Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between:

Effective Date: This DPA takes effect on the later of (a) the date Customer first processes personal data via the Buildynx Services, or (b) the date both parties execute this agreement electronically or in writing.

Legal Framework Alignment

This DPA incorporates requirements from:

• UK UK GDPR + Data Protection Act 2018, Article 28
• EU EU GDPR (Regulation 2016/679), Article 28 + Standard Contractual Clauses (Module Two: Controller to Processor)
• UAE Federal Decree-Law No. 45 of 2021 (PDPL) + applicable free zone regulations

Capitalized terms not defined herein have the meanings given in the Terms of Service. For purposes of this DPA:

Term	Definition
Applicable Data Protection Law	UK GDPR, EU GDPR, UAE PDPL, and other applicable data protection laws and regulations in force from time to time
Controller Instructions	Customer's documented instructions to Buildynx regarding Processing of Personal Data, including via the Services interface, written agreements, or support tickets
Personal Data	Any information relating to an identified or identifiable natural person that is processed by Buildynx on behalf of Customer via the Services
Processing	Any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction
Security Incident	Any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed
Subprocessor	Any third party engaged by Buildynx to assist in providing the Services, including cloud infrastructure, analytics, support, or AI model providers

Buildynx shall process Personal Data only in accordance with this DPA and Customer's documented instructions. Specifically, Buildynx agrees to:

📋 Processing Scope & Purpose

• Process Personal Data only to provide the Services, improve functionality (subject to Customer privacy settings), ensure security, and comply with legal obligations
• Not process Personal Data for any purpose outside the scope of the Services without Customer's prior written consent
• Ensure that persons authorized to process Personal Data are committed to confidentiality or under appropriate statutory obligation

🔐 Security of Processing

Buildynx shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Annex B: Security Measures. These measures include:

🤖 AI-Specific Processing Safeguards

When AI features process Personal Data on Customer's behalf:

• Customer Input and AI Output are processed solely to deliver the requested functionality
• By default, Personal Data is not used to train foundational AI models. If Customer opts into model improvement programs, data is anonymized/aggregated per Annex A
• AI processing occurs in secure, isolated environments with audit logging
• Customer retains ownership of Output; Buildynx claims no rights over Customer Personal Data

Customer acknowledges and agrees that Buildynx may engage Subprocessors to assist in providing the Services. Buildynx shall:

Subprocessor Authorization

• Maintain an up-to-date list of authorized Subprocessors at /trust-center
• Provide Customer with ≥30 days' prior notice of any new Subprocessor that will process Personal Data
• Allow Customer to object to a new Subprocessor on reasonable grounds; if unresolved, Customer may terminate the affected Services with pro-rated refund

Subprocessor Obligations

Buildynx shall ensure each Subprocessor is bound by written contractual terms that provide substantially the same level of data protection as this DPA, including:

• Processing only on documented instructions from Buildynx (flowing from Customer)
• Implementing appropriate security measures per Annex B
• Assisting Buildynx in fulfilling Customer's data subject rights requests
• Returning or deleting Personal Data upon termination

Current Subprocessors (Summary)

Subprocessor	Purpose	Location	Transfer Mechanism
AWS / Google Cloud	Cloud infrastructure, hosting, storage	EU/UK/UAE regions available	SCCs / IDTA / Adequacy
Stripe	Payment processing	Global (PCI-DSS compliant)	SCCs
Plausible Analytics	Privacy-focused usage analytics	EU (Germany)	Adequacy / SCCs
Intercom	Customer support messaging	US/EU	SCCs + data residency options
AI Model Providers	AI inference for platform features	Varies (documented per feature)	SCCs + technical safeguards

View the complete, real-time Subprocessor List with contact details and data flow diagrams at our Trust Center.

Where Personal Data is transferred outside the UK, EEA, or UAE to jurisdictions without an adequacy decision, Buildynx shall ensure appropriate safeguards are in place:

Transfer Impact Assessments

Buildynx conducts regular assessments of third-country laws and practices that may impact the effectiveness of transfer safeguards. Where risks are identified, we implement supplementary measures (e.g., encryption, pseudonymization, contractual commitments) and notify Customer of material changes.

Buildynx shall assist Customer, through appropriate technical and organizational measures, in fulfilling its obligations to respond to requests from individuals exercising their rights under Applicable Data Protection Law.

Supported Rights

Right	Buildynx Assistance
Access / Portability	Provide Customer with tools to export Personal Data in structured, commonly used format (JSON, CSV)
Rectification	Enable Customer to update/correct Personal Data via platform interface or API
Erasure ("Right to be forgotten")	Provide secure deletion workflows; confirm completion within statutory timeframes
Restriction of Processing	Support flagging accounts/data for restricted processing pending verification
Objection	Assist Customer in evaluating and implementing objections to processing

Request Handling Process

1. Customer receives a data subject request and verifies the individual's identity
2. Customer submits a request to Buildynx via privacy@buildynx.com or the platform's admin console
3. Buildynx processes the request within statutory timeframes (typically 30 days)
4. Buildynx provides Customer with confirmation and any required data for fulfillment

Buildynx shall notify Customer without undue delay if it receives a data subject request directly, and shall not respond except upon Customer's instruction or as required by law.

In the event Buildynx becomes aware of a Security Incident affecting Personal Data processed under this DPA, Buildynx shall:

Notification Timeline

• Initial Notice: Notify Customer without undue delay, and in any event within 72 hours of confirmation (or as required by UAE PDPL)
• Follow-up Updates: Provide timely updates as investigation progresses, including root cause, scope, and remediation steps
• Final Report: Deliver a written report upon resolution, including lessons learned and preventive measures

Notification Content

Each notification shall include, to the extent known:

• Nature of the Security Incident and categories of Personal Data affected
• Approximate number of data subjects and records concerned
• Likely consequences and risks to individuals
• Measures taken or proposed to address the incident and mitigate adverse effects
• Contact details of Buildynx's incident response lead for further information

Customer Cooperation

Customer shall cooperate with Buildynx's investigation and response efforts, including providing necessary information to assess impact and fulfill regulatory notification obligations. Buildynx shall not admit liability or make public statements regarding the incident without Customer's prior consent, except where required by law.

Customer may verify Buildynx's compliance with this DPA through the following mechanisms:

Standard Compliance Documentation

Buildynx shall make available to Customer, upon request and under confidentiality:

• Current SOC 2 Type II report (or equivalent independent audit)
• ISO 27001 certification status and scope
• Penetration testing summaries (redacted for security)
• Subprocessor due diligence questionnaires
• Information security policies (high-level summary)

Customer-Initiated Audits

For Enterprise customers processing high-volume or sensitive Personal Data:

• Audits may be requested no more than once per 12-month period
• Customer shall provide ≥30 days' written notice and scope definition
• Audits shall be conducted during business hours, remotely or on-site, at Customer's expense
• Buildynx personnel shall accompany auditors; proprietary information may be redacted
• Audit reports shall be treated as confidential and used solely for compliance verification

Regulatory Inspections

If a supervisory authority (e.g., UK ICO, EU DPA, UAE Data Office) requests information about Buildynx's processing on Customer's behalf, Buildynx shall notify Customer promptly (unless legally prohibited) and cooperate in good faith to facilitate the inquiry.

Upon termination or expiration of the Services, or at Customer's written instruction during the term, Buildynx shall:

Customer Options

Action	Timeline	Method
Export Data	Within 30 days of request	Self-service export via platform; API access; secure download link
Delete Data	Within 90 days of termination	Secure erasure per NIST 800-88; certificate of destruction available
Retain for Legal Hold	As required by law	Isolated storage with access restrictions; deleted once obligation ends

Exceptions

Buildynx may retain copies of Personal Data only to the extent required by Applicable Data Protection Law or other legal obligations (e.g., tax records, fraud prevention). Such retained data shall remain protected under this DPA and not be used for any other purpose.

Regulatory Fines Allocation

To the extent a supervisory authority imposes a fine or penalty on Customer solely due to Buildynx's breach of this DPA or Applicable Data Protection Law:

• Buildynx shall indemnify Customer for the amount of such fine, subject to the liability cap in the Terms of Service
• Customer shall notify Buildynx promptly, allow Buildynx to participate in the defense, and not admit liability without Buildynx's consent
• This indemnity does not apply to fines arising from Customer's instructions, negligence, or breach of its own obligations

Third-Party Claims

Each party shall indemnify the other against third-party claims arising from its breach of this DPA or negligent processing of Personal Data, subject to the liability limitations in the Terms of Service.

Carve-Outs

Nothing in this DPA limits liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot be excluded under Applicable Data Protection Law.

Term & Termination

This DPA remains in effect for as long as Buildynx processes Personal Data on Customer's behalf. Either party may terminate this DPA if the other materially breaches its data protection obligations and fails to cure within 30 days of written notice.

Amendments

Buildynx may update this DPA to reflect changes in law, regulation, or Services. Material changes will be communicated ≥30 days in advance. Continued use of the Services after the effective date constitutes acceptance. Customer may object to material changes by terminating the affected Services.

Severability

If any provision is held invalid or unenforceable, the remaining provisions shall remain in full force, and the invalid provision shall be replaced by a valid provision reflecting the original intent as closely as permitted by law.

Governing Law

This DPA shall be governed by the same law as the Terms of Service (England & Wales for UK customers; Ireland for EU customers; UAE federal law for UAE customers), without regard to conflict of laws principles. Mandatory consumer protections of Customer's jurisdiction apply where applicable.

Notices

All notices under this DPA shall be sent to:

• To Buildynx: legal@buildynx.com (with copy to dpo@buildynx.com)
• To Customer: The email address associated with the account administrator, or as otherwise designated in writing

The following annexes form an integral part of this DPA. They may be updated by Buildynx with notice to Customer as described in Section 11.

This DPA is incorporated into the Terms of Service and becomes binding when Customer first processes Personal Data via the Buildynx Services. For Enterprise customers requiring a separately executed agreement:

Electronic Execution

Buildynx accepts electronic signatures and clickwrap acceptance. By:

1. Checking "I agree to the Data Processing Agreement" during account setup, or
2. Continuing to use the Services after being notified of DPA updates, or
3. Signing a separate written agreement referencing this DPA

Customer acknowledges acceptance of this DPA on behalf of the Controller entity.