Data Processing Agreement

Buildr Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms an integral part of the agreement executed between the parties (the "Agreement") governing the use of the Services provided by NovaRidge Commerce LLC, doing business as Buildr ("Buildr").

Capitalized terms not defined herein shall have the meanings assigned to them in the Agreement.

This DPA sets forth the parties’ respective responsibilities regarding the Processing of Personal Data during the term of the Agreement and thereafter.

1. Definitions

1.1 Affiliates

"Affiliates" means any entity controlling, controlled by, or under common control with a party.

1.2 CCPA

"CCPA" means the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§1798.100 et seq.), as amended by the California Privacy Rights Act (CPRA), including implementing regulations.

1.3 Data Protection Law Definitions

The terms "Controller," "Processor," "Data Subject," "Processing," "Personal Data Breach," and "Special Categories of Personal Data" shall have the meanings assigned under EU Data Protection Law.

The terms "Business," "Business Purpose," "Consumer," "Service Provider," "Sale," and "Share" shall have the meanings assigned under the CCPA.

"Data Subject" shall also include "Consumer" as defined under the CCPA/CPRA.

1.4 Data Protection Laws

"Data Protection Laws" means all applicable privacy and data protection laws, including:

  • GDPR

  • UK GDPR

  • Swiss FADP

  • CCPA/CPRA

  • Any successor or amended legislation

1.5 EEA

"EEA" means the European Economic Area.

1.6 EU Data Protection Law

Includes:

  • Regulation (EU) 2016/679 (GDPR)

  • Regulation 2018/1725

  • e-Privacy Directive 2002/58/EC

  • National implementations and successor laws

  • Supervisory authority guidance

1.7 Personal Data

"Personal Data" or "Personal Information" means any information relating to an identified or identifiable individual.

1.8 Security Incident

"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

1.9 Standard Contractual Clauses

"SCCs" means the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

1.10 Swiss Data Protection Laws

Includes the Swiss Federal Act on Data Protection (FADP) and related ordinances.

1.11 UK GDPR

Means the GDPR as incorporated into UK law under the Data Protection Act 2018.

1.12 Shared Data

"Shared Data" means Personal Data exchanged between the parties in connection with the Services.

2. Roles and Obligations

2.1 Independent Controllers

The parties acknowledge that both Buildr (NovaRidge Commerce LLC) and the Merchant act as independent Controllers with respect to Shared Data.

Under no circumstances shall the parties be considered joint Controllers.

Each party is independently responsible for compliance with Data Protection Laws.

2.2 Purpose Limitation

Each party may Process Shared Data solely for purposes necessary to perform obligations under the Agreement.

2.3 Special Categories

If Shared Data includes Special Categories of Personal Data or Sensitive Personal Information, each party shall apply appropriate safeguards in accordance with applicable law.

2.4 Transparency

Each party shall:

  • Maintain a publicly accessible privacy policy

  • Provide required disclosures under Articles 13 and 14 GDPR

  • Ensure lawful basis for Processing

2.5 CCPA Status

For purposes of the CCPA, each party acts as a Business, unless otherwise agreed in writing.

Each party is independently responsible for compliance.

3. Data Subject Rights and Cooperation

3.1 Handling Requests

If one party receives a Data Subject request concerning Shared Data primarily controlled by the other party, it shall direct the Data Subject to the appropriate party.

3.2 Cooperation

The parties shall provide commercially reasonable assistance in responding to:

  • Data Subject requests

  • Supervisory Authority inquiries

3.3 Accuracy

Each party shall take reasonable steps to ensure Personal Data remains accurate and up to date.

4. Security Measures and Security Incident

4.1 Safeguards

Each party shall implement appropriate technical and organizational security measures to protect Shared Data.

4.2 Incident Notification

If a Security Incident affecting Shared Data occurs, the affected party shall notify the other without undue delay and no later than 48 hours after becoming aware.

4.3 Mitigation

The parties shall cooperate to:

  • Investigate the incident

  • Mitigate harm

  • Prevent recurrence

5. International Data Transfers

5.1 Transfers Outside EEA/UK/Switzerland

Where Personal Data is transferred outside the EEA, UK, or Switzerland to a non-adequate country, appropriate safeguards must be in place, including SCCs.

5.2 SCC Application

If SCCs are relied upon:

  • EEA transfers → Annex I–III

  • UK transfers → UK Addendum (Annex IV)

  • Swiss transfers → Swiss SCC modifications (Annex V)

6. Term and Termination

This DPA becomes effective upon execution of the Agreement and automatically terminates upon termination of the Agreement.

Obligations regarding confidentiality and data protection survive termination as required by law.

ANNEX I

Details of Personal Data (Controller-to-Controller)

A. List of Parties

Data Exporter

NovaRidge Commerce LLC (Buildr)

611 South DuPont Highway Suite 102, Dover, 19901, DE

United States

+1 (656) 259-3250

Contact: support@trybuildr.co

Role: Controller

Activities: Provision of Services under the Agreement.

Data Importer

Merchant (as identified in the Merchant Agreement)

Role: Controller

Activities: Receiving and Processing Personal Data in connection with the Services.

B. Description of Processing

Categories of Data Subjects

  • Merchant customers

  • End users of the Services

Categories of Personal Data

  • Name

  • Email address

  • Billing address

  • Phone number

  • Payment transaction data

  • Subscription details

  • Usage data

Sensitive data (if applicable) shall be processed with appropriate safeguards.

Nature and Purpose of Processing

  • Provision of Services

  • Payment processing

  • Fraud prevention

Retention

Data retained as necessary to:

  • Provide Services

  • Comply with legal obligations

  • Enforce agreements

C. Supervisory Authority

The competent supervisory authority shall be determined based on the Merchant’s establishment within the EEA.