This Data Processing Addendum ("DPA") is entered into between BuildLoops, Inc. ("BuildLoops" or "Processor") and the entity identified as the Customer ("Customer" or "Controller") and is incorporated into the BuildLoops Terms of Service or other written agreement between the parties governing Customer's use of the BuildLoops platform (the "Agreement").
This DPA applies to the extent that BuildLoops processes Personal Data on behalf of Customer in connection with the Service. In the event of any conflict between this DPA and the Agreement, this DPA shall control with respect to the subject matter covered herein.
1. Definitions
"Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection ("FDPA"), the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and any other applicable national, state, or regional data protection legislation.
"Customer Personal Data" means any Personal Data that Customer submits to or that is collected through the Service on Customer's behalf, including data contained in Content, Outputs, and accumulated Context as defined in the Agreement.
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
"Personal Data" has the meaning given to it (or to "personal information") under Applicable Data Protection Law.
"Process" / "Processing" has the meaning given under Applicable Data Protection Law and includes any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, and erasure.
"Standard Contractual Clauses" / "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission Implementing Decision (EU) 2021/914, as may be amended or replaced.
"Subprocessor" means any third party engaged by BuildLoops to process Customer Personal Data on behalf of Customer in connection with the Service.
2. Processing Roles and Scope
2.1 Roles
As between Customer and BuildLoops: Customer is the Controller (or Processor on behalf of its own controller) and BuildLoops is the Processor of Customer Personal Data. BuildLoops processes Customer Personal Data only on behalf of and in accordance with Customer's documented instructions.
2.2 Scope of Processing
The subject matter, duration, nature, purpose, types of Personal Data, and categories of data subjects covered by this DPA are described in Annex 1 (Processing Details) attached hereto.
2.3 Customer Obligations
Customer represents and warrants that: (a) it has obtained all necessary consents and authorizations required under Applicable Data Protection Law to permit BuildLoops to process Customer Personal Data as contemplated by this DPA; (b) its instructions to BuildLoops comply with Applicable Data Protection Law; and (c) it has provided appropriate privacy notices to data subjects whose Personal Data is submitted to the Service.
3. Processing Requirements
BuildLoops shall:
- Process Customer Personal Data only in accordance with Customer's documented instructions, including as set forth in the Agreement and this DPA, unless required to do otherwise by applicable law (in which case BuildLoops will inform Customer before such processing unless prohibited by law).
- Promptly notify Customer in writing if it believes an instruction from Customer infringes Applicable Data Protection Law.
- Ensure that all persons authorized to process Customer Personal Data are subject to binding confidentiality obligations.
- Implement and maintain the technical and organizational security measures described in Annex 2 (Security Measures).
- Not process Customer Personal Data outside the scope of Customer's instructions except as required by applicable law.
4. Restrictions on Data Use
4.1 No Model Training.
BuildLoops shall not use Customer Personal Data, Content, or Outputs to train, fine-tune, or improve any machine learning or artificial intelligence models, whether owned by BuildLoops or any third party. This restriction extends to all Subprocessors, including AI model providers.
4.2 No Sale or Sharing.
BuildLoops shall not sell, share, or disclose Customer Personal Data to any third party except as permitted under this DPA. To the extent applicable under the CCPA, BuildLoops certifies that it understands and will comply with its obligations as a "Service Provider" and will not sell or share Customer Personal Data.
4.3 No Retention by AI Providers.
BuildLoops maintains zero-retention API agreements with its AI model providers (LLM Subprocessors). Customer Personal Data sent to AI model providers for processing is processed ephemerally and is not stored, retained, or logged for human review by the AI model provider after the response is returned, except as required by applicable law.
5. Subprocessors
5.1 Authorization
Customer provides general authorization for BuildLoops to engage Subprocessors to process Customer Personal Data. The current list of Subprocessors is available at buildloops.ai/subprocessors.
5.2 Notification of Changes
BuildLoops will notify Customer by email at least 30 days before adding or replacing a Subprocessor. The notification will include the Subprocessor's name, purpose, and data processing location.
5.3 Objection Right
Customer may object to a new Subprocessor by notifying BuildLoops in writing within 15 days of receiving the notification. If Customer objects, BuildLoops shall, at its option: (a) offer a commercially reasonable alternative to provide the Service without the objected-to Subprocessor; (b) take corrective steps requested by Customer and proceed with the Subprocessor; or (c) allow Customer to terminate the affected portion of the Service without penalty. If none of these options is commercially feasible, either party may terminate the Agreement upon 30 days' written notice.
5.4 Subprocessor Obligations
BuildLoops shall ensure that each Subprocessor is bound by written obligations that provide at least the same level of data protection as this DPA, including restrictions on data use, model training, and retention.
6. Security
BuildLoops shall implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures are described in Annex 2 and include, at a minimum:
- Encryption of Customer Personal Data in transit (TLS 1.2+) and at rest (AES-256).
- Access controls limiting personnel access to Customer Personal Data on a need-to-know basis.
- Regular security assessments and vulnerability testing.
- Secure software development lifecycle practices.
- Zero-retention agreements with AI model Subprocessors.
- Logical separation of Customer data from other customers' data.
7. Data Breach Notification
BuildLoops shall notify Customer of any Data Breach without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include, to the extent available: (a) the nature of the Data Breach, including the categories and approximate number of data subjects and records affected; (b) the likely consequences of the Data Breach; (c) the measures taken or proposed to address the Data Breach; and (d) the contact point for further information. BuildLoops shall cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.
8. Data Subject Rights
BuildLoops shall assist Customer in responding to requests from data subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection). BuildLoops shall promptly notify Customer if it receives a data subject request directly and shall not respond to such request except on Customer's documented instructions or as required by applicable law.
9. Data Protection Impact Assessments
BuildLoops shall provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Applicable Data Protection Law and to the extent such assistance relates to BuildLoops's processing of Customer Personal Data.
10. International Data Transfers
10.1 Transfer Mechanisms
To the extent that the processing of Customer Personal Data involves a transfer from the EEA, UK, or Switzerland to a country that has not been deemed to provide an adequate level of data protection, the parties agree that such transfers shall be governed by the Standard Contractual Clauses attached as Annex 3.
10.2 EU SCCs
For transfers from the EEA: where Customer is a Controller, Module 2 (Controller-to-Processor) of the EU SCCs shall apply. Where Customer is a Processor acting on behalf of a third-party Controller, Module 3 (Processor-to-Processor) of the EU SCCs shall apply. The parties agree to the following selections: Clause 7: the optional docking clause is included; Clause 9(a): Option 2 (general written authorization) is selected, with the time period for prior notice set at 30 days; Clause 11: the optional language is not included; Clause 17: Option 1 is selected, with the governing law of Ireland; Clause 18(b): disputes shall be resolved before the courts of Ireland.
10.3 UK Transfers
For transfers from the UK, the International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner's Office) shall apply and is incorporated by reference.
10.4 Swiss Transfers
For transfers governed by the Swiss FDPA, the EU SCCs apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner, including that the competent supervisory authority is the Swiss FDPIC and references to the GDPR are read as references to the Swiss FDPA.
11. Audit Rights
BuildLoops shall make available to Customer, upon reasonable request and no more than once per year, all information reasonably necessary to demonstrate compliance with this DPA. Customer may conduct an audit (or engage a qualified independent auditor bound by confidentiality obligations) to verify compliance, subject to reasonable advance notice (at least 30 days), scope limitations to the subject matter of this DPA, and during BuildLoops's normal business hours. BuildLoops may satisfy audit requests by providing relevant SOC 2 Type II reports, ISO 27001 certifications, or equivalent third-party audit reports.
12. Data Deletion and Return
Upon termination or expiry of the Agreement, BuildLoops shall, at Customer's election: (a) return all Customer Personal Data to Customer in a structured, machine-readable format (JSON/CSV); or (b) delete all Customer Personal Data in accordance with BuildLoops's standard deletion procedures. Customer has 90 days following termination to request return of data, after which BuildLoops will delete Customer Personal Data, except where retention is required by applicable law. BuildLoops shall confirm deletion in writing upon Customer's request.
13. U.S. State Privacy Law Compliance
To the extent that BuildLoops processes Customer Personal Data subject to U.S. State Privacy Laws (including the CCPA/CPRA, Virginia CDPA, Colorado CPA, Connecticut CTDPA, and similar laws), BuildLoops:
- Shall process Customer Personal Data only for the purposes set out in this DPA and the Agreement.
- Shall not sell or share Customer Personal Data as defined under applicable state law.
- Shall not retain, use, or disclose Customer Personal Data outside the direct business relationship between BuildLoops and Customer.
- Shall not combine Customer Personal Data with personal data received from third parties, except as permitted by applicable law.
- Certifies that it understands and will comply with its obligations under applicable U.S. State Privacy Laws.
- Shall grant Customer the right to take reasonable and appropriate steps to ensure BuildLoops uses Customer Personal Data in a manner consistent with Customer's obligations under applicable law.
14. Term
This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination of the Agreement, subject to Section 12 (Data Deletion and Return). The obligations of BuildLoops under this DPA with respect to Customer Personal Data that is retained after termination shall continue until such data is deleted.
15. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement, except that nothing in the Agreement or this DPA shall limit either party's liability with respect to the rights of data subjects under Applicable Data Protection Law.
Annex 1: Processing Details
| Element | Description |
|---|---|
| Subject Matter | Processing of Personal Data to provide the BuildLoops AI-guided business strategy platform, including running Station loops, generating Outputs, accumulating Context across Lines, and integrating with third-party tools. |
| Duration | For the term of the Agreement plus the 90-day post-termination data retention period. |
| Nature and Purpose | AI-guided evidence synthesis, recommendation generation, context accumulation, third-party tool integration, analytics, and customer support, all for the purpose of providing the Service. |
| Types of Personal Data | Name, email address, IP address, device identifiers, business information (product descriptions, customer segments, pricing data, competitive intelligence, revenue metrics, marketing data), customer interview notes, survey responses, call recordings (where integrated), and analytics data from connected third-party tools. |
| Categories of Data Subjects | Customer's authorized users (builders, founders, team members); and individuals whose data is contained in Customer's Content (e.g., interviewees, survey respondents, prospective customers referenced in business data). |
| Special Categories of Data | None intentionally processed. Customer is instructed not to submit special categories of data (health, biometric, racial/ethnic, political, religious, sexual orientation, trade union) to the Service. |
Annex 2: Technical and Organizational Security Measures
BuildLoops implements and maintains the following security measures:
- Encryption: AES-256 encryption at rest; TLS 1.2+ encryption in transit for all data communications.
- Access Control: Role-based access control with least-privilege principles; multi-factor authentication for all employee access to production systems; unique credentials for all personnel.
- AI Provider Security: Zero-retention API agreements with all LLM Subprocessors; contractual prohibitions on model training, data retention, and human review of Customer data.
- Network Security: Firewalls, intrusion detection/prevention systems, and network segmentation isolating production environments.
- Data Isolation: Logical separation of Customer data from other customers in production databases.
- Vulnerability Management: Regular vulnerability scanning and penetration testing; timely patching of identified vulnerabilities.
- Employee Security: Background checks for personnel with access to Customer data; mandatory security awareness training; confidentiality agreements.
- Physical Security: Cloud infrastructure hosted in SOC 2-certified data centers with physical access controls, surveillance, and environmental protections.
- Incident Response: Documented incident response plan with defined roles, escalation procedures, and 72-hour breach notification commitment.
- Business Continuity: Regular data backups, disaster recovery testing, and redundancy measures to ensure service availability.
- Logging and Monitoring: Centralized logging and real-time monitoring of access to production systems and Customer data.
- Secure Development: Secure software development lifecycle practices including code review, static analysis, and dependency management.
Annex 3: Standard Contractual Clauses
The Standard Contractual Clauses adopted by European Commission Implementing Decision (EU) 2021/914 are incorporated herein by reference and apply to international transfers of Customer Personal Data as described in Section 10. The completed Annexes to the SCCs (including the technical and organizational measures in Annex 2 of this DPA) shall serve as the relevant Annexes to the SCCs. The full text of the SCCs is available at eur-lex.europa.eu and is not reproduced here for brevity, but is legally incorporated in its entirety.