Data Processing Agreement

Last updated: January 15, 2025

Introduction

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between BIM Frame, LLC. (“Processor”, “we”, “us”, or “our”) and the entity or person agreeing to our Terms of Service (“Controller”, “Customer”, “you”, or “your”) to reflect the parties’ agreement with regard to the Processing of Personal Data.

This DPA shall apply to all Personal Data processed by Frame on behalf of the Customer in connection with the provision of our BIM analytics platform and related services.

1. Definitions

“Affiliate” means any entity that controls, is controlled by, or is under common control with a party.

“Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data, including GDPR, CCPA, and other relevant data protection laws.

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

“GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation).

“Personal Data” means any information relating to an identified or identifiable natural person.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

“Processing” means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, or deletion.

“Processor” means the entity which processes Personal Data on behalf of the Controller.

“Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Relationship of Parties and Data Processing

2.1 Roles and Responsibilities

The parties acknowledge and agree that:

  • Customer is the Controller of Personal Data
  • Frame is the Processor of Personal Data
  • Frame will process Personal Data only on documented instructions from Customer
  • Each party shall comply with its respective obligations under Applicable Data Protection Law

2.2 Customer Instructions

Frame shall process Personal Data only in accordance with Customer’s documented instructions, unless:

  • Required by applicable law (Frame shall notify Customer unless prohibited)
  • Processing is necessary for the provision of the Services
  • Customer has given prior written consent

2.3 Details of Processing

The subject matter, duration, nature, and purpose of processing, types of Personal Data, and categories of Data Subjects are described in Exhibit A.

3. Authorized Sub-processors

3.1 Authorization

Customer provides general authorization for Frame to engage Sub-processors to process Personal Data, subject to the requirements in this section.

3.2 Current Sub-processors

Customer acknowledges and agrees to the engagement of the following Sub-processors:

Sub-processorPurposeLocation
Vercel Inc.Hosting & InfrastructureUnited States
TursoBackendUnited States
SupabaseAuthentication ServicesUnited States
Autodesk Platform ServicesFile ProcessingUnited States
StripePayment ProcessingUnited States
OpenAIAIUnited States

Important: Sub-processors used for file processing do not store original design files or customer-generated reports. Only processed derivatives and extracted data are retained. Customer reports remain the property of the customer.

3.3 New Sub-processors

Frame shall:

  • Notify Customer of intended changes concerning addition or replacement of Sub-processors
  • Provide Customer with at least 30 days to object to such changes
  • Ensure Sub-processors are bound by data protection obligations no less protective than this DPA
  • Remain fully liable for Sub-processor compliance

4. Security of Personal Data

4.1 Technical and Organizational Measures

Frame shall implement and maintain appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption of Personal Data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Physical security of data centers
  • Employee training on data protection
  • Incident response and disaster recovery procedures
  • Regular backups and data redundancy
  • Network security and firewalls
  • Audit logging and monitoring

4.2 Security Incidents

In the event of a Personal Data Breach, Frame shall:

  • Notify Customer without undue delay and within 72 hours of becoming aware
  • Provide details of the breach, affected data, and potential consequences
  • Take immediate steps to mitigate the breach
  • Cooperate with Customer in investigating and remediating the breach
  • Document all breaches and responses

5. International Data Transfers

5.1 Transfer Mechanisms

Where Personal Data is transferred outside the EEA or to countries without adequate data protection, Frame shall ensure appropriate safeguards through:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions where applicable
  • Other valid transfer mechanisms under Applicable Data Protection Law

5.2 Supplementary Measures

Frame implements supplementary measures to ensure effective protection of transferred data, including:

  • Technical measures such as encryption and pseudonymization
  • Organizational measures including access restrictions
  • Contractual commitments from Sub-processors

6. Rights of Data Subjects

6.1 Assistance with Requests

Frame shall assist Customer in responding to Data Subject requests regarding:

  • Access to Personal Data
  • Rectification or erasure of Personal Data
  • Restriction of processing
  • Data portability
  • Objection to processing
  • Rights related to automated decision-making

6.2 Response Procedures

If Frame receives a request from a Data Subject:

  • Frame will promptly notify Customer
  • Frame will not respond directly unless authorized by Customer
  • Frame will provide necessary information to enable Customer’s response

7. Audits and Compliance

7.1 Audit Rights

Customer has the right to verify Frame’s compliance with this DPA through:

  • Review of Frame’s security certifications and audit reports
  • Written questions and requests for information
  • On-site audits with reasonable notice (maximum once per year)

7.2 Cooperation

Frame shall:

  • Cooperate with supervisory authorities
  • Assist with data protection impact assessments
  • Maintain records of processing activities
  • Provide evidence of compliance upon request

8. Data Return and Deletion

8.1 Upon Termination

Upon termination of the Services, Frame shall, at Customer’s option:

  • Return all Personal Data to Customer in a structured, commonly used format
  • Delete all Personal Data and existing copies
  • Provide certification of deletion

8.2 Retention Requirements

Frame may retain Personal Data only:

  • As required by applicable law
  • For legitimate business purposes with Customer consent
  • In anonymized or aggregated form

9. Liability and Indemnification

9.1 Liability

Each party’s liability arising out of or related to this DPA shall be subject to the limitations of liability in the Terms of Service.

9.2 Indemnification

Each party shall indemnify the other against losses resulting from its breach of this DPA or Applicable Data Protection Law.

10. General Provisions

10.1 Amendments

Amendments to this DPA require written agreement between the parties, except where required by changes in Applicable Data Protection Law.

10.2 Conflict

In case of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

10.3 Severability

If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.

10.4 Governing Law

This DPA shall be governed by the same law as the Terms of Service, except where Applicable Data Protection Law requires otherwise.

Exhibit A: Details of Processing

Subject Matter of Processing

Processing of Personal Data in connection with Frame’s provision of BIM analytics platform services, including:

  • Processing of uploaded files through third-party services to generate derivatives
  • Data extraction and analysis from processed derivatives
  • Visualization and reporting based on extracted data (reports remain customer property)
  • Account management and user authentication
  • Storage of report templates (Frame’s intellectual property)

Important: Original design files (such as .rvt, .nwd, .ifc) and customer-generated reports are not stored. Only processed derivatives, extracted metadata, and report templates are retained.

Duration of Processing

For the duration of the Customer’s subscription and any applicable retention period thereafter.

Nature and Purpose of Processing

  • Providing BIM analytics and visualization services through processed derivatives
  • Analyzing extracted data from building information models
  • Facilitating customer creation of reports and dashboards (which remain customer property)
  • Maintaining report templates (Frame’s intellectual property)
  • Facilitating collaboration between users through shared analytics
  • Account management and authentication
  • Customer support and service improvement
  • AI-powered analytics (without using customer data for model training)

Categories of Data Subjects

  • Customer’s employees and contractors
  • Customer’s clients and partners (if applicable)
  • End users of Customer’s services
  • Individuals whose data is contained in BIM files

Types of Personal Data

  • Identification data (name, email, phone number)
  • Professional data (company, title, department)
  • Account credentials and authentication data
  • Usage data and activity logs
  • Communication data (support tickets, messages)
  • Project and file metadata
  • Any personal data contained within uploaded BIM files

Exhibit B: Technical and Organizational Measures

Physical Security

  • Data centers with 24/7 security monitoring
  • Biometric access controls
  • Security cameras and intrusion detection
  • Environmental controls (temperature, humidity, fire suppression)

System Security

  • Firewalls and network segmentation
  • Intrusion detection and prevention systems
  • Regular security patches and updates
  • Anti-malware and antivirus protection
  • DDoS protection

Data Security

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Key management systems
  • Data loss prevention controls
  • Regular automated backups

Access Controls

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA)
  • Regular access reviews and audits
  • Principle of least privilege
  • Session management and timeout controls

Organizational Measures

  • Data protection training for all employees
  • Confidentiality agreements
  • Background checks for personnel
  • Incident response procedures
  • Regular security awareness training
  • Data protection officer appointment

Monitoring and Logging

  • Comprehensive audit logging
  • Real-time security monitoring
  • Log retention and analysis
  • Anomaly detection systems
  • Regular security assessments

Contact Information

For questions about this Data Processing Agreement or data protection matters:

Email: contact@bimframe.com

Response Time: We aim to respond to all terms-related inquiries within 30 days.