Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Conjunction ("Data Processor") and you ("Data Controller" or "you") when you process personal data of EU/UK residents through Conjunction.
1. Roles and Definitions
Data Controller: You, the customer using Conjunction to process personal data of your own end users or contacts.
Data Processor: Conjunction, which processes personal data only on your documented instructions as a sub-processor to your use of the service.
Personal Data: Any information relating to an identified or identifiable natural person ("data subject") as defined by GDPR (EU) 2016/679 or UK GDPR.
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
2. Subject Matter and Purpose of Processing
Subject matter: The processing of personal data incidental to your use of the Conjunction BIM platform — primarily account registration data (email, name) and, for enterprise customers, team member data.
Purpose: Provision of the BIM SaaS platform, account management, billing, support, and compliance with legal obligations.
Duration: For the duration of your subscription plus 90 days post-termination.
3. Nature and Scope of Processing
- Collection: Registration data via magic link, support form submissions, team invite acceptances
- Storage: In Neon (PostgreSQL) database, hosted in the United States
- Use: Authentication, billing, transactional emails, support ticketing
- Disclosure: To sub-processors listed in Section 7 for infrastructure and service delivery
- Deletion: On account deletion or DPA termination request, within 90 days
Conjunction does not process special categories of data (health, biometric, financial, children's data) as part of standard service operations.
4. Data Controller Obligations
You, as Data Controller, are responsible for:
- Ensuring you have a lawful basis for processing any personal data you submit through Conjunction
- Ensuring data subjects have been informed of how their data is used (via your own privacy notice)
- Responding to data subject rights requests (access, erasure, portability) within the timeframes required by law
- Not submitting special category data to Conjunction without explicit written agreement
5. Processor Obligations
Conjunction agrees to:
- Process personal data only on your documented instructions (as defined in this DPA and our Terms)
- Ensure persons authorized to process data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (TLS encryption, access controls, audit logging)
- Not engage another processor without your prior specific written consent; we maintain a list of approved sub-processors (Section 7)
- Assist you in fulfilling data subject rights requests, taking into account the nature of processing and information available to us
- Delete or return all personal data upon termination of the DPA, at your choice
- Make available all information necessary to demonstrate compliance with GDPR Article 28
- Allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you, with reasonable notice
6. Data Breach Notification
If Conjunction becomes aware of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, we will:
- Notify you without undue delay, and at the latest within 72 hours of becoming aware
- Provide: nature of breach, categories and approximate number of data subjects affected, categories and approximate number of personal data records affected, name and contact of DPO (if applicable), likely consequences, measures taken or proposed
- Document all breaches in our incident log regardless of notification requirement
7. Sub-processors
Conjunction uses the following sub-processors, all operating under a written DPA with Conjunction:
| Sub-processor | Service Provided | Data Processed | Country |
|---|---|---|---|
| Render | Cloud hosting and compute | All application data | USA |
| Neon (Neon.tech) | PostgreSQL database | All application data | USA |
| Stripe | Payment processing | Billing name, email, transaction refs | USA |
| OpenAI | AI-assisted render generation | Viewport images, render prompts (not stored by OpenAI) | USA |
| PeerJS (PeerServer) | WebRTC signaling for collaboration | Session metadata, no message content | USA |
You authorize Conjunction to use additional sub-processors with 30 days' prior written notice. If you object to a new sub-processor, you may terminate your subscription with no penalty within 30 days of notification.
8. International Data Transfers
Personal data of EU/UK residents is processed in the United States. Data transfers from the European Economic Area and United Kingdom to the USA are governed by:
- EU Standard Contractual Clauses (SCCs): EU Commission Decision 2021/914 (Module 2: Controller-to-Processor), incorporated by reference
- UK International Data Transfer Agreements (IDTA): Where applicable for UK GDPR transfers
Conjunction maintains transfer records documenting the legal mechanism for each international transfer and makes these available upon request.
9. Documentation and Compliance
Conjunction maintains and can provide on request:
- Record of processing activities (Article 30 GDPR)
- DPIA (Data Protection Impact Assessment) for high-risk processing activities
- Written instructions for processing (this DPA)
- Sub-processor agreements and list
- Security policies and incident response procedures
10. Return and Deletion
Upon termination of your subscription:
- Export: You may export BIM models, issues, and account data via the Conjunction interface during the 90-day post-termination retention period
- Deletion: Conjunction will delete all personal data within 90 days of termination, except data required for legal compliance (audit logs retained 12 months)
- Certification: Upon request, Conjunction will certify in writing that deletion is complete
11. Termination
This DPA terminates automatically upon termination of your Conjunction subscription. Provisions that by their nature should survive termination (data breach notification obligations, return/deletion obligations) remain in effect after termination.
12. Contact
For GDPR/UK GDPR compliance questions, contact our Data Protection Officer:
Email: dpo@conjunction.pro
Postal: Conjunction Data Protection Officer, 123 Architecture Way, New York, NY 10001