This DPA forms part of the buildvia.ai Master Services Agreement and governs how we process customer personal data on your behalf. It satisfies GDPR Article 28 and the equivalent provisions of UK GDPR and CCPA.
For the purposes of this DPA, the terms “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Sub-processor” have the meanings given in the GDPR. “Customer Personal Data” means any Personal Data that buildvia.ai processes on behalf of Customer in connection with the Services. “Services” means the buildvia.ai products and APIs made available to Customer under the Master Services Agreement.
This DPA applies to Processing of Customer Personal Data by buildvia.ai as Processor on behalf of Customer as Controller, in connection with the provision of the Services. The duration of Processing is for the term of the underlying agreement. The nature and purpose of Processing is to deliver, operate, secure, and support the Services Customer has subscribed to.
Categories of Data Subjects typically include Customer’s employees, contractors, end-users, and (where Customer has imported them) records sourced from Customer’s third-party CRMs and connected systems.
Categories of Personal Data typically include name, business contact information, role, authentication identifiers, and any other Personal Data Customer chooses to load into Salesforce or connected systems Customer integrates with the Services.
Customer is the Controller of Customer Personal Data and is responsible for the lawfulness of the Processing it instructs. buildvia.ai is the Processor and processes Customer Personal Data solely in accordance with Customer’s documented instructions.
buildvia.ai shall Process Customer Personal Data only on documented instructions from Customer, including with regard to transfers to a third country, unless required to do so by applicable law. Customer’s documented instructions include: (a) the Master Services Agreement, (b) this DPA, (c) Customer’s use of the Services through its administrators and end-users, and (d) any additional written instructions provided to legal@buildvia.ai. buildvia.ai will inform Customer if, in its opinion, an instruction infringes applicable data protection law.
buildvia.ai ensures that persons authorized to Process Customer Personal Data are subject to written confidentiality undertakings and receive appropriate data-protection training. Access is granted on a need-to-know basis and revoked promptly when no longer required.
buildvia.ai implements and maintains the technical and organizational measures described in Annex II (Security Measures). At a minimum these include:
Customer authorizes buildvia.ai to engage Sub-processors to deliver the Services. The current list of authorized Sub-processors is published at /compliance and forms part of this DPA. buildvia.ai will impose data-protection obligations on Sub-processors that are no less protective than those in this DPA.
buildvia.ai will provide Customer with at least thirty (30) days’ prior written notice (via email and the in-app trust center) of any intended changes to its Sub-processor list. Customer may object to a Sub-processor change in writing within fifteen (15) days; if buildvia.ai cannot accommodate the objection, Customer may terminate the affected Services as a sole and exclusive remedy.
Where buildvia.ai transfers Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a third country that has not been deemed by the European Commission (or competent UK authority) to provide an adequate level of protection, the parties agree that such transfers shall be governed by the Standard Contractual Clauses (Module Two, Controller-to-Processor) incorporated by reference, together with any UK Addendum applicable to UK transfers.
Customers in regulated jurisdictions may elect, in writing, to pin Processing to a specific region (US, EU, or APAC) as part of an Enterprise subscription.
To the extent legally permitted, buildvia.ai will promptly notify Customer of any request received from a Data Subject. Taking into account the nature of the Processing, buildvia.ai shall assist Customer by appropriate technical and organizational measures to fulfill Customer’s obligation to respond to requests for the exercise of Data-Subject rights (access, rectification, erasure, restriction, portability, and objection).
buildvia.ai will notify Customer without undue delay and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. Notification will include, to the extent known at the time, a description of the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.
buildvia.ai makes available to Customer all information necessary to demonstrate compliance with this DPA. Customer’s right to audit shall be primarily satisfied by buildvia.ai’s then-current SOC 2 Type II report and the security documentation made available through the trust center. Customer may, no more than once per twelve (12) months, request additional written information; on-site audits are available to Enterprise customers subject to a mutually agreed scope and at Customer’s cost.
On termination of the Services, buildvia.ai will, at Customer’s choice, return or delete all Customer Personal Data within thirty (30) days, unless retention is required by applicable law. Customer may request export of Customer Personal Data via the Services or via the public API at any time during the term.
Each party’s liability arising out of or related to this DPA shall be subject to the limitations of liability set out in the Master Services Agreement. Nothing in this DPA limits any liability that cannot be limited under applicable law.
This DPA is effective for the term of the Master Services Agreement and shall terminate automatically upon termination of that agreement, except that the obligations relating to the return or deletion of Customer Personal Data, confidentiality, and survival of pending claims shall survive termination.
This DPA is incorporated by reference into the Master Services Agreement and is deemed signed by the parties upon execution of the underlying agreement. Customers requiring a separately countersigned copy may request one at legal@buildvia.ai.