This Data Processing Addendum ("DPA") forms part of the Buildaur Master Terms of Service (the "Agreement") between Buildaur LLC ("Buildaur," "Processor," "we," "us," or "our") and the Business Client identified in the Agreement ("Customer," "Controller," "you," or "your"). It governs Buildaur's processing of personal data on Customer's behalf in connection with the Service.
In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the processing of personal data.
1. Definitions
"Applicable Data Protection Laws" means all data protection and privacy laws applicable to the processing of personal data under the Agreement, including (as applicable) the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and other comparable U.S. state privacy laws.
"Personal Data," "Controller," "Processor," "Process / Processing," "Data Subject," "Sub-processor," "Service Provider," and "Sale" / "Share" have the meanings given to them in the Applicable Data Protection Laws.
"Customer Personal Data" means Personal Data that Buildaur processes on behalf of Customer in connection with the Service.
2. Roles of the Parties
The parties acknowledge that, with respect to Customer Personal Data, Customer is the Controller (or, where Customer is itself a processor, a Processor) and Buildaur is the Processor (or, where applicable, a Sub-processor). Under the CCPA, Buildaur is a Service Provider with respect to Customer Personal Data.
3. Processing of Customer Personal Data
3.1 Customer Instructions.
Buildaur will process Customer Personal Data only on documented instructions from Customer, including with respect to international transfers, except where required to do so by law. The Agreement (including this DPA) constitutes Customer's documented instructions.
3.2 Subject Matter, Duration, Nature, and Purpose.
The subject matter of the processing is the provision of the Service. The duration is the term of the Agreement (plus any retention period required to fulfill Buildaur's obligations or as required by law). The nature and purpose is to enable Customer to operate Buildaur-powered builders, capture End Customer order data, and use the related dashboards, integrations, and APIs.
3.3 Categories of Data Subjects.
- Customer's End Customers (people placing custom orders through Customer's builder);
- Customer's employees, contractors, and authorized users.
3.4 Categories of Personal Data.
- Identifiers (name, email, phone number, billing/shipping address);
- Order details and design content uploaded to the builder;
- Payment metadata (handled by Stripe; not stored by Buildaur);
- Online identifiers (IP address, device data, log data).
3.5 No Sale or Sharing.
Buildaur will not (a) sell or share Customer Personal Data, (b) retain, use, or disclose Customer Personal Data for any purpose other than performing the Services or as permitted by Applicable Data Protection Laws, (c) retain, use, or disclose Customer Personal Data outside the direct business relationship between Buildaur and Customer, or (d) combine Customer Personal Data with personal data received from another source, except as expressly permitted by the CCPA.
4. Confidentiality and Security
4.1 Confidentiality.
Buildaur ensures that personnel authorized to process Customer Personal Data are bound by confidentiality obligations.
4.2 Security Measures.
Buildaur implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption in transit, access controls, vendor due diligence, regular review, and incident response procedures. A summary of measures is provided on request.
5. Sub-processors
5.1 General Authorization.
Customer provides general authorization for Buildaur to engage Sub-processors to perform certain processing activities. Buildaur maintains a current list of Sub-processors at buildaur.app/subprocessors (the "Subprocessor List").
5.2 Sub-processor Obligations.
Buildaur enters into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA, and remains liable for the acts and omissions of its Sub-processors.
5.3 Notice and Objection.
Buildaur will notify Customer at least thirty (30) days before adding or replacing a Sub-processor (by email or by updating the Subprocessor List with a public changelog). If Customer reasonably objects on data protection grounds, the parties will work in good faith to find a resolution; if no resolution is reached, Customer may terminate the affected portion of the Service for cause.
6. Assistance to Customer
Taking into account the nature of processing, Buildaur will assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligations to:
- Respond to Data Subject requests (access, correction, deletion, portability, objection, opt-out);
- Conduct data protection impact assessments and prior consultations with regulators;
- Notify regulators and Data Subjects of personal data breaches.
If a Data Subject contacts Buildaur directly with a request related to Customer Personal Data, Buildaur will, without undue delay, forward the request to Customer and will not respond to the Data Subject except to confirm receipt and to redirect the Data Subject to Customer.
7. Personal Data Breaches
Buildaur will notify Customer without undue delay (and where feasible within 72 hours) after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include, to the extent then known: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, the measures taken or proposed, and a contact point for further information.
8. Deletion or Return of Customer Personal Data
Upon termination of the Agreement, Buildaur will, at Customer's choice, delete or return all Customer Personal Data, except to the extent retention is required by Applicable Data Protection Laws. Where retention is required, Buildaur will continue to protect the data in accordance with this DPA.
9. Audits
Customer may, on reasonable prior written notice and not more than once per twelve (12) month period (except where required by a regulator or following a personal data breach), request information necessary to demonstrate compliance with this DPA. Buildaur may satisfy this obligation by providing summary documentation of its security and compliance program. On-site audits, where required by Applicable Data Protection Laws, will be conducted during normal business hours, with reasonable prior notice, and at Customer's cost.
10. International Transfers
10.1 Transfers Generally.
To the extent Buildaur processes Customer Personal Data subject to GDPR, UK GDPR, or Swiss data protection law in a jurisdiction not the subject of an adequacy decision, the transfer is governed by the European Commission Standard Contractual Clauses (Module 2 — Controller to Processor, or Module 3 — Processor to Processor, as applicable), the UK International Data Transfer Addendum, and / or the Swiss equivalents (collectively, the "Transfer Mechanisms"), each of which is incorporated into this DPA by reference.
10.2 Selected Options.
The parties select the optional clauses as follows: docking clause — included; redress — option (i); audits — Module 2 / 3 standard; governing law and forum — as set out in the Agreement, except where the Transfer Mechanisms require otherwise.
11. CCPA-Specific Provisions
To the extent Buildaur processes Customer Personal Data subject to the CCPA, Buildaur acts as a Service Provider. Buildaur certifies that it understands the obligations of a Service Provider under the CCPA and will comply with them. Buildaur will not (a) Sell or Share personal information; (b) retain, use, or disclose personal information outside the direct business relationship; (c) combine personal information received from Customer with personal information from another source, except as permitted by the CCPA. Buildaur will notify Customer if it determines it can no longer meet its obligations under the CCPA.
12. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Agreement.
13. Order of Precedence
In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to processing of Personal Data. In the event of a conflict between this DPA and the Transfer Mechanisms, the Transfer Mechanisms prevail.
14. Contact
Privacy and DPA-related inquiries may be sent to:
Buildaur LLC
Email: support@buildaur.app
Website: buildaur.app