International Data Processing Addendum
DPA for Build Better, Inc.
π Read and download the entire DPA on our trust portal here:
https://trust.buildbetter.ai/resources?s=ib6b62opxkoo5zlshrwh8f&name=international-bb-data-processing-agreement
International Data Processing Addendum
This Data Processing Addendum (βDPAβ) supplements the Build Better, Inc. Master Subscription Agreement (the βAgreementβ) between the customer signing this DPA (βCustomerβ) and Build Better, Inc. (βCompanyβ). By executing this DPA, Customer enters into it on behalf of itself and, where applicable, its Affiliates.
Unless otherwise defined herein, capitalized terms shall have the meanings assigned in the Agreement.
1. Definitions
- Affiliate: An entity directly or indirectly controlling, controlled by, or under common control with a party.
- Authorized Sub-Processor: A third party authorized to process Customer Personal Data under the Agreement.
- Company Account Data: Personal data related to Customerβs account, including contacts and billing.
- Company Usage Data: Service usage data collected for performance and abuse prevention.
- Data Exporter: The Customer.
- Data Importer: The Company.
- Data Protection Laws: Includes GDPR, UK GDPR, CCPA, Swiss FADP, and other relevant regulations.
- EU SCCs: Standard Contractual Clauses adopted in EU Commission Decision 2021/914.
- ex-EEA/UK Transfers: Transfers of data outside the EEA or UK not covered by adequacy decisions.
- Services: Defined in the Agreement.
- Standard Contractual Clauses (SCCs): Includes EU SCCs and UK SCCs.
2. Processing of Data
- Customer is a controller or processor; Company is the processor (unless otherwise specified).
- Customer must comply with all Data Protection Laws and ensure that instructions to Company are lawful.
- Processing details are in Exhibit A.
- Upon service termination, Company will return or delete data unless required to retain it.
- Under the CCPA, Company is a service provider and will not sell or misuse Customer data.
3. Confidentiality
Company personnel authorized to process data are bound by confidentiality obligations. Disclosures may be made to advisors or auditors when necessary.
4. Sub-Processors
- Company may engage Authorized Sub-Processors (listed at https://sites.buildbetter.ai/subprocessors).
- Customer can object within 10 days of notice. Essential sub-processors may be required for services.
- Sub-processors are contractually obligated to maintain data protection standards.
5. Security Measures
See Exhibit C for technical and organizational measures including:
- Encryption (in transit and at rest)
- Access controls
- Security audits (SOC 2 Type II)
- Incident response and logging
6. Data Transfers
- Company primarily processes data in the U.S.
- Ex-EEA, ex-UK, and Swiss transfers are governed by SCCs, described in Section 6 and detailed in Exhibits BβD.
- Supplementary measures apply, including notice of government access requests.
7. Rights of Data Subjects
- Company will notify Customer of Data Subject Requests.
- Customer is responsible for fulfilling those requests.
- Company will assist, where necessary, with appropriate technical and organizational support.
8. Audits & Requests
- Customer may audit or review certifications or perform on-site audits annually.
- Requests must be reasonable and non-disruptive.
- Company will assist with DPIAs and supervisory authority interactions.
9. Personal Data Breach
- Company shall notify Customer without undue delay upon becoming aware of a Personal Data Breach.
- Cooperation will be provided for regulatory notifications and remediation.
10. Company as a Controller
Company acts as an independent controller for Company Account Data and Usage Data for:
- Relationship management
- Fraud detection
- Legal compliance
See Privacy Policy.
11. Conflict Resolution
In case of conflict:
- SCCs prevail
- This DPA
- The Agreement
- Privacy Policy
12. Execution
Company has pre-signed this DPA. Customer must:
- Complete and sign the signature block
- Fill in Exhibit B
- Email the signed copy to legal@buildbetter.ai
Exhibit A β Processing Details
- Purpose: To deliver the Services under the Agreement.
- Processing Activities: Collection, encryption, analysis, deletion, sharing.
- Duration: As needed per the Agreement, business purposes, or law.
- Data Subjects: Employees, contractors, agents.
- Personal Data Types: Names, emails, job titles, device data, training records.
- Sensitive Data: Prohibited.
Exhibit B β Transfer Details (SCC Annex I)
- Data Exporter: The Customer
- Data Importer: Build Better, Inc.
- Data Categories: As defined in Exhibit A
- Supervisory Authority: Based on Data Exporterβs jurisdiction
Exhibit C β Security Measures (SCC Annex II)
Includes encryption, access control, breach response, system logging, audit practices, and sub-processor contracts. Measures align with SOC 2 Type II and AWS best practices.
Exhibit D β UK Addendum (UK SCCs)
- Tables 1β4: Incorporates EU SCCs as modified for UK GDPR
- Interpretation: UK law prevails in UK Addendum
- Revisions: Handled via ICO-approved mechanisms
- Disputes: Resolved under UK courts
π Read and download the entire DPA on our trust portal here:
https://trust.buildbetter.ai/resources?s=ib6b62opxkoo5zlshrwh8f&name=international-bb-data-processing-agreement