DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) is made pursuant to and a part of the BuildTime Terms of Service that you as a customer of BuildTime, LLC (“BuildTime”) entered into with BuildTime for use of the BuildTime Service and in which this DPA is referenced (“Agreement”). This DPA defines the parties’ obligations with respect to privacy and the processing of certain Customer Personal Data.
1. DEFINITIONS
Unless otherwise defined in this DPA or the Agreement, the terms used in this DPA, such as “business,” “consumer,” “controller,” “household,” “processor,” “sale,” and “service provider,” will have the meaning given to them by applicable Data Protection Laws.
“BuildTime Service” means the BuildTime Platform and app and the support and related services provided by BuildTime under the Agreement.
“Customer Personal Data” means all Personal Data processed by BuildTime on Customer's behalf as part of the BuildTime Service as further described in Annex 1.
“Data Protection Laws” means the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act (“CPA”); the Utah Consumer Privacy Act (“UCPA”); the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”); the Tennessee Information Protection Act (“TIPA”); and similar federal, state or territorial privacy laws of the United States that impose obligations on privacy, data protection or security of Personal Data.
“Personal Data” means information that is linked or reasonably linkable to an identified or identifiable natural person, or is otherwise defined as “personally identifiable information,” “personal information,” “personal data,” or a substantially similar term under Data Protection Laws.
“process” means to perform any operation or set of operations upon data, whether or not by automatic means, such as collection, accessing, processing, use, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, transmittal, alignment or combination, blocking, erasure, destruction or otherwise as set out in Data Protection Laws.
2. ROLES AND COMPLIANCE GENERALLY
2.1 COMPLIANCE
Each party shall comply with Data Protection Laws and will not knowingly cause the other party to breach Data Protection Laws. In the event of any ambiguity, the provisions of this DPA shall be interpreted in a manner that allows the parties to comply with applicable Data Protection Laws.
2.2 ROLES
When BuildTime is processing Customer Personal Data on Customer’s behalf as part of the BuildTime Service, then Customer is the controller (or the business or similar designation under Data Protection Laws) and BuildTime is the processor (or service provider, contractor, or similar designation under Data Protection Laws) regarding the Customer Personal Data. However, certain Personal Data may be processed by BuildTime as an independent data controller, meaning that BuildTime determines the purposes and means of processing that Personal Data (“Controller Personal Data”). This Controller Personal Data includes usage data and device/technical data collected by BuildTime as part of users’ interaction with the BuildTime Service and may be used by BuildTime for support, service improvement and as otherwise described in BuildTime’s privacy policy, and Customer authorizes such use.
3. BUILDTIME PROCESSING OF CUSTOMER PERSONAL DATA
3.1 GENERALLY
When processing Customer Personal Data on Customer’s behalf, Customer instructs BuildTime to process Customer Personal Data in accordance with this DPA and the Agreement. The description of the processing of Customer Personal Data is set out in Annex 1 to this DPA, and this description is deemed to satisfy any requirement to provide such details under any Data Protection Laws.
3.2 NO SALE; LIMITATIONS ON USE
The transfer of the Customer Personal Data to BuildTime is not to be considered a “sale” as defined in the Data Protection Laws, and the parties acknowledge that Customer is not selling or providing any Personal Data to BuildTime in return for monetary or other consideration. BuildTime shall not: (a) sell (as defined under Data Protection Laws) Customer Personal Data or share Customer Personal Data for cross-context behavioral advertising/targeted advertising (as defined under Data Protection Laws); (b) retain, use, or disclose the Customer Personal Data for any purpose other than for the specific purpose of performing the BuildTime Service; (c) retain, use, or disclose the information outside of the direct business relationship between BuildTime and Customer; or (d) combine any Customer Personal Data with personal information that BuildTime receives from or on behalf of any other third party or collects from BuildTime’s own interactions with consumers, provided that BuildTime may do so for a purpose permitted under Data Protection Laws if directed to do so by Customer or as otherwise expressly permitted by the Data Protection Laws. BuildTime certifies that it understands these restrictions and will comply with them.
3.3 COOPERATION
Upon Customer’s reasonable request, BuildTime shall provide necessary information to enable Customer to conduct and document data protection assessments pursuant to Data Protection Laws; to the extent such information is not already provided by BuildTime as part of its standard certificates, audit reports, or assessments, BuildTime reserves the right to charge for the time of its personnel in responding to Customer’s requests for such information. BuildTime shall notify Customer without undue delay in the event that BuildTime is no longer able to process Customer Personal Data pursuant to Customer’s instructions within the scope of this DPA and will suspend processing of such Customer Personal Data. The parties will negotiate an appropriate workaround or other resolution. However, if the parties are unable to agree to a workaround or other resolution (including any additional charges) after a reasonable period, then Customer may, as its sole remedy, terminate the applicable BuildTime Service and this DPA solely with respect to the affected processing, and if the instruction in question is within the scope of this DPA, then upon such termination BuildTime will provide a pro-rata refund of any prepaid unused fees covering the remainder of the term of the BuildTime Service after the effective date of termination.
3.4 RETURN OR DELETION
Following termination of the BuildTime Service, BuildTime will delete or, upon Customer’s written request, return Customer Personal Data as described in the Agreement, except to the extent BuildTime is required by applicable law to retain some or all of the Customer Personal Data. The terms of this DPA will continue to apply to that retained Customer Personal Data (including for regulatory, litigation or legal hold purposes).
3.5 AUDITS
With respect to any audits or inspections that Customer conducts under this DPA, any costs or fees incurred by BuildTime related to any audits requested by Customer shall be the sole responsibility of Customer. Customer shall notify BuildTime in writing at least 30 days in advance if such audit is required. Such audit shall be conducted during BuildTime’s normal business hours and no more frequently than once per calendar year, except where an additional audit is required by applicable Data Protection Laws or supervisory authority.
4. PERSONAL DATA INCIDENTS
Upon becoming aware of unauthorized access to or acquisition of computerized data that compromises the security, confidentiality, or integrity of Customer Personal Data in BuildTime’s possession or control which a party is required by Data Protection Laws to report (each a “Personal Data Incident”), BuildTime will notify Customer promptly and without undue delay and provide Customer with sufficient information to allow Customer to meet any obligations to report or inform consumers of the Personal Data Incident as required by Data Protection Laws. BuildTime shall make reasonable efforts to identify the cause of the Personal Data Incident and take those steps necessary and reasonable to remediate the cause of such Personal Data Incident to the extent the remediation is within BuildTime’s reasonable control. The obligations herein shall not apply to incidents caused by Customer.
5. SUBPROCESSORS
BuildTime may use third parties, including without limitation subcontractors, to process Customer Personal Data (collectively “Subprocessors”). BuildTime’s current list of Subprocessors is attached as a schedule to this DPA, and Customer hereby generally authorizes BuildTime’s use of such Subprocessors. Customer further generally authorizes BuildTime to appoint additional Subprocessors, and BuildTime will provide Customer with written notice of the prospective appointment; except if BuildTime reasonably believes appointing a new Subprocessor on an expedited basis is necessary for maintaining the availability and security of the BuildTime Service, in which case BuildTime will notify Customer as soon as reasonably practicable. If Customer does not object to the appointment of the new Subprocessor within 10 days of receiving the notice (“Objection Period”), BuildTime may use the new Subprocessor. If Customer objects to the appointment of the new Subprocessor, Customer must notify BuildTime within the Objection Period, and BuildTime will have the right to cure the objection through one of the following options, at BuildTime’s discretion: (i) not use the relevant Subprocessor and will offer an alternative to provide the BuildTime Service without such Subprocessor; (ii) take corrective steps reasonably requested by Customer in its objection and proceed to use the Subprocessor; or (iii) cease to provide (temporarily or permanently) the particular aspect of the BuildTime Service that would involve the use of such Subprocessor. If the parties are unable to reach a workaround, Customer may terminate the Agreement as its sole and exclusive remedy. BuildTime shall have in place a contract in writing with each Subprocessor that imposes obligations that are (i) relevant to the services to be provided by the Subprocessors and (ii) materially similar to the rights and/or obligations granted or imposed on BuildTime under this DPA.
If a Subprocessor fails to fulfill its data protection obligations with respect to Customer Personal Data, BuildTime shall be responsible for the performance of the Subprocessor.
6. SECURITY MEASURES
BuildTime will maintain reasonable and appropriate technical and organizational security measures to ensure a level of protection appropriate to the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data, as further described in Annex 2 to this DPA.
7. AMENDMENTS
A party may request in writing an amendment to this DPA if required as a result of any change in, or decision of a competent authority under, any Data Protection Laws, to continue to allow processing of Customer Personal Data without breach of that Data Protection Law. The parties shall promptly discuss the proposed amendments and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Customer’s or BuildTime’s notice as soon as is reasonably practicable. In the event that the parties are unable to reach such an agreement within a reasonable period after such notice, then either party may, by written notice to the other party, with immediate effect, terminate the BuildTime Service which are affected. Termination under this Section is without refund (but other refund rights as may be provided in this DPA or the Agreement are not affected).
8. LIABILITY
The limitations of liability set forth in the Agreement apply to this DPA and any reference to such limitation of liability means the aggregate liability under the Agreement and this DPA together.
ANNEX 1: DETAILS OF PROCESSING
CUSTOMER PERSONAL DATA:
- Business contact information (such as name, email address, phone number, company name, job title)
- Account information (such as login credentials)
- Work-related data consisting of the following:
  - employee ID
  - work classifications, union membership/plan classification
  - time logs & attendance data (such as scan-in/out times, job site location, breaks, overtime)
  - work assignment records & job site details (such as project hours, shift schedules, and required labor reporting)
  - payroll & compliance data (such as hours worked, pay rates)
  - badge information including photo, QR code and the information linked with it
  - employer notes and reports regarding crew members' employment
- Support-related data, such as support requests, tickets or other interactions with customer support for the BuildTime Service.
TYPE OF DATA SUBJECTS: Customer's crew members (employees) and users of the BuildTime Service
NATURE OF PROCESSING: Processing to provide the BuildTime Services and otherwise as described in the Agreement.
DURATION OF PROCESSING: BuildTime will process Customer Personal Data for the duration of the Agreement or until notified in writing by Customer to discontinue processing Customer Personal Data (unless otherwise required by Data Protection Laws).
ANNEX 2: DESCRIPTION OF TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
BuildTime implements the following technical and organizational measures to ensure a level of security appropriate to the risk:
1. Data Protection
- Encryption in Transit: TLS 1.2+ required for all data transmitted between Customer systems and the BuildTime Service.
- Key Management: Keys managed by GCP Key Management Service (KMS).
2. Access Controls
- Authentication: Multi-factor authentication (MFA) required for BuildTime employees and for Admin/Payroll/HR users.
- Authorization: Role-based access control (RBAC) enforced in the BuildTime Platform.
- Least Privilege: Internal staff access is limited to job-related needs.
- Credential Management: Passwords stored using industry-standard hashing algorithms; staff required to use approved password manager.
3. Infrastructure Security
- Hosting Environment: BuildTime is hosted in GCP, leveraging GCP's SOC 2 and ISO 27001 certified infrastructure.
- Network Security: Segmentation via Virtual Private Cloud (VPC); firewall and security group controls applied.
- Patching: Critical patches applied within 7 days; other patches within 30 days.
- Monitoring: Datadog used for infrastructure and application monitoring; anomaly detection enabled.
4. Application Security
- Development Lifecycle: Peer-reviewed code, automated testing, and CI/CD pipeline with approval gates.
- Vulnerability Management: Weekly vulnerability scans and automated dependency checks (e.g., GitHub Dependabot).
- Penetration Testing: At least annually, by an independent third party.
5. Logging & Monitoring
- Audit Logs: Key system and access events logged, with retention aligned to compliance obligations.
- Centralized Monitoring: Datadog and GCP logging used to detect unauthorized access or anomalies.
6. Incident Response & Business Continuity
- Incident Response: Documented playbook with defined roles; Customer is notified without undue delay of any Personal Data Incident.
- Backups: Daily encrypted backups of Customer Personal Data; stored in geographically redundant GCP regions.
- Recovery Objectives: RPO ≤ 24 hours; RTO ≤ 12 hours.
- Customer Fallback: Customers instructed to maintain manual logs of crew scan-in/out during outages, to be re-entered once service is restored.
7. Vendor & Subprocessor Oversight
- Vendor Due Diligence: All vendors processing Customer Personal Data must provide SOC 2, ISO 27001, or contractual data protection assurances.
- Contracts: All subprocessors contractually required to implement equivalent security measures.
- Payment Processors: BuildTime ensures all payment processors used are PCI DSS compliant and implement industry-standard security measures for payment card data.
8. Employee Security
- Training: Mandatory onboarding and annual training covering data handling, phishing, and incident reporting.
- Device Security: Company-managed devices required; full-disk encryption and automatic locking enabled.
- Access Revocation: Immediate termination of access upon employee departure.
ANNEX 3: SUBPROCESSOR SCHEDULE
| Subprocessor | Purpose of Processing | Location of Processing | Types of Data Processed |
|---|---|---|---|
| Google Cloud Platform (GCP) | Cloud hosting, storage, and infrastructure services for the BuildTime Platform and App | United States (primary data centers) | All Customer Personal Data |
| Intercom, Inc. | Customer support, in-app chat, and messaging services | United States | Business contact data (Admin/Payroll/HR users), support tickets, usage metadata |
| Datadog, Inc. | Application monitoring, diagnostics, and performance analytics | United States | Technical data (logs, device info, error reports, usage statistics) |
| Vimeo, Inc. | Video hosting and playback for training and support content | United States | Usage metadata related to video playback (IP address, device/browser, viewing history) |
| Payment Processor (e.g., Stripe, Elavon, or equivalent) | Payment processing for BuildTime Services | United States | Billing contact details (name, email, address), limited payment metadata (card type, last 4 digits, transaction records). Payment processors act as independent controllers for raw cardholder data. |