BLDX AI

Data Processing Agreement

Enterprise | GDPR Article 28 | Last Updated: August 2025

This Data Processing Agreement ("DPA") forms part of the Master Service Agreement between BuildX AI (the "Processor") and the Customer (the "Controller") for the provision of BuildX AI services.

SOC 2 Compliant | ISO 27001 | Enterprise Ready

Important Notice

This DPA is designed for Enterprise customers and requires execution by authorized representatives of both parties. For standard service terms, please refer to our Privacy Policy and Terms of Service.

1. Definitions and Interpretation

Key Definitions

  • "Controller" means the entity that determines the purposes and means of processing Personal Data
  • "Processor" means BuildX AI, processing Personal Data on behalf of the Controller
  • "Data Subject" means an identified or identifiable natural person
  • "Personal Data" means any information relating to a Data Subject
  • "Processing" means any operation performed on Personal Data
  • "Sub-processor" means any third party engaged by Processor to process Personal Data

2. Scope and Application

Agreement Coverage

  • This DPA applies to all Processing of Personal Data by BuildX AI on behalf of Customer
  • This DPA supplements and forms part of the Master Service Agreement
  • In case of conflict, this DPA prevails over the Master Service Agreement for data protection matters
  • This DPA applies to all BuildX AI services unless explicitly excluded

3. Data Processing Details

Nature and Purpose

  • Processing necessary to provide construction management and AI services
  • Data analytics and reporting for project insights
  • Storage and backup of project data
  • Technical support and service improvement

Categories of Data

  • Contact information (names, emails, phone numbers)
  • Project data and construction documents
  • Financial and billing information
  • Usage data and system logs
  • Communications and support tickets

Categories of Data Subjects

  • Customer employees and contractors
  • Customer clients and partners
  • End users of the BuildX AI platform
  • Individuals mentioned in project documentation

4. Processor Obligations

BuildX AI Shall

  • Process Personal Data only on documented instructions from Controller
  • Ensure persons authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist Controller in responding to data subject requests
  • Make available all information necessary to demonstrate compliance
  • Delete or return all Personal Data at the end of services
  • Maintain records of all processing activities

5. Controller Responsibilities

Customer Shall

  • Provide lawful instructions for data processing
  • Ensure legal basis for processing Personal Data
  • Comply with all applicable data protection laws
  • Obtain necessary consents from Data Subjects
  • Inform BuildX AI of any data protection requirements
  • Review and approve Sub-processors as needed

6. Security Measures

Technical Measures

  • Encryption of data in transit and at rest (AES-256)
  • Multi-factor authentication for system access
  • Regular security patches and updates
  • Network segmentation and firewall protection
  • Intrusion detection and prevention systems
  • Regular penetration testing and vulnerability assessments

Organizational Measures

  • Access control on need-to-know basis
  • Background checks for personnel with data access
  • Regular security training for employees
  • Incident response procedures
  • Business continuity and disaster recovery plans
  • Regular security audits and compliance reviews

7. Sub-processors

Current Sub-processors

  • Amazon Web Services (AWS) - Cloud infrastructure
  • Google Cloud Platform - Additional compute and storage
  • Stripe - Payment processing
  • SendGrid - Email delivery
  • Datadog - System monitoring
  • Current list available at: buildxai.com/sub-processors

Adding New Sub-processors

  • BuildX AI will notify Customer 30 days before adding Sub-processors
  • Customer may object to new Sub-processors within 14 days
  • If objection cannot be resolved, Customer may terminate affected services
  • BuildX AI remains liable for Sub-processor compliance

8. International Transfers

Transfer Mechanisms

  • Standard Contractual Clauses (SCCs) for EU/EEA transfers
  • Adequacy decisions where applicable
  • Additional safeguards as required by law
  • Data localization options for Enterprise customers

Transfer Locations

  • Primary processing in United States
  • Backup and disaster recovery in multiple regions
  • Support may be provided from global locations
  • All transfers comply with applicable data protection laws

9. Data Subject Rights

Assistance with Rights

  • Access to Personal Data
  • Rectification of inaccurate data
  • Erasure (right to be forgotten)
  • Restriction of processing
  • Data portability
  • Objection to processing
  • Rights related to automated decision-making

Response Process

  • BuildX AI will assist within 5 business days of request
  • Provide necessary tools and interfaces for data management
  • Document all requests and responses
  • Notify Controller of direct requests from Data Subjects

10. Data Breach Management

Breach Notification

  • Notify Controller within 48 hours of becoming aware
  • Provide details of breach nature and impact
  • Estimated number of affected Data Subjects
  • Categories of Personal Data involved
  • Measures taken to address the breach
  • Recommendations for mitigation

Breach Response

  • Immediate containment and investigation
  • Preserve evidence for analysis
  • Implement remediation measures
  • Support regulatory notifications
  • Provide ongoing updates to Controller
  • Post-incident review and improvements

11. Audits and Compliance

Audit Rights

  • Annual audits permitted with 30 days' notice
  • Access to relevant compliance certifications
  • SOC 2 Type II reports available
  • ISO 27001 certification maintained
  • Reasonable assistance with regulatory audits

Compliance Evidence

  • Processing records and logs
  • Security assessment reports
  • Sub-processor agreements
  • Training records
  • Incident response documentation

12. Liability and Indemnification

Limitation of Liability

  • Each party's liability limited as per Master Service Agreement
  • Exceptions for gross negligence or willful misconduct
  • Regulatory fines excluded from liability caps
  • Direct damages only unless otherwise specified

Indemnification

  • Each party indemnifies for its own violations
  • Controller indemnifies for lawful processing instructions
  • Processor indemnifies for unauthorized processing
  • Cooperation in defense of claims

13. Term and Termination

Duration

  • DPA effective for duration of Master Service Agreement
  • Survives termination for processing obligations
  • Data retention per legal requirements

Data Return and Deletion

  • Export tools available during service term
  • 30-day grace period for data retrieval after termination
  • Secure deletion after grace period
  • Certificate of deletion provided upon request
  • Legal hold exceptions apply

Execute This Agreement

To execute this Data Processing Agreement for your organization, please contact our legal team with your company details and authorized signatory information.

Legal Department

legal@buildxai.com

1-800-BUILD-AI

Data Protection Officer

dpo@buildxai.com

privacy.buildxai.com

© 2025 BuildX AI. All rights reserved.

This Data Processing Agreement complies with GDPR Article 28 requirements.