Data Processing Addendum (DPA)
Last updated:
This Data Processing Addendum (“DPA”) forms part of the Terms of Service or other agreement between BIModular EIRL (“Provider”) and the customer entity agreeing to the Terms (“Customer”).
1. Subject matter
Provider processes Personal Data on behalf of Customer in connection with the provision of the BOMSync platform (the “Services”).
2. Roles of the Parties
- Customer is the Controller.
- Provider is the Processor.
- Sub-processors act on behalf of Provider.
3. Customer instructions
Provider shall process Personal Data only in accordance with documented instructions from Customer, to provide the Services, or to comply with legal obligations.
4. Confidentiality
Provider shall ensure persons authorised to process Personal Data are bound by confidentiality obligations.
5. Security
Provider shall implement technical and organisational measures appropriate to the risk, including encryption, access controls, monitoring, and regular testing.
6. Sub-processors
Customer authorises Provider to engage the Sub-processors listed below. Provider shall impose data protection obligations on Sub-processors no less protective than this DPA.
Advance notice. Provider will give Customer at least 30 days’ prior notice of any intended addition or replacement of a Sub-processor by posting an update to this page and/or notifying Customer’s admin contact. Customer may object on reasonable grounds related to data protection by notifying Provider in writing within that 30-day period. If the Parties cannot reach a resolution, Customer may suspend the affected Service or terminate the relevant order for convenience, with a pro-rata refund of prepaid fees for the remaining term of the terminated portion.
7. International transfers
Where Personal Data is transferred outside the EEA/UK, Provider ensures safeguards under GDPR Chapter V (e.g., SCCs, adequacy decisions).
8. Assistance
Provider shall assist Customer with data subject rights, DPIAs, and supervisory authority consultations as required by law.
9. Audit
Provider shall make available information to demonstrate compliance and allow audits no more than once annually, subject to confidentiality.
10. Breach notification
Provider shall notify Customer without undue delay of any Personal Data breach, including details sufficient to allow Customer to meet obligations.
11. Return or deletion
Upon termination of Services, Provider shall delete or return Personal Data, unless retention is required by law.
12. Liability
Liability under this DPA is subject to the limitations of the main agreement.
13. Governing law
This DPA is governed by the laws of the French Republic, unless otherwise required by applicable Data Protection Laws.
14. Notices
Notices under this DPA (including Sub-processor updates) will be provided via Customer’s admin email and/or posted at /legal/dpa. Customer is responsible for keeping its admin contact details current.
Schedule A – Data processing details
- Data subjects: Employees, contractors, clients, vendors, project participants.
- Categories: Names, emails, contact details, role information, BIM/BOM identifiers, logs.
- Special categories: None intentionally processed.
- Purpose: SaaS delivery, project collaboration, authentication, support, analytics.
- Retention: For the term of the agreement plus any legally required period.
Schedule B – Sub-processors
| Sub-processor | Location(s) | Purpose | Data Categories | Safeguards |
|---|---|---|---|---|
| Microsoft Azure | EU (France Central, West Europe), Global regions (fallback) | Cloud hosting, storage, DBs, backup, monitoring | Account data, project data, files, logs | EU SCCs, GDPR DPA, ISO 27001, SOC2 |
| Syncfusion Inc. | USA (with EU CDN endpoints) | UI components, reporting engine, document rendering | UI usage, rendered report data (transient) | EU SCCs, contractual DPA |
| Azure Communication Services | EU (France Central, West Europe), Global regions (fallback) | Email, SMS, chat, voice, real-time communication | Contact data (names, emails, phone numbers), message metadata | EU SCCs, GDPR DPA, ISO 27001, SOC2 |
| Google Gmail | [Region] | Email delivery, notifications | Email addresses, account info | DPA + SCCs required |
We will update this list as new Sub-processors are engaged. Customers will be notified in advance as described above.