Data processing addendum

This addendum applies where Aedifice processes personal data on behalf of a client in connection with the provision of the Aedifice service, including Wren. The client acts as the data controller in respect of that personal data, and Aedifice acts as the data processor. Where the client itself is a processor acting on behalf of a building owner or other upstream controller, Aedifice acts as a sub-processor on equivalent terms.

This addendum forms part of the agreement between Aedifice and the client and is intended to give effect to Article 28 of Regulation (EU) 2016/679 (the General Data Protection Regulation) and to comparable obligations under the United Kingdom General Data Protection Regulation and other equivalent frameworks.

Aedifice processes personal data only on documented instructions from the client, including with regard to transfers of personal data to a third country, unless required to do otherwise by law. The subject matter of the processing is the operation of Wren on the buildings the client has authorized, and the duration of the processing corresponds to the term of the relevant engagement.

Categories of data subjects typically include the client’s authorized users, licensed professionals engaged on a building, building owners where they are natural persons, and individuals identified in filings or correspondence associated with a building. Categories of personal data typically include contact information, professional-licensure information, and building-related records furnished by the client or drawn from the public record.

Aedifice ensures that personnel authorized to process personal data on its behalf are bound by written confidentiality obligations or by an equivalent statutory duty of confidentiality, and that access to personal data is limited to those personnel who require it to perform their duties.

Aedifice implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of personal data in transit and at rest, role-based access control keyed to engagement, audit logging of privileged actions, periodic review of access, and a written information-security program proportionate to the scale and sensitivity of the data processed.

The measures in force from time to time are described in the security documentation made available to clients on request, and are reviewed at least annually.

The client provides a general authorization for Aedifice to engage sub-processors in connection with the provision of the service, including hosting providers, observability providers, and the foundation-model provider that operates the underlying language models. Aedifice maintains a current list of sub-processors and provides prior notice of material changes to that list so that the client has an opportunity to object on reasonable data-protection grounds.

Aedifice imposes, by written contract, data-protection obligations on each sub-processor that are substantively the same as those set out in this addendum, and remains responsible for the acts and omissions of its sub-processors.

Taking into account the nature of the processing, Aedifice assists the client through appropriate technical and organizational measures, insofar as this is possible, in fulfilling the client’s obligation to respond to requests from data subjects exercising rights under Chapter III of the General Data Protection Regulation, and in complying with the client’s obligations under Articles 32 to 36 of that Regulation.

Where a data subject contacts Aedifice directly in connection with the client’s processing, Aedifice will promptly direct that data subject to the client, and will not respond substantively without the client’s instruction.

Where Aedifice transfers personal data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been the subject of an adequacy decision, the transfer is made under the European Commission’s Standard Contractual Clauses of 4 June 2021, together with any jurisdiction-specific addenda required, including the United Kingdom International Data Transfer Addendum and the Swiss amendments to the Standard Contractual Clauses.

The parties agree to cooperate in good faith on any supplementary measures that are reasonably necessary to give effect to the transfer mechanism in a particular jurisdiction.

Aedifice makes available to the client the information reasonably necessary to demonstrate compliance with its obligations under this addendum, and allows for and contributes to audits, including inspections, conducted by the client or another auditor mandated by the client on reasonable prior notice and subject to confidentiality commitments, in a manner that does not compromise the security or availability of the service or the data of other clients.

On termination of the engagement, and at the client’s choice, Aedifice deletes or returns the personal data processed under this addendum within a reasonable period, and deletes existing copies unless retention is required by law or by the professional standards of the licensed practitioners involved.