# Data Processing Agreement

**Between Nudgy (the "Processor") and the Customer (the "Controller").**

_Last updated: June 18, 2026_

> **Note:** This is a working scaffold for execution alongside a signed Order.
> Confirm the legal entity name, capture each party's address in the signature
> block below, and have counsel review before relying on it in a paid engagement.
> This document is not legal advice.

This Data Processing Agreement ("DPA") forms part of, and is incorporated by
reference into, the Terms of Service (the "Agreement") between the customer
("Customer," "you") and Nudgy ("Nudgy") and governs Nudgy's Processing of
Personal Data contained in Customer Content. It applies to the extent Nudgy
Processes Personal Data on Customer's behalf and to which Applicable Data
Protection Laws apply. Capitalized terms used but not defined here have the
meaning given in the Agreement.

---

## 1. Definitions

- **"Applicable Data Protection Laws"** means all data-protection and privacy
  laws applicable to the Processing of Personal Data under this DPA, including
  Canada's PIPEDA and substantially similar provincial legislation and, where
  applicable, the EU/UK GDPR.
- **"Controller," "Processor," "Data Subject," "Personal Data," "Processing,"**
  and **"Personal Data Breach"** have the meanings given in the GDPR, and
  equivalent terms in other Applicable Data Protection Laws are construed
  accordingly.
- **"Customer Personal Data"** means Personal Data contained in Customer Content
  that Nudgy Processes on Customer's behalf under the Agreement.
- **"Subprocessor"** means any third party engaged by Nudgy to Process Customer
  Personal Data.
- **"Standard Contractual Clauses" ("SCCs")** means the clauses approved by the
  European Commission for the transfer of Personal Data to third countries, and,
  for the United Kingdom, the UK International Data Transfer Addendum.

## 2. Roles & scope of Processing

As between the parties, Customer is the Controller (or a Processor acting on
behalf of a third-party Controller) and Nudgy is the Processor of Customer
Personal Data. Nudgy will Process Customer Personal Data only:

a. to provide, secure, support, and maintain the Service in accordance with the
   Agreement;
b. on Customer's documented instructions, including those set out in this DPA and
   given through Customer's use of the Service; and
c. as required by law to which Nudgy is subject, in which case Nudgy will, where
   permitted, inform Customer of that legal requirement before Processing.

The subject matter, duration, nature and purpose of the Processing, the types of
Personal Data, and the categories of Data Subjects are described in **Annex A**.
If Nudgy believes an instruction infringes Applicable Data Protection Laws, it
will inform Customer.

## 3. Customer's obligations

Customer is responsible for the accuracy, quality, and legality of Customer
Personal Data and for the means by which it acquired that data. Customer warrants
that it has established a valid legal basis for the Processing, has provided all
required notices, and has obtained all consents necessary for Nudgy to Process
Customer Personal Data as contemplated by the Agreement, and that its
instructions comply with Applicable Data Protection Laws.

## 4. Confidentiality

Nudgy will ensure that personnel authorized to Process Customer Personal Data are
bound by appropriate obligations of confidentiality, have received appropriate
data-protection training, and access Customer Personal Data only on a
need-to-know basis to perform under the Agreement.

## 5. Security measures

Nudgy will implement and maintain appropriate technical and organizational
measures designed to ensure a level of security appropriate to the risk, taking
into account the state of the art and the nature of the Processing. A description
of these measures is set out in **Annex B**. Nudgy may update its measures from
time to time provided the updates do not materially reduce the overall level of
security.

## 6. Subprocessors

Customer provides general written authorization for Nudgy to engage Subprocessors
to Process Customer Personal Data. Nudgy:

a. maintains a current list of Subprocessors at https://app.nudgy.ca/subprocessors;
b. imposes on each Subprocessor data-protection obligations no less protective
   than those in this DPA, by written contract;
c. remains responsible for each Subprocessor's performance of its obligations to
   the same extent Nudgy would be liable if performing the services directly; and
d. will give Customer prior notice (by updating the Subprocessors page) of the
   addition or replacement of any Subprocessor, giving Customer a reasonable
   opportunity to object on reasonable data-protection grounds before that
   Subprocessor begins Processing.

If Customer reasonably objects and the parties cannot resolve the objection,
Customer may, as its sole remedy, terminate the affected portion of the Service.

## 7. Data Subject requests

Taking into account the nature of the Processing, Nudgy will assist Customer by
appropriate technical and organizational measures, insofar as possible, in
fulfilling Customer's obligations to respond to requests from Data Subjects
exercising their rights under Applicable Data Protection Laws. If Nudgy receives
such a request directly, it will, unless legally required to respond, promptly
inform the Data Subject to contact Customer and notify Customer of the request.

## 8. Personal Data Breach

Nudgy will notify Customer without undue delay after becoming aware of a Personal
Data Breach affecting Customer Personal Data, and will provide Customer with
information reasonably available to it to assist Customer in meeting its own
breach-notification obligations to regulators and Data Subjects. Nudgy will take
reasonable steps to mitigate and remediate the breach. Nudgy's notification is
not an acknowledgement of fault or liability.

## 9. Assistance with assessments & consultations

Taking into account the nature of the Processing and the information available to
Nudgy, Nudgy will provide reasonable assistance to Customer with data-protection
impact assessments and any prior consultations with supervisory authorities that
Customer is required to carry out under Applicable Data Protection Laws.

## 10. International transfers

Customer authorizes Nudgy and its Subprocessors to transfer Customer Personal
Data across borders as necessary to provide the Service. Where a transfer is
subject to the GDPR and is made to a country without an adequacy decision, the
parties agree that the SCCs (and the UK Addendum, where applicable) are
incorporated into this DPA by reference and apply to that transfer. For transfers
subject to PIPEDA, Nudgy uses contractual means to ensure a comparable level of
protection while Customer Personal Data is being Processed by a Subprocessor.

## 11. Return & deletion

On termination or expiry of the Agreement, Nudgy will, at Customer's written
election and within a reasonable period, delete or return Customer Personal Data
and delete existing copies, except to the extent Nudgy is required by law to
retain it or it is contained in routine backups, which are deleted on Nudgy's
ordinary backup-rotation cycle. Personal Data retained as part of the immutable
audit trail is kept for the period and purposes described in the Privacy Policy.

## 12. Audits

Nudgy will make available to Customer information reasonably necessary to
demonstrate compliance with this DPA. Where Applicable Data Protection Laws
require, and on reasonable prior written notice, Nudgy will allow for and
contribute to audits, including inspections, conducted by Customer or an
independent auditor it mandates, subject to reasonable confidentiality and
security conditions, no more than once per year except where required by a
supervisory authority or following a Personal Data Breach. Nudgy may satisfy this
obligation by providing then-current third-party certifications or reports where
available.

## 13. Liability, term & precedence

Each party's liability arising out of or related to this DPA is subject to the
exclusions and limitations of liability set out in the Agreement. This DPA takes
effect on Customer's acceptance of the Agreement and continues for as long as
Nudgy Processes Customer Personal Data. In the event of a conflict between this
DPA and the remainder of the Agreement with respect to the Processing of Personal
Data, this DPA prevails. Except as modified here, the Agreement remains in full
force and effect, and this DPA is governed by the laws of Manitoba, Canada.

---

## Annex A — Details of Processing

**Subject matter and duration.** Processing of Customer Personal Data contained
in Customer Content for the purpose of providing the Service, for the duration of
the Agreement and the retention periods described in the Privacy Policy.

**Nature and purpose of Processing.** Hosting, storage, retrieval, indexing,
embedding, transmission to Subprocessors for AI analysis, generation and
retention of Findings and the audit trail, and deletion — all solely to provide,
secure, support, and maintain the Service.

**Types of Personal Data.** Personal Data incidentally contained in construction
specifications and drawings (for example, names, professional designations,
stamps, signatures, and contact details appearing in title blocks or revision
histories), and the identity and contact details of Customer's authorized users
(name, work email, and account identifiers).

**Categories of Data Subjects.** Customer's authorized users; and the design and
construction professionals and other individuals whose details appear in Customer
Content.

**Parties.** Controller: Customer (and any third-party Controller it represents).
Processor: Nudgy (contact: contact@nudgy.ca; address provided at signing).

## Annex B — Technical & organizational measures

Nudgy maintains measures including:

- Encryption of Personal Data in transit (TLS) and at rest by the managed
  services that hold it;
- Logical separation of data per organization and per project, enforced
  server-side on every query;
- Least-privilege access controls, with privileged service credentials confined
  to trusted server-side infrastructure;
- Ephemeral processing of drawing files: temporary working copies are deleted
  immediately after each audit;
- Use of reputable managed infrastructure and Subprocessors bound by their own
  security commitments;
- Logging and monitoring to detect, investigate, and respond to security
  incidents; and
- Procedures for breach detection, response, and notification.

## Annex C — Subprocessors

The current list of authorized Subprocessors, including each one's purpose and
processing location, is maintained at https://app.nudgy.ca/subprocessors and is
incorporated into this DPA by reference. Changes are handled as described in
Section 6.

---

## Signatures

**Customer (Controller)**

- Organization: ____________________________
- Name: ____________________________
- Title: ____________________________
- Signature: ____________________________
- Date: ____________________________

**Nudgy (Processor)**

- Entity: Nudgy
- Name: ____________________________
- Title: ____________________________
- Signature: ____________________________
- Date: ____________________________
