BidReady AI

Data Processing Addendum (DPA)

This DPA supplements the Terms of Service and governs how we process personal data on your behalf.

Last updated: May 2026

Note: This is a template document. [LEGAL ENTITY NAME] has not yet completed a formal legal review. Customers requiring a countersigned DPA for GDPR/CCPA compliance should contact legal@bidreadyai.com to request a signed version.

1. Definitions

In this DPA, the following capitalized terms have the meanings set out below:

  • "Agreement" means the Terms of Service between Customer and [LEGAL ENTITY NAME].
  • "Controller" means the party that determines the purposes and means of processing Personal Data.
  • "Customer Personal Data" means any Personal Data contained in or derived from Customer Data that is processed by Company on behalf of Customer.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation) and its UK equivalent (UK GDPR), as applicable.
  • "Personal Data" has the meaning given to it under applicable Data Protection Law.
  • "Processor" means the party that processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by Company to process Customer Personal Data.

2. Roles of the parties

Customer is the Controller with respect to Customer Personal Data. Customer determines the purposes for which Personal Data is uploaded to the Service (e.g., construction specification analysis).

[LEGAL ENTITY NAME] is the Processor. We process Customer Personal Data only on documented instructions from Customer (as set out in this DPA and the Agreement) and not for our own purposes.

Each party is an independent Controller for its own operational data (e.g., Company's account management data, Customer's corporate records).

3. Details of processing

  • Subject matter: AI-powered analysis of construction specification documents.
  • Duration: the term of the Agreement, plus up to 30 days post-termination for deletion.
  • Nature: collection, storage, retrieval, AI processing, and deletion of Customer Data.
  • Purpose: providing the BidReady AI Service as described in the Agreement.
  • Categories of data: contact information (names and email addresses of account users); document content uploaded by Customer (which may incidentally contain personal information); usage logs.
  • Categories of data subjects: Customer's employees, contractors, and project team members who use the Service or whose information appears in uploaded documents.

4. Customer obligations

  • Customer shall have a lawful basis for processing and transferring Customer Personal Data to Company.
  • Customer shall provide any notices and obtain any consents required by applicable Data Protection Law from Data Subjects prior to uploading their data.
  • Customer's instructions to Company shall comply with applicable Data Protection Law.

5. Company obligations

  • We will process Customer Personal Data only on documented Customer instructions, including the Agreement and this DPA, unless required by law to do otherwise.
  • We will ensure that all personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.
  • We will implement and maintain the technical and organizational security measures described in Section 7.
  • We will not sell, rent, or share Customer Personal Data with any third party except as required to provide the Service or as required by law.
  • We will not use Customer Personal Data to train, fine-tune, or improve AI or machine-learning models without Customer's explicit written consent.

6. Sub-processors

Customer provides general authorization for us to engage the Sub-processors listed below. We will inform Customer of any intended addition or replacement of a Sub-processor at least 14 days in advance, giving Customer the opportunity to object.

  • Google Cloud / Firebase. Purpose: authentication, database, file storage, cloud functions. Processing location: USA (us-central1). Transfer mechanism: Google's EU SCCs / Data Processing Terms.
  • Google Gemini API. Purpose: AI document analysis. Processing location: USA. Transfer mechanism: Google's EU SCCs / Data Processing Terms.
  • Stripe, Inc. Purpose: payment processing and subscription management. Processing location: USA. Transfer mechanism: Stripe's DPA / EU SCCs.
  • Resend. Purpose: transactional email delivery. Processing location: USA. Transfer mechanism: Resend's DPA.

SCCs = Standard Contractual Clauses as approved by the European Commission.

7. Technical and organizational security measures

  • Encryption in transit: All data transmitted between clients and the Service uses TLS 1.2 or higher.
  • Encryption at rest: All data stored in Firestore and Firebase Storage is encrypted at rest with AES-256 by Google Cloud infrastructure.
  • Access control: Firestore security rules enforce per-project, per-user data isolation for client access. Security rules do not apply to privileged server-side access, so every server-side Cloud Function independently verifies the caller's identity and ownership of the target project before processing.
  • Authentication: Users authenticate via Firebase Authentication (OAuth 2.0 providers and email/password). Administrative access uses separate service accounts granted only the permissions they require.
  • Secrets management: API keys and credentials are stored in Firebase/Functions environment configuration. No secrets are exposed in client-side bundles.
  • Availability: The Service runs on Google Cloud infrastructure with built-in redundancy.
  • Vulnerability management: Dependencies are monitored for known vulnerabilities.

We are working toward SOC 2 Type II. No formal certifications have been issued at this time.
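The ownership check described under "Access control" above is the part a reviewer will want to see, because Firestore security rules only gate client-SDK reads and writes; code that reaches Firestore with the Admin SDK bypasses them, so a Cloud Function that trusts the rules alone has no authorization at all. The following is an added illustration, not BidReady AI's own code: an in-memory `db` stands in for a Firestore "projects" collection, `getProject`, the `ownerId` field, and the `HttpsError` shape are assumptions modelled on the callable-function API, and the analysis step is represented by a status string. The point it demonstrates is that the handler resolves the caller from the verified ID token, compares it to the project owner before doing any work, and returns the same error for "missing" and "owned by someone else" so project IDs cannot be enumerated.

```javascript
// Added example (not BidReady AI's code). Models the server-side ownership
// check a Cloud Function must perform itself, since Admin SDK access to
// Firestore is not subject to Firestore security rules.

// Constructed sample data standing in for a Firestore "projects" collection.
// Assumption: each project document carries an `ownerId` equal to the
// Firebase Authentication uid of the user who created it.
const db = new Map([
  ["proj-a", { ownerId: "uid-alice", name: "Spec set A" }],
  ["proj-b", { ownerId: "uid-bob", name: "Spec set B" }],
]);

// Stand-in for admin.firestore().collection("projects").doc(id).get():
// returns the document data or null when it does not exist.
function getProject(projectId) {
  return db.get(projectId) ?? null;
}

// Minimal error type mirroring the (code, message) shape of
// functions.https.HttpsError, so callers can branch on `code`.
class HttpsError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

// Authorize a call for `projectId` from `auth`, which is the decoded ID
// token the Functions SDK attaches to callable requests (null when the
// request is unauthenticated). Returns the project document on success and
// throws HttpsError otherwise.
function authorizeProjectAccess(auth, projectId) {
  if (!auth || typeof auth.uid !== "string" || auth.uid.length === 0) {
    throw new HttpsError("unauthenticated", "Sign in required.");
  }
  if (typeof projectId !== "string" || projectId.length === 0) {
    throw new HttpsError("invalid-argument", "projectId is required.");
  }
  const project = getProject(projectId);
  // Identical response for "does not exist" and "belongs to another user":
  // a caller must not be able to probe which project IDs exist.
  if (project === null || project.ownerId !== auth.uid) {
    throw new HttpsError("permission-denied", "Project not accessible.");
  }
  return project;
}

// Callable handler in the (data, context) shape of firebase-functions v1.
// Authorization happens before any processing of the uploaded documents.
function analyzeSpecHandler(data, context) {
  const project = authorizeProjectAccess(context.auth, data.projectId);
  return {
    projectId: data.projectId,
    status: `analysis queued for ${project.name}`,
  };
}

// Convenience wrapper that reports the outcome instead of throwing, so the
// behaviour of each denial path can be inspected.
function tryCall(auth, projectId) {
  try {
    return { ok: true, result: analyzeSpecHandler({ projectId }, { auth }) };
  } catch (e) {
    if (e instanceof HttpsError) return { ok: false, code: e.code };
    throw e;
  }
}

// Stand-alone run: owner succeeds, the other user and an unknown id both
// receive permission-denied, an anonymous caller is unauthenticated.
console.log(tryCall({ uid: "uid-alice" }, "proj-a"));
console.log(tryCall({ uid: "uid-alice" }, "proj-b"));
console.log(tryCall({ uid: "uid-alice" }, "no-such-project"));
console.log(tryCall(null, "proj-a"));
```

In a deployed function the `auth` object comes from the Functions runtime after it has verified the ID token's signature; the handler should never accept a uid supplied in the request body. Per-project membership (rather than a single owner) would extend the comparison to a members list on the project document, with the same "not accessible" response for non-members.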

8. Data subject requests

We will promptly notify Customer (within 5 business days) if we receive a request from a Data Subject to exercise rights under applicable Data Protection Law (e.g., access, correction, deletion, or portability).

We will not respond to such requests directly but will provide Customer with reasonable assistance to fulfill the request, consistent with the nature of the processing and the information available to us.

Customer is responsible for responding to Data Subject requests within applicable statutory deadlines.

9. Security incidents and breach notification

We will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a confirmed Personal Data breach affecting Customer Personal Data. Notification will be sent to the email address on Customer's account.

Notification will include, to the extent available: (a) a description of the nature of the breach; (b) the categories and approximate number of data subjects and records affected; (c) likely consequences; and (d) measures taken or proposed to address the breach.

We will cooperate with Customer and take such commercially reasonable steps as are directed by Customer to remediate and mitigate the effects of any breach.

10. Deletion and return of data

Upon termination of the Agreement, or upon Customer's written request, we will delete or return all Customer Personal Data within 30 days, and will delete existing copies unless applicable law requires retention.

Customers may request an export of their project data in JSON format at any time by contacting legal@bidreadyai.com.

11. Audits and certifications

We will make available to Customer, upon written request, information reasonably necessary to demonstrate compliance with this DPA. This may include completed security questionnaires, relevant certifications obtained by our Sub-processors (e.g., Google Cloud's ISO 27001), and summary descriptions of our security practices.

If Customer reasonably determines that information provided is insufficient, we will, at Customer's expense, accommodate an audit or inspection by Customer or Customer's designated auditor, subject to reasonable prior written notice and execution of a mutually agreed confidentiality agreement.

12. International data transfers

Customer Personal Data is primarily processed in the United States. Transfers of Personal Data from the European Economic Area (EEA), the UK, or Switzerland to the US are made pursuant to:

  • Standard Contractual Clauses (SCCs) as incorporated in the data processing agreements between [LEGAL ENTITY NAME] and its Sub-processors (Google, Stripe, and Resend).
  • Any adequacy decision, or other appropriate safeguard recognized under applicable Data Protection Law.

Customers that require a countersigned SCCs agreement between Customer and [LEGAL ENTITY NAME] directly should contact legal@bidreadyai.com.

13. Governing law

This DPA is governed by the same governing law as the Agreement. In the event of any conflict between this DPA and the Agreement regarding processing of Personal Data, the terms of this DPA shall prevail.

For DPA requests, countersigning, or data protection inquiries, contact legal@bidreadyai.com or privacy@bidreadyai.com.