Data Processing Agreement
Effective date: 1 March 2026
This Data Processing Agreement (“DPA”) forms part of the service agreement between the Controller (the general contractor using LINTEL) and the Processor (LINTEL BUILD LTD (trading as LINTEL), a company registered in England and Wales with company number 17061261, contact: oliver@lintel.build).
This DPA is entered into pursuant to Article 28 of the UK General Data Protection Regulation (“UK GDPR”) and sets out the terms on which the Processor processes personal data on behalf of the Controller when providing the LINTEL service.
In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of personal data.
1. Definitions
In this DPA, the following terms have the meanings given below. Terms not defined here have the meanings given in the UK GDPR or the Terms of Service.
- “Controller” means the general contractor who uses LINTEL and determines the purposes and means of processing personal data of recipients.
- “Processor” means LINTEL BUILD LTD (trading as LINTEL), a company registered in England and Wales with company number 17061261, which processes personal data on behalf of the Controller.
- “Personal Data” means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the LINTEL service.
- “Processing” means any operation or set of operations performed on Personal Data, including collection, recording, storage, retrieval, transmission, erasure, and destruction.
- “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- “Data Subject” means the individual to whom the Personal Data relates.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Scope and roles
The Controller engages the Processor to provide the LINTEL document-request and intake service. In the course of providing this service, the Processor processes Personal Data on behalf of the Controller as described in Appendix A.
The Controller is the data controller and the Processor is the data processor within the meaning of UK GDPR Article 4.
This DPA applies for the duration of the service agreement between the parties. It shall automatically terminate when the Processor ceases to process Personal Data on behalf of the Controller.
3. Controller obligations
The Controller shall:
- Ensure it has a lawful basis under UK GDPR for providing recipient Personal Data (email addresses, phone numbers) to the Processor.
- Inform Data Subjects about the processing of their Personal Data by the Processor, including by reference to the Controller’s own privacy notice.
- Ensure that any instructions given to the Processor regarding the processing of Personal Data comply with applicable data protection law.
- Maintain a record of processing activities as required under Article 30 of UK GDPR.
4. Processor obligations — instructions
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data outside the UK, unless required to do so by applicable law. The documented instructions are: (a) to process Personal Data as necessary to provide the LINTEL service as described in the Terms of Service, and (b) any additional written instructions agreed between the parties.
- Immediately inform the Controller if, in the Processor’s opinion, an instruction infringes UK GDPR or other applicable data protection law.
5. Confidentiality
The Processor shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The Processor shall not disclose Personal Data to any third party except as permitted under this DPA (including to approved Sub-processors) or as required by applicable law.
6. Security measures
The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Appendix B. These measures include:
- Encryption of Personal Data in transit (TLS/HTTPS) and at rest (Supabase managed encryption)
- AES-GCM encryption of stored Procore OAuth access and refresh tokens
- Row Level Security (RLS) on all database tables, enforcing organisation-scoped access controls
- Unguessable UUID-based upload links
- CSRF-protected OAuth state tokens with automatic 10-minute expiry
- File type validation on upload (PDF by default; JPEG when photo uploads are enabled for the organisation), with a 50 MB maximum file size
- Service-role isolation in server-side edge functions
- Access controls limiting Processor personnel access to production data
The Processor shall regularly review and, where necessary, update these measures taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, and the risks to Data Subjects.
7. Sub-processors
The Controller provides general written authorisation for the Processor to engage Sub-processors to assist in providing the LINTEL service, subject to the following conditions:
- The current list of approved Sub-processors is set out in Appendix C.
- The Processor shall inform the Controller of any intended changes to the Sub-processor list (additions or replacements) by providing at least 30 days’ prior written notice.
- The Controller may object to a new Sub-processor on reasonable data protection grounds within 14 days of receiving notice. If the objection cannot be resolved, the Controller may terminate the service agreement.
- The Processor shall impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, by way of a written contract.
- The Processor remains fully liable to the Controller for the performance of each Sub-processor’s obligations.
8. Data subject rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under UK GDPR (including access, rectification, erasure, restriction, portability, and objection), taking into account the nature of the processing.
If the Processor receives a request directly from a Data Subject, the Processor shall promptly redirect the Data Subject to the Controller and notify the Controller of the request, unless otherwise instructed.
9. Data breach notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Data Breach affecting Personal Data processed under this DPA.
The notification shall include, to the extent reasonably available:
- A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected
- The name and contact details of the Processor’s point of contact for further information
- A description of the likely consequences of the Data Breach
- A description of the measures taken or proposed to address the Data Breach, including measures to mitigate any adverse effects
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.
10. International data transfers
The Processor stores primary data in the EU West (Ireland) region via Supabase. Where Personal Data is transferred to Sub-processors located outside the UK and the European Economic Area (specifically, Resend, Twilio, and Stripe in the United States), the Processor relies on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs) as approved by the European Commission, with the UK International Data Transfer Agreement (IDTA) or UK Addendum
- Binding Corporate Rules (BCRs) where maintained by the Sub-processor
Details of each Sub-processor’s data residency and applicable transfer mechanism are set out in Appendix C.
Data transferred to Procore is governed by the Controller’s own agreement with Procore Technologies Inc.
11. Audit rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and Article 28 of UK GDPR.
The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:
- The Controller shall provide at least 30 days’ written notice of an audit request
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor’s operations
- The Controller shall bear its own costs of conducting the audit
- The scope of the audit shall be limited to the Processor’s compliance with this DPA
- Any auditor mandated by the Controller shall be bound by appropriate confidentiality obligations
12. Deletion and return of data
On termination of the service agreement, or upon the Controller’s written request, the Processor shall, at the Controller’s election:
- Return all Personal Data to the Controller in a structured, commonly used, machine-readable format; or
- Delete all Personal Data and confirm deletion in writing
Unless retention is required by applicable law, the Processor shall complete deletion or return within 30 days of the request or termination date.
The Processor may retain Personal Data to the extent required by applicable law, provided the Processor ensures continued confidentiality and limits processing to the purposes required by law.
13. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except that nothing in this DPA or the Terms of Service limits either party’s liability for breaches of its obligations under applicable data protection law to the extent such limitation is not permitted by law.
14. Term and termination
This DPA commences on the date the Controller first uses the LINTEL service and continues for the duration of the service agreement.
Either party may terminate the service agreement (and consequently this DPA) by providing 30 days’ written notice.
Clauses that by their nature should survive termination (including confidentiality, liability, deletion/return of data, and audit rights) shall survive.
15. Governing law
This DPA is governed by and construed in accordance with the laws of England and Wales. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
16. Appendix A — Processing details
| Subject matter | Processing of personal data for the purpose of document-request intake and write-back to Procore on behalf of the Controller. |
|---|---|
| Duration | For the duration of the service agreement between the Controller and the Processor. |
| Nature and purpose | Receiving document requests from the Controller; delivering upload links to recipients via email and/or SMS; receiving uploaded documents (PDF and, where enabled, JPEG) from recipients; applying the Controller’s naming policy to generate compliant filenames; writing documents to the Controller’s Procore project via API; maintaining audit trail of request lifecycle events. |
| Types of personal data | |
| Categories of data subjects | Subcontractor employees and representatives whose contact details are provided by the Controller for the purpose of receiving document upload requests. |
17. Appendix B — Technical and organisational measures
| Measure | Implementation |
|---|---|
| Encryption in transit | All connections use TLS/HTTPS. No unencrypted endpoints are exposed. |
| Encryption at rest | Supabase provides managed encryption at rest for the PostgreSQL database and object storage. |
| Application-level encryption | Procore OAuth access and refresh tokens are encrypted using AES-GCM with a dedicated encryption key, stored separately from the ciphertext. |
| Access control | Row Level Security (RLS) is enabled on all database tables, enforcing organisation-scoped access. Users can only access data belonging to their own organisation. |
| Upload link security | Upload links use unguessable UUID v4 identifiers. Links are not sequential or predictable. |
| OAuth security | Procore OAuth state parameters are CSRF-protected and automatically expire after 10 minutes. |
| Input validation | Uploads are restricted by MIME type validation (PDF by default; JPEG when photo uploads are enabled for the organisation) with a maximum file size of 50 MB. |
| Service isolation | Server-side edge functions use a service-role Supabase client, isolated from client-side access tokens. |
| File handling | Uploaded files are read into memory and written directly to Procore. They are not persisted in LINTEL’s storage infrastructure. |
| Infrastructure provider | Supabase Inc (SOC 2 Type II certified) provides database, authentication, edge functions, and storage hosting in EU West (Ireland). |
18. Appendix C — Approved sub-processors
| Sub-processor | Role | Data processed | Data residency | Transfer safeguard |
|---|---|---|---|---|
| Supabase Inc | Database, authentication, edge functions, object storage | All Personal Data described in Appendix A; GC account data; organisation logos | EU West (Ireland) | N/A (EU-based hosting) |
| Resend (Plus Five Five, Inc) | Transactional email delivery | Recipient email addresses, notification content | United States | SCCs with UK IDTA / UK Addendum |
| Twilio Inc | SMS notification delivery | Recipient phone numbers, notification content | United States | BCRs and SCCs with UK IDTA / UK Addendum |
| Procore Technologies Inc | Destination platform (document write-back via API) | Uploaded document content and metadata, Procore project/folder identifiers | Per the Controller’s own Procore agreement | Per the Controller’s own Procore agreement |
| Stripe, Inc | Subscription billing and payment processing | GC billing contact email address, payment method tokens, invoice metadata | United States | SCCs with UK IDTA / UK Addendum |
This Sub-processor list is current as of the effective date. Changes will be communicated to the Controller in accordance with Section 7 of this DPA.
19. Appendix D — US / CCPA Service Provider Addendum
This Appendix applies where the Controller is subject to the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”) or other comparable US state privacy laws.
Service provider classification
For the purposes of the CCPA/CPRA, the Processor acts as a service provider (as defined in California Civil Code § 1798.140(ag)) with respect to Personal Data received from the Controller.
Contractual commitments
The Processor shall:
- Process Personal Data solely for the specific business purposes set out in this DPA and the Terms of Service
- Not retain, use, or disclose Personal Data for any purpose other than performing the services specified in this DPA, including any commercial purpose other than providing the services
- Not sell or share Personal Data (as those terms are defined under the CCPA/CPRA)
- Not combine Personal Data received from the Controller with Personal Data received from or on behalf of another person, or collected from the Processor’s own interactions with Data Subjects, except as permitted by the CCPA/CPRA to perform the services
- Notify the Controller if the Processor determines it can no longer meet its obligations under the CCPA/CPRA
- Cooperate with the Controller to respond to verifiable consumer requests exercising rights under the CCPA/CPRA (including requests to know, delete, correct, and opt out)
- Grant the Controller reasonable rights to take steps to ensure the Processor uses Personal Data in a manner consistent with the Controller’s obligations under the CCPA/CPRA
Sub-contractor flow-down
Where the Processor engages Sub-processors, the Processor shall ensure each Sub-processor is contractually bound by obligations no less protective than those set out in this Appendix.
20. Execution
This DPA is entered into and becomes binding on both parties upon the earlier of: (a) the date of the last signature below, or (b) the date the Controller first uses the LINTEL service.
| Controller | Processor |
|---|---|
| Organisation: ___________________________ | Organisation: LINTEL BUILD LTD |
| | Company number: 17061261 |
| Signed: ___________________________ | Signed: ___________________________ |
| Print name: ___________________________ | Print name: Oliver Clegg |
| Title: ___________________________ | Title: Director |
| Date: ___________________________ | Date: ___________________________ |