Legal
Data Processing Addendum
Effective date: May 28, 2026
Last updated: May 28, 2026
This Data Processing Addendum ("DPA") supplements the Terms of Service between you ("Customer," "Controller") and 26 Degrees Software LLC ("Processor," "we," "us"). It applies when we process personal data on your behalf in connection with the 26 Cloud Platform, ViewAQC, Collectus, and related services (the "Services").
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws (including GDPR Art. 4(1) and CCPA § 1798.140(v)).
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Sub-processor" means a third party engaged by us to process Personal Data on your behalf.
- "Data Protection Laws" means all applicable privacy and data protection legislation, including the GDPR (EU 2016/679), UK GDPR, and the CCPA (California Civil Code § 1798.100 et seq.).
2. Scope and roles
- You are the Controller of Personal Data uploaded to or generated within the Services.
- We are the Processor, processing Personal Data only on your documented instructions and solely for the purpose of providing the Services.
- The categories of data subjects, types of Personal Data, and purposes of processing are described in Annex A below.
3. Our obligations
- Process Personal Data only on your documented instructions, unless required by law.
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures (see Section 5).
- Assist you in responding to data subject rights requests (access, rectification, erasure, portability, restriction, and objection).
- Assist you with data protection impact assessments and prior consultations with supervisory authorities, where required.
- Notify you without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach.
- Delete or return all Personal Data upon termination of the Services, at your election, unless retention is required by law.
4. Your obligations
- Ensure that your use of the Services and your instructions to us comply with applicable Data Protection Laws.
- Provide any required notices to, and obtain any required consents from, data subjects whose Personal Data is processed through the Services.
- Ensure that Personal Data provided to us is accurate and lawfully collected.
5. Security measures
We implement and maintain the following technical and organizational measures to protect Personal Data:
- Encryption: TLS 1.3 for data in transit; AES-256 for data at rest, managed via AWS KMS.
- Access control: role-based access control (RBAC), multi-factor authentication for administrative access, and least-privilege IAM policies.
- Network security: AWS VPC isolation, WAF, and GuardDuty for threat detection.
- Audit logging: comprehensive logging via AWS CloudTrail with tamper-evident storage.
- Backup and recovery: automated cross-region backups with point-in-time recovery.
- Incident response: documented incident response procedures with defined escalation paths.
- Personnel: confidentiality agreements and security training for all personnel with access to Personal Data.
6. Sub-processors
You provide general authorization for us to engage Sub-processors to assist in providing the Services. Our current Sub-processors include:
| Sub-processor |
Purpose |
Location |
| Amazon Web Services (AWS) |
Cloud infrastructure, hosting, and data storage |
United States (primary) |
We will notify you at least 30 days before engaging a new Sub-processor. If you object to a new Sub-processor on reasonable data protection grounds, we will work with you to find an alternative solution. If no resolution is possible, you may terminate the affected Services.
We impose data protection obligations on each Sub-processor that are no less protective than those in this DPA.
7. International data transfers
If Personal Data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, we ensure that appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Implementing Decision 2021/914).
- UK International Data Transfer Addendum, where applicable.
- Supplementary technical measures (encryption, access controls) as described in Section 5.
8. Data subject rights
We will assist you in fulfilling your obligations to respond to data subject requests. If we receive a request directly from a data subject, we will promptly notify you and will not respond to the request without your instructions, unless required by law.
9. Audits
Upon reasonable request and subject to confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA. You may conduct an audit (or engage a qualified third-party auditor) no more than once per year, with at least 30 days' notice, during normal business hours.
10. Term and termination
- This DPA remains in effect for the duration of your use of the Services.
- Upon termination of the Services, we will delete or return Personal Data within 30 days at your election, and certify deletion upon request, unless retention is required by law.
11. Liability
Liability under this DPA is subject to the limitations set forth in the Terms of Service.
12. Conflict
In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.
Annex A — Details of processing
| Categories of data subjects |
Customer's employees, contractors, and collaborators who use the Services; end users whose data appears in BIM models or project documentation. |
| Types of Personal Data |
Name, email address, job title, company affiliation, IP address, usage logs, and any Personal Data contained within BIM models or project files uploaded by Customer. |
| Purpose of processing |
Providing the Services, including model hosting, coordination, quality control, analytics, AI-assisted features, user authentication, and support. |
| Duration of processing |
For the term of the Customer's subscription plus a 30-day post-termination data export period. |
13. Contact
For questions about this DPA or to exercise data rights:
26 Degrees Software LLC
9010 Strada Stell Ct #107
Naples, FL 34109, USA
Email: jason.shebert@26degreesoftware.com
Phone: +1 507-967-3826
