condition under Article 9(2), and must notify the Processor before doing so at [email protected].
5. Controller Obligations
The Controller represents, warrants, and undertakes that:
- It has and will maintain throughout the term all necessary rights, consents, lawful bases, and permissions to provide CRM Data to the Processor for processing as described in this DPA.
- It has provided, and will maintain, an adequate privacy notice to all Data Subjects whose data is uploaded to the Platform, explaining how their data is processed and their rights.
- It will promptly notify the Processor if any instruction given by the Controller would, in the Controller's reasonable opinion, cause the Processor to infringe Applicable Law.
- It will not instruct the Processor to process Personal Data in a manner that would result in a breach of Applicable Law.
- It is responsible for responding to Data Subject rights requests in respect of CRM Data and will promptly pass to the Processor any requests that the Processor needs to assist with.
- It will ensure that all users given access to its Workspace are authorised to access the Personal Data within it, and that access credentials are not shared.
- It will notify the Processor promptly if it becomes aware of any actual or suspected unauthorised access to, or misuse of, CRM Data.
6. Processor Obligations
Processing only on Instructions
The Processor will only process CRM Data on the documented instructions of the Controller, as set out in this DPA and the Terms of Service, unless required to do so by Applicable Law. If Applicable Law requires the Processor to process CRM Data for any other purpose, the Processor will notify the Controller before doing so (unless prohibited by law).
Confidentiality
The Processor will ensure that all personnel authorised to process CRM Data are subject to appropriate confidentiality obligations, whether contractual or statutory, and have received appropriate data protection training.
Assistance to the Controller
The Processor will, taking into account the nature of processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the Controller's obligations to respond to Data Subject rights requests (Section 8), to comply with its security obligations under Article 32 UK GDPR (Section 9), to notify Personal Data Breaches (Section 10), and to carry out DPIAs (Section 11).
Sub-processors
The Processor will not engage sub-processors except as described in Section 7.
Notification of Unlawful Instructions
If the Processor reasonably believes that an instruction from the Controller infringes Applicable Law, the Processor will promptly inform the Controller and may refuse to act on that instruction until the Controller confirms it is lawful.
7. Sub-processors
The Controller grants general written authorisation for the Processor to engage sub-processors to assist in providing the Platform. The Processor's current list of sub-processors is set out below. The Processor will enter into a written agreement with each sub-processor that imposes data protection obligations at least equivalent to those in this DPA.
| Sub-processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Vercel / AWS / Hetzner | Cloud hosting and infrastructure | EEA / UK / US | UK IDTA / SCCs |
| Neon / Supabase (PostgreSQL) | Primary database hosting | EEA | UK adequacy |
| Upstash (Redis) | Session and cache layer | EEA | UK adequacy |
| Resend / SendGrid | Transactional email delivery | US | UK IDTA / SCCs |
| Stripe | Payment processing (billing data only) | EEA / US | UK IDTA / SCCs |
| Meta (WhatsApp Business API) | WhatsApp messaging integration | US | UK IDTA / SCCs |
| OpenAI / Anthropic | AI feature processing (no training on customer data) | US | UK IDTA / SCCs |
| PostHog | Product analytics (aggregated, no CRM data) | EEA | UK adequacy |
Changes to Sub-processors
The Processor will give the Controller at least 14 days' prior written notice of any intended addition or replacement of a sub-processor by updating this DPA and notifying the Controller by email to the address on the Controller's account. If the Controller reasonably objects to the change on data protection grounds, it must notify the Processor in writing within 14 days of notification. The parties will work in good faith to resolve the objection. If the objection cannot be resolved, the Controller may terminate the affected services on written notice, with a pro-rata refund of any prepaid fees.
8. Data Subject Rights
The Controller is the primary point of contact for Data Subjects exercising rights under Applicable Law in respect of CRM Data. The Processor will:
- Promptly forward to the Controller any Data Subject rights request received directly by the Processor that relates to CRM Data, where the Processor is able to identify the relevant Controller.
- Provide the Controller with reasonable technical assistance to respond to Data Subject rights requests, including the ability to export, rectify, restrict, or delete CRM Data within the Platform.
- Not respond to a Data Subject rights request relating to CRM Data except on the Controller's documented instructions (or as required by Applicable Law).
Where the Controller needs assistance beyond what is available through the Platform's self-service tools, it should contact [email protected]. The Processor may charge a reasonable fee for assistance that goes materially beyond what is technically necessary to operate the Platform.
9. Security Measures (Technical and Organisational Measures)
The Processor will implement and maintain the following technical and organisational measures to protect CRM Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures represent the Processor's current standard; the Processor may update them over time to reflect improvements in best practice, provided the overall level of security is not reduced.
Encryption in transit
TLS 1.2 or higher on all network connections between clients, APIs, and databases.
Encryption at rest
AES-256 encryption for all stored personal data, including database volumes and backups.
Access controls
Role-based access control (RBAC) with least-privilege principles. Workspace isolation ensures no cross-tenant data access.
Authentication
Multi-factor authentication (MFA) enforced for all Bloc staff with access to production systems.
Pseudonymisation
Where technically feasible, personal data used in analytics and logging is pseudonymised or anonymised.
Audit logging
All access to personal data by Bloc staff is logged with timestamps, user identity, and action type.
Vulnerability management
Regular automated dependency scanning, annual penetration testing by an independent third party, and a responsible disclosure policy.
Backup and recovery
Daily automated backups with point-in-time recovery capability. Backup integrity tested quarterly.
Incident response
Documented incident response plan with defined escalation paths, breach notification procedures, and post-incident reviews.
Staff training
Annual data protection training for all staff with access to personal data, covering UK GDPR obligations and secure handling.
Supplier due diligence
All sub-processors are assessed before onboarding and reviewed annually for security posture and contractual compliance.
Physical security
All Bloc staff work remotely on managed devices with full-disk encryption, endpoint detection, and remote-wipe capability.
The Controller acknowledges that it is responsible for ensuring that the security measures it applies to its own devices, networks, and user credentials are appropriate for the nature of the CRM Data it processes through the Platform.
10. Personal Data Breaches
Notification by Processor
If the Processor becomes aware of a Personal Data Breach affecting CRM Data, it will notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification will include, to the extent known at the time:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected.
- The name and contact details of the Processor's data protection contact.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach, including to mitigate its possible adverse effects.
Where it is not possible to provide all information within 72 hours, the Processor will provide an initial notification with the information available and follow up with additional detail as soon as reasonably practicable.
Controller's Reporting Obligations
The Controller is responsible for determining whether the breach must be reported to the Information Commissioner's Office (ICO) and for notifying affected Data Subjects where required under Applicable Law. The Processor will provide reasonable assistance to the Controller in making those assessments and notifications.
Notification by Controller
The Controller must promptly notify the Processor at [email protected] if it becomes aware of any suspected or actual security incident that may affect CRM Data or the Platform.
11. Data Protection Impact Assessments
Where the Controller is required to conduct a Data Protection Impact Assessment (DPIA) under Article 35 of the UK GDPR in relation to processing activities that involve CRM Data on the Platform, the Processor will provide reasonable assistance and information to enable the Controller to conduct the DPIA.
The Controller should contact [email protected] to request DPIA assistance, providing a description of the processing activities under assessment. The Processor may provide relevant information about its security measures, sub-processors, and data flows to assist the Controller. The Processor may charge a reasonable fee for assistance that involves significant effort.
Where the outcome of a DPIA indicates that a high risk cannot be mitigated without prior consultation with the ICO, the Controller is responsible for carrying out that consultation.
12. Audits and Inspections
The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Audit requests must be made in writing to [email protected] with at least 30 days' notice. The Controller agrees that:
- Audits will be conducted during normal business hours and in a manner that minimises disruption to the Processor's operations.
- Auditors must sign a reasonable confidentiality undertaking before accessing any Processor information.
- Audits may be conducted no more than once per calendar year unless a Personal Data Breach or material non-compliance has been confirmed.
- The Controller bears the cost of any third-party auditor engaged by the Controller.
The Processor may, at its discretion, satisfy audit requests by providing a current third-party security certification (e.g. ISO 27001, SOC 2 Type II) or penetration test report in lieu of an on-site inspection. The Controller may not unreasonably reject such an alternative.
13. International Transfers
The Processor will not transfer CRM Data outside the UK except where permitted by Applicable Law and where one of the following safeguards is in place:
- A UK adequacy decision in respect of the destination country (e.g. EEA countries, following the UK adequacy regulations).
- A UK International Data Transfer Agreement (IDTA), or a transfer subject to an addendum to the EU Standard Contractual Clauses approved for UK use, between the Processor and the relevant sub-processor.
- The UK-US Data Bridge where applicable.
- Any other transfer mechanism permitted under Chapter V of the UK GDPR.
The Controller acknowledges and authorises the international transfers described in the sub-processor table in Section 7. Where the Processor adds a new sub-processor that involves an international transfer, it will follow the change notification process in Section 7. The Controller may request copies of the relevant transfer mechanisms at [email protected].
14. Term, Termination, and Data Return
Term
This DPA comes into force on the effective date of the Terms of Service and remains in force until the Terms of Service are terminated or expire.
Effect of Termination
On termination or expiry of the Terms of Service, the Processor will:
- At the Controller's written request, provide a full export of CRM Data in a standard machine-readable format (CSV or JSON) within 14 days of the request. Export requests must be made before the expiry of the post-termination retention period.
- Securely delete or destroy all CRM Data (including copies held by sub-processors) within 30 days of the later of: (a) the termination date; or (b) the provision of the CRM Data export, unless Applicable Law requires the Processor to retain the data for a longer period.
- Provide written confirmation to the Controller that deletion has been completed, if requested.
Survival
Obligations in this DPA that by their nature should survive termination (including confidentiality, data deletion confirmation, audit rights in respect of the termination period, and liability provisions) will survive termination or expiry of this DPA.
15. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot be limited or excluded by Applicable Law.
Where both parties are held liable to a Data Subject or supervisory authority for a breach of Applicable Law in respect of the same processing activity, each party is responsible for the portion of any resulting fine or compensation attributable to its own fault. The parties agree to cooperate in good faith to apportion liability fairly.
The Processor will not be liable for a breach of this DPA that results from the Controller's failure to fulfil its own obligations under Applicable Law, or where the breach arises solely from the Controller's instructions.
16. Governing Law and Disputes
This DPA is governed by the laws of England and Wales. Any dispute arising from this DPA will be subject to the exclusive jurisdiction of the courts of England and Wales, unless mandatory Applicable Law requires otherwise.
For any queries about this DPA, including requests for a countersigned copy or for assistance with your data protection obligations, please contact:
Bloc Data Protection Team
Email: [email protected]
Legal enquiries: [email protected]
Percy Real Estate Ltd (trading as Bloc)
25 Cabot Square, Canary Wharf, London E14 4QZ
This DPA is drafted in accordance with Article 28 of the UK GDPR and the Data Protection Act 2018.
Percy Real Estate Ltd — Registered in England and Wales. Company Number: 15525233.