Data Processing Addendum

This DPA covers processor and subprocessor obligations, security controls, subprocessors, retention, deletion, transfer terms, agent-generated data, and workspace metadata handling for buildr-plannr.

Effective 2026-05-23
Source: docs/security/data-processing-addendum.md

Customer (controller or business): determines the workspace purpose, users, agent scopes, source material, support contacts, and lawful basis for processing customer personal data.

buildr-plannr (processor or service provider): processes customer personal data only for documented product purposes to provide, secure, support, bill, and improve the governed agent planning service under customer instructions.

Subprocessors (approved service providers): provide hosting, authentication, billing, monitoring, email, analytics, or support capabilities listed in the public subprocessor register.

Workspace metadata

  • workspace names
  • project labels
  • issue metadata
  • roles and permissions
  • import and export history

Operate planning workspaces, preserve permission boundaries, support exports, and maintain audit-ready account state.

Agent-generated data

  • task contracts
  • agent recommendations
  • approval requests
  • risk scores
  • verification evidence

Coordinate agent work, preserve human review evidence, enforce approval gates, and explain why a delegated task was accepted, blocked, or escalated.

User and authentication data

  • names
  • email addresses
  • Cognito identifiers
  • identity provider claims
  • session metadata

Authenticate users, authorize workspace access, support account recovery, investigate security events, and maintain role-based access controls.

Billing, support, and legal data

  • Stripe customer references
  • subscription metadata
  • support request summaries
  • procurement contacts
  • data request evidence

Administer plans, subscriptions, invoices, refunds, enterprise review, legal requests, and support workflows without storing raw payment card data.

Operations and security data

  • request IDs
  • redacted logs
  • deployment health signals
  • security diagnostics
  • incident evidence

Monitor reliability, detect abuse, investigate incidents, maintain backups, and document production readiness evidence.

Scope and processing roles

This DPA applies when buildr-plannr processes customer personal data for a workspace, procurement review, billing flow, support case, or governed agent planning workflow.

  • The customer acts as controller or business for customer personal data submitted to the service.
  • buildr-plannr acts as processor or service provider and processes customer personal data only for documented product, security, support, billing, and legal purposes.
  • Customer instructions are captured through the product, signed order forms, support requests, enterprise security review, and mutually approved written instructions.
  • This DPA does not authorize customers to submit regulated data, secrets, payment card data, health data, or government identifiers unless a signed enterprise agreement explicitly allows it.

Processing instructions

Customer instructions cover operation of the application, agent governance, support, billing, security, analytics, imports, exports, and deletion workflows.

  • Processing is limited to providing the product, enforcing workspace permissions, coordinating human and agent work, maintaining entitlement state, and producing verification evidence.
  • Agents and integrations may process workspace metadata, issue records, task contracts, and context packs only within configured workspace scopes and approval controls.
  • buildr-plannr may refuse or suspend processing instructions that appear unlawful, unsafe, outside contract scope, or likely to expose secrets or third-party data without authority.
  • Product analytics must use pseudonymous identifiers and must not collect raw prompts, private issue bodies, customer source material, secrets, or full support payloads.

Agent-generated and workspace data

Agent-generated data and workspace metadata are treated as customer data when they identify users, describe customer work, or preserve customer-specific evidence.

  • Agent-generated recommendations, task contracts, approval requests, risk scores, and verification evidence remain connected to the workspace that generated them.
  • Human review and approval evidence is retained to explain delegated work, release decisions, escalations, blocked actions, and audit outcomes.
  • Imports, exports, bulk operations, and API access must preserve workspace ownership and avoid leaking data across tenants or environments.
  • Support and debugging workflows must use privacy-safe references instead of raw prompts, customer secrets, private source material, or full issue bodies wherever possible.

Security controls

Security controls are designed to protect customer personal data, agent execution evidence, and workspace state throughout the service lifecycle.

  • Use Cognito-backed authentication, environment-specific AWS accounts, least-privilege roles, protected deployment workflows, and secure session handling.
  • Encrypt data in transit and at rest using AWS-managed or service-managed encryption unless a signed enterprise agreement requires a different control.
  • Redact tokens, secrets, API keys, Cognito tokens, webhook signatures, private keys, raw passwords, and full customer email values from logs and support evidence.
  • Maintain incident response, access review, change management, backup, restore, and monitoring evidence as launch readiness controls mature.

Subprocessors and transfers

Subprocessors support hosting, authentication, billing, monitoring, analytics, email, support, and related service operations.

  • The public subprocessor list records vendor purpose, status, region, data categories, transfer notes, and the update process.
  • Subprocessors must be assessed before customer data is sent to them and must be used only for the documented service purpose.
  • Enterprise customers receive material subprocessor change notices through their nominated legal or security contact when required by contract.
  • International transfers, where applicable, use the vendor transfer terms, Standard Contractual Clauses, or other approved transfer mechanisms available for the relevant service.

Retention, deletion, and return

Retention, deletion, return, and export handling are governed by product lifecycle, customer requests, security duties, billing obligations, and enterprise contract terms.

  • Workspace records, issue data, agent activity, task contracts, and evidence are retained while the workspace is active and then exported, deleted, or aged out through the supported lifecycle.
  • Operational logs are redacted and retained according to the active Terraform-managed CloudWatch retention policy unless a scoped incident, abuse, or legal hold requires otherwise.
  • Billing records, invoices, tax data, support history, fraud prevention evidence, and dispute records may be retained where legally or contractually required.
  • Enterprise deletion, return, and backup aging expectations must be captured in the order form, DPA, security addendum, or approved written request.

Assistance, audits, and incidents

buildr-plannr supports reasonable data request, audit, security review, incident, and procurement assistance through documented support and enterprise review paths.

  • Customers can request access, correction, export, deletion, restriction, and portability help through /support?intent=legal.
  • Enterprise customers can request the security whitepaper and subprocessor, architecture, access control, logging, backup, and incident response evidence through /contact?intent=security-review.
  • Security incidents involving customer personal data are triaged through incident response procedures and communicated through the customer contact route required by contract or law.
  • Audit assistance should use existing evidence, privacy-safe exports, and scoped review materials rather than direct production access.

Enterprise and checkout review paths

Use these routes for subprocessor review, privacy terms, security evidence, data requests, procurement, and enterprise security review.