📄 Read and download the entire DPA on our trust portal here:
https://trust.buildbetter.ai/resources?s=ib6b62opxkoo5zlshrwh8f&name=international-bb-data-processing-agreement

International Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements the Build Better, Inc. Master Subscription Agreement (the “Agreement”) between the customer signing this DPA (“Customer”) and Build Better, Inc. (“Company”). By executing this DPA, Customer enters into it on behalf of itself and, where applicable, its Affiliates. Unless otherwise defined herein, capitalized terms shall have the meanings assigned in the Agreement.

1. Definitions

  • Affiliate: An entity directly or indirectly controlling, controlled by, or under common control with a party.
  • Authorized Sub-Processor: A third party authorized to process Customer Personal Data under the Agreement.
  • Company Account Data: Personal data related to Customer’s account, including contacts and billing.
  • Company Usage Data: Service usage data collected for performance and abuse prevention.
  • Data Exporter: The Customer.
  • Data Importer: The Company.
  • Data Protection Laws: Includes GDPR, UK GDPR, CCPA, Swiss FADP, and other relevant regulations.
  • EU SCCs: Standard Contractual Clauses adopted in EU Commission Decision 2021/914.
  • ex-EEA/UK Transfers: Transfers of data outside the EEA or UK not covered by adequacy decisions.
  • Services: Defined in the Agreement.
  • Standard Contractual Clauses (SCCs): Includes EU SCCs and UK SCCs.

2. Processing of Data

  • Customer is a controller or processor; Company is the processor (unless otherwise specified).
  • Customer must comply with all Data Protection Laws and ensure that instructions to Company are lawful.
  • Processing details are in Exhibit A.
  • Upon service termination, Company will return or delete data unless required to retain it.
  • Under the CCPA, Company is a service provider and will not sell or misuse Customer data.

3. Confidentiality

Company personnel authorized to process data are bound by confidentiality obligations. Disclosures may be made to advisors or auditors when necessary.

4. Sub-Processors

  • Company may engage Authorized Sub-Processors (listed at https://sites.buildbetter.ai/subprocessors).
  • Customer can object within 10 days of notice. Essential sub-processors may be required for services.
  • Sub-processors are contractually obligated to maintain data protection standards.

5. Security Measures

See Exhibit C for technical and organizational measures including:
  • Encryption (in transit and at rest)
  • Access controls
  • Security audits (SOC 2 Type II)
  • Incident response and logging

6. Data Transfers

  • Company primarily processes data in the U.S.
  • Ex-EEA, ex-UK, and Swiss transfers are governed by SCCs, described in Section 6 and detailed in Exhibits B–D.
  • Supplementary measures apply, including notice of government access requests.

7. Rights of Data Subjects

  • Company will notify Customer of Data Subject Requests.
  • Customer is responsible for fulfilling those requests.
  • Company will assist, where necessary, with appropriate technical and organizational support.

8. Audits & Requests

  • Customer may audit or review certifications or perform on-site audits annually.
  • Requests must be reasonable and non-disruptive.
  • Company will assist with DPIAs and supervisory authority interactions.

9. Personal Data Breach

  • Company shall notify Customer without undue delay upon becoming aware of a Personal Data Breach.
  • Cooperation will be provided for regulatory notifications and remediation.

10. Company as a Controller

Company acts as an independent controller for Company Account Data and Usage Data for:
  • Relationship management
  • Fraud detection
  • Legal compliance
See Privacy Policy.

11. Conflict Resolution

In case of conflict:
  1. SCCs prevail
  2. This DPA
  3. The Agreement
  4. Privacy Policy

12. Execution

Company has pre-signed this DPA. Customer must:
  1. Complete and sign the signature block
  2. Fill in Exhibit B
  3. Email the signed copy to legal@buildbetter.ai

Exhibit A – Processing Details

  • Purpose: To deliver the Services under the Agreement.
  • Processing Activities: Collection, encryption, analysis, deletion, sharing.
  • Duration: As needed per the Agreement, business purposes, or law.
  • Data Subjects: Employees, contractors, agents.
  • Personal Data Types: Names, emails, job titles, device data, training records.
  • Sensitive Data: Prohibited.

Exhibit B – Transfer Details (SCC Annex I)

  • Data Exporter: The Customer
  • Data Importer: Build Better, Inc.
  • Data Categories: As defined in Exhibit A
  • Supervisory Authority: Based on Data Exporter’s jurisdiction

Exhibit C – Security Measures (SCC Annex II)

Includes encryption, access control, breach response, system logging, audit practices, and sub-processor contracts. Measures align with SOC 2 Type II and AWS best practices.

Exhibit D – UK Addendum (UK SCCs)

  • Tables 1–4: Incorporates EU SCCs as modified for UK GDPR
  • Interpretation: UK law prevails in UK Addendum
  • Revisions: Handled via ICO-approved mechanisms
  • Disputes: Resolved under UK courts
📄 Read and download the entire DPA on our trust portal here:
https://trust.buildbetter.ai/resources?s=ib6b62opxkoo5zlshrwh8f&name=international-bb-data-processing-agreement