Data Processing Agreement (DPA / AVV)
Last updated: January 20, 2026
GDPR Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Controller") and Builddesk (the "Processor") and governs the processing of personal data under GDPR.
1. Definitions
For the purposes of this DPA:
- "Controller" means the customer who determines the purposes and means of processing personal data
- "Processor" means Builddesk, acting on behalf of the Controller
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on personal data (collection, storage, use, disclosure, deletion)
- "GDPR" means the General Data Protection Regulation (EU) 2016/679
- "Data Subject" means the individual whose personal data is processed
2. Roles and Responsibilities
Controller (Customer): You determine what personal data is uploaded to the platform and how it is used. You are responsible for ensuring lawful processing and compliance with GDPR.
Processor (Builddesk): We process personal data on your behalf solely to provide the Builddesk platform. We follow your instructions and implement appropriate security measures.
3. Scope and Subject Matter
3.1 Subject Matter
Provision of the Builddesk SaaS platform for project execution and financial control.
3.2 Duration
This DPA remains in effect for the duration of your subscription and until all personal data is deleted or returned.
3.3 Nature and Purpose of Processing
Builddesk processes personal data to:
- Provide access to the platform and its features
- Store and manage project data, documents, and communications
- Enable collaboration between team members and external stakeholders
- Deliver notifications and updates
- Provide customer support
4. Categories of Data and Data Subjects
4.1 Categories of Data Subjects
Personal data may relate to:
- Your employees, contractors, and team members
- Your clients and external stakeholders
- Third-party contacts (vendors, subcontractors)
4.2 Categories of Personal Data
The platform may process:
- Identification Data: Names, email addresses, phone numbers, job titles
- Professional Data: Company name, role, project assignments
- Communication Data: Messages, comments, notifications
- Usage Data: Login times, activity logs, IP addresses
- Files and Documents: Photos, drawings, contracts, reports (may contain personal data)
5. Processor Obligations
5.1 Processing Instructions
Builddesk will process personal data only in accordance with your documented instructions, which include:
- These Terms of Service and DPA
- Your use of the platform features (uploading, storing, sharing data)
- Support requests and configuration settings
If we believe an instruction violates GDPR or other applicable laws, we will inform you immediately.
Legal Obligation Exception: Builddesk shall not process personal data for any purpose other than providing the Service, unless required by Union or Member State law, in which case Builddesk shall inform the Controller prior to processing, unless prohibited by law.
5.2 Confidentiality
All Builddesk personnel with access to personal data are bound by confidentiality obligations.
Access to personal data is limited to authorized personnel who require access to perform their duties and who have received appropriate data protection training.
5.3 Security Measures
Builddesk implements appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest
- Access controls and authentication
- Regular security audits and updates
- Data backup and disaster recovery
- Multi-tenant data isolation
The technical and organizational measures implemented by Builddesk are described in more detail on the Security & Compliance page, which forms an integral part of this DPA.
6. Sub-Processors
Builddesk engages the following categories of sub-processors to support service delivery:
- Cloud Infrastructure: Cloudflare (hosting, CDN, security)
- Payment Processing: Stripe (subscription billing)
- Email Services: Resend (transactional emails)
Sub-Processor Authorization: By accepting this DPA, you authorize Builddesk to engage these sub-processors. All sub-processors are contractually bound by data protection obligations equivalent to those in this DPA.
Changes to Sub-Processors: We will notify you at least 30 days before adding or replacing sub-processors. If you object to a new sub-processor, you may terminate your subscription.
A current list of sub-processors, including their processing locations, is available upon request at privacy@builddesk.io.
7. International Data Transfers
Builddesk is operated from Germany, and data is primarily stored within the European Union. However, some sub-processors (e.g., Stripe) may transfer data outside the EU.
For transfers to countries without an adequacy decision, we rely on:
- EU Standard Contractual Clauses (SCCs)
- Approved certification mechanisms
- Other lawful transfer mechanisms under GDPR
8. Assistance with Data Subject Rights
Builddesk will assist you in responding to data subject requests (DSRs) under GDPR, including:
- Right of Access: Provide access to personal data
- Right to Rectification: Correct inaccurate data
- Right to Erasure: Delete data ("right to be forgotten")
- Right to Restriction: Limit processing of data
- Right to Data Portability: Export data in a structured format
- Right to Object: Object to certain types of processing
Process: If you receive a DSR from a data subject whose data is processed through Builddesk, contact us at privacy@builddesk.io within 5 business days. We will provide reasonable assistance to help you respond within the legally required timeframe (typically 30 days).
9. Data Breach Notification
In the event of a personal data breach, Builddesk will:
- Notify you without undue delay and within 72 hours of becoming aware of the breach
- Provide details about the nature of the breach, affected data, and potential consequences
- Describe measures taken or proposed to mitigate the breach
- Provide a point of contact for further information
You are responsible for determining whether the breach requires notification to data protection authorities or data subjects.
10. Data Deletion and Return
Upon termination or expiration of your subscription:
- Data Retention Period: Your data remains accessible in view-only mode for 30 days
- Data Export: You can export your data at any time during this period
- Deletion: After 30 days, all personal data is permanently deleted from our active systems
- Backup Deletion: Data in backups is automatically overwritten within 90 days
Return of Data: If you request data return before deletion, we will provide your data in a structured, machine-readable format (JSON or CSV export). Contact support@builddesk.io for data return requests.
11. Audit Rights
Builddesk will make available to you all information necessary to demonstrate compliance with this DPA.
Audit Process: Upon reasonable written notice (at least 30 days), you or an independent auditor may conduct audits or inspections to verify compliance with this DPA, subject to:
- Audits limited to once per year (unless required by a data protection authority)
- Confidentiality obligations for the auditor
- Reasonable notice and cooperation requirements
- Reimbursement of Builddesk's costs if the audit is excessively burdensome
Audits shall be conducted in a manner that does not compromise the confidentiality, security, or availability of data belonging to other customers.
12. Cooperation with Authorities
Builddesk will cooperate with data protection authorities and assist in investigations or inquiries related to personal data processing under this DPA.
13. Liability and Indemnification
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.
If a party is held liable for a GDPR violation caused by the other party's actions, the responsible party will indemnify the other party for any fines, penalties, or damages incurred.
14. Term and Termination
This DPA remains in effect for the duration of your subscription and until all personal data has been deleted or returned. Termination of the Terms of Service automatically terminates this DPA, subject to data retention obligations.
15. Changes to This DPA
We may update this DPA to reflect changes in GDPR requirements, data protection guidance, or our processing practices. Material changes will be communicated via email at least 30 days before taking effect.
16. Order of Precedence
In the event of a conflict between this DPA and the Terms of Service, the provisions of this DPA shall prevail with respect to data protection matters.
17. Contact Information
For questions or requests related to this DPA, please contact us:
Data Protection Officer / Privacy Contact:
Email: privacy@builddesk.io
General Support:
Email: support@builddesk.io
Postal Address:
Ahmad Mukhtar Sabri (Builddesk)
Daubhausstraße 29
55283 Nierstein
Germany
Summary: This DPA defines the data processing relationship under GDPR. You (Controller) determine what data is processed; we (Processor) follow your instructions, implement security measures, assist with data subject rights, and ensure compliant sub-processors. Data is deleted 30 days after termination unless you export it earlier.