Data Processing Agreement
Our commitments as a processor of your project data.
Last updated: June 2026
This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Controller") and Bildstak ("Processor") and governs the processing of personal data that Bildstak carries out on the Controller's behalf when providing the Service. It applies where data protection laws such as the GDPR or PIPEDA are relevant to the processing.
Definitions and roles
In this DPA, "controller", "processor", "personal data", "processing", and "data subject" have the meanings given under applicable data protection law. "Subprocessor" means any third party engaged by Bildstak to process personal data on the Controller's behalf.
The parties acknowledge that, with respect to Customer Data containing personal data processed through the Service, the Controller is the controller and Bildstak is the processor. Bildstak processes personal data only on documented instructions from the Controller.
Scope and instructions
Bildstak will process personal data only to provide and support the Service and otherwise in accordance with the Controller's documented instructions, including those set out in the agreement and this DPA. The subject matter is the provision of the construction-intelligence platform; the duration is the term of the agreement.
The nature and purpose of processing include hosting, structuring, analyzing, and presenting connected project data. The types of personal data and categories of data subjects are determined by the Controller through the data it connects or uploads. Bildstak will inform the Controller if, in its opinion, an instruction infringes applicable law.
Confidentiality
Bildstak will ensure that personnel authorized to process personal data are bound by appropriate confidentiality obligations and are trained to handle personal data in accordance with this DPA. Access to personal data is limited to those who need it to deliver and support the Service.
Security measures
Bildstak will implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, taking into account the state of the art and the risks of the processing.
- Encryption of personal data in transit and at rest;
- Role-based access controls and least-privilege access;
- Network segmentation and secure configuration of systems;
- Logging, monitoring, and alerting for security-relevant events;
- Regular review and testing of security controls; and
- Measures to support resilience and timely restoration of access to data.
Subprocessors
The Controller provides general authorization for Bildstak to engage subprocessors to support the Service. Bildstak maintains a current list of subprocessors and will provide a mechanism to receive notice of intended changes, giving the Controller the opportunity to object on reasonable data-protection grounds.
Bildstak will impose data-protection obligations on each subprocessor that are substantially consistent with those in this DPA (flow-down) and remains responsible for the performance of its subprocessors.
Assistance with data-subject requests
Taking into account the nature of the processing, Bildstak will provide reasonable assistance, through appropriate technical and organizational measures, to help the Controller respond to requests from data subjects to exercise their rights, such as access, rectification, erasure, restriction, portability, and objection.
If Bildstak receives a request directly from a data subject relating to Controller personal data, it will, where permitted, direct the data subject to the Controller rather than respond independently.
Personal data breach notification
Bildstak will notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller personal data, and will provide information reasonably available to assist the Controller in meeting its own notification and reporting obligations, including under the GDPR and PIPEDA.
Bildstak will take reasonable steps to investigate, contain, and remediate the breach and to mitigate its possible adverse effects.
International transfers
Where processing of personal data subject to the GDPR involves a transfer outside the EU/EEA, the parties will rely on a valid transfer mechanism, such as the European Commission's Standard Contractual Clauses, together with any supplementary measures required, which are incorporated by reference into this DPA.
Self-hosted deployments enable the Controller to determine the location of its data and may avoid such transfers entirely.
Audit
Bildstak will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable notice, confidentiality obligations, and limits designed to protect the security and continuity of the Service and other customers' data.
Deletion or return of data
On termination or expiry of the agreement, Bildstak will, at the Controller's choice, delete or return personal data and delete existing copies, unless retention is required by applicable law. Bildstak will provide the Controller a reasonable opportunity to export Customer Data before deletion.
Liability and governing law
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the agreement. This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, except where applicable data protection law requires otherwise. In the event of conflict between this DPA and the agreement regarding the processing of personal data, this DPA controls.
This page is a general summary provided for convenience and does not constitute legal advice; please direct any questions to [email protected].