This Data Processing Addendum (“DPA”) reflects the parties’ obligations under Article 28 of the GDPR and, where applicable, the UK GDPR, when BIModular processes personal data on behalf of the Customer.
This DPA forms part of the Terms of Service or other agreement between BIModular EIRL (“Provider”) and the customer entity agreeing to the Terms (“Customer”).
1. Subject matter
Provider processes Personal Data on behalf of Customer in connection with the provision of the BOMSync platform (the “Services”).
2. Roles of the parties
- Customer is the Controller (or Processor on documented instructions from another controller, as applicable).
- Provider is the Processor with respect to processing performed for the Services.
- Sub-processors engaged by Provider process personal data on Provider’s instructions, in accordance with this DPA.
3. Customer instructions
Provider shall process Personal Data only in accordance with documented instructions from Customer (including via the Services configuration), to provide the Services, or to comply with legal obligations binding on Provider.
4. Confidentiality
Provider shall ensure persons authorised to process Personal Data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
5. Security
Provider shall implement technical and organisational measures appropriate to the risk, including encryption, access controls, monitoring, and regular testing, as described in Provider’s security practices and this DPA.
6. Sub-processors
Customer authorises Provider to engage the Sub-processors listed in Schedule B. Provider shall impose data protection obligations on Sub-processors no less protective than this DPA.
Advance notice. Provider will give Customer at least 30 days’ prior notice of any intended addition or replacement of a Sub-processor by posting an update to this page and/or notifying Customer’s admin contact. Customer may object on reasonable grounds related to data protection by notifying Provider in writing within that 30-day period. If the Parties cannot reach a resolution, Customer may suspend the affected Service or terminate the relevant order for convenience, with a pro-rata refund of prepaid fees for the remaining term of the terminated portion, where such refund is provided for under the main agreement.
7. International transfers
Where Personal Data is transferred outside the European Economic Area (“EEA”) or outside the United Kingdom (“UK”), Provider shall ensure that appropriate safeguards are in place as required under GDPR Chapter V and UK data protection law (for example, EU Standard Contractual Clauses, the UK International Data Transfer Agreement / Addendum, or adequacy decisions).
8. Assistance
Provider shall assist Customer with responding to data subject requests, data protection impact assessments, and supervisory authority consultations, taking into account the nature of processing and information available to Provider, as required by applicable Data Protection Laws.
9. Audit
Provider shall make available information reasonably necessary to demonstrate compliance with this DPA and shall allow for audits, including inspections, by Customer or an auditor mandated by Customer, no more than once annually except where mandatory law or a supervisory authority requires otherwise, subject to reasonable confidentiality and security arrangements.
10. Breach notification
Provider shall notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer’s data, and shall provide information reasonably required for Customer to meet its obligations under Data Protection Laws.
11. Return or deletion
Upon termination of Services, Provider shall delete or return Personal Data to Customer, unless retention is required by applicable law.
12. Liability
Liability under this DPA is subject to the limitations of the main agreement, without prejudice to liability under Data Protection Laws where such limitation is not permitted.
13. Governing law
This DPA is governed by the laws of the French Republic, without prejudice to mandatory provisions of Data Protection Laws applicable to processing in the EEA or UK.
14. Notices
Notices under this DPA (including Sub-processor updates) will be provided via Customer’s admin email and/or posted at /legal/dpa. Customer is responsible for keeping its admin contact details current.
Schedule A – Data processing details
- Data subjects: Employees, contractors, clients, vendors, project participants, and other individuals whose data Customer uploads or causes to be processed in the Services.
- Categories: Names, emails, contact details, role information, BIM/BOM identifiers, authentication and audit logs, and similar data processed through the platform.
- Special categories: None intentionally processed; Customer shall not instruct Provider to process special categories unless the parties have agreed in writing.
- Purpose: SaaS delivery, project collaboration, authentication, support, and service improvement in line with the Terms and Privacy Policy.
- Retention: For the term of the agreement plus any legally required period, unless otherwise agreed in writing.
Schedule B – Sub-processors
| Sub-processor | Location(s) | Purpose | Data categories | Safeguards |
|---|---|---|---|---|
| Microsoft Azure | EU (France Central, West Europe); global regions (fallback) | Cloud hosting, storage, databases, backup, monitoring | Account data, project data, files, logs | EU SCCs, Microsoft DPA, ISO 27001, SOC 2 |
| Syncfusion Inc. | United States (with EU CDN endpoints where applicable) | UI components, reporting engine, document rendering | UI usage, rendered report data (often transient) | EU SCCs, contractual DPA |
| Azure Communication Services | EU (France Central, West Europe); global regions (fallback) | Email, SMS, chat, voice, real-time communication | Contact data (names, emails, phone numbers), message metadata | EU SCCs, Microsoft DPA, ISO 27001, SOC 2 |
| Stripe, Inc. (and Stripe Payments Europe Ltd where applicable) | United States; Ireland (EU payment entity) where applicable | Payment processing, subscriptions, Checkout Sessions, fraud prevention; API and webhooks | Billing contact details, customer and subscription identifiers, payment metadata (card data processed by Stripe under PCI DSS, not stored by Provider as full PAN) | Stripe Data Processing Agreement, PCI DSS, SCCs / transfer mechanisms as applicable |
We will update this list as sub-processors change. Customers will be notified in advance as described in Section 6.