BuildOps Customer Data Processing Addendum
This Data Protection Addendum (“DPA”) is entered into as of the Effective Date (defined below) between BuildOps, Inc. (“BuildOps”) and the entity outlined in the Agreement (“Customer”). BuildOps and Customer may each be referred to as a “Party” or collectively referred to as the “Parties”. This DPA supplements and forms part of any formal agreement for BuildOps’ provision of Services (defined below) to Customer (the “Agreement”) and replaces any prior contractual obligations between the Parties regarding any privacy, security, confidentiality, or data protection obligations relevant to the Personal Information (defined below) covered by this DPA. To the extent of any conflict or inconsistency between this DPA and the rest of the terms of the Agreement, this DPA will govern. The “Effective Date” of this DPA shall be the later date between (i) the Effective Date of the Agreement; or (ii) the “Last Updated” date below.
1) Definitions
1.1. “Applicable Law” means all laws, regulations and other legal requirements applicable to either (i) BuildOps as provider of the Services or (ii) Customer as user of the Services. For example, to the extent applicable, this includes Canada’s Personal Information Protection and Electronic Documents Act, SC 2000, c.5; British Columbia’s Personal Information Protection Act, SBC 2003, c 63; Alberta’s Personal Information Protection Act, SA 2003, c P-6.5; and the California Consumer Privacy Act, as amended by the California Privacy Rights Act and together with associated regulations (“CCPA”); as well as U.S. state laws similar to the CCPA, such as the Virginia Consumer Data Protection Act; the Colorado Privacy Act and related regulations; the Connecticut Act Concerning Personal Data Privacy and Online Monitoring; the Utah Consumer Privacy Act; Texas Data Privacy and Security Act; the Oregon Consumer Privacy Act; Florida Digital Bill of Rights; Montana Consumer Data Privacy Act, the Iowa Consumer Privacy Act; Tennessee Information Protection Act; the Indiana Consumer Data Protection Act, the New Jersey Privacy Act, the New Hampshire Privacy Act; Delaware Personal Data Privacy Act, Kentucky Consumer Data Protection Act, Nebraska Data Privacy Act, Minnesota Consumer Data Privacy Act, Maryland Online Data Privacy Act, and Rhode Island Data Transparency and Privacy Protection Act (together with the CCPA, as they become effective, the “U.S. State Privacy Laws”).
1.2. “Personal Information” means the subset of Customer Data that identifies an individual as defined and protected by Applicable Law. Personal Information does not include the Parties’ business contact information (specifically, business addresses, phone numbers, and email addresses, including a Party’s contact persons’ names used solely to facilitate the Parties’ communications for administration of the Agreement).
1.3. “Privacy Breach” means a breach of security leading to the loss of, unauthorized access to or unauthorized disclosure of Personal Information.
1.4. “Process” or “Processing” means to collect, use, modify, retrieve, disclose, retain, store, delete or manage.
1.5. “Services” means the services provided by BuildOps pursuant to the Agreement.
1.6. “Subprocessor” means a subcontractor engaged by BuildOps for the Processing of Personal Information.
2) Data Processing and Security Responsibilities
2.1. Customer and BuildOps shall each comply with all Applicable Laws that apply to it in relation to any Personal Information Processed under the Agreement (including this Addendum), as set out in the Data Processing Particulars at Annex A to this Addendum.
2.2. In the course of Processing Personal Information on behalf of Customer, BuildOps shall:
a) except as otherwise permitted herein, only Process Personal Information for the purpose of rendering the Services as described in Annex A and as otherwise instructed by Customer in writing from time to time or as required or permitted by applicable law;
b) not transfer or disclose any Personal Information to any third party except as (i) permitted under the Agreement, (ii) otherwise authorized by the Customer, including service integrations requested by Customer, or (iii) required under applicable law;
c) not retain, use, or disclose Personal Information outside of the direct business relationship between BuildOps and Customer within the meaning of the CCPA;
d) not “sell” the Personal Information within the meaning of U.S. State Privacy Laws, and not “share” the Personal Information within the meaning of the CCPA;
e) not combine the Personal Information that BuildOps receives from, or on behalf of, Customer with personal information that BuildOps receives from, or on behalf of, another person or persons, or that BuildOps collects from any interaction between it and a data subject unless (i) permitted under this DPA; and (ii) BuildOps complies with any applicable restrictions under Applicable Laws;
f) where any transfer or disclosure of Personal Information is required by a governmental authority or applicable law, provide reasonable notice to Customer of such compelled disclosure (except where legally prohibited from providing such notice) so that Customer has an opportunity to take such steps as it desires to challenge or contest such disclosure or seek a protective order;
g) provide reasonable assistance and cooperation to enable Customer to comply with Applicable Laws, including but not limited to Customer’s obligation to (i) respond to requests by data subjects (or their lawful representatives) to exercise their rights under Applicable Laws with regard to their Personal Information; and (ii) perform any required data protection impact assessment of Processing or proposed Processing of Personal Information;
h) maintain throughout the term of the Agreement an information security program designed to meet Applicable Laws. BuildOps agrees that such program includes reasonable security procedures and practices including administrative, technical, and physical safeguards appropriate to the nature of the personal information designed to protect Personal Information against loss, theft, damage and unauthorized or unlawful access, use, disclosure, modification or destruction;
i) notify Customer if BuildOps determines that it can no longer meet its obligations with respect to Personal Information under the CCPA;
j) provide the same level of privacy protection for Personal Information as is required of Customer under the CCPA;
k) authorize access to Personal Information by its employees and agents only if they need to have access to the Personal Information in connection with performing BuildOps’ rights or obligations as set out in the Agreement (including this DPA) and they have agreed in writing, or are otherwise legally bound, to protect the confidentiality and security of Personal Information; and
l) be permitted to generate anonymized or otherwise de-identified data from personal information for its business purposes, including, without limitation, for improving and enhancing BuildOps products and services, research analytics, or model training purposes; for the avoidance of doubt, the Processing of anonymized data shall not be subject to the terms of this DPA.
2.3. Customer represents and warrants that it:
a) has obtained and provided, and shall continue to obtain and provide, all necessary consents and notices, and otherwise has and continues to have all necessary authority, to permit BuildOps to perform its obligations and exercise its rights in connection with the Processing of Personal Information under the Agreement (including this DPA), and shall inform BuildOps immediately if any such consents or authority are withdrawn or can no longer be relied upon;
b) has ensured and shall continue to ensure that all Personal Information Processed by BuildOps is accurate and up-to-date, and limited to what is necessary to enable BuildOps to perform its obligations and exercise its rights under the Agreement (including this DPA);
c) shall not provide BuildOps with access to “protected health information” for which Customer (or Customer’s customer) is subject to the U.S. Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”) without first deidentifying such information in compliance with the HIPAA deidentification standard, such that it no longer is “protected health information”; and
d) shall not provide BuildOps with “sensitive” Personal Information as such term is used in Applicable Law.
3) Audit Rights
3.1 BuildOps shall provide to Customer reasonably requested information as necessary to demonstrate BuildOps’ compliance with this DPA. Without limiting the foregoing, Customer has the right, upon providing reasonable notice to BuildOps, to ensure that BuildOps uses the Personal Information in a manner consistent with the Customer’s obligations under Applicable Laws and to take reasonable and appropriate steps to stop and remediate any use of Personal Information by BuildOps that is in violation of this DPA.
4) Subprocessing
4.1. Customer acknowledges and agrees that BuildOps will use Subprocessors (including BuildOps affiliates) to Process Personal Information. BuildOps shall enter into a written agreement with each such Subprocessor that imposes obligations on the Subprocessor that are substantially similar to those imposed on BuildOps under this DPA. BuildOps’ list of Subprocessors can be found here: https://trust.buildops.com/subprocessors.
4.2. Except in event of an emergency or exigent circumstances, prior to appointing any new Subprocessor in addition to or in lieu of those listed in Annex B, BuildOps shall notify Customer of such appointment or change, whereupon Customer shall have thirty (30) days to object to such appointment or change by providing detailed reasons in writing to BuildOps provided, however, that notice may be shorter where reasonably necessary, such as engaging a new Subprocessor for security purposes. If BuildOps does not receive such an objection within the thirty (30) day objection period, Customer will be deemed to have given consent to the appointment of or change to the Subprocessor.
4.3. In the event Customer objects in writing to the Subprocessor, BuildOps will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Information by the objected-to new Subprocessor without unreasonably burdening BuildOps. If BuildOps is unable to make available such change within sixty (60) days, either Party may terminate without penalty those Services that cannot be provided by BuildOps without the use of the objected-to new Subprocessor by providing written notice to the other Party.
4.4. BuildOps remains liable for its Subprocessors’ acts and omissions to the same extent BuildOps is liable for its own, consistent with the limitations of liability set forth in the Agreement.
5) Privacy Breach Notification
5.1 BuildOps shall notify Customer in writing without undue delay, and in any event within 72 hours, upon BuildOps becoming aware of a Privacy Breach. BuildOps shall use commercially reasonable efforts to address the Privacy Breach in a timely manner.
6) Return or Destruction
6.1 Upon the termination of the Agreement BuildOps warrants that it will continue to protect the confidentiality of the Personal Information in accordance with applicable law so long as such Personal Information is in BuildOps’ possession or control.
7) Survival
7.1 The provisions of this DPA survive the termination or expiration of the Agreement for so long as BuildOps or its Subprocessors Process Personal Information.
ANNEX A
DATA PROCESSING DESCRIPTION
Duration of the Processing.
As between Customer and BuildOps, the duration of the processing is the term of the Agreement plus any period after the termination or expiry of the Agreement during which BuildOps will process Customer Personal Data in accordance with the Agreement.
Nature and purposes of the Processing.
The nature of the Processing is: The provision of the Services as described in the Agreement and initiated by the Customer from time to time. Personal Information is Processed for the following purposes:
- BuildOps will process Customer Personal Information as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Data Categories.
The following types of Personal Information will be Processed:
- Any Customer Personal Information submitted to the Services under Customer's BuildOps account.