Data Processing Addendum
Version 1.0 · Last updated April 21, 2026
For business customers
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Struxcor Inc. and the business customer ("Customer") and applies whenever Struxcor processes personal data on Customer's behalf. By entering into the Terms, Customer accepts this DPA.
If Customer requires a DPA executed as a separate document, contact legal@struxcor.com with the subject line "DPA Execution Request."
1. Definitions
Capitalized terms not defined here have the meanings given in the Terms of Service, GDPR, UK GDPR, or CCPA/CPRA, as applicable.
- "Customer Data" means data Customer or its users submit to the Service, including any Personal Data.
- "Personal Data" means any information relating to an identified or identifiable natural person that is contained in Customer Data.
- "Data Protection Laws" means all privacy and data protection laws applicable to the parties' processing of Personal Data under this DPA, including GDPR, UK GDPR, the Swiss FADP, CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, OCPA, TDPSA, FDBR, MCDPA, and equivalent laws.
- "Sub-processor" means any third party engaged by Struxcor to process Personal Data in connection with the Service.
- "SCCs" means the European Commission's Standard Contractual Clauses approved by Decision 2021/914/EU, as updated from time to time.
- "UK IDTA" means the UK International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner.
2. Roles of the Parties
- Under GDPR/UK GDPR, Customer is the Controller (or Processor acting on behalf of another Controller) and Struxcor is the Processor (or Sub-processor).
- Under CCPA/CPRA, Customer is the Business and Struxcor is a Service Provider.
- Struxcor will process Personal Data only on documented instructions from Customer, as set out in the Terms, the Service's documentation, this DPA, or other written instructions that Customer issues and Struxcor accepts.
- Struxcor will not: (i) sell or share Personal Data; (ii) retain, use, or disclose Personal Data for any purpose other than the business purposes specified in the Terms; (iii) retain, use, or disclose Personal Data outside the direct business relationship with Customer; or (iv) combine Personal Data with personal information from other sources, except as permitted under CCPA/CPRA.
3. Subject Matter, Duration, Nature, and Purpose (Art. 28(3))
| Particular | Description |
| --- | --- |
| Subject matter | Processing of Customer Data to provide the Struxcor Service. |
| Duration | Term of the Terms of Service plus any retention period permitted under applicable law or this DPA. |
| Nature and purpose | Hosting, storage, backup, transmission, authentication, access control, search, reporting, document generation, AI-assisted drafting, billing, and support. |
| Categories of data | Identification data (name, email), employment data (role, employer, classification, wage rate, hours worked), project data (inspections, reports, photos, signatures), device and usage data. |
| Data subjects | Customer's personnel, contractors, field workers, inspectors, agency staff, and other project participants whose data Customer inputs. |
4. Processor Obligations
Struxcor will:
- process Personal Data only on Customer's documented instructions (including regarding international transfers), unless required by law;
- ensure persons authorized to process Personal Data are subject to an appropriate obligation of confidentiality;
- implement and maintain the technical and organizational measures described in Annex II below (Security Measures);
- assist Customer in fulfilling its obligations to respond to data subject rights requests (Arts. 12–23 GDPR) taking into account the nature of the processing;
- assist Customer with data protection impact assessments and prior consultations (Arts. 35–36 GDPR) where reasonably required;
- notify Customer of a confirmed personal data breach without undue delay and in any event within 72 hours of confirmation;
- upon termination of the Service, delete or return Personal Data as described in Section 8;
- make available to Customer information necessary to demonstrate compliance with Art. 28 GDPR and allow for audits per Section 9.
5. Sub-processors
Customer provides a general authorization for Struxcor to engage Sub-processors, subject to this Section. The current list is published in Section 5 of the Privacy Policy.
- Struxcor imposes on each Sub-processor, by written contract, data protection obligations that provide a level of protection no less than those in this DPA.
- Struxcor remains fully liable to Customer for the performance of any Sub-processor's obligations.
- Struxcor will give Customer at least 30 days' advance notice (by email or in-product notice) before engaging a new Sub-processor with access to Personal Data. Customer may object on reasonable data-protection grounds by emailing legal@struxcor.com. If the parties cannot agree on a resolution, Customer's exclusive remedy is to terminate the affected Service with a pro-rated refund of prepaid fees.
6. International Data Transfers
To the extent Struxcor processes Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland in a country that does not benefit from an adequacy decision:
- The parties incorporate the SCCs by reference. Module 2 (Controller-to-Processor) applies where Customer is a Controller. Module 3 (Processor-to-Processor) applies where Customer is itself a Processor acting for another Controller.
- For transfers from the United Kingdom, the UK IDTA is incorporated and modifies the SCCs as set out therein.
- For transfers from Switzerland, the SCCs apply with the amendments required by the Swiss FADP (including references to the Swiss supervisory authority and FADP).
- Clause-level choices for the SCCs are set out in Annex I below.
- Struxcor conducts transfer impact assessments, monitors developments in destination-country laws, and implements supplementary measures (encryption, pseudonymization, access controls) where appropriate.
7. Data Subject Requests
Taking into account the nature of the processing, Struxcor will, by appropriate technical and organizational measures, assist Customer in responding to requests from data subjects to exercise their rights. Where a data subject contacts Struxcor directly, Struxcor will promptly forward the request to Customer and not respond substantively unless legally required.
8. Return or Deletion of Personal Data
On termination of the Service, Customer may export Personal Data for 90 days using the Service's built-in tools. After that period, Struxcor will delete Personal Data from active systems and from backups within the next backup rotation cycle (typically no later than 90 days), except where longer retention is required by law. On written request, Struxcor will confirm deletion in writing.
9. Audits
Struxcor will make available to Customer, on reasonable request and subject to confidentiality obligations, copies of relevant third-party certifications, audit reports, and summaries of penetration-test findings (e.g., SOC 2 Type II reports once obtained). Where those materials are insufficient to demonstrate compliance, Customer may conduct an audit once per 12-month period, on at least 30 days' written notice, during normal business hours, at Customer's expense, and subject to a mutually acceptable scope and NDA. Audits must not unreasonably disrupt the Service and must not access other customers' data.
10. Liability
Each party's liability arising out of or related to this DPA (including the SCCs and UK IDTA, where applicable) is subject to the limitations of liability in the Terms of Service. Nothing in this DPA limits any data subject's rights under Data Protection Laws against either party.
11. Order of Precedence
In case of conflict between documents, the order of precedence is: (1) the SCCs and UK IDTA (for transfers subject to them), (2) this DPA, (3) the Terms of Service, and (4) any order form, except that any explicit derogation in a signed order form prevails over the rest.
Annex I — SCC Particulars
A. List of Parties
Data exporter: the Customer, whose legal name, address, contact details, and role are those recorded in Customer's Struxcor account or order form.
Data importer: Struxcor Inc., a Delaware corporation. Contact: legal@struxcor.com. Role: Processor (Module 2) or Processor engaged by another Processor (Module 3).
B. Description of Transfer
- Categories of data subjects: as described in Section 3.
- Categories of Personal Data: as described in Section 3.
- Sensitive data: not intentionally processed. If Customer nonetheless uploads sensitive data, Struxcor applies the same security measures as for other Personal Data.
- Frequency of transfer: continuous, as part of providing the Service.
- Nature of processing: hosting, storage, transmission, computation, AI-assisted analysis, reporting, and deletion.
- Purpose: providing the Service to Customer.
- Retention period: duration of the Terms plus the periods described in Section 8 and the Privacy Policy.
- Onward transfers: to the Sub-processors listed in the Privacy Policy, bound by equivalent obligations.
C. Competent Supervisory Authority
For Module 2 and Module 3 transfers, the competent supervisory authority is determined pursuant to Clause 13 of the SCCs based on the data exporter's establishment. For UK transfers, the UK Information Commissioner's Office is the competent authority. For Swiss transfers, the Swiss Federal Data Protection and Information Commissioner is the competent authority.
D. Clause-Level Options
- Clause 7 (docking clause): not included.
- Clause 9 (sub-processor authorization): Option 2 — general written authorization, with at least 30 days' advance notice of changes.
- Clause 11 (redress): the optional language on independent dispute resolution is not selected.
- Clause 17 (governing law): the law of Ireland.
- Clause 18 (forum and jurisdiction): the courts of Ireland.
Annex II — Technical and Organizational Security Measures
Struxcor implements and maintains the following measures, proportionate to the risk of processing:
- Encryption: TLS 1.2+ in transit; AES-256 at rest for database and object storage; short-lived signed URLs for files.
- Access control: role-based access, Postgres row-level security scoped by organization, MFA-capable authentication, least-privilege service roles, access reviews, prompt deprovisioning on personnel change.
- Network security: private networking between application and database layers; egress controls; DDoS mitigation via Vercel and upstream providers.
- Application security: secure SDLC, code review, dependency scanning, content security policy, CSRF protection, input validation, output encoding, automated vulnerability scanning.
- Logging and monitoring: authentication and administrative actions logged; Sentry error monitoring; anomaly alerts; audit trail for destructive actions.
- Incident response: documented response plan; 72-hour breach notification to affected customers; post-incident reviews.
- Resilience: managed Postgres backups (point-in-time recovery), multi-region CDN, PWA offline support for field use.
- Personnel: confidentiality obligations, security training, background checks where permitted by law.
- Vendor management: Sub-processor due diligence and written contracts imposing equivalent obligations.
- Data handling: data minimization in analytics, pseudonymization for internal testing, deletion on termination subject to Section 8.
Annex III — List of Sub-processors
The current list of Sub-processors with their purpose and location is maintained in Section 5 of the Privacy Policy.