Data Processing Agreement (DPA)

"Controller" means the customer who determines the purposes and means of personal data processing.

"Processor" means Massoi, which processes personal data on behalf of the controller.

"Personal data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on personal data, such as collection, storage, modification, and deletion.

Massoi processes personal data solely for the purpose of providing the service to the customer. Processing covers:

— User account management and authentication

— Analysis and quantity takeoff of construction drawings

— Cost estimation and bid preparation

— Service usage monitoring and billing

Categories of personal data processed:

— User data: name, email address, phone number, company name

— Usage data: login information, service usage history

— Files: drawings and documents uploaded by the customer (generally do not contain personal data, but may occasionally include names or contact information)

Personal data is processed for the duration of the service agreement.

After termination of the agreement, all personal data will be permanently deleted within 30 days, unless legislation requires a longer retention period.

Massoi commits to:

— Processing personal data only in accordance with the controller's documented instructions

— Ensuring that persons processing personal data are bound by confidentiality obligations

— Implementing appropriate technical and organizational security measures

— Assisting the controller in fulfilling data subject rights

— Notifying promptly of any data security breaches

— Deleting or returning all personal data upon termination of the agreement

Massoi uses the following sub-processors:

— Hosting service: servers located in the EU for data storage and processing

— AI model provider: the AI model is used for analyzing drawings without permanent data storage — data is not used for model training

Massoi will notify the controller in advance of the use of new sub-processors. The controller has the right to object to the use of a new sub-processor.

Personal data is primarily processed and stored within the EU.

If data transfer outside the EU is necessary (e.g., through technical service providers), transfers are carried out using EU Standard Contractual Clauses (SCC) or another GDPR-compliant transfer mechanism.

Massoi assists the controller in fulfilling data subject rights, including:

— Right to access their own data

— Right to rectification of data

— Right to erasure of data ("right to be forgotten")

— Right to restriction of processing

— Right to data portability

Massoi will notify the controller of a data security breach without undue delay and no later than 72 hours after discovery of the breach.

The notification will include a description of the breach, its likely consequences, and the measures Massoi has taken or proposes to take.

The controller has the right to audit or authorize a third party to audit Massoi's data protection practices and measures.

Audits are agreed upon in advance in writing. Massoi commits to providing the information and access necessary to carry out the audit.

For questions related to data protection, please contact:

Email: tatu@massoi.com