Pursuant to Article 28 of the GDPR.
Parties
- Controller: the customer using the Buildmetrics Service (the “Controller”).
- Processor: BUILDMETRICS SRL, CUI 51592519, registered address: Str. Domnească 13, Bl. L, Sc. 3, Et. 1, Ap. 42, 800015 Galați, Romania (“Buildmetrics” or the “Processor”).
This Data Processing Agreement (“DPA”) forms an integral part of the Buildmetrics Terms & Conditions. By accepting the Terms, the Controller also accepts this DPA.
1. Background and purpose
The Controller uses the Buildmetrics platform to manage construction projects, tasks, quality control and related documentation. In connection with the provision of the Service, the Processor processes Personal Data on behalf of the Controller.
2. Definitions
Terms used in this DPA have the same meaning as in Regulation (EU) 2016/679 (GDPR).
3. Description of the processing (Annex I)
Subject matter and duration: provision of the Buildmetrics SaaS platform for construction project management during the term of the Controller’s use of the Service.
Nature and purpose: hosting, storage, processing, display, AI-assisted generation of task descriptions and checklists, translation, and technical support of data uploaded by the Controller and its users.
Types of Personal Data:
- Contact data (name, email, phone, company name, role)
- Identification and professional data of project participants
- Images and videos containing natural persons (photos from construction sites)
- Any other personal data included by the Controller in tasks, comments, documents or attachments
Categories of Data Subjects:
- Employees, representatives and contractors of the Controller
- Inspectors, clients and other participants of construction projects
Special categories of data: special categories of data are not intentionally requested or required for the use of the Service. The Controller is responsible for ensuring an appropriate legal basis and safeguards in case any special categories of data are uploaded.
4. Processor’s obligations
The Processor shall:
4.1 Process Personal Data only on documented instructions from the Controller (including via the Service interface), unless required to do so by Union or Member State law.
4.2 Ensure that persons authorised to process the data are bound by confidentiality.
4.3 Implement appropriate technical and organisational measures (see Section 7 / Annex II).
4.4 Not engage Sub-processors without the Controller’s prior specific or general written authorisation. The Controller grants the Processor a general written authorisation to engage the Sub-processors listed in Section 5.
4.5 Assist the Controller in fulfilling data-subject rights requests.
4.6 Notify the Controller without undue delay (and, where feasible, within 48 hours) of any Personal Data Breach.
4.7 At the choice of the Controller, delete or return all Personal Data after the end of the provision of services relating to processing, unless Union or Member State law requires storage of the Personal Data.
4.8 Make available to the Controller information reasonably necessary to demonstrate compliance with Article 28 GDPR and, where required by applicable law, contribute to audits conducted in a manner that does not unreasonably interfere with the Processor’s business operations and subject to appropriate confidentiality obligations.
4.9 Promptly inform the Controller if, in the Processor’s opinion, an instruction infringes the GDPR or other applicable data-protection laws.
4.10 Taking into account the nature of the processing and the information available to the Processor, assist the Controller in ensuring compliance with its obligations relating to data protection impact assessments (Article 35) and prior consultation of the supervisory authority (Article 36), by providing reasonable information and cooperation upon the Controller’s request.
5. Sub-processors
The Controller grants the Processor a general authorisation to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting and database | Germany / Finland (EU) |
| OpenAI, Anthropic, Google | AI task-description & checklist generation | USA |
| Cloudflare | CDN and analytics | EU / global |
| Email / SMTP provider | Notifications | EU |
Where the Processor engages a Sub-processor, it shall do so by way of a written contract that imposes on that Sub-processor the same data-protection obligations as those set out in this Agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of Regulation (EU) 2016/679. Where a Sub-processor fails to fulfil its data-protection obligations, the Processor shall remain fully liable to the Controller for the performance of that Sub-processor’s obligations.
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, giving the Controller sufficient time to object before the relevant Sub-processor is engaged. If the Controller objects on reasonable data-protection grounds within 14 days of notification, the parties shall work together in good faith to find a resolution; if none is reached, the Controller may suspend or terminate the affected part of the Service. The list of Sub-processors may be updated from time to time in accordance with this Section.
6. International data transfers
Personal Data is primarily stored in the EU (Hetzner). Transfers to the USA (AI providers) are protected by the Standard Contractual Clauses (SCCs, 2021) issued by the European Commission, supplemented by additional technical and organisational measures. Where applicable, the EU–US Data Privacy Framework may be relied upon.
7. Security measures (Annex II)
The Processor implements appropriate technical and organisational measures, including:
- Encryption in transit using industry-standard protocols
- Encryption at rest where technically feasible
- Role-based access control (RBAC)
- Audit logging of actions
- Regular backups
- Secure development practices
8. Liability
The Processor’s liability under this DPA is subject to the limitations and exclusions set out in the Buildmetrics Terms & Conditions.
9. Duration and termination
This DPA remains in effect for as long as the Processor processes Personal Data on behalf of the Controller. Upon termination, the Processor shall return or delete the data in accordance with Section 4.7.
10. Governing law
This DPA is governed by the laws of Romania. The parties submit to the exclusive jurisdiction of the courts of Romania, unless otherwise required by applicable mandatory law.
Annexes
- Annex I — Details of processing: Section 3.
- Annex II — Technical and organisational measures: Section 7.
- Annex III — List of Sub-processors: Section 5.
Acceptance
By accepting the Buildmetrics Terms & Conditions, the Controller acknowledges and agrees to this DPA.