Data Processing Agreement

Last updated: June 2026

Introduction

This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the structIQ Terms of Service (the “Agreement”) between structIQ, operated by Kevin Hatt, Basel, Switzerland (“structIQ”, “Processor”, “we”, “us”) and the customer agreeing to the Agreement (“Customer”, “Controller”, “you”). It governs the Processing of Personal Data by structIQ on behalf of the Customer in connection with the structIQ service (the “Service”).

By accepting the Agreement, the Customer also accepts this DPA. Where the Customer requires a separately signed DPA (for example, where the Customer's own procurement process demands it), the Customer may request one at privacy@structiq.co.

1. Definitions

Terms not defined here have the meaning given in the Agreement or in applicable Data Protection Laws.

“Data Protection Laws” means all laws applicable to the Processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 (“GDPR”) and the Swiss revised Federal Act on Data Protection (“revFADP”).

“Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, and “Personal Data Breach” have the meanings given in the GDPR.

“Customer Personal Data” means any Personal Data that structIQ Processes on behalf of the Customer under the Agreement.

“Sub-processor” means any third party engaged by structIQ to Process Customer Personal Data.

2. Roles and scope of Processing

2.1 Roles. For Customer Personal Data, the Customer is the Controller and structIQ is the Processor. Where the Customer is itself a processor acting on behalf of a third-party controller, structIQ acts as a sub-processor; the Customer warrants it has the authority required for structIQ's Processing under this DPA.

2.2 Customer instructions. structIQ Processes Customer Personal Data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law (in which case structIQ will inform the Customer of that legal requirement before Processing, unless the law prohibits it). The Agreement, this DPA, and the Customer's use and configuration of the Service constitute the Customer's complete and documented instructions. structIQ will inform the Customer if, in its opinion, an instruction infringes Data Protection Laws.

2.3 Subject matter, nature and purpose. structIQ Processes Customer Personal Data to provide the Service described in the Agreement: hosting and storing Customer content; AI-powered epic splitting, content generation, quality review, estimation, and chat; extraction and cross-document analysis of structured information from uploaded documents; duplicate and relationship detection; and export. Processing continues for the duration of the Agreement plus the limited retention period described in the Agreement and Privacy Policy.

2.4 Types of Personal Data and categories of Data Subjects. The Customer determines what content it submits. Customer Personal Data may include information contained in project descriptions, epic content, chat messages, and uploaded documents (which may include names, contact details, and other identifiers present in the Customer's business documents), plus the account email address and optional display name of the Customer's users. Categories of Data Subjects may include the Customer's personnel and any individuals referenced in the content the Customer uploads. The Customer is responsible for the categories of Personal Data it chooses to upload.

2.5 Restricted data. The Service is designed for structuring project requirements and is not intended to receive special categories of Personal Data (GDPR Article 9) or data relating to criminal convictions (Article 10) as structured input. The Customer is responsible for the content it uploads and agrees not to upload such data unless separately agreed with structIQ in writing.

3. structIQ's obligations

3.1 Confidentiality. structIQ ensures that persons authorized to Process Customer Personal Data are bound by appropriate obligations of confidentiality.

3.2 Security. structIQ implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex 1, in accordance with GDPR Article 32. These include encryption of Personal Data in transit and at rest, database-level data isolation via row-level security, and access controls.

3.3 Assistance with Data Subject rights. Taking into account the nature of the Processing, structIQ assists the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests to exercise Data Subject rights under Chapter III of the GDPR. The Service additionally provides self-service export and deletion features that allow the Customer to action many such requests directly.

3.4 Assistance with security, breach notification, and impact assessments. structIQ assists the Customer in ensuring compliance with its obligations under GDPR Articles 32 to 36, taking into account the nature of Processing and the information available to structIQ.

3.5 Personal Data Breach. structIQ notifies the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provides the Customer with information reasonably available to it to assist the Customer in meeting its obligations under GDPR Articles 33 and 34.

3.6 Deletion or return. Upon termination of the Agreement, structIQ deletes Customer Personal Data in accordance with the Agreement and Privacy Policy, unless applicable law requires storage. The Customer may export its data before deletion using the Service's export features.

3.7 Records and demonstration of compliance. structIQ makes available to the Customer information reasonably necessary to demonstrate compliance with its obligations under GDPR Article 28.

3.8 Audit. structIQ allows for and contributes to audits of its Processing of Customer Personal Data, conducted by the Customer or an auditor mandated by the Customer, no more than once per calendar year (and additionally in the event of a confirmed Personal Data Breach affecting the Customer's data), subject to reasonable prior notice and confidentiality obligations. The Customer bears its own costs for such audits. structIQ may satisfy audit obligations by making available relevant documentation, security information, or third-party certifications where these reasonably address the Customer's audit request.

4. Sub-processors

4.1 General authorization. The Customer provides a general authorization for structIQ to engage Sub-processors to Process Customer Personal Data, subject to this Section 4. structIQ's current Sub-processors are listed at structiq.co/subprocessors.

4.2 New Sub-processors. structIQ maintains the current list of Sub-processors at the page above. structIQ informs the Customer of intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance (for example by updating the page and, on request, notifying the Customer), thereby giving the Customer the opportunity to object to such changes on reasonable data-protection grounds.

4.3 Sub-processor obligations. Where structIQ engages a Sub-processor, it imposes on that Sub-processor, by contract, data-protection obligations materially equivalent to those set out in this DPA. structIQ remains liable to the Customer for the performance of each Sub-processor's obligations.

5. International data transfers

5.1 structIQ is operated from Switzerland and stores Customer project data within the European Union. Certain Sub-processors are located in or Process data in the United States or globally (see structiq.co/subprocessors).

5.2 Where Processing involves a transfer of Customer Personal Data outside Switzerland or the European Economic Area to a country without an adequacy decision, structIQ ensures that an appropriate transfer mechanism is in place, such as the European Commission's Standard Contractual Clauses together with the Swiss addendum, or another mechanism recognized under applicable Data Protection Laws.

6. Liability and miscellaneous

6.1 Liability. Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

6.2 Conflict. In the event of a conflict between this DPA and the Agreement regarding the Processing of Customer Personal Data, this DPA prevails.

6.3 Governing law and jurisdiction. This DPA is governed by the laws of Switzerland, and disputes are subject to the jurisdiction set out in the Agreement, except where mandatory Data Protection Laws require otherwise.

6.4 Changes. structIQ may update this DPA to reflect changes in the Service, its Sub-processors, or applicable law, consistent with the change-notification provisions of the Agreement.

Annex 1 — Technical and organizational measures

structIQ implements the following measures (GDPR Article 32):

Encryption. All data is encrypted at rest using AES-256 and in transit using TLS/SSL. All communication with AI sub-processors is protected via TLS/SSL.

Data isolation. Every Customer's data is isolated at the database level using Row Level Security. No Customer can access another Customer's data, including through direct database access. Authentication tokens are validated on every request.

Access control. Production data is accessible only to the operator (Kevin Hatt) via authenticated access; no other personnel have access. Access follows the principle of least privilege.

AI provider safeguards. AI sub-processors are contractually prohibited from training on Customer content. Embedding excerpts are processed with zero-day retention.

Monitoring. Technical error and performance monitoring is configured to avoid capturing Customer project content.

Deletion. Deletion of projects and accounts permanently removes associated data, including derived data such as embeddings.

Annex 2 — Sub-processors

The current list of Sub-processors is maintained at structiq.co/subprocessors and is incorporated into this DPA by reference.