Effective date: September 22, 2025
This Data Processing Agreement (“DPA”) is entered into between:
AIBuildrs (“Processor”) — privacy@aibuildrs.com
and
Client (“Controller”) — as identified in the applicable Statement of Work, Proposal or Order.
This DPA forms part of the agreement under which Processor provides services to Controller (the “Agreement”) and sets out the terms under which Processor will process personal data on behalf of Controller. The parties agree as follows.
1. Definitions
Capitalized terms not otherwise defined have the meanings given in the Agreement.
“Applicable Law” means all data protection and privacy laws that apply to the processing of Personal Data under this DPA, including, where applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the UK GDPR, and any national implementing laws, and other privacy/regulatory laws relevant to the parties (e.g., CCPA/CPRA for California residents).
“Personal Data” means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller under the Agreement.
“Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
“Subprocessor” means any processor engaged by Processor to process Personal Data on behalf of the Controller.
“Data Subject” means an identified or identifiable natural person whose Personal Data is processed under the Agreement.
2. Roles and Scope
Controller determines the purposes and means of processing Personal Data.
Processor processes Personal Data only on documented instructions from Controller, including those set out in Annex A (Processing Details). Processing outside documented instructions requires Controller’s prior written authorization.
3. Processing Details
Annex A attached to this DPA describes: (i) categories of Data Subjects, (ii) categories of Personal Data, (iii) processing operations, (iv) purpose(s) of processing, (v) duration of processing, and (vi) Controller’s contact details. Annex A may be updated by written agreement as the services evolve.
4. Controller Instructions
Processor shall process Personal Data only on Controller’s documented instructions. If Processor believes an instruction violates Applicable Law, Processor will notify Controller promptly. If Processor is legally compelled to process or disclose Personal Data by law, it will (to the extent legally permitted) notify Controller and provide reasonable assistance to limit the disclosure.
5. Confidentiality
Processor shall ensure that persons authorized to process Personal Data (including employees, contractors and Subprocessors) are bound by confidentiality obligations and have received appropriate data protection training.
6. Subprocessors
Controller authorizes Processor to engage Subprocessors as necessary to provide the Services. Processor maintains a current list of Subprocessors and will publish it or make it available upon request.
Prior notice: Processor will notify Controller of the addition or replacement of any Subprocessor (via email or the published list) with reasonable advance notice. Controller may, within 10 business days of such notice, object in writing for reasonable cause. If Controller reasonably objects and the parties cannot agree on a resolution, either party may suspend or terminate the affected services (subject to the Agreement’s termination rules).
Processor shall ensure Subprocessors are bound by written contractual terms at least as protective as this DPA. Processor remains liable to Controller for Subprocessor performance.
7. Security Measures
Processor will implement appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and accidental loss, destruction or damage, having regard to: the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risk of varying likelihood and severity to Data Subjects. Such measures include, at minimum:
Access controls and role-based access to systems and data.
Encryption for Personal Data in transit (TLS) and, where feasible, at rest.
Regular vulnerability management, patching and hardening practices.
Secure development lifecycle and code review practices for custom work.
Logging and monitoring of systems and access.
Regular backups and tested restore procedures.
Periodic information security awareness training for staff.
Incident response plan and testing.
Controller acknowledges that no technical measure is perfect; Processor will use commercially reasonable efforts to maintain and improve security.
8. Personal Data Breach Notification
Processor will notify Controller without undue delay and, in any event, within 72 hours after becoming aware of a Personal Data Breach affecting Controller’s Personal Data, providing available information about the breach, its likely consequences, and reasonable mitigation steps and remediation actions.
Processor shall cooperate with Controller (at Controller’s expense only where required by law or the Agreement) to assist Controller in complying with any notification obligations to supervisory authorities or Data Subjects.
9. Data Subject Rights
Taking into account the nature of the processing, Processor shall assist Controller by implementing appropriate technical and organizational measures, insofar as this is possible, to fulfill Controller’s obligation to respond to Data Subject requests to exercise their rights (access, rectification, erasure, portability, restriction, objection), and to assist in meeting Controller’s other obligations under Applicable Law (e.g., DPIAs, prior consultations).
If Processor receives a Data Subject request directly, Processor will promptly forward it to Controller unless legally required to respond directly (in which case Processor will inform Controller unless prohibited).
10. International Transfers
Personal Data may be transferred or accessed by Processor and Subprocessors in countries outside the country of the Data Subject. Where transfers to countries outside the EEA/UK occur, Processor will ensure appropriate safeguards are in place (e.g., EU Standard Contractual Clauses, other lawful transfer mechanisms, or adequacy decisions) and will provide copies or evidence of such safeguards upon reasonable request. Controller and Processor may execute additional transfer mechanisms (e.g., SCCs) if required.
11. Audit & Compliance
Controller (or an independent auditor mandated by Controller) may, once per 12-month period and upon reasonable notice, audit Processor’s compliance with this DPA, either by: (a) reviewing Processor’s relevant security policies and third-party audit reports (e.g., SOC 2, ISO 27001), or (b) conducting an on-site audit if essential and proportionate. Controller will treat all non-public information as confidential.
Audits must be limited in scope, scheduled reasonably, and not unreasonably disrupt Processor’s business. Costs of audits are borne by Controller unless non-compliance is discovered, in which case Processor will be responsible for reasonable audit costs.
12. Data Retention, Return and Deletion
Processor will process Personal Data for the duration necessary to perform the Services and in accordance with Controller’s instructions and Annex A.
Upon termination or expiration of the Agreement, Processor will, at Controller’s choice, delete or return all Personal Data to Controller within a reasonable timeframe (not to exceed 60 days), and delete remaining copies unless retention is required by Applicable Law (in which case Processor will isolate and protect such Personal Data and notify Controller). Processor will provide written certification of deletion upon request.
13. Records & Assistance
Processor will maintain records of processing activities performed on behalf of Controller, including categories of processing, transfers, and Subprocessors.
Processor will reasonably assist Controller with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities when required by Applicable Law.
14. Liability
Each party’s liability for breaches of Applicable Law or this DPA shall be subject to the liability and limitation provisions in the Agreement, except that damages caused by Processor’s breach of its obligations under this DPA (including unauthorized disclosure, failure to implement appropriate security measures, or failure to follow Controller’s documented instructions) will be governed by the Agreement’s liability clauses, subject to Applicable Law.
Nothing in this DPA excludes or limits liability where prohibited by Applicable Law (e.g., for willful misconduct, gross negligence, or certain statutory liabilities).
15. Miscellaneous
Amendments: This DPA may be amended by written agreement or to reflect changes in Applicable Law. Processor may update operational details (e.g., Subprocessor list) with notice as provided above.
Conflict: In case of conflict between this DPA and the Agreement, the terms that provide greater protection for Personal Data shall prevail, unless otherwise required by Applicable Law.
Governing law & jurisdiction: The governing law and dispute resolution mechanisms are those set out in the Agreement.
Severability & survival: Provisions that by their nature are intended to survive termination will survive (e.g., confidentiality, data return/deletion, liability). If a provision is found unenforceable, the parties will replace it with a valid provision achieving the original intent.
16. Contact
For all notices and data protection matters under this DPA: privacy@aibuildrs.com.
Signatures
AIBuildrs (Processor)
By: _______________________
Name: _____________________
Title: ______________________
Date: ______________________
Client / Controller
By: _______________________
Name: _____________________
Title: ______________________
Date: ______________________
Annex A — Processing Details (template)
(Fill in with project-specific details for each engagement.)
Purpose of processing: e.g., design, build and maintain website, host content, integrate third-party payment, analytics, provide customer support.
Categories of Data Subjects: e.g., Client contacts, website visitors, donors, subscribers, applicants, end users.
Categories of Personal Data: e.g., contact details (name, email, phone), billing information (name, address, transaction records), content uploads (images, videos), technical data (IP, device, browser, cookies), support communications.
Special Categories / Sensitive data (if any): e.g., none; or specify if processing health, political or other sensitive data and legal basis/controls.
Duration of processing: For the term of the Agreement and any post-termination retention as legally required or agreed.
Subprocessors: (example list — replace with actual)
Hosting provider (e.g., Vercel, Netlify, Framer Hosting) — subprocessors for hosting.
Payment processor (e.g., Stripe, PayPal) — payment processing.
Email provider (e.g., Mailchimp, Sendgrid) — mailing lists & transactional emails.
Analytics (e.g., Google Analytics/GA4) — usage analytics.
(Processor will provide the actual, current list to Controller upon request.)
Security measures: High-level description of technical and organizational measures applied (see Section 7).