Data Processing Addendum

Last Updated: June 11, 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service (the “Agreement”) between the entity identified as “Customer” in the Agreement (“Customer” or “Controller”) and BuildFetch Inc. (“Processor”). Capitalized terms not defined in this DPA have the meanings given in the Agreement.

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person that is processed by Processor on behalf of Customer in connection with the Services.
  • “Processing” (and “Process”) means any operation or set of operations performed on Personal Data, whether or not by automated means.
  • “Sub-processor” means any third party engaged by Processor to Process Personal Data on behalf of Customer.
  • “Services” means the cloud services provided by Processor under the Agreement.
  • “Customer Data” has the meaning set forth in the Agreement and includes Personal Data.
  • “Data Protection Laws” means all applicable data protection and privacy laws and regulations, including the GDPR, UK GDPR, and CCPA/CPRA.

2. Scope and Roles

2.1 This DPA applies to all Processing of Personal Data by Processor on behalf of Customer in connection with the Services.

2.2 Customer is the Controller of Personal Data. Processor is the Processor of Personal Data. Where required by applicable law, Processor acts as a “service provider” under the CCPA/CPRA and will not sell or share Personal Data except as necessary to provide the Services or as otherwise permitted under this DPA or the Agreement.

3. Subject Matter, Nature, Purpose, and Duration of Processing

3.1 Subject matter: The Processing of Personal Data in connection with Customer’s use of the Services.

3.2 Nature and purpose: Processor will Process Personal Data solely to provide, maintain, secure, and improve the Services, including hosting, storage, transmission, caching, analysis, and related technical operations.

3.3 Duration: Processor will Process Personal Data for the Term of the applicable Subscription(s) and thereafter only as necessary to comply with legal obligations or as set forth in this DPA.

4. Categories of Personal Data and Data Subjects

4.1 Categories of Personal Data: Personal Data contained in Customer Data, which may include identifiers (such as usernames, email addresses, and IP addresses), authentication data, metadata, logs, and other content processed through the Services.

4.2 Categories of Data Subjects: Customer’s employees, contractors, end users, and other individuals whose Personal Data is included in Customer Data.

5. Obligations of Processor

Processor shall:

(a) Process Personal Data only on documented instructions from Customer (including those in the Agreement and this DPA), unless otherwise required by applicable law;

(b) Ensure that persons authorized to Process Personal Data are subject to appropriate confidentiality obligations;

(c) Implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage;

(d) Assist Customer, to the extent reasonably possible and at Customer’s expense, in responding to data subject requests and ensuring compliance with Customer’s obligations under Data Protection Laws;

(e) Notify Customer without undue delay after becoming aware of a Personal Data Breach and provide reasonable information and cooperation to assist Customer in investigating and mitigating the Breach;

(f) Upon termination or expiration of the Agreement or upon Customer’s written request, delete or return all Personal Data and delete existing copies, except to the extent retention is required by applicable law; and

(g) Make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for audits as set forth in Section 11.

6. Sub-processors

6.1 Customer provides general written authorization for Processor to engage Sub-processors. Processor maintains a current list of its Sub-processors available at https://buildfetch.com/subprocessors.

6.2 Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those in this DPA and shall remain fully liable to Customer for the performance of its Sub-processors.

6.3 Processor shall provide Customer with at least fifteen (15) days’ prior notice of any intended addition or replacement of a Sub-processor that Processes Personal Data. Customer may object to such change on reasonable data protection grounds by providing written notice within ten (10) days. If the parties cannot resolve the objection, Customer may terminate the affected Services.

7. International Data Transfers

Processor may transfer Personal Data outside the European Economic Area, United Kingdom, or Switzerland only where appropriate safeguards are in place, including Standard Contractual Clauses (or the UK Addendum), an adequacy decision, or another lawful transfer mechanism. Upon request, Processor will provide reasonable information regarding such safeguards.

8. Security Measures

Processor shall implement and maintain industry-standard technical and organizational security measures appropriate to the risks presented by the Processing of Personal Data, including encryption in transit and at rest, access controls, and regular security testing. Upon request, Processor will provide a high-level summary of its security measures or relevant certifications.

9. Data Subject Requests and Assistance

Processor shall, to the extent legally permitted and at Customer’s reasonable expense, promptly notify Customer if it receives a request from a data subject exercising rights under Data Protection Laws and reasonably assist Customer in responding to such requests.

10. Personal Data Breach Notification

Processor shall notify Customer without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data Breach affecting Customer Data. The notification shall include, to the extent known, a description of the nature of the Breach, the categories and approximate number of data subjects and Personal Data records concerned, the likely consequences, and the measures taken or proposed to address the Breach.

11. Audits and Compliance

11.1 Information and Reports. Upon Customer’s reasonable written request, Processor shall make available to Customer all information reasonably necessary to demonstrate compliance with its obligations under this DPA and applicable Data Protection Laws. Processor may satisfy this obligation by providing Customer with a current summary of its most recent independent third-party audit report (such as a SOC 2 Type II report or equivalent), together with any additional information reasonably requested by Customer, subject to appropriate confidentiality obligations.

11.2 Right to Audit. Where Data Protection Laws grant Customer an audit right, and to the extent the information provided under Section 11.1 is not reasonably sufficient for Customer to verify Processor’s compliance, Customer (or its designated independent auditor) may conduct an audit of Processor’s policies, procedures, and records relevant to the Processing of Personal Data under this DPA.

Any such audit shall be subject to the following conditions:

(a) Frequency. Audits may be conducted no more than once in any twelve (12) month period, unless (i) required by a competent supervisory authority or regulatory body, or (ii) reasonably necessary due to a Personal Data Breach affecting Customer Data.

(b) Notice and Timing. Customer shall provide Processor with at least thirty (30) days’ prior written notice of any proposed audit. The parties shall cooperate in good faith to agree on a mutually convenient date, scope, duration, and security and confidentiality controls for the audit. Audits shall be conducted during Processor’s normal business hours and in a manner designed to minimize disruption to Processor’s business operations.

(c) Independent Auditor. Any audit shall be conducted by Customer or by a nationally recognized independent third-party auditor that is not a competitor of Processor and that has entered into confidentiality obligations reasonably acceptable to Processor. Processor may reasonably object to any proposed auditor that does not meet these criteria, in which case Customer shall appoint an alternative auditor.

(d) Scope and Access. The scope of any audit shall be limited to what is reasonably necessary to verify compliance with this DPA. Audits shall not include access to Processor’s production systems, source code, or the Personal Data of Processor’s other customers, except to the extent strictly necessary and agreed in writing in advance.

(e) Cost. Customer shall bear all costs and expenses associated with any audit it initiates, including Processor’s reasonable costs of facilitating the audit (which Processor shall notify Customer of in advance where practicable).

(f) Findings. Customer shall provide Processor with a written summary of any material findings from the audit. Any information obtained during an audit shall be treated as Processor’s Confidential Information.

11.3 Remediation. If an audit reveals material non-compliance with this DPA, Processor shall, at its own expense and within a reasonable timeframe agreed with Customer, take appropriate remedial actions to address such non-compliance.

12. Deletion and Return of Personal Data

Upon termination or expiration of the Agreement or upon Customer’s written request (subject to Section 12 of this DPA and ToS Section 12.3(c)), Processor shall delete or return all Personal Data to Customer and delete existing copies, using commercially reasonable efforts to complete such deletion or return within thirty (30) calendar days, except to the extent that Processor is required by applicable law to retain such Personal Data. Processor shall confirm deletion or return in writing upon Customer’s request.

13. Term and Termination

This DPA shall remain in effect for as long as Processor Processes Personal Data on behalf of Customer under the Agreement. Sections 5(f), 7, 10, 11, and 12 shall survive termination.

14. Miscellaneous

14.1 In the event of any conflict between this DPA and the Agreement, this DPA shall control with respect to the Processing of Personal Data.

14.2 This DPA is governed by the laws specified in the Agreement’s governing law provision, except that applicable Data Protection Laws (including the GDPR) shall apply to the extent they govern the Processing of Personal Data.

14.3 This DPA, together with the Agreement and any appendices or referenced policies, constitutes the entire agreement between the parties with respect to the subject matter hereof.

14.4 Processor may update this DPA from time to time to reflect changes in law or Sub-processors. Material changes will be notified in accordance with the notice provisions of the Agreement.