Data Processing Agreement
Last Updated: April 13, 2025
Introduction
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions ("Terms") between Sustaina ("Processor," "we," "our," or "us") and the user or entity ("Controller," "you," or "your") accessing or using our AI-powered architectural and engineering platform (the "Platform").
This DPA reflects the parties' agreement with respect to the processing of Personal Data in accordance with the requirements of Data Protection Laws, including the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection regulations.
By using our Platform, you acknowledge that you have read and understood this DPA and agree to be bound by its terms.
Definitions
In this DPA, the following terms shall have the meanings set out below:
- "Controller" means the entity that determines the purposes and means of the Processing of Personal Data.
- "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including the GDPR, CCPA, and similar data protection laws in relevant jurisdictions.
- "Data Subject" means the identified or identifiable person to whom Personal Data relates.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- "Processing" means any operation or set of operations which is performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- "Processor" means the entity that Processes Personal Data on behalf of the Controller.
- "Sub-processor" means any Processor engaged by Sustaina to Process Personal Data on behalf of the Controller.
- "Project Data" means architectural designs, engineering specifications, material information, and other technical data uploaded to or generated on the Platform.
Scope and Application
Purpose Limitation
This DPA applies to the Processing of Personal Data by Sustaina as a Processor on behalf of the Controller in connection with the provision of the Platform. We shall Process Personal Data only for the purposes necessary to provide the Platform in accordance with the Terms and this DPA or as otherwise agreed in writing.
Processing Activities
Sustaina's Processing activities include:
- Account creation and management
- User authentication and access control
- Project collaboration and management
- AI-powered design optimization
- Sustainability analysis and material recommendations
- Customer support and communication
- Service improvement and analytics
Categories of Data Subjects
The categories of Data Subjects whose Personal Data may be Processed under this DPA include:
- Controller's employees, contractors, and authorized users
- Controller's clients and customers (if applicable)
- Other individuals whose Personal Data is uploaded to the Platform by the Controller
Types of Personal Data
The types of Personal Data that may be Processed under this DPA include:
- User account information (name, email address, professional role)
- Contact information
- Login credentials
- Professional qualifications and certifications
- IP addresses and device information
- User preferences and settings
- Project metadata and attribution data
- Other Personal Data provided by the Controller through use of the Platform
Processor Obligations
Compliance with Instructions
We shall Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law. In such a case, we shall inform the Controller of that legal requirement before Processing, unless the law prohibits such information.
Confidentiality
We shall ensure that all personnel authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Security Measures
We shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate:
- Pseudonymization and encryption of Personal Data
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience of Processing systems and services
- Ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident
- Process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures
The security measures we implement include:
- Strong authentication and access controls
- Encryption of data in transit and at rest
- Regular security assessments and penetration testing
- Physical security measures for data centers and facilities
- Employee security awareness training
- Formal incident response procedures
- Continuous monitoring and logging
- Redundant infrastructure and regular backups
Sub-processor Engagement
We may engage Sub-processors to perform specific Processing activities on behalf of the Controller. When engaging any Sub-processor, we shall:
- Conduct adequate due diligence to ensure the Sub-processor can provide sufficient guarantees to implement appropriate technical and organizational measures
- Ensure that the arrangement with the Sub-processor is governed by a written contract including terms no less protective than those in this DPA
- Remain fully liable to the Controller for the performance of the Sub-processor's obligations
Current Sub-processors include:
- Cloud infrastructure providers
- Database management services
- Customer support tools
- Analytics and monitoring services
- Payment processors
We shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes. If the Controller objects to a new Sub-processor, the parties will work together in good faith to find a mutually acceptable resolution.
Data Subject Rights
We shall, to the extent legally permitted, promptly notify the Controller if we receive a request from a Data Subject to exercise their rights under Data Protection Laws. Taking into account the nature of the Processing, we shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subject rights.
Assistance to Controller
We shall assist the Controller in ensuring compliance with its obligations pursuant to Data Protection Laws, taking into account the nature of Processing and the information available to us, with respect to:
- Security of Processing
- Notification of Personal Data Breaches to supervisory authorities
- Communication of Personal Data Breaches to Data Subjects
- Data protection impact assessments
- Prior consultation with supervisory authorities
Personal Data Breach Notification
We shall notify the Controller without undue delay upon becoming aware of a Personal Data Breach affecting the Personal Data Processed under this DPA. Such notification shall:
- Describe the nature of the Personal Data Breach
- Communicate the name and contact details of our data protection officer or other contact point
- Describe the likely consequences of the Personal Data Breach
- Describe the measures taken or proposed to address the Personal Data Breach, including measures to mitigate possible adverse effects
We shall cooperate with the Controller and provide reasonable assistance to investigate the Personal Data Breach and take steps to remediate and mitigate the damage.
Data Deletion or Return
Upon termination of the Platform services, we shall, at the Controller's choice, delete or return all Personal Data to the Controller and delete existing copies unless applicable law requires storage of the Personal Data.
Audit Rights
We shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
Controller Obligations
Lawful Instructions
The Controller shall ensure that its instructions for the Processing of Personal Data comply with Data Protection Laws and that the Processing of Personal Data in accordance with the Controller's instructions will not cause us to violate any applicable Data Protection Laws.
Lawful Basis for Processing
The Controller represents and warrants that it has and will maintain a lawful basis for the Processing of Personal Data under Data Protection Laws, including obtaining any necessary consents or providing any required notices to Data Subjects.
Response to Data Subject Requests
The Controller shall be responsible for responding to Data Subject requests, with our assistance as described in this DPA.
Technical and Organizational Measures
The Controller shall implement appropriate technical and organizational measures to ensure and be able to demonstrate that Processing is performed in accordance with Data Protection Laws.
Project Data and AI Training
Processing of Project Data
The Platform processes Project Data, which may contain Personal Data, to provide services such as:
- Architectural design optimization
- Structural engineering analysis
- Material recommendations
- Sustainability assessments
- Collaboration and version control
AI Training and Model Development
With the Controller's consent, anonymized and aggregated Project Data may be used to train, develop, and improve our AI models and algorithms. Such Processing shall:
- Use only anonymized or aggregated Project Data, and pseudonymize any remaining Personal Data unless identifiable Personal Data is necessary for the purpose
- Implement security measures to prevent re-identification of Data Subjects
- Respect the confidentiality of proprietary information
- Comply with all applicable Data Protection Laws
International Data Transfers
Adequate Safeguards
If the provision of Platform services involves the transfer of Personal Data from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws, such transfers shall be subject to appropriate safeguards, such as:
- Standard Contractual Clauses
- Binding Corporate Rules
- Approved certification mechanisms
- Other legally recognized transfer mechanisms
Standard Contractual Clauses
Where required, the parties agree to be bound by the Standard Contractual Clauses adopted by the European Commission for the transfer of Personal Data to processors established in third countries. The Standard Contractual Clauses shall be deemed incorporated into this DPA by reference.
Impact Assessments
For transfers subject to the GDPR, the parties shall cooperate to ensure that the transfer impact assessment requirements are fulfilled, including evaluating whether the legislation or practices in the destination country may impinge on the effectiveness of the appropriate safeguards.
Liability and Indemnity
Allocation of Responsibility
Each party shall be responsible for its own compliance with its obligations under this DPA and Data Protection Laws.
Indemnification
The Controller shall indemnify and hold harmless Sustaina from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from or relating to the Controller's breach of this DPA or applicable Data Protection Laws.
Term and Termination
Term
This DPA shall commence on the date the Controller accepts the Terms and shall continue in force until termination of the Platform services under the Terms.
Effect of Termination
The obligations of Sustaina with respect to Personal Data shall survive termination of Platform services until all Personal Data has been returned or deleted in accordance with this DPA.
Modifications to this DPA
We may modify this DPA from time to time. We will provide notice of significant changes by posting the updated DPA on our website and updating the "Last Updated" date. Your continued use of the Platform after any changes to this DPA constitutes your acceptance of the revised DPA.
Severability
If any provision of this DPA is held invalid or unenforceable, the remaining provisions will continue in full force and effect. Any invalid or unenforceable provision shall be replaced with a valid and enforceable provision that most closely reflects the intent of the original provision.
Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws specified in the Terms. Any disputes arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution provisions in the Terms.
Contact Information
For any questions regarding this DPA or to exercise your rights as a Controller, please contact our Data Protection Officer:
Sustaina - Data Protection Officer
Email: dpo@sustaina.pro
Address: Viale Monza 137, Milan, Italy
Phone: +1 (415) 555-0123
Appendix 1: Technical and Organizational Security Measures
Sustaina implements and maintains the following technical and organizational security measures to protect Personal Data:
Access Control
- Role-based access controls
- Multi-factor authentication
- Regular review of access rights
- Strong password policies
- Automatic session timeout
- Logging of access and authentication events
Systems Security
- Encryption of data in transit (TLS 1.3 or higher)
- Encryption of data at rest (AES-256)
- Regular security patches and updates
- Anti-malware protection
- Intrusion detection and prevention systems
- Vulnerability scanning and penetration testing
- Secure development practices and code reviews
Network Security
- Network segmentation and firewalls
- Virtual private networks (VPNs) for remote access
- Network monitoring and logging
- Protection against DDoS attacks
- Restriction of inbound and outbound traffic
Physical Security
- Secured data centers with 24/7 monitoring
- Access control systems for facilities
- Physical intrusion detection
- Environmental controls (temperature, humidity, fire suppression)
- Redundant power supplies and backup systems
Organizational Measures
- Regular security awareness training for employees
- Background checks for employees with access to Personal Data
- Confidentiality agreements
- Documented security policies and procedures
- Regular security audits and assessments
- Data protection impact assessments
- Incident response plan and team
Business Continuity
- Regular data backups
- Disaster recovery procedures
- Redundant infrastructure
- Failover mechanisms
- Regular testing of recovery procedures
Third-Party Management
- Security assessment of Sub-processors
- Contractual security requirements
- Regular review of Sub-processor compliance
- Monitoring of Sub-processor security controls
Data Lifecycle Management
- Data minimization practices
- Retention policies and automated deletion
- Secure data transfer mechanisms
- Secure disposal of data and media
- Data classification and handling procedures