This DPA supplements the Terms of Service and governs how we process personal data on your behalf.
Last updated: May 2026
In this DPA, the following capitalized terms have the meanings set out below:
Customer is the Controller with respect to Customer Personal Data. Customer determines the purposes for which Personal Data is uploaded to the Service (e.g., construction specification analysis).
[LEGAL ENTITY NAME] is the Processor. We process Customer Personal Data only on documented instructions from Customer (as set out in this DPA and the Agreement) and not for our own purposes.
Each party is an independent Controller for its own operational data (e.g., Company's account management data, Customer's corporate records).
| | |
|---|---|
| Subject matter | AI-powered analysis of construction specification documents |
| Duration | For the term of the Agreement, plus up to 30 days post-termination for deletion |
| Nature | Collection, storage, retrieval, AI processing, and deletion of Customer Data |
| Purpose | Providing the BidReady AI Service as described in the Agreement |
| Categories of data | Contact information (names, emails of account users); document content uploaded by Customer (which may incidentally contain personal information); usage logs |
| Categories of data subjects | Customer's employees, contractors, and project team members who use the Service or whose information appears in uploaded documents |
Customer provides general authorization for us to engage the following Sub-processors. We will inform Customer of any material changes to this list at least 14 days in advance, giving Customer the opportunity to object.
| Sub-processor | Purpose | Processing location | Transfer mechanism |
|---|---|---|---|
| Google Cloud / Firebase | Auth, database, file storage, cloud functions | USA (us-central1) | Google's EU SCCs / Data Processing Terms |
| Google Gemini API | AI document analysis | USA | Google's EU SCCs / Data Processing Terms |
| Stripe, Inc. | Payment processing and subscription management | USA | Stripe's DPA / EU SCCs |
| Resend | Transactional email delivery | USA | Resend's DPA |
SCCs = Standard Contractual Clauses as approved by the European Commission.
We are working toward SOC 2 Type II. No formal certifications have been issued at this time.
We will promptly notify Customer (within 5 business days) if we receive a request from a Data Subject to exercise rights under applicable Data Protection Law (e.g., access, correction, deletion, or portability).
We will not respond to such requests directly but will provide Customer with reasonable assistance to fulfill the request, consistent with the nature of the processing and the information available to us.
Customer is responsible for responding to Data Subject requests within applicable statutory deadlines.
We will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a confirmed Personal Data breach affecting Customer Personal Data. Notification will be sent to the email address on Customer's account.
Notification will include, to the extent available: (a) a description of the nature of the breach; (b) the categories and approximate number of data subjects and records affected; (c) likely consequences; and (d) measures taken or proposed to address the breach.
We will cooperate with Customer and take such reasonable commercial steps as are directed by Customer to remediate and mitigate the effects of any breach.
Upon termination of the Agreement, or upon Customer's written request, we will delete or return all Customer Personal Data within 30 days, and will delete existing copies unless applicable law requires retention.
Customers may request an export of their project data in JSON format at any time by contacting legal@bidreadyai.com.
We will make available to Customer, upon written request, information reasonably necessary to demonstrate compliance with this DPA. This may include completed security questionnaires, relevant certifications obtained by our Sub-processors (e.g., Google Cloud's ISO 27001), and summary descriptions of our security practices.
If Customer reasonably determines that information provided is insufficient, we will, at Customer's expense, accommodate an audit or inspection by Customer or Customer's designated auditor, subject to reasonable prior written notice and execution of a mutually agreed confidentiality agreement.
Customer Personal Data is primarily processed in the United States. Transfers of Personal Data from the European Economic Area (EEA), the UK, or Switzerland to the US are made pursuant to:
Customers that require a countersigned SCCs agreement between Customer and [LEGAL ENTITY NAME] directly should contact legal@bidreadyai.com.
This DPA is governed by the same governing law as the Agreement. In the event of any conflict between this DPA and the Agreement regarding processing of Personal Data, the terms of this DPA shall prevail.
For DPA requests, countersigning, or data protection inquiries, contact legal@bidreadyai.com or privacy@bidreadyai.com.