← Back to Struxen

Data Processing Addendum.

How Struxen processes Personal Data on behalf of our customers, and the commitments that govern it.

Effective May 25, 2026 · Struxen, Inc.

This Data Processing Addendum (“DPA”) supplements the Struxen Terms of Service or other written or electronic agreement (the “Agreement”) between Struxen, Inc. (“Struxen”, “we”, “us”) and the customer entity that has accepted the Agreement (“Customer”, “you”). It governs the Processing of Personal Data by Struxen on Customer’s behalf in connection with the Service. By using the Service, Customer accepts this DPA.


1. Parties and Roles

For the purposes of GDPR and equivalent data-protection laws, Customer is the Data Controller and Struxen is the Data Processor. For the purposes of the CCPA, Customer is the “Business” and Struxen is the “Service Provider”. Each party will comply with the obligations applicable to it under Data Protection Laws.


2. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person, as defined under GDPR Art. 4(1).
  • “Processing” means any operation performed on Personal Data, as defined under GDPR Art. 4(2).
  • “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
  • “Sub-processor” means any third party engaged by Struxen to Process Personal Data on Customer’s behalf.
  • “Data Protection Laws” means GDPR, UK GDPR, CCPA/CPRA, and other applicable privacy and data-protection laws.
  • “Personal Data Breach” has the meaning given in GDPR Art. 4(12).
  • “Standard Contractual Clauses” or “SCCs” means the European Commission’s SCCs (Decision 2021/914) for transfers of Personal Data to third countries.

3. Subject Matter and Duration of Processing

The subject matter of the Processing is the provision of the Struxen construction-intelligence Service to Customer under the Agreement. Processing will continue for the term of the Agreement and for any post-termination period during which Struxen retains Personal Data in accordance with Section 15 below.


4. Nature and Purpose of Processing

Struxen Processes Personal Data solely to: (a) provide and operate the Service; (b) deliver AI-generated insights requested by Customer or Customer’s authorized users; (c) provide support, security, and fraud prevention; (d) comply with Customer’s documented written instructions, including those given through the Service’s configuration; and (e) comply with applicable law. Struxen will not Process Personal Data for any other purpose.

Customer Content (including Personal Data and project materials uploaded by Customer or its authorized users) is not used to train, fine-tune, or otherwise improve Struxen’s AI models or any third-party foundation models. Struxen configures its AI inference Sub-processors with zero-day-retention or equivalent commercial settings such that Customer Content is not retained by, logged by, or used for model training by the underlying foundation-model provider.


5. Aggregated and De-identified Data

Struxen may generate and use aggregated, anonymized, or de-identified data derived from the operation of the Service, including usage statistics and performance telemetry, provided that such data is sufficiently transformed that it cannot reasonably be used, alone or in combination with other information, to identify any Data Subject or to re-derive Customer’s confidential project content. Struxen will not attempt to re-identify any de-identified data and will obligate its Sub-processors to the same standard.


6. Special Category and Restricted Data

Customer agrees not to upload, submit, or otherwise cause Struxen to Process: (a) “special categories” of Personal Data within the meaning of GDPR Article 9 (e.g. data concerning health, racial or ethnic origin, religious or political beliefs, biometric or genetic data); (b) protected health information regulated by HIPAA; (c) payment-card data subject to PCI-DSS beyond the billing metadata processed by the merchant of record; (d) data of children under sixteen (16); or (e) information classified by any government authority, in each case unless the parties have entered into a separate written agreement specifically permitting such Processing. The Service is not designed for, and Struxen has not been audited against, the controls required for these data categories.


7. Categories of Personal Data and Data Subjects

7.1 Categories of Data Subjects

  • Customer’s authorized users (employees, contractors, project collaborators)
  • Customer’s clients, vendors, and project counterparties referenced in uploaded materials
  • Individuals identified within construction documents (e.g. RFIs, submittals, drawings)

7.2 Categories of Personal Data

  • Account information: name, email address, phone number, company, job title
  • Authentication metadata: hashed credentials, MFA enrollment state, session identifiers, IP addresses
  • Project content: documents, drawings, schedules, specifications, photographs uploaded by users
  • AI usage data: prompts submitted, model outputs, token counts, timestamps
  • Billing data: billing address and payment-method metadata (processed by Stripe as merchant of record)
  • Audit and log data: service interactions, error logs, security events

8. Obligations of the Processor

Struxen shall:

  • Process Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do so by applicable law;
  • Ensure that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations;
  • Implement appropriate technical and organizational security measures (see Section 11);
  • Engage Sub-processors only in accordance with Section 9;
  • Assist Customer, taking into account the nature of Processing, in fulfilling Customer’s obligations to respond to requests from Data Subjects (Section 13);
  • Make available to Customer all information necessary to demonstrate compliance with this DPA and Article 28 GDPR.

9. Sub-processors

Customer provides general written authorization for Struxen to engage Sub-processors. Struxen will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable to Customer for the acts and omissions of its Sub-processors.

The current Sub-processors as of the effective date are:

Sub-processorPurposeLocation
Amazon Web Services, Inc.Cloud infrastructure: compute, storage, database, identity, AI inference, and transactional emailUnited States
Amazon Web Services, Inc. (Amazon Bedrock)AI inference platform: prompts and outputs routed through BedrockUnited States
Anthropic, PBCAI model provider (Claude); routed via Bedrock. Anthropic does not train on customer dataUnited States
Google LLC (Google Gemini)AI model provider for select model invocations; Google does not train on customer data via the APIUnited States
GitHub, Inc.Source-code hosting and version controlUnited States
Docker, Inc.Container image registry and runtime toolingUnited States
Anthropic, PBC (Claude Code)AI-assisted internal engineering and content tooling used by Struxen staff; customer project data is not submitted as part of normal operationUnited States
Grafana LabsMetrics dashboards and observabilityUnited States
Functional Software, Inc. (Sentry)Application error and performance monitoringUnited States
Slack Technologies, LLCInternal team communicationUnited States
Microsoft Corporation (Microsoft Teams)Video conferencing and external meetingsUnited States
Zoom Communications, Inc.Video conferencing and external meetingsUnited States
Google LLC (Google Workspace)Business email, calendar, and document collaborationUnited States
Twilio Inc.SMS and voice notificationsUnited States
Intercom, Inc. (Fin)AI-powered customer supportUnited States
Stripe, Inc.Merchant of record for subscription billing, tax, and payment-method handlingUnited States
Autodesk, Inc.Optional construction-platform integration (only when Customer connects an Autodesk account)United States

Struxen will provide notice of any intended addition or replacement of Sub-processors, giving Customer an opportunity to object on reasonable data-protection grounds. To object, or to request the most current Sub-processor list, contact dpa@struxen.io.


10. International Transfers

Personal Data may be transferred to and Processed in the United States and other jurisdictions where Struxen or its Sub-processors operate. Where such transfers involve Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland, the parties agree that the European Commission’s Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated by reference and shall govern such transfers. Customer is the data exporter; Struxen is the data importer. The UK International Data Transfer Addendum to the EU SCCs is incorporated by reference for transfers from the United Kingdom; transfers from Switzerland are governed by the SCCs as adapted under guidance from the Swiss Federal Data Protection and Information Commissioner.


11. Security Measures

Struxen implements and maintains technical and organizational measures appropriate to the risk, including:

  • Encryption in transit (TLS 1.2+) and at rest (AWS KMS-managed keys, AES-256)
  • Identity and access management with least-privilege IAM roles and short-lived credentials
  • Multi-factor authentication available for all user accounts; required for administrative roles
  • Network isolation via Amazon VPCs, security groups, and private subnets for data-tier resources
  • Centralized audit logging of administrative actions and authentication events
  • Vulnerability scanning, dependency monitoring, and timely patching
  • Background checks and confidentiality obligations for personnel with access to Personal Data
  • Documented incident-response procedures and regular review of security controls

12. Personal Data Breach Notification

Struxen will notify Customer without undue delay, and in any event within 72 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will describe the nature of the breach, the categories and approximate volume of data and Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.


13. Data Subject Rights Assistance

Taking into account the nature of the Processing, Struxen will assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer’s obligations to respond to Data Subject requests for access, rectification, erasure, restriction, portability, and objection. Where a Data Subject contacts Struxen directly, Struxen will, without undue delay, forward the request to Customer and will not respond on Customer’s behalf unless authorized.


14. Audit Rights

Struxen will make available to Customer, upon reasonable written request and not more than once per year, information necessary to demonstrate compliance with this DPA. Where available, Struxen will provide third-party audit reports (e.g. SOC 2 Type II, once issued) in lieu of on-site audits. Where such reports are not sufficient to demonstrate compliance, Customer may request a written audit at its own expense, conducted under reasonable conditions of confidentiality and on no less than thirty (30) days’ notice.


15. Return and Deletion of Personal Data

Upon termination or expiration of the Agreement, Struxen will, at Customer’s election, return or delete all Personal Data Processed on Customer’s behalf within thirty (30) days, except where retention is required by applicable law. Backup copies will be deleted on the standard backup-rotation schedule, not to exceed ninety (90) days from the date of primary deletion.


16. Government and Law-Enforcement Requests

Struxen will not disclose Customer Personal Data to any government, regulatory, or law-enforcement authority except where compelled by valid legal process. Where legally permitted, Struxen will (a) provide Customer with prompt notice of the request so Customer may seek a protective order or other appropriate remedy; (b) challenge requests that are overbroad, unlawful, or inconsistent with applicable Data Protection Laws; and (c) disclose only the minimum Personal Data required to comply.


17. CCPA / CPRA Service-Provider Commitments

To the extent Struxen Processes Personal Information of California residents on Customer’s behalf, Struxen acts as a “Service Provider” as defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”). Struxen will not: (a) sell or share such Personal Information; (b) retain, use, or disclose it for any purpose other than the specific business purpose of providing the Service to Customer, or as otherwise permitted by the CCPA/CPRA; (c) retain, use, or disclose it outside of the direct business relationship between the parties; or (d) combine such Personal Information with Personal Information received from or on behalf of any other person, except as permitted under 11 C.C.R. § 7050(b). Struxen will notify Customer if it determines it can no longer meet its obligations under the CCPA/CPRA.


18. Liability and Indemnity

Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under applicable law.


19. Order of Precedence

In the event of any conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA prevails. Where the Standard Contractual Clauses apply, those clauses prevail over any conflicting term in this DPA or the Agreement.


20. Changes to this DPA

Struxen may update this DPA from time to time. For material changes that adversely affect Customer’s rights, Struxen will provide reasonable advance notice through the Service or to the administrative contact on file. Continued use of the Service after the effective date of an updated DPA constitutes acceptance of the changes; non-material changes (e.g. typographical corrections, Sub-processor list updates handled under Section 9) take effect on posting.


21. Contact

Questions, Sub-processor objections, audit requests, and other DPA-related correspondence should be sent to:

Struxen, Inc.

1300 South Blvd STE 33695
Charlotte, NC 28203

Data Protection: dpa@struxen.io

General support: support@struxen.io