This Data Processing Addendum (“DPA”) is entered into between the customer Organization (“Customer” or “Controller”) and Project Telemetry (“Processor”) and supplements the Terms of Service. It applies where Project Telemetry processes Personal Data on the Customer’s behalf in providing the Service. Where a conflict exists between this DPA and the Terms regarding the processing of Personal Data, this DPA controls.
1. Definitions
Capitalized terms not defined here have the meaning given in the Terms. “Personal Data,” “processing,” “controller,” “processor,” “data subject,” and “supervisory authority” have the meanings in the GDPR. “Data Protection Laws” means all privacy and data-protection laws applicable to the processing, including the EU GDPR, the UK GDPR, the Swiss FADP, and the CCPA/CPRA and other U.S. state privacy laws. “Customer Personal Data” means Personal Data within Customer Content that Project Telemetry processes on the Customer’s behalf. “SCCs” means the European Commission’s Standard Contractual Clauses (2021/914) and, where relevant, the UK International Data Transfer Addendum.
2. Roles of the Parties
For Customer Personal Data, the Customer is the controller (or “business” under the CCPA) and Project Telemetry is the processor (or “service provider”). Where the Customer is itself a processor for a third-party controller, Project Telemetry is a sub-processor and the Customer warrants it has authority to engage us. Each party is responsible for complying with its obligations under Data Protection Laws in its respective role. The Customer, as controller, is responsible for the lawfulness of the Personal Data and of its processing instructions, including for obtaining any notices and consents required from field employees, subcontractors, and other data subjects.
3. Details of the Processing
| Item | Description |
|---|---|
| Subject matter | Provision of the Project Telemetry construction project- and workforce-management Service. |
| Duration | The term of the Terms of Service, plus the wind-down/deletion period in Section 9. |
| Nature & purpose | Hosting, storage, and processing operations necessary to deliver the Service’s features (project management, scheduling, job cost, timecards, daily logs, documents, workforce/onboarding, and related modules). |
| Categories of data subjects | The Customer’s personnel and users; field employees and job applicants; subcontractor and vendor personnel; project and directory contacts; and individuals appearing in jobsite media. |
| Categories of Personal Data | Identity and contact data; employment, role, and certification data; timekeeping, classification, and certified-payroll/prevailing-wage records; jobsite photographs and metadata (including GPS); usage/telemetry; and, where the Customer enables onboarding, sensitive identifiers. |
| Special/sensitive data | Government identifiers including Social Security numbers and driver’s-license numbers, encrypted at rest. The Customer controls whether such data is entered. |
4. Processor Obligations & Customer Instructions
Project Telemetry will: (a) process Customer Personal Data only on the Customer’s documented instructions, including as set out in the Terms, this DPA, and the Customer’s use and configuration of the Service, unless required to act otherwise by law (in which case, where lawful, we will inform the Customer); (b) ensure persons authorized to process the data are bound by confidentiality; (c) implement the security measures in Section 6; (d) respect the conditions in Section 5 for engaging sub-processors; (e) assist the Customer, taking into account the nature of processing, with data-subject requests and with its obligations regarding security, breach notification, and data-protection impact assessments; and (f) at the Customer’s choice, delete or return Customer Personal Data as described in Section 9. If we believe an instruction infringes Data Protection Laws, we will inform the Customer.
As a “service provider” under the CCPA, Project Telemetry will not: sell or share Customer Personal Data; retain, use, or disclose it for any purpose other than performing the Service (or as otherwise permitted by law); or combine it with data from other sources except as permitted by the CCPA. We certify that we understand and will comply with these restrictions.
5. Sub-processors
The Customer provides general authorization for Project Telemetry to engage sub-processors to support the Service. We impose data-protection obligations on each sub-processor no less protective than those in this DPA, and we remain responsible for their performance. Our current sub-processors are:
| Sub-processor | Function | Location* |
|---|---|---|
| Cloud hosting / infrastructure provider | Application, database, and file/object hosting | United States |
| Stripe, Inc. | Subscription billing and payment processing | United States |
| Transactional email provider | Verification, invitation, and notification email | United States |
| Weather data provider | Automatic jobsite weather in daily logs | EU / United States |
| Analytics & error-monitoring provider | Diagnostics and product analytics | United States |
*Locations are indicative and updated as our vendor arrangements change. Specific named vendors are provided on request at legal@projecttelemetry.com.
We will give the Customer notice of any intended addition or replacement of a sub-processor with a reasonable opportunity to object on legitimate data-protection grounds before that sub-processor begins processing. If the Customer reasonably objects and we cannot accommodate the objection, the Customer may terminate the affected part of the Service.
6. Security Measures
Taking into account the state of the art, costs, and the nature and risk of the processing, Project Telemetry maintains appropriate technical and organizational measures, including:
- Encryption — TLS in transit; encryption at rest for sensitive identifiers (SSN, driver’s-license number).
- Access control — role-based permissions, per-Organization data isolation, least-privilege administrative access, and hashed credentials.
- Network & application security — rate limiting, abuse protections, input validation, and security headers.
- Monitoring & logging — audit logging and error monitoring to detect and investigate anomalies.
- Resilience — routine backups and recovery processes.
- Governance — confidentiality obligations for personnel, vendor due diligence, and change management.
We may update these measures provided the level of protection is not materially reduced.
7. Personal Data Breach Notification
Project Telemetry will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it, and we will provide updates as more information becomes available. We will reasonably cooperate with the Customer and assist with the Customer’s own notification obligations to authorities and data subjects. Our notification is not an acknowledgment of fault or liability.
8. Data-Subject Requests & Assistance
The Service provides tools that allow the Customer to access, correct, export, restrict, and delete Customer Personal Data, so the Customer can respond to data-subject requests. If Project Telemetry receives a request directly from a data subject regarding Customer Personal Data, we will not respond on the merits but will, where lawful, refer the request to the Customer without undue delay. Taking into account the nature of processing, we will provide reasonable assistance with data-subject requests and with the Customer’s obligations regarding security, breach notification, data-protection impact assessments, and prior consultation with supervisory authorities.
9. Return & Deletion of Data
On expiry or termination of the Service, the Customer may, within the export window described in the Terms and Privacy Policy, retrieve Customer Personal Data using the Service’s export tools. After that window, at the Customer’s choice, Project Telemetry will delete or return the Customer Personal Data and delete existing copies, except to the extent retention is required by law. Residual copies in routine backups are deleted on a rolling schedule and remain protected by this DPA until deleted.
10. International Transfers & SCCs
Where processing of Customer Personal Data involves a transfer from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties agree that the Standard Contractual Clauses (Module Two, controller-to-processor, or Module Three, processor-to-processor, as applicable) are incorporated into this DPA by reference and completed as follows: the Customer is the data exporter and Project Telemetry is the data importer; the optional docking clause applies; the governing law and forum are those of the SCCs’ default where required, otherwise Ireland; and Annexes I–III are populated by Sections 3, 5, and 6 of this DPA. For UK transfers, the UK International Data Transfer Addendum applies to the SCCs. Where required, we implement supplementary measures. If a transfer mechanism is invalidated, the parties will cooperate in good faith to adopt a valid alternative.
11. Audits
Project Telemetry will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or a mutually agreed auditor. To minimize disruption and protect the confidentiality and security of other customers, audits will occur on reasonable prior notice, no more than once per year (absent a supervisory-authority requirement or a suspected breach), during business hours, subject to confidentiality, and may be satisfied through our then-current certifications, reports, and questionnaire responses where these reasonably address the Customer’s request.
12. Liability & General
Each party’s liability under or in connection with this DPA is subject to the limitations and exclusions of liability in the Terms. This DPA is governed by the same law as the Terms, except where Data Protection Laws or the SCCs require otherwise. If any provision of this DPA is held invalid, the remainder continues in effect. This DPA supplements and does not replace any rights or obligations under Data Protection Laws.