Data Processing Agreement

BuildForce Data Processing Agreement

Last updated: February 2026. This Data Processing Agreement outlines how BuildForce processes personal data on behalf of customer organizations.

1. Parties and scope

This Data Processing Agreement ('DPA') is entered into between BuildForce ('Processor') and the customer organization ('Controller') that has agreed to the BuildForce Terms of Service. This DPA covers all personal data processed by BuildForce on behalf of the Controller through the BuildForce platform and related services.

2. Definitions

The following definitions apply to this DPA, aligned with GDPR, CCPA, and other applicable data protection frameworks:

  • Personal Data: Any information relating to an identified or identifiable natural person, including names, email addresses, user identifiers, and usage data.
  • Processing: Any operation performed on personal data, including collection, recording, organization, storage, retrieval, use, disclosure, or deletion.
  • Data Subject: An identified or identifiable natural person whose personal data is processed.
  • Sub-processor: A third-party entity engaged by BuildForce to process personal data on behalf of the Controller.
  • Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

3. Data processing details

BuildForce processes personal data as follows:

  • Categories of data subjects: Customer employees and administrators, platform end-users whose metadata is referenced in connected platforms.
  • Types of personal data: Names, email addresses, user IDs, platform connection metadata, usage logs, AI conversation history, and account configuration data.
  • Purpose of processing: Providing AI-native SaaS management services as described in the BuildForce Terms of Service, including health checks, deployment automation, AI consulting, and data management.
  • Duration of processing: For the term of the service agreement, plus the data retention period described in the BuildForce Privacy Policy.

4. Processor obligations

BuildForce, as the Processor, commits to the following obligations:

  • Process personal data only on documented instructions from the Controller, unless required by applicable law.
  • Ensure that all personnel authorized to process personal data have committed to confidentiality obligations.
  • Implement appropriate technical and organizational security measures to protect personal data (detailed in Section 6 and on our Security page at /security).
  • Assist the Controller in fulfilling data subject rights requests, including access, correction, deletion, and data portability, within 30 days of receiving a request.
  • Delete or return all personal data to the Controller upon termination of services, at the Controller's election, subject to any legal retention requirements.
  • Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.

5. Sub-processors

BuildForce engages the following sub-processors to deliver its services. The Controller authorizes the use of these sub-processors:

  • Supabase (database hosting, authentication, and edge functions) — United States.
  • Vercel (application hosting and content delivery) — United States and global edge network.
  • OpenRouter (AI model routing and inference) — United States.
  • Cloudflare (edge workers, DNS, and DDoS protection) — Global.
  • Stripe (payment processing and billing) — United States.

BuildForce will notify the Controller of any new sub-processors at least 30 days before they begin processing personal data. The Controller may object to a new sub-processor in writing within 14 days of notification.

6. Security measures

BuildForce implements enterprise-grade security measures to protect personal data. A detailed description is available on our Security page at /security. Key measures include:

  • Encryption at rest using AES-256 for all stored data, including OAuth tokens and credentials.
  • Encryption in transit using TLS 1.3+ for all data transmissions.
  • Role-based access control (RBAC) with least-privilege principles for all internal systems.
  • Multi-factor authentication (MFA) for administrative access.
  • Continuous vulnerability scanning, dependency monitoring, and automated threat detection.
  • Incident response procedures with defined escalation paths and 24/7 monitoring capabilities.

7. Data breach notification

In the event of a personal data breach, BuildForce will:

  • Notify the Controller without undue delay, and where feasible within 72 hours, after becoming aware of a personal data breach.
  • Include in the notification: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences of the breach, and measures taken or proposed to address the breach.
  • Cooperate with the Controller in investigating and mitigating the breach, and in fulfilling any notification obligations the Controller may have to supervisory authorities or data subjects.
  • Document all data breaches, including the facts, effects, and remedial actions taken, regardless of whether notification to the Controller is required.

8. International data transfers

BuildForce processes data primarily in the United States. For international data transfers:

  • Data is processed on servers located in the United States and delivered globally through Vercel and Cloudflare edge networks.
  • For EU/EEA data transfers: Standard Contractual Clauses (SCCs) as approved by the European Commission are available upon request to ensure adequate data protection for cross-border transfers.
  • For UK data transfers: The International Data Transfer Agreement (IDTA) or UK Addendum to SCCs is available upon request.
  • Contact legal@buildforce.io to request execution of applicable transfer mechanisms.

9. FERPA addendum (education sector)

For customer organizations in the education sector, the following additional terms apply:

  • BuildForce does not intentionally access, process, or store student education records as defined by the Family Educational Rights and Privacy Act (FERPA).
  • The BuildForce platform operates at the metadata and configuration level of connected platforms, not at the individual student record level.
  • If the Controller determines that FERPA-protected data may be involved in its use of BuildForce, BuildForce will execute a FERPA-specific supplemental agreement upon request.
  • BuildForce will not re-disclose any education records to third parties except as directed by the Controller or as required by law.
  • The Controller remains the sole owner and custodian of all student education records and is responsible for determining what data is shared with BuildForce.

10. Audit rights

The Controller may verify BuildForce's compliance with this DPA:

  • The Controller may request an audit of BuildForce's data processing practices upon reasonable written notice, no more than once per calendar year, during normal business hours.
  • BuildForce may satisfy audit requests by providing relevant third-party audit reports (such as SOC 2 Type II reports, when available) or by facilitating remote audit procedures.
  • The Controller bears the cost of any audit it initiates, unless the audit reveals a material breach of this DPA by BuildForce.
  • BuildForce will cooperate reasonably with audit requests and provide access to relevant documentation, systems information, and personnel as necessary.

11. Term and termination

This DPA is effective for the duration of the service agreement between BuildForce and the Controller:

  • This DPA automatically terminates when the underlying service agreement terminates or expires.
  • Data processing obligations under this DPA survive termination until all personal data has been deleted or returned to the Controller.
  • Upon termination, BuildForce will delete all personal data within 90 days unless retention is required by applicable law or the Controller requests data return.

12. Contact

For questions about this Data Processing Agreement, data protection practices, or to exercise rights under this DPA, contact BuildForce at:

  • Data protection inquiries: privacy@buildforce.io
  • Legal and DPA execution: legal@buildforce.io
  • Security incidents: security@buildforce.io
  • General support: support@buildforce.io