Data Processing Agreement

GDPR Compliant DPA Template

Important Notice

This is a template DPA for use between Build Vision LLC and its data processors. Both parties must complete, review, and sign this agreement before processing any personal data. Consult legal counsel to ensure compliance with your specific requirements.

This Data Processing Agreement (“DPA”) forms part of the Agreement for services between:

Data Controller:

Build Vision LLC
EIN: 61-2246015
1309 Coffeen Avenue, Suite 120
Sheridan, Wyoming 82801
United States
(“Controller”)

Data Processor:

To be completed by Processor
Company Name: _______________________
Address: _______________________
Country: _______________________
(“Processor”)

Effective Date: August 19, 2025

1. DEFINITIONS

1.1 “Data Protection Laws” means all applicable laws and regulations relating to processing of personal data and privacy, including:

  • The General Data Protection Regulation (EU) 2016/679 (“GDPR”)
  • The UK Data Protection Act 2018
  • The Swiss Federal Data Protection Act
  • Any other applicable data protection laws

1.2 “Personal Data” means any information relating to an identified or identifiable natural person as defined under Data Protection Laws.

1.3 “Processing” means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

1.4 “Data Subject” means the individual to whom Personal Data relates.

1.5 “Sub-processor” means any processor engaged by the Processor to process Personal Data on behalf of the Controller.

2. PROCESSING OF PERSONAL DATA

2.1 Scope and Purpose

The Processor shall process Personal Data only for the following purposes:

  • Provision of agreed services as outlined in the Service Agreement
  • Technical support and maintenance
  • Service improvement and optimization
  • Compliance with legal obligations

2.2 Categories of Data Subjects

  • Website visitors
  • Customers and prospective customers
  • Business contacts
  • Property inquirers
  • Newsletter subscribers
  • Real estate agents and partners

2.3 Types of Personal Data

  • Contact information (name, email, phone, address)
  • Technical data (IP addresses, browser data, device information)
  • Transaction data and payment information
  • Communication preferences
  • Property search preferences and saved properties
  • Inquiry history and correspondence
  • Authentication credentials

2.4 Duration of Processing

Processing shall continue for the duration of the Agreement, unless otherwise agreed in writing.

3. PROCESSOR OBLIGATIONS

3.1 Compliance with Instructions

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Immediately inform the Controller if instructions infringe Data Protection Laws
  • Not process Personal Data for any purpose other than those set out in this DPA

3.2 Confidentiality

The Processor shall ensure that persons authorized to process Personal Data:

  • Are subject to confidentiality obligations
  • Process Personal Data only as required for the services
  • Are informed of the confidential nature of the Personal Data

3.3 Security Measures

The Processor shall implement appropriate technical and organizational measures, including:

  • Pseudonymization and encryption of Personal Data
  • Ensuring ongoing confidentiality, integrity, availability, and resilience of systems
  • Ability to restore availability and access to Personal Data in a timely manner
  • Regular testing and evaluation of security measures
  • Adherence to approved codes of conduct or certification mechanisms

3.4 Sub-processors

The Processor shall:

  • Not engage sub-processors without prior written consent from the Controller
  • Maintain a list of approved sub-processors (see Annex 1)
  • Ensure sub-processors are bound by equivalent data protection obligations
  • Remain fully liable for sub-processor performance
  • Notify the Controller of any intended changes to sub-processors with 30 days notice

3.5 Data Subject Rights

The Processor shall:

  • Assist the Controller in responding to data subject requests within 5 business days
  • Implement appropriate measures to facilitate the exercise of data subject rights
  • Not respond directly to data subjects without Controller authorization

3.6 Personal Data Breach

The Processor shall:

  • Notify the Controller without undue delay (within 24 hours) upon becoming aware of a breach
  • Provide full details including:
    • Nature of the breach
    • Categories and approximate number of data subjects affected
    • Categories and approximate number of records affected
    • Likely consequences
    • Measures taken or proposed to address the breach
  • Cooperate with the Controller in investigating and remediating breaches
  • Not inform third parties without Controller consent

3.7 Data Protection Impact Assessment

The Processor shall provide reasonable assistance for:

  • Data protection impact assessments
  • Prior consultations with supervisory authorities

3.8 Deletion or Return of Personal Data

Upon termination, the Processor shall:

  • At the Controller's choice, delete or return all Personal Data
  • Delete existing copies unless required by law
  • Certify compliance with deletion requirements

4. INTERNATIONAL TRANSFERS

4.1 Transfer Restrictions

The Processor shall not transfer Personal Data outside the EEA without:

  • Prior written consent from the Controller
  • Appropriate safeguards as required by GDPR Article 46
  • Compliance with Chapter V of the GDPR

4.2 Transfer Mechanisms

Where transfers are authorized, they shall be subject to:

  • Standard Contractual Clauses (Module 2: Controller to Processor)
  • Adequacy decisions
  • Other valid transfer mechanisms under Data Protection Laws

5. AUDIT AND COMPLIANCE

5.1 Audit Rights

The Controller may:

  • Conduct audits with 30 days written notice
  • Request evidence of compliance
  • Inspect processing facilities and systems
  • Appoint third-party auditors (subject to confidentiality)

5.2 Cooperation

The Processor shall:

  • Maintain records of processing activities
  • Provide information necessary to demonstrate compliance
  • Contribute to audits and inspections

6. LIABILITY AND INDEMNIFICATION

6.1 Processor Liability

The Processor shall be liable for damages arising from:

  • Failure to comply with GDPR obligations specific to processors
  • Acting outside or contrary to Controller instructions
  • Any breach of this DPA

6.2 Indemnification

The Processor shall indemnify the Controller against:

  • Regulatory fines resulting from Processor's breach
  • Claims from data subjects due to Processor's non-compliance
  • Costs and damages from Processor's violation of this DPA

7. GENERAL PROVISIONS

7.1 Term: This DPA shall remain in effect for the duration of the Agreement.

7.2 Governing Law: This DPA shall be governed by the laws of the State of Wyoming, United States.

7.3 Jurisdiction: Disputes shall be resolved in the courts of Wyoming, United States.

7.4 Severability: If any provision is invalid or unenforceable, the remainder shall continue in effect.

7.5 Entire Agreement: This DPA constitutes the entire agreement regarding data processing and supersedes all prior agreements.

8. CONTACT INFORMATION

Controller's Data Protection Contact:

Name: Data Protection Officer
Email: dpo@pygrealestate.com
Phone: +1 231 888 8804

Processor's Data Protection Contact:

To be completed by Processor
Name: _______________________
Email: _______________________
Phone: _______________________

SIGNATURES

For the Controller:

Signature

Name: _______________________

Title: _______________________

Date: _______________________

For the Processor:

Signature

Name: _______________________

Title: _______________________

Date: _______________________

ANNEX 1: LIST OF APPROVED SUB-PROCESSORS

Sub-processor NameLocationProcessing ActivitiesDate Approved
To be completed based on specific processor's sub-processors

ANNEX 2: TECHNICAL AND ORGANIZATIONAL MEASURES

A. Technical Measures

1. Access Control

  • Multi-factor authentication
  • Role-based access controls
  • Regular access reviews

2. Data Encryption

  • Encryption at rest (AES-256)
  • Encryption in transit (TLS 1.2+)
  • Key management procedures

3. System Security

  • Firewalls and intrusion detection
  • Regular security patches
  • Anti-malware protection

4. Data Backup

  • Regular automated backups
  • Secure backup storage
  • Tested restoration procedures

B. Organizational Measures

1. Personnel

  • Background checks
  • Confidentiality agreements
  • Regular training on data protection

2. Physical Security

  • Secured facilities
  • Access logging
  • Environmental controls

3. Incident Response

  • Documented response plan
  • Designated response team
  • Regular drills and updates

4. Business Continuity

  • Disaster recovery plan
  • Redundant systems
  • Regular testing

ANNEX 3: STANDARD CONTRACTUAL CLAUSES

If international transfers are involved, the appropriate EU Standard Contractual Clauses (Module 2: Controller to Processor) shall be incorporated by reference and form an integral part of this Agreement.

The current version of the Standard Contractual Clauses can be found at: EUR-Lex Decision 2021/914