Data processing agreement

This page is COHO’s data processing agreement. It’s the contract that covers what we do with personal data when you use COHO to manage other people’s information.

It works alongside our terms and conditions and any subscription terms you’ve agreed to. If anything here clashes with those, this page wins for anything to do with handling personal data on your behalf.

Effective date: 22nd May 2026

Who this is between

This is between you, the person or organisation using COHO, and COHO (Company For Life Ltd), a company registered in England and Wales (company number 12078021), with its registered office at COHO @ The Kiln, 2 Copenhagen Street, Worcester, WR1 2HB.

Who’s doing what

When you use COHO to manage properties, you might enter personal information about other people such as tenants, applicants, guarantors, your team, and so on.

  • You are the data controller for that information. You decide whose data goes in and what it’s used for.
  • We are your data processor. We hold and handle the data on your behalf, following what you tell us to do.

We’ll both stick to our respective sides of UK data protection law.

What we process and why

We only use the data to deliver COHO to you. That covers:

  • running the software you’ve subscribed to;
  • storing, hosting, and moving the data so the platform works;
  • supporting you when you ask for help;
  • diagnosing and fixing problems;
  • doing what the law makes us do.

We hold the data for as long as your subscription is running, plus any short period afterwards needed to wind things down or that the law requires.

Whose data, and what kind

The data you upload to COHO might be about:

  • current and former tenants;
  • applicants and prospective tenants;
  • guarantors;
  • household members and emergency contacts;
  • landlords, agents, and contractors;
  • viewing attendees;
  • members of your own team.

It might include names, contact details, ID documents, right-to-rent records, referencing results, communications, tenancy and lease details, and payment or bank information.

Some of what you upload might be special category data, things like health information shared for accessibility, or right-to-rent verification documents. You’re responsible for making sure you have the right legal basis for handling that kind of information.

Your instructions to us

We only process your data on your documented instructions, unless the law tells us to do something different.

Your documented instructions are:

  • how you use the platform under our terms and conditions and your subscription terms;
  • the settings and choices you make in your account;
  • anything else you tell us in writing, including emails to our support team.

If we think one of your instructions breaks UK data protection law, we’ll tell you.

Confidentiality

We keep your data confidential. The people who handle it for us — staff and contractors — are under proper confidentiality obligations.

Security

We use sensible technical and organisational measures to keep your data safe. We summarise our approach on our security summary, and we share detailed information about our controls with customers on request under appropriate confidentiality terms.

Sub-processors

We use third-party service providers, called sub-processors, to help us deliver COHO. By agreeing to this, you’re giving us general written authorisation to use them.

The current sub-processor list includes what each one does, where they’re based, and the safeguard for international transfers.

We publish changes to that list in advance of them taking effect, typically with at least 14 days’ notice. We don’t operate a notification list, so please check that page periodically.

If you’re not happy with a change for data protection reasons, you can stop using the affected service. That’s the only remedy this agreement gives you for a sub-processor change.

Every sub-processor we use is held to data protection obligations at least as strong as the ones in this agreement. We’re still responsible to you for what they do.

International transfers

Some of our sub-processors are based outside the UK. Where that’s the case, we use a UK-recognised safeguard for the transfer,  for example, UK adequacy regulations, the UK Extension to the EU-US Data Privacy Framework, the UK International Data Transfer Agreement, the EU Standard Contractual Clauses with the UK Addendum, or a sub-processor’s Binding Corporate Rules.

The specific safeguard for each sub-processor is listed in the sub-processor list.

How we help you meet your own obligations

You have your own duties as a data controller. We’ll help you with them, taking into account the nature of the processing and the information available to us:

  • if someone exercises a right over their data (access, deletion, rectification, portability, restriction, objection), we’ll help you respond;
  • we’ll help you keep the data secure;
  • if there’s a data breach, we’ll help you handle it, including telling the ICO or affected individuals where you need to;
    we’ll help with data protection impact assessments and any prior consultations with the ICO.

Your account is the first place to look. Most of the personal data we process on your behalf is visible and exportable to you directly through COHO; tenant and applicant profiles, tenancies, uploaded documents, referencing records, messages, notes, payments, maintenance records, and the like. When you respond to a data subject rights request, you are responsible for gathering this data yourself from the platform and for making the controller decisions that go with it (verifying the requester’s identity, redacting third-party personal data, applying exemptions, deciding what to disclose).

What we help with. Our assistance is focused on data we hold that you cannot reasonably reach through the platform, for example, system audit and access logs, soft-deleted records, or backend telemetry. We’ll provide that data to you in a usable form so you can include it in your response.

Requests for our help. When you need our help with a data subject rights request, please send the request to support@coho.life with: confirmation that you have verified the data subject’s identity, the data subject’s identifier (email address), the relevant property, the date range, and a description of what you cannot extract yourself. We’ll respond in time for you to meet your statutory deadline, provided you give us reasonable notice within that window.

Manifestly unfounded or excessive requests. If a request you pass to us is manifestly unfounded or excessive, for example, because it is repetitive, we may either charge a reasonable fee for handling it or refuse to act on it. We will tell you which and why.

Costs. Standard help, such as answering questions about how COHO processes data, pointing you to where data lives in the platform, and providing the system-only data described above is included in your subscription. Where you ask us to do work that goes beyond that, including but not limited to bulk extracts, bespoke reports, in-depth breach investigation work driven by your own systems rather than ours, or assistance with DPIAs that requires significant input from our team, we may charge our reasonable time costs. We will tell you the expected cost before doing the work and you can decide whether to proceed.

Personal data breaches

If we find out about a personal data breach involving your data, we’ll tell you without undue delay, and in any event within 48 hours of becoming aware. We’ll give you the information you need to meet your own breach notification duties, providing further information as it becomes available where the initial notification is incomplete.

Showing we’re compliant

We’ll give you the information you need to show you’re using a compliant processor.

In most cases we can answer your audit questions by giving you our security summary, sub-processor list, completed questionnaires, or third-party reports we already have. If those don’t cover what you’re asking, we’ll agree a sensible way to go further.

You can audit us, or get a qualified third party to audit us on your behalf, in relation to our compliance with this DPA. Audits may take place on reasonable prior written notice (not less than 30 days), no more than once in any 12-month period.

Beyond the information we make available as standard, you bear the reasonable costs of any audit you mandate.

When you stop using COHO

When your access to a service ends, you can:

  • keep the data in your account during any agreed wind-down period; or
  • ask us in writing to delete or return it — your choice.

The only exception is data we have to keep by law. Where that applies, we’ll only keep it for as long as the law requires, and we’ll keep it protected.

Your responsibilities

You confirm that you only put data into COHO that you have the right to handle. You’re responsible for:

  • making sure your instructions to us are clear and lawful;
  • keeping the data you upload accurate;
  • having the right basis for any special category or sensitive information you upload;
  • meeting your own duties under UK data protection law, including telling the people whose data you upload that you’re using COHO to handle it.

Liability

The same liability rules that apply to the rest of your agreement with us apply here.

If this DPA and the rest of your agreement disagree

If anything in this DPA conflicts with the rest of your agreement, this DPA wins — but only for things to do with handling personal data on your behalf.

Governing law

This agreement is governed by the laws of England and Wales, and the courts of England and Wales have jurisdiction.

Changes

We may update this page from time to time. The effective date at the top shows when it was last changed. Please check this page periodically as we don’t notify you of changes.

Get in touch

If you have any questions about this agreement please email us at support@coho.life.

For our regulator details, see our security summary. We’re registered with the ICO under registration number ZA749111.

Changes to this agreement

22nd May 2026

  • Clarified that when responding to a data subject rights request you should first gather the data you can extract through COHO yourself, and that our help is focused on data you cannot reach through the platform (for example, system audit logs).
  • Added a process for requesting our help with data subject rights requests, including the information we need from you.
  • Added that we may charge a reasonable fee for, or refuse, requests that are manifestly unfounded or excessive.
  • Added that work beyond standard help — such as bulk extracts, bespoke reports, or significant input into your DPIAs — may be chargeable at our reasonable time costs, with the expected cost agreed before we start.
  • Committed to notifying you of a personal data breach within 48 hours of becoming aware (previously: “without undue delay”).
  • Tightened the audit clause: audits are now expressly scoped to our compliance with this DPA, require at least 30 days’ written notice, and are capped at one in any 12-month period.

12th May 2026 – separated from terms and conditions

  • The processor terms that previously sat within our terms and conditions were moved into this standalone Data Processing Agreement, restructured
    for clarity and to make the controller/processor relationship easier to reference. No change to the substance of how we process your data.