Data Processing Addendum.
How Struxen processes Personal Data on behalf of our customers, and the commitments that govern it.
Effective May 25, 2026 · Struxen, Inc.
This Data Processing Addendum (“DPA”) supplements the Struxen Terms of Service or other written or electronic agreement (the “Agreement”) between Struxen, Inc. (“Struxen”, “we”, “us”) and the customer entity that has accepted the Agreement (“Customer”, “you”). It governs the Processing of Personal Data by Struxen on Customer’s behalf in connection with the Service. By using the Service, Customer accepts this DPA.
1. Parties and Roles
For the purposes of GDPR and equivalent data-protection laws, Customer is the Data Controller and Struxen is the Data Processor. For the purposes of the CCPA, Customer is the “Business” and Struxen is the “Service Provider”. Each party will comply with the obligations applicable to it under Data Protection Laws.
2. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined under GDPR Art. 4(1).
- “Processing” means any operation performed on Personal Data, as defined under GDPR Art. 4(2).
- “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
- “Sub-processor” means any third party engaged by Struxen to Process Personal Data on Customer’s behalf.
- “Data Protection Laws” means GDPR, UK GDPR, CCPA/CPRA, and other applicable privacy and data-protection laws.
- “Personal Data Breach” has the meaning given in GDPR Art. 4(12).
- “Standard Contractual Clauses” or “SCCs” means the European Commission’s SCCs (Decision 2021/914) for transfers of Personal Data to third countries.
3. Subject Matter and Duration of Processing
The subject matter of the Processing is the provision of the Struxen construction-intelligence Service to Customer under the Agreement. Processing will continue for the term of the Agreement and for any post-termination period during which Struxen retains Personal Data in accordance with Section 15 below.
4. Nature and Purpose of Processing
Struxen Processes Personal Data solely to: (a) provide and operate the Service; (b) deliver AI-generated insights requested by Customer or Customer’s authorized users; (c) provide support, security, and fraud prevention; (d) comply with Customer’s documented written instructions, including those given through the Service’s configuration; and (e) comply with applicable law. Struxen will not Process Personal Data for any other purpose.
Customer Content (including Personal Data and project materials uploaded by Customer or its authorized users) is not used to train, fine-tune, or otherwise improve Struxen’s AI models or any third-party foundation models. Struxen configures its AI inference Sub-processors with zero-day-retention or equivalent commercial settings such that Customer Content is not retained by, logged by, or used for model training by the underlying foundation-model provider.
5. Aggregated and De-identified Data
Struxen may generate and use aggregated, anonymized, or de-identified data derived from the operation of the Service, including usage statistics and performance telemetry, provided that such data is sufficiently transformed that it cannot reasonably be used, alone or in combination with other information, to identify any Data Subject or to re-derive Customer’s confidential project content. Struxen will not attempt to re-identify any de-identified data and will obligate its Sub-processors to the same standard.
6. Special Category and Restricted Data
Customer agrees not to upload, submit, or otherwise cause Struxen to Process: (a) “special categories” of Personal Data within the meaning of GDPR Article 9 (e.g. data concerning health, racial or ethnic origin, religious or political beliefs, biometric or genetic data); (b) protected health information regulated by HIPAA; (c) payment-card data subject to PCI-DSS beyond the billing metadata processed by the merchant of record; (d) data of children under sixteen (16); or (e) information classified by any government authority, in each case unless the parties have entered into a separate written agreement specifically permitting such Processing. The Service is not designed for, and Struxen has not been audited against, the controls required for these data categories.
7. Categories of Personal Data and Data Subjects
7.1 Categories of Data Subjects
- Customer’s authorized users (employees, contractors, project collaborators)
- Customer’s clients, vendors, and project counterparties referenced in uploaded materials
- Individuals identified within construction documents (e.g. RFIs, submittals, drawings)
7.2 Categories of Personal Data
- Account information: name, email address, phone number, company, job title
- Authentication metadata: hashed credentials, MFA enrollment state, session identifiers, IP addresses
- Project content: documents, drawings, schedules, specifications, photographs uploaded by users
- AI usage data: prompts submitted, model outputs, token counts, timestamps
- Billing data: billing address and payment-method metadata (processed by Stripe as merchant of record)
- Audit and log data: service interactions, error logs, security events
8. Obligations of the Processor
Struxen shall:
- Process Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do so by applicable law;
- Ensure that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations;
- Implement appropriate technical and organizational security measures (see Section 11);
- Engage Sub-processors only in accordance with Section 9;
- Assist Customer, taking into account the nature of Processing, in fulfilling Customer’s obligations to respond to requests from Data Subjects (Section 13);
- Make available to Customer all information necessary to demonstrate compliance with this DPA and Article 28 GDPR.
9. Sub-processors
Customer provides general written authorization for Struxen to engage Sub-processors. Struxen will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable to Customer for the acts and omissions of its Sub-processors.
The current Sub-processors as of the effective date are:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure: compute, storage, database, identity, AI inference, and transactional email | United States |
| Amazon Web Services, Inc. (Amazon Bedrock) | AI inference platform: prompts and outputs routed through Bedrock | United States |
| Anthropic, PBC | AI model provider (Claude); routed via Bedrock. Anthropic does not train on customer data | United States |
| Google LLC (Google Gemini) | AI model provider for select model invocations; Google does not train on customer data via the API | United States |
| GitHub, Inc. | Source-code hosting and version control | United States |
| Docker, Inc. | Container image registry and runtime tooling | United States |
| Anthropic, PBC (Claude Code) | AI-assisted internal engineering and content tooling used by Struxen staff; customer project data is not submitted as part of normal operation | United States |
| Grafana Labs | Metrics dashboards and observability | United States |
| Functional Software, Inc. (Sentry) | Application error and performance monitoring | United States |
| Slack Technologies, LLC | Internal team communication | United States |
| Microsoft Corporation (Microsoft Teams) | Video conferencing and external meetings | United States |
| Zoom Communications, Inc. | Video conferencing and external meetings | United States |
| Google LLC (Google Workspace) | Business email, calendar, and document collaboration | United States |
| Twilio Inc. | SMS and voice notifications | United States |
| Intercom, Inc. (Fin) | AI-powered customer support | United States |
| Stripe, Inc. | Merchant of record for subscription billing, tax, and payment-method handling | United States |
| Autodesk, Inc. | Optional construction-platform integration (only when Customer connects an Autodesk account) | United States |
Struxen will provide notice of any intended addition or replacement of Sub-processors, giving Customer an opportunity to object on reasonable data-protection grounds. To object, or to request the most current Sub-processor list, contact dpa@struxen.io.
10. International Transfers
Personal Data may be transferred to and Processed in the United States and other jurisdictions where Struxen or its Sub-processors operate. Where such transfers involve Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland, the parties agree that the European Commission’s Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated by reference and shall govern such transfers. Customer is the data exporter; Struxen is the data importer. The UK International Data Transfer Addendum to the EU SCCs is incorporated by reference for transfers from the United Kingdom; transfers from Switzerland are governed by the SCCs as adapted under guidance from the Swiss Federal Data Protection and Information Commissioner.
11. Security Measures
Struxen implements and maintains technical and organizational measures appropriate to the risk, including:
- Encryption in transit (TLS 1.2+) and at rest (AWS KMS-managed keys, AES-256)
- Identity and access management with least-privilege IAM roles and short-lived credentials
- Multi-factor authentication available for all user accounts; required for administrative roles
- Network isolation via Amazon VPCs, security groups, and private subnets for data-tier resources
- Centralized audit logging of administrative actions and authentication events
- Vulnerability scanning, dependency monitoring, and timely patching
- Background checks and confidentiality obligations for personnel with access to Personal Data
- Documented incident-response procedures and regular review of security controls
12. Personal Data Breach Notification
Struxen will notify Customer without undue delay, and in any event within 72 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will describe the nature of the breach, the categories and approximate volume of data and Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.
13. Data Subject Rights Assistance
Taking into account the nature of the Processing, Struxen will assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer’s obligations to respond to Data Subject requests for access, rectification, erasure, restriction, portability, and objection. Where a Data Subject contacts Struxen directly, Struxen will, without undue delay, forward the request to Customer and will not respond on Customer’s behalf unless authorized.
14. Audit Rights
Struxen will make available to Customer, upon reasonable written request and not more than once per year, information necessary to demonstrate compliance with this DPA. Where available, Struxen will provide third-party audit reports (e.g. SOC 2 Type II, once issued) in lieu of on-site audits. Where such reports are not sufficient to demonstrate compliance, Customer may request a written audit at its own expense, conducted under reasonable conditions of confidentiality and on no less than thirty (30) days’ notice.
15. Return and Deletion of Personal Data
Upon termination or expiration of the Agreement, Struxen will, at Customer’s election, return or delete all Personal Data Processed on Customer’s behalf within thirty (30) days, except where retention is required by applicable law. Backup copies will be deleted on the standard backup-rotation schedule, not to exceed ninety (90) days from the date of primary deletion.
16. Government and Law-Enforcement Requests
Struxen will not disclose Customer Personal Data to any government, regulatory, or law-enforcement authority except where compelled by valid legal process. Where legally permitted, Struxen will (a) provide Customer with prompt notice of the request so Customer may seek a protective order or other appropriate remedy; (b) challenge requests that are overbroad, unlawful, or inconsistent with applicable Data Protection Laws; and (c) disclose only the minimum Personal Data required to comply.
17. CCPA / CPRA Service-Provider Commitments
To the extent Struxen Processes Personal Information of California residents on Customer’s behalf, Struxen acts as a “Service Provider” as defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”). Struxen will not: (a) sell or share such Personal Information; (b) retain, use, or disclose it for any purpose other than the specific business purpose of providing the Service to Customer, or as otherwise permitted by the CCPA/CPRA; (c) retain, use, or disclose it outside of the direct business relationship between the parties; or (d) combine such Personal Information with Personal Information received from or on behalf of any other person, except as permitted under 11 C.C.R. § 7050(b). Struxen will notify Customer if it determines it can no longer meet its obligations under the CCPA/CPRA.
18. Liability and Indemnity
Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under applicable law.
19. Order of Precedence
In the event of any conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA prevails. Where the Standard Contractual Clauses apply, those clauses prevail over any conflicting term in this DPA or the Agreement.
20. Changes to this DPA
Struxen may update this DPA from time to time. For material changes that adversely affect Customer’s rights, Struxen will provide reasonable advance notice through the Service or to the administrative contact on file. Continued use of the Service after the effective date of an updated DPA constitutes acceptance of the changes; non-material changes (e.g. typographical corrections, Sub-processor list updates handled under Section 9) take effect on posting.
21. Contact
Questions, Sub-processor objections, audit requests, and other DPA-related correspondence should be sent to:
Struxen, Inc.
1300 South Blvd STE 33695
Charlotte, NC 28203
Data Protection: dpa@struxen.io
General support: support@struxen.io