Data Processing Agreement (DPA)
This Data Processing Agreement (“Agreement”) forms part of, and is subordinate to, the main agreement (Terms of Service / subscription) between the parties for the use of Tesoro CRM (“the Service”). In case of conflict regarding the processing of personal data, this Agreement prevails.
Parties
- Controller — the customer (real estate agency) using an account on the Service, as identified in the main agreement (“Controller”).
- Processor — Codificamos S.L., CIF B02641900, established at Calle Meliso 10, 03739, Jávea, Alicante, Spain, registered in the Registro Mercantil de Alicante, Tomo 4329, Folio 65, Hoja A-171807 (“Processor” / “Tesoro”).
1. Definitions
Terms such as “personal data”, “processing”, “data subject”, “controller”, “processor”, “sub-processor” and “data breach” have the meaning set out in the GDPR (Regulation (EU) 2016/679). “Sub-processor” means a third party engaged by the Processor to process personal data.
2. Subject matter, nature and purpose
2.1 The Processor processes personal data solely on behalf of and on the instructions of the Controller, for the purpose of providing the Service (a CRM for real estate professionals).
2.2 The nature, purpose, categories of data subjects and personal data, and the duration are specified in Annex 1.
2.3 The Controller is and remains the controller; it warrants that a valid legal basis exists for the processing it carries out via the Service.
3. Instructions (art. 28(3)(a))
3.1 The Processor processes the personal data only on documented instructions from the Controller, including this Agreement and the use of the Service in accordance with the documentation.
3.2 The Processor informs the Controller if, in its opinion, an instruction infringes the GDPR, save where prohibited by law.
3.3 If the Processor processes on the basis of a Union or Member State legal obligation outside the instructions, it notifies this in advance, unless that law prohibits this.
4. Confidentiality (art. 28(3)(b))
The Processor ensures that persons with access to the personal data are bound to confidentiality.
5. Security (art. 28(3)(c) in conjunction with art. 32)
5.1 The Processor takes appropriate technical and organizational measures; the current measures are set out in Annex 3.
5.2 The measures are evaluated periodically (see the semi-annual GDPR audit) and may change, provided the level of protection is not lowered.
6. Sub-processors (art. 28(3)(d) in conjunction with (2))
6.1 The Controller gives general authorization for engaging the sub-processors in Annex 2.
6.2 The Processor imposes on each sub-processor, by contract, the same data protection obligations as in this Agreement.
6.3 In the event of an intended change (new or replacement sub-processor), the Processor informs the Controller at least 30 days in advance, so that it can object. In the event of a justified objection, the parties seek a reasonable solution; if this fails, the Controller can cancel the relevant service.
6.4 The Processor remains fully liable to the Controller for its sub-processors.
7. International transfers (Chapter V)
7.1 The core data is stored and processed within the EEA (database, files, email, telephony/recordings, AI — see Annex 2).
7.2 For sub-processors with a US parent company (Cloudflare, Twilio, Mailgun/Sinch, and the services Mapbox and Pusher to be phased out before the end of October 2026), insofar as incidental access from a third country may take place, the EU-US Data Privacy Framework and/or standard contractual clauses (SCCs) apply. A copy of the safeguards is available on request.
8. Assistance to the Controller
8.1 Data subject rights (art. 28(3)(e)): the Processor assists the Controller with appropriate measures in responding to requests from data subjects (access, rectification, erasure, restriction, portability, objection). Requests received directly by the Processor are forwarded.
8.2 Security, data breaches and DPIA (art. 28(3)(f) in conjunction with 32-36): the Processor provides assistance with security, notification of data breaches and data protection impact assessments.
8.3 Data breach notification: the Processor reports a data breach without undue delay and at the latest within 72 hours of discovery, with the information referred to in art. 33(3) insofar as available.
9. Return and deletion (art. 28(3)(g))
9.1 After termination the Processor deletes or returns, at the Controller’s choice, all personal data.
9.2 The Controller can export its data for 30 days after termination. Thereafter the Processor deletes the personal data within 30 days, except for backups that are erased on a rolling cycle of 90 days and data that must be retained by law.
10. Audits (art. 28(3)(h))
10.1 The Processor makes available on request the information necessary to demonstrate compliance, including the outcomes of the semi-annual internal GDPR audit and any certifications.
10.2 The Controller may carry out an audit at most once per year (and after a data breach), with reasonable prior notice, during office hours, without disproportionately disrupting operations.
11. Liability and term
11.1 Liability follows the main agreement, subject to art. 82 GDPR (mandatory law).
11.2 This Agreement applies for as long as the Processor processes personal data on behalf of the Controller.
11.3 This Agreement applies in its then-current version, which forms the basis of the arrangements between the parties. Codificamos may amend the content, provided the level of protection for data subjects does not decrease and subject to the change mechanism for sub-processors (§6.3). The current version applies.
12. Applicable law
This Agreement is governed by Spanish law; the competent court is that of Alicante, without prejudice to mandatory jurisdiction rules.
Signing
Thus agreed. The Controller accepts this Agreement by signing below, or by accepting the main agreement upon registration.
Annex 1 — Processing details
| Item | Details |
| --- | --- |
| Subject matter | Provision of the Tesoro CRM to the Controller |
| Duration | Term of the main agreement + the retention period of art. 9 |
| Nature | Collecting, recording, organizing, storing, consulting, using, transmitting (within the Service), erasing |
| Purpose | Relationship/lead/deal management, property matching, communication (email/phone/WhatsApp), customer portal |
Categories of data subjects: end clients of the agent (buyers, sellers, owners, leads, portal users); business relations/contact persons.
Categories of personal data:
- Identity & contact: name, email, phone, WhatsApp number, address, language
- Location: geolocation of a contact (if entered)
- Profile/preferences: search profile, budget, deal history, favorite properties
- Financial: commission, deal value, bid amounts, credit terms (relations)
- Communication content: emails (+ attachments), WhatsApp messages (+ media), call recordings (audio), notes, comments
- Portal account: login credentials (hashed), last login
- Free text: descriptions/notes (may incidentally contain special data — see policy)
Special categories (art. 9): not structurally collected. The Controller is requested not to enter art. 9 data in free-text fields, unless it has a valid legal basis for doing so.
Annex 2 — Sub-processors (as at 2026-06-30)
Customer-linked mail integrations (Gmail/Outlook/Zoho/IMAP) are not sub-processors of Tesoro: the Controller links its own account and is itself responsible for it.
Annex 3 — Technical and organizational measures (art. 32)
- Data residency: core data within the EEA (see Annex 2).
- Encryption: TLS for transport; encryption-at-rest at MongoDB Atlas and Cloudflare R2.
- Access management: role-based access (admin/employee), multi-tenant separation per company.
- Authentication: passwords hashed with bcrypt; JWT sessions.
- Webhooks: HMAC-SHA256-signed.
- Logging/monitoring: technical logs with limited retention; internal semi-annual GDPR audit.