Legal

Data Processing Addendum

Effective May 1, 2026 · BW-J2 Inc. d/b/a BuilderWarden

Draft pending final attorney review before signature. This DPA is for business customers (for example, builder partners licensing Builder OS) whose end-user or client personal data BuilderWarden processes on their behalf. Consumer users are covered by the Privacy Policy, not this DPA.

This Data Processing Addendum ("DPA") forms part of the agreement between BW-J2 Inc., a Delaware corporation, d/b/a BuilderWarden ("BuilderWarden") and the customer identified in the applicable agreement or order ("Customer") governing Customer's use of BuilderWarden's platform services (the "Agreement"). This DPA applies to the extent BuilderWarden processes Personal Data on Customer's behalf.

1. Definitions

"Personal Data," "Processing," "Controller," "Processor," "Data Subject," and "Personal Data Breach" have the meanings given in Applicable Data Protection Law. "Applicable Data Protection Law" means all privacy and data protection laws applicable to the Processing under the Agreement, including the California Consumer Privacy Act as amended by the CPRA ("CCPA") and, if applicable, the EU/UK GDPR. "Customer Data" means Personal Data that Customer or its users submit to the services or that BuilderWarden processes on Customer's behalf under the Agreement.

2. Roles and Scope

For Customer Data, Customer is the Controller (or "Business" under CCPA) and BuilderWarden is the Processor (or "Service Provider"). Details of Processing (subject matter, duration, nature, purposes, data categories, and Data Subjects) are set out in Annex A. Where BuilderWarden processes personal data for its own purposes as described in its Privacy Policy, for example, data of consumers who use BuilderWarden's own consumer applications, or BuilderWarden's own client, billing, and account records, BuilderWarden acts as an independent Controller, and this DPA does not apply to that processing.

3. Processing Instructions

BuilderWarden will Process Customer Data only on Customer's documented instructions, including as set out in the Agreement and this DPA, unless required by law (in which case BuilderWarden will notify Customer unless legally prohibited). As a CCPA Service Provider, BuilderWarden will not: sell or share Customer Data; retain, use, or disclose it outside the direct business relationship or for any purpose other than performing the services (or as permitted by CCPA); or combine it with other data except as permitted for the business purposes. Builder Concierge will notify Customer if it determines it can no longer meet its obligations under Applicable Data Protection Law, and Customer may take reasonable steps to stop and remediate unauthorized use.

4. Confidentiality

BuilderWarden ensures that personnel authorized to Process Customer Data are bound by confidentiality obligations and access Customer Data only as needed to perform the services.

5. Subprocessors

Customer provides general authorization for BuilderWarden to engage the subprocessors listed in Annex C. BuilderWarden will: (a) impose data protection obligations on subprocessors no less protective than this DPA; (b) remain responsible for subprocessors' performance; and (c) provide at least 90 days' notice of new subprocessors (via email to Customer's designated contact), during which Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection, Customer may terminate the affected services and receive a pro-rated refund of prepaid fees.

6. Security

BuilderWarden implements and maintains appropriate technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Annex B, and reviews them regularly. BuilderWarden may update the measures provided the overall security of the services is not materially diminished.

7. Personal Data Breach

BuilderWarden will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Data, and will provide information reasonably available to help Customer meet its legal obligations, cooperate in the investigation, and take reasonable steps to mitigate and remediate. BuilderWarden's notification is not an admission of fault.

8. Assistance

Taking into account the nature of the Processing, BuilderWarden will provide reasonable assistance to Customer, at Customer's expense where the assistance is material, with: (a) responding to Data Subject requests (access, correction, deletion, portability, objection, opt-out) received by Customer, and will forward to Customer, without responding except to direct the individual to Customer, any such request BuilderWarden receives directly relating to Customer Data; and (b) Customer's data protection impact assessments and regulator consultations, where required.

9. Deletion and Return

Upon termination or expiration of the Agreement, BuilderWarden will, at Customer's election made within 30 days, delete or return Customer Data (and delete existing copies), except where retention is required by law, including construction, licensing, tax, lien, and warranty record-keeping obligations, in which case BuilderWarden will protect the retained data under this DPA and delete it when the legal basis expires. Reasonable export tooling is available during the Agreement term.

10. Audits

No more than once per 12-month period (and additionally following a Personal Data Breach), Customer may audit BuilderWarden's compliance with this DPA by: first, reviewing BuilderWarden's then-current security documentation and third-party attestations; and second, if reasonably insufficient, a remote or on-site audit on at least 30 days' notice, during business hours, under confidentiality, at Customer's expense, no more intrusive than necessary, and without access to other customers' data.

11. International Transfers

Customer Data is hosted and processed in the United States. If Applicable Data Protection Law requires a transfer mechanism for data originating outside the U.S., the parties incorporate the EU Standard Contractual Clauses (Module 2: Controller to Processor) and the UK Addendum by reference, with Annexes A through C serving as the required appendices.

12. Liability and Order of Precedence

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. In case of conflict: this DPA controls over the Agreement for data-protection matters; the SCCs (if applicable) control over this DPA.

Annex A, Details of Processing

  • Subject matter & nature: Provision of the BuilderWarden platform: construction project management, client portal, lead and prospect management, document and e-signature workflows, compliance tracking, scheduling, budgeting, and communications.
  • Duration: The term of the Agreement plus the deletion/retention period in Section 9.
  • Purposes: Performing the services described in the Agreement.
  • Categories of Data Subjects: Customer's clients and prospects; Customer's personnel and authorized users; Customer's subcontractors, vendors, and their personnel.
  • Categories of Personal Data: Contact and identification data; account credentials; project, property, and contract data; design preferences and documents; communications; scheduling and task data; financial and billing data related to projects; compliance documentation (for example, licenses, insurance certificates, W-9s); e-signature records and audit trails; usage logs.
  • Sensitive data: Not intended to be submitted, except government identifiers appearing in tax/compliance documents (for example, W-9s) and financial documentation where Customer chooses to collect it through the services.

Annex B, Technical and Organizational Measures

Encryption of data in transit (TLS) and at rest; logical tenant isolation and row-level security in the database layer; role-based access control and least-privilege permissioning; secret-authenticated, idempotent service-to-service integrations with full audit logging; webhook and event logging for traceability; automated compliance tracking of subcontractor documentation (COI, license, W-9 expirations); administrative access restricted to authorized personnel; personnel confidentiality obligations; vendor due diligence for subprocessors; backup and recovery via managed database infrastructure; vulnerability management and dependency updates; breach response procedures aligned to Section 7.

Annex C, Authorized Subprocessors

SubprocessorFunctionLocation
SupabaseDatabase, authentication, storage, edge functionsUnited States
LovableApplication hosting/deploymentUnited States/EU
StripePayment processingUnited States
SignWellElectronic signaturesUnited States
DocuSignElectronic signaturesUnited States
Google (Maps Platform)Mapping and property location servicesUnited States
ResendTransactional email deliveryUnited States
OpenAIAI generation featuresUnited States
AnthropicAI generation featuresUnited States
PerplexityAI generation featuresUnited States

Contact

BW-J2 Inc. d/b/a BuilderWarden
1408 Waterloo Shore Lane, Austin, Texas 78741
legal@builderwarden.app