Kalma
Back to home

Data Processing Agreement (DPA)

Last updated: [DATE]

This Data Processing Agreement (DPA) is provided in English, its authoritative version, which prevails in case of discrepancy.

This Data Processing Agreement (the “DPA”) forms part of the Terms and Conditions (the “Agreement”) between [LEGAL ENTITY NAME] (the “Processor”) and the customer that has accepted the Agreement (the “Controller”). It governs the Processing of Personal Data carried out by the Processor on behalf of the Controller in connection with [SERVICE NAME] (the “Service”), in accordance with the General Data Protection Regulation (GDPR). In case of conflict, this DPA prevails over the Agreement with respect to the Processing of Personal Data.

1. Definitions

Capitalized terms not defined herein have the meaning given in the GDPR. “Controller”, “Processor”, “Personal Data”, “Processing”, “Data Subject”, “Personal Data Breach” and “Supervisory Authority” have the meanings set out in Article 4 GDPR. “Sub-processor” means any processor engaged by the Processor. “SCCs” means the Standard Contractual Clauses approved by the European Commission.

2. Roles and scope of Processing

The Controller is the controller and the Processor is the processor of the Personal Data. The Processor shall Process Personal Data only on the documented instructions of the Controller, including with regard to international transfers, unless required to do otherwise by applicable law.

The subject matter, duration, nature and purpose of the Processing, the types of Personal Data and the categories of Data Subjects are set out in Annex I.

3. Processor obligations

The Processor shall: (a) Process Personal Data only on documented instructions; (b) ensure that persons authorized to Process Personal Data are bound by confidentiality; (c) not Process the Personal Data for its own purposes; and (d) inform the Controller if, in its opinion, an instruction infringes the GDPR.

4. Security

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. A description of those measures is set out in Annex II.

5. Sub-processors

The Controller grants the Processor general authorization to engage the Sub-processors listed on the Processor’s Subprocessors page. The Processor shall impose on each Sub-processor data-protection obligations substantially equivalent to those set out in this DPA.

The Processor shall inform the Controller of any intended addition or replacement of Sub-processors, giving the Controller the opportunity to object on reasonable data-protection grounds.

6. Data Subject rights

Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as possible, in responding to requests from Data Subjects exercising their rights under the GDPR.

7. Assistance to the Controller

The Processor shall assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 GDPR, including security of Processing, notification of Personal Data Breaches, data protection impact assessments and prior consultation, taking into account the nature of Processing and the information available to the Processor.

8. Personal Data Breach

The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller’s Personal Data, and shall provide the information reasonably available to enable the Controller to meet its notification obligations.

9. International transfers

Where Processing involves a transfer of Personal Data to a country outside the European Economic Area, such transfer shall be subject to appropriate safeguards under the GDPR, including the SCCs, which are incorporated into this DPA by reference where applicable.

10. Audits

The Processor shall make available to the Controller information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by it, subject to reasonable prior notice and confidentiality obligations.

11. Return or deletion of data

Upon termination of the Service, the Processor shall, at the choice of the Controller, delete or return all Personal Data and delete existing copies, unless applicable law requires further storage.

12. Liability and term

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA shall remain in effect for as long as the Processor Processes Personal Data on behalf of the Controller.

13. Governing law

This DPA is governed by [GOVERNING LAW], consistent with the Agreement, without prejudice to the provisions of the GDPR and the SCCs.

Annex I — Details of Processing

Subject matter: provision of the Service. Duration: the term of the Agreement. Nature and purpose: hosting, storage and processing of Personal Data to provide BIM deliverable management features.

Types of Personal Data: account data (name, email, hashed password, preferred language), project and deliverable data, Autodesk Construction Cloud file metadata and access tokens, and technical/log data. Categories of Data Subjects: the Controller’s authorized users and the individuals participating in the Controller’s projects.

Annex II — Technical and organizational measures

Measures include, where applicable: password hashing, encryption in transit, restricted and role-based access controls, hosting on reputable cloud infrastructure providers, activity logging, and regular review of security practices. [COMPLETE / ADJUST MEASURES WITH COUNSEL].

Annex III — Sub-processors

The current list of Sub-processors is available on the Processor’s Subprocessors page and forms part of this DPA.