Legal
Data Processing Addendum
Effective: May 1, 2026
Applies across builderwarden.live, builderwarden.dev, and builderwarden.live.
This Data Processing Addendum ("DPA") forms part of the agreement between BW-J2 Inc., a Delaware corporation, d/b/a BuilderWarden ("BuilderWarden") and the customer identified in the applicable agreement or order ("Customer") governing Customer's use of BuilderWarden's platform services (the "Agreement"). This DPA applies to the extent BuilderWarden processes Personal Data on Customer's behalf.
§1Definitions
"Personal Data," "Processing," "Controller," "Processor," "Data Subject," and "Personal Data Breach" have the meanings given in Applicable Data Protection Law. "Applicable Data Protection Law" means all privacy and data protection laws applicable to the Processing under the Agreement, including the California Consumer Privacy Act as amended by the CPRA ("CCPA") and, if applicable, the EU/UK GDPR. "Customer Data" means Personal Data that Customer or its users submit to the services or that BuilderWarden processes on Customer's behalf under the Agreement.
§2Roles and Scope
For Customer Data, Customer is the Controller (or "Business" under CCPA) and BuilderWarden is the Processor (or "Service Provider"). Details of Processing are set out in Annex A. Where BuilderWarden processes personal data for its own purposes as described in its Privacy Policy — for example, data of consumers who use BuilderWarden's own consumer applications, or BuilderWarden's own client, billing, and account records — BuilderWarden acts as an independent Controller, and this DPA does not apply to that processing.
§3Processing Instructions
BuilderWarden will Process Customer Data only on Customer's documented instructions, including as set out in the Agreement and this DPA, unless required by law (in which case BuilderWarden will notify Customer unless legally prohibited). As a CCPA Service Provider, BuilderWarden will not: sell or share Customer Data; retain, use, or disclose it outside the direct business relationship or for any purpose other than performing the services (or as permitted by CCPA); or combine it with other data except as permitted for the business purposes. BuilderWarden will notify Customer if it determines it can no longer meet its obligations, and Customer may take reasonable steps to stop and remediate unauthorized use.
§4Confidentiality
BuilderWarden ensures that personnel authorized to Process Customer Data are bound by confidentiality obligations and access Customer Data only as needed to perform the services.
§5Subprocessors
Customer provides general authorization for BuilderWarden to engage the subprocessors listed in Annex C. BuilderWarden will: (a) impose data protection obligations on subprocessors no less protective than this DPA; (b) remain responsible for subprocessors' performance; and (c) provide at least 90 days' notice of new subprocessors (via email to Customer's designated contact), during which Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection, Customer may terminate the affected services and receive a pro-rated refund of prepaid fees.
§6Security
BuilderWarden implements and maintains appropriate technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Annex B, and reviews them regularly. BuilderWarden may update the measures provided the overall security of the services is not materially diminished.
§7Personal Data Breach
BuilderWarden will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Data, and will provide information reasonably available to help Customer meet its legal obligations, cooperate in the investigation, and take reasonable steps to mitigate and remediate. BuilderWarden's notification is not an admission of fault.
§8Assistance
Taking into account the nature of the Processing, BuilderWarden will provide reasonable assistance to Customer, at Customer's expense where the assistance is material, with: (a) responding to Data Subject requests (access, correction, deletion, portability, objection, opt-out) received by Customer — and will forward to Customer, without responding except to direct the individual to Customer, any such request BuilderWarden receives directly relating to Customer Data; and (b) Customer's data protection impact assessments and regulator consultations, where required.
§9Deletion and Return
Upon termination or expiration of the Agreement, BuilderWarden will, at Customer's election made within 30 days, delete or return Customer Data (and delete existing copies), except where retention is required by law — including construction, licensing, tax, lien, and warranty record-keeping obligations — in which case BuilderWarden will protect the retained data under this DPA and delete it when the legal basis expires. Reasonable export tooling is available during the Agreement term.
§10Audits
No more than once per 12-month period (and additionally following a Personal Data Breach), Customer may audit BuilderWarden's compliance with this DPA by: first, reviewing BuilderWarden's then-current security documentation and third-party attestations; and second, if reasonably insufficient, a remote or on-site audit on at least 30 days' notice, during business hours, under confidentiality, at Customer's expense, no more intrusive than necessary, and without access to other customers' data.
§11International Transfers
Customer Data is hosted and processed in the United States. If Applicable Data Protection Law requires a transfer mechanism for data originating outside the U.S., the parties incorporate the EU Standard Contractual Clauses (Module 2: Controller→Processor) and the UK Addendum by reference, with Annexes A–C serving as the required appendices.
§12Liability and Order of Precedence
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. In case of conflict: this DPA controls over the Agreement for data-protection matters; the SCCs (if applicable) control over this DPA.
Annex A — Details of Processing
- Subject matter & nature
- Provision of the BuilderWarden platform: construction project management, client portal, lead and prospect management, document and e-signature workflows, compliance tracking, scheduling, budgeting, and communications.
- Duration
- The term of the Agreement plus the deletion/retention period in Section 9.
- Purposes
- Performing the services described in the Agreement.
- Data Subjects
- Customer's clients and prospects; Customer's personnel and authorized users; Customer's subcontractors, vendors, and their personnel.
- Personal Data
- Contact and identification data; account credentials; project, property, and contract data; design preferences and documents; communications; scheduling and task data; financial and billing data related to projects (budgets, invoices, payment applications); compliance documentation (licenses, insurance certificates, W-9s); e-signature records and audit trails; usage logs.
- Sensitive data
- Not intended to be submitted, except government identifiers appearing in tax/compliance documents (e.g., W-9s) and financial documentation where Customer chooses to collect it through the services.
Annex B — Technical and Organizational Measures
- Encryption of data in transit (TLS) and at rest
- Logical tenant isolation and row-level security in the database layer
- Role-based access control and least-privilege permissioning
- Secret-authenticated, idempotent service-to-service integrations with full audit logging
- Webhook and event logging for traceability
- Automated compliance tracking of subcontractor documentation (COI, license, W-9 expirations)
- Administrative access restricted to authorized personnel
- Personnel confidentiality obligations
- Vendor due diligence for subprocessors
- Backup and recovery via managed database infrastructure
- Vulnerability management and dependency updates
- Breach response procedures aligned to Section 7
Annex C — Authorized Subprocessors
| Subprocessor | Function | Location |
|---|---|---|
| Supabase | Database, authentication, storage, edge functions | United States |
| Lovable | Application hosting / deployment | United States |
| Stripe | Payment processing | United States |
| SignWell | Electronic signatures | United States |
| DocuSign | Electronic signatures | United States |
| Google (Maps Platform) | Mapping and property location services | United States / EU |
| Resend | Transactional email delivery | United States |
| OpenAI | AI generation features | United States |
| Anthropic | AI generation features | United States |
| Perplexity | AI generation features | United States |
This list is maintained here as our public subprocessors registry. Material changes are notified per Section 5.
