Buildr Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") forms an integral part of the agreement executed between the parties (the "Agreement") governing the use of the Services provided by NovaRidge Commerce LLC, doing business as Buildr ("Buildr").
Capitalized terms not defined herein shall have the meanings assigned to them in the Agreement.
This DPA sets forth the parties’ respective responsibilities regarding the Processing of Personal Data during the term of the Agreement and thereafter.
1. Definitions
1.1 Affiliates
"Affiliates" means any entity controlling, controlled by, or under common control with a party.
1.2 CCPA
"CCPA" means the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§1798.100 et seq.), as amended by the California Privacy Rights Act (CPRA), including implementing regulations.
1.3 Data Protection Law Definitions
The terms "Controller," "Processor," "Data Subject," "Processing," "Personal Data Breach," and "Special Categories of Personal Data" shall have the meanings assigned under EU Data Protection Law.
The terms "Business," "Business Purpose," "Consumer," "Service Provider," "Sale," and "Share" shall have the meanings assigned under the CCPA.
"Data Subject" shall also include "Consumer" as defined under the CCPA/CPRA.
1.4 Data Protection Laws
"Data Protection Laws" means all applicable privacy and data protection laws, including:
GDPR
UK GDPR
Swiss FADP
CCPA/CPRA
Any successor or amended legislation
1.5 EEA
"EEA" means the European Economic Area.
1.6 EU Data Protection Law
Includes:
Regulation (EU) 2016/679 (GDPR)
Regulation 2018/1725
e-Privacy Directive 2002/58/EC
National implementations and successor laws
Supervisory authority guidance
1.7 Personal Data
"Personal Data" or "Personal Information" means any information relating to an identified or identifiable individual.
1.8 Security Incident
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
1.9 Standard Contractual Clauses
"SCCs" means the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
1.10 Swiss Data Protection Laws
Includes the Swiss Federal Act on Data Protection (FADP) and related ordinances.
1.11 UK GDPR
Means the GDPR as incorporated into UK law under the Data Protection Act 2018.
1.12 Shared Data
"Shared Data" means Personal Data exchanged between the parties in connection with the Services.
2. Roles and Obligations
2.1 Independent Controllers
The parties acknowledge that both Buildr (NovaRidge Commerce LLC) and the Merchant act as independent Controllers with respect to Shared Data.
Under no circumstances shall the parties be considered joint Controllers.
Each party is independently responsible for compliance with Data Protection Laws.
2.2 Purpose Limitation
Each party may Process Shared Data solely for purposes necessary to perform obligations under the Agreement.
2.3 Special Categories
If Shared Data includes Special Categories of Personal Data or Sensitive Personal Information, each party shall apply appropriate safeguards in accordance with applicable law.
2.4 Transparency
Each party shall:
Maintain a publicly accessible privacy policy
Provide required disclosures under Articles 13 and 14 GDPR
Ensure lawful basis for Processing
2.5 CCPA Status
For purposes of the CCPA, each party acts as a Business, unless otherwise agreed in writing.
Each party is independently responsible for compliance.
3. Data Subject Rights and Cooperation
3.1 Handling Requests
If one party receives a Data Subject request concerning Shared Data primarily controlled by the other party, it shall direct the Data Subject to the appropriate party.
3.2 Cooperation
The parties shall provide commercially reasonable assistance in responding to:
Data Subject requests
Supervisory Authority inquiries
3.3 Accuracy
Each party shall take reasonable steps to ensure Personal Data remains accurate and up to date.
4. Security Measures and Security Incident
4.1 Safeguards
Each party shall implement appropriate technical and organizational security measures to protect Shared Data.
4.2 Incident Notification
If a Security Incident affecting Shared Data occurs, the affected party shall notify the other without undue delay and no later than 48 hours after becoming aware.
4.3 Mitigation
The parties shall cooperate to:
Investigate the incident
Mitigate harm
Prevent recurrence
5. International Data Transfers
5.1 Transfers Outside EEA/UK/Switzerland
Where Personal Data is transferred outside the EEA, UK, or Switzerland to a non-adequate country, appropriate safeguards must be in place, including SCCs.
5.2 SCC Application
If SCCs are relied upon:
EEA transfers → Annex I–III
UK transfers → UK Addendum (Annex IV)
Swiss transfers → Swiss SCC modifications (Annex V)
6. Term and Termination
This DPA becomes effective upon execution of the Agreement and automatically terminates upon termination of the Agreement.
Obligations regarding confidentiality and data protection survive termination as required by law.
ANNEX I
Details of Personal Data (Controller-to-Controller)
A. List of Parties
Data Exporter
NovaRidge Commerce LLC (Buildr)
611 South DuPont Highway Suite 102, Dover, 19901, DE
United States
+1 (656) 259-3250
Contact: support@trybuildr.co
Role: Controller
Activities: Provision of Services under the Agreement.
Data Importer
Merchant (as identified in the Merchant Agreement)
Role: Controller
Activities: Receiving and Processing Personal Data in connection with the Services.
B. Description of Processing
Categories of Data Subjects
Merchant customers
End users of the Services
Categories of Personal Data
Name
Email address
Billing address
Phone number
Payment transaction data
Subscription details
Usage data
Sensitive data (if applicable) shall be processed with appropriate safeguards.
Nature and Purpose of Processing
Provision of Services
Payment processing
Fraud prevention
Retention
Data retained as necessary to:
Provide Services
Comply with legal obligations
Enforce agreements
C. Supervisory Authority
The competent supervisory authority shall be determined based on the Merchant’s establishment within the EEA.