Data processing addendum

Last updated May 2026. This DPA forms part of the Agreement between Builtable Labs Inc. (Processor) and the customer (Controller) for the GO Pilot GO Service. It applies whenever the Service processes personal data subject to the GDPR, the UK GDPR, or the Swiss FADP.

1. Definitions

Capitalized terms not defined here have the meanings given in the GDPR or in our Terms of Service. "Customer Data" means personal data the Controller submits to the Service. "Applicable Data Protection Law" means the GDPR, the UK GDPR, the Swiss FADP, and any other privacy law that applies to the processing.

2. Roles and scope

The Controller determines the purposes and means of processing. The Processor processes Customer Data only on documented Controller instructions, which include the Agreement, this DPA, and the in-product configuration the Controller chooses. Each party complies with Applicable Data Protection Law applicable to its role.

3. Subject matter and duration

Subject matter: provision of the GO Pilot GO Service (account management, agent definition storage, agent execution, integration credential handling, event logging, billing). Duration: for the term of the Agreement and any wind-down period.

4. Nature, purpose, and types of data

Nature and purpose: hosting agents and running them on Controller instructions. Categories of data: as determined by Controller (commonly business contact data, end-user identifiers, communications content, and any data Controller routes through its agents). Categories of data subjects: Controller's employees, contractors, customers, prospects, and end users.

5. Sub-processors

Controller authorizes Processor to engage sub-processors listed at /legal/sub-processors. Processor will give at least 30 days' notice before adding or replacing a sub-processor. Controller may object on reasonable data-protection grounds; the parties will discuss in good faith, and if no resolution is reached the Controller may terminate the affected Service with a pro-rata refund of pre-paid fees for unused capacity.

6. Security

Processor implements the technical and organizational measures described at /security, which include envelope encryption of credentials at rest, TLS 1.2 or higher in transit, isolated worker runtimes, scoped OAuth tokens with rotation, role-based access controls, audit logging, and a documented incident-response process. Processor reviews these measures regularly and may update them provided the level of protection is not materially reduced.

7. Confidentiality

Processor ensures personnel with access to Customer Data are bound by confidentiality obligations.

8. Assistance

Taking into account the nature of the processing, Processor will provide reasonable assistance to Controller in responding to data-subject requests, performing data-protection impact assessments, and consulting with supervisory authorities. Processor may charge a reasonable fee for assistance that exceeds what is required by Applicable Data Protection Law.

9. Personal data breach

Processor will notify Controller without undue delay after becoming aware of a personal data breach affecting Customer Data and will provide information reasonably available to assist Controller's notification obligations. Notification is not an acknowledgment of fault.

10. International transfers

For transfers of EEA, UK, or Swiss personal data to a third country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module 2 Controller-to-Processor or Module 3 Processor-to-Processor as applicable) and the UK Addendum, with docking, governing law, and supervisory authority elections as commonly used.

11. Deletion or return

On termination of the Service, Controller may export Customer Data from the in-product tools. After a reasonable wind-down period (default 30 days), Processor will delete Customer Data from active systems. Backups follow standard rolling retention and are securely overwritten over time.

12. Audit

Processor will make available the information necessary to demonstrate compliance, in the form of a current security overview, sub-processor list, and (where available) third-party attestations. On request no more than once per year, and subject to a confidentiality agreement, Processor will respond to a reasonable, scoped written security questionnaire. On-site audits are only available to Enterprise customers with a signed audit addendum.

13. Liability

The liability provisions in the Agreement apply to this DPA. Aggregate liability under this DPA and the Agreement is capped as set out in the Terms of Service.

14. Conflict

In the event of a conflict, this DPA prevails over the Terms of Service with respect to the processing of personal data subject to Applicable Data Protection Law. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Clauses prevail.

15. Countersignature

Pro and Enterprise customers may countersign a copy of this DPA. Submit the request through our contact form.