Data Protection Impact Assessment

Pre-filled DPIA template to support your internal data protection review of the Landworth platform. Adapt and extend as required for your organisation's processes.

1. Project Description

System Name

Landworth — Automated Desktop Valuation & Due Diligence Platform

Purpose

Landworth provides specialist property lenders with automated desktop valuations, due diligence checks, and credit paper generation. The platform aggregates property data from multiple sources, applies valuation methodologies, and produces structured outputs for human review and approval.

Data Controller

Your organisation (as the entity commissioning valuations and due diligence through the Landworth platform).

Data Processor

Landworth Ltd, registered in England and Wales. Processing is governed by a Data Processing Agreement (DPA) executed between the parties.

2. Data Types Processed

Property Data

Property addresses, title information, planning history, comparable transaction data, EPC data, flood risk assessments, and other publicly available or licensed property datasets.

Borrower & Entity Data

Borrower names, company names, company registration numbers, and directorship information as provided by the client or obtained from public registries (e.g. Companies House) for due diligence purposes.

Valuation Outputs

Generated valuation figures, comparable evidence selections, methodology explanations, due diligence check results, and credit paper content. These outputs are derived from the input data and are subject to human review.

Platform User Data

Names, email addresses, and role information of users within your organisation who access the Landworth platform.

3. Legal Basis for Processing

The legal basis for processing will depend on your organisation's specific circumstances. Common bases include:

  • Legitimate interests (Article 6(1)(f) UK GDPR): Processing property and borrower data for lending risk assessment and due diligence, where such processing is necessary for and proportionate to the legitimate business interests of the controller.
  • Contractual necessity (Article 6(1)(b) UK GDPR): Where processing is necessary for the performance of a contract with the borrower or to take steps at the borrower's request prior to entering into a contract.
  • Legal obligation (Article 6(1)(c) UK GDPR): Where processing is required to comply with regulatory obligations, such as anti-money laundering or fraud prevention requirements.

Your organisation should confirm the applicable legal basis with your Data Protection Officer or legal counsel.

4. Data Flows

Data Ingress

Data enters the platform via: (a) direct input by your organisation's users through the platform interface; (b) API integration with your existing systems; and (c) automated retrieval from licensed and public data sources.

Processing

Data is processed within the Landworth platform environment. Processing includes aggregation, comparison, valuation model application, and due diligence checks. Outputs are generated for human review.

Data Egress

Outputs are made available to authorised users within your organisation via the platform interface, API, or document export. Data is not shared with third parties other than as specified in the Data Processing Agreement.

Data Storage & Residency

Data is stored within UK/EEA jurisdiction. International transfers, if any, are governed by appropriate safeguards as detailed in the Data Processing Agreement.

5. Risk Assessment

The following risks have been identified. Your organisation should assess likelihood and severity in the context of your specific use case.

Risk | Likelihood | Severity | Mitigation
Unauthorised access to personal data | [Assess] | [Assess] | RBAC, SSO, MFA enforcement, least privilege access, audit logging
Data breach during transit | [Assess] | [Assess] | TLS 1.2+ encryption, no deprecated cipher suites, certificate management
Inaccurate automated outputs | [Assess] | [Assess] | Human-in-the-loop review, citation of sources, override logging
Excessive data retention | [Assess] | [Assess] | Configurable retention policies, automated deletion, auditable deletion process
Loss of data availability | [Assess] | [Assess] | Cloud infrastructure redundancy, backup procedures, disaster recovery planning

Cells marked [Assess] should be completed by your organisation based on your specific context and risk appetite.

6. Mitigation Measures Summary

The following measures are in place within the Landworth platform to mitigate identified risks:

  • Access controls: RBAC, SSO via SAML 2.0 / OpenID Connect, support for MFA at the identity provider level
  • Encryption: AES-256 at rest, TLS 1.2+ in transit
  • Audit trail: Comprehensive logging of user actions, data access, approvals, and overrides
  • Human-in-the-loop: All automated outputs are subject to human review and approval before use in lending decisions
  • Data minimisation: Only data necessary for the stated purposes is processed. Configurable retention and automated deletion
  • Data residency: Data processed and stored within UK/EEA jurisdiction
  • Incident response: Documented incident response process with notification obligations

7. DPO / Privacy Lead Sign-Off

Reviewed by

[Name / Role]

Date

[DD/MM/YYYY]

Outcome

[Approved / Approved with conditions / Referred for further review]

Notes

[Any additional notes or conditions]

Version 1.0 · Last updated: March 2026

Contact: security@landworth.ai
