Data Processing Addendum
Updated: May 21, 2026
This Data Processing Addendum (“DPA”) forms part of the CompanyCam Terms & Conditions or other written or electronic agreement between CompanyCam and Customer (the “Agreement”). Customer and CompanyCam may each be referred to as “Party” and together, “Parties.”
1. DEFINITIONS
The defined capitalized terms below will have the following meanings when used in this DPA. All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Agreement or in applicable Data Protection Laws.
1.1 “Controller” means the person or entity who determines the purposes and means of the Processing of Personal Information and includes the term “Business” as similarly defined under applicable Data Protection Laws.
1.2 “Customer Personal Information” means Personal Information Processed by CompanyCam on behalf of Customer pursuant to the Agreement.
1.3 “Business Purpose” means the Processing of Customer Personal Information (i) as necessary for the provision of the Services pursuant to Agreement; (ii) as otherwise permitted by Data Protection Laws in connection with the Services; and (iii) to comply with CompanyCam’s legal obligations which do not conflict with Data Protection Laws.
1.4 “Data Protection Laws” means any applicable current and future laws, rules, regulations and guidance governing the privacy, security and protection of Personal Information processed under the Agreement, including but not limited to: (i) the US Data Protection Laws; and (ii) the European Data Protection Laws.
1.5 “Data Subject” means an identified or identifiable natural person or a “Consumer” as defined under applicable Data Protection Laws.
1.6 “Data Subject Request” means a request from an individual seeking to exercise the rights granted to Data Subjects under the Data Protection Laws which may include, the right to access, correct, opt out, restrict Processing, and data portability.
1.7 “European Data Protection Laws” means all applicable legislation applicable to data protection and privacy regarding residents of the EU, UK or Switzerland, including but not limited to: (i) the EU General Data Protection Regulation ((EU) 2016/679) (the “EU GDPR”); (ii) Directive 2002/58/EC the Privacy and Electronic Communications Regulations 2003 as amended; (iii) the EU GDPR as applicable as part of UK domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019 (as amended) (“UK GDPR”); (iv) the Swiss Federal Act on Data Protection of 1 September 2023 and its corresponding ordinances (the “FADP”); and any applicable guidance or codes of practice issued by any applicable Supervisory Authorities from time to time.
1.8 “Personal Information” or “Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. Personal Information does not include information that has been deidentified or aggregated such that the information can no longer identify or link to an individual.
1.9 “Personnel” means those employees, approved agents, or Sub-Processors that CompanyCam uses to perform its obligations or exercise its rights under the Agreement or this DPA.
1.10 “Process” or “Processing” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, such as collection, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, deletion or destruction or as otherwise defined in the Data Protection Laws.
1.11 “Processor” means the entity which Processes Personal Information on behalf of Customer and includes the term “Service Provider” as similarly defined under applicable Data Protection Laws.
1.12 “Restricted Transfer” means (i) where EU GDPR or the FADP applies, a transfer of Personal Information from the European Economic Area (“EEA”) including Switzerland to a country outside of the EEA, which is not the subject of an adequacy determination by the European Commission; and (ii) where UK GDPR applies, a transfer of Personal Information from the United Kingdom to any country which is not subject based on adequacy regulations pursuant to Section 17A of the UK Data Protection Act.
1.13 “Sub-Processor” means a third party engaged by CompanyCam or another Processor to assist in the provision of the Services and which will Process Customer Personal Information.
1.14 “Security Incident” means unauthorized loss, destruction, acquisition, use, disclosure of, or access to Customer Personal Information in CompanyCam’s possession, custody, or control and includes “Personal Data Breach” as defined in EU Data Protection Laws.
1.15 “Standard Contractual Clauses” means: in respect of Personal Data subject to GDPR, the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, including the text from Module Two; in respect of Swiss Personal Data, the EU Standard Contractual Clauses, provided that any references in the clauses to the GDPR shall refer to the FADP; the term ‘member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with clause 18(c) of the clauses and in respect of UK Personal Data, the International Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the Information Commissioner and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022 but, as permitted by Clause 17 of such Addendum, the Parties agree to change the format of the information set out in Part 1 of the Addendum so that: (i) the details of the parties in Table 1 of the Addendum shall be as set out in Appendix 1 to this DPA (with no requirement for signature); (ii) for the purposes of Table 2 of the Addendum, the Addendum shall be appended to the EU Standard Contractual Clauses (including the selection of modules and disapplication of optional clauses as noted above) and Clause 13(2)(a) below selects the option and timescales for Clause 9 of the EU Standard Contractual Clauses; (iii) the appendix information listed in Table 2 of the Addendum is set out in Appendices 2 and 3 to this DPA; and (iv) for the purposes of Table 3 of the Addendum, the following option is selected regarding which party/ies may end the Addendum as set out in Clause 19 thereof: the Data Controller only.
1.16 “Supervisory Authority” means any international, federal, state, or local agency, department, official, legislature, or any governmental or professional body, regulatory or supervisory authority, board, or other body responsible for administration of and enforcement of the Data Protection Laws with regard to CompanyCam Data Processed under this Agreement.
1.17 “US Data Protection Laws” means the US federal, state and local laws, rules, regulations and guidance related to the privacy, security and protection of Personal Information processed under the Agreement, including but not limited to: (i) the Federal Trade Commission Act, 15 U.S.C. § 45 and its implementing regulations; (ii) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 and its implementing regulations, and (iii) any other U.S. federal or state consumer privacy laws, data breach notification laws and data security laws.
2. ROLE OF THE PARTIES
For the purposes of processing of Customer’s Personal Data under the Agreement, Customer shall be regarded as a Controller and CompanyCam shall be regarded as a Processor. The Parties agree that Customer shall be the Controller and CompanyCam shall be the Processor concerning the Customer Personal Information CompanyCam Processes pursuant to the Agreement.
3. CUSTOMER OBLIGATIONS
3.1 Customer shall comply with the Data Protection Laws in connection with the Processing of Customer Personal Information as applicable to Customer as a Controller. Customer shall have sole responsibility for the accuracy, quality, and legality for the Processing of Customer Personal Information. Customer warrants that it has all rights necessary to provide the Customer Personal Information to CompanyCam for Processing in accordance with the Agreement and this DPA. Customer shall not instruct CompanyCam to Process Customer Personal Information under this DPA in a manner that Customer knows or reasonably should know, violates the Data Protection Laws that are applicable to such instructions.
3.2 Customer shall promptly inform us of any Data Subject Requests made pursuant to applicable laws that we must comply with and provide us with the information necessary for us to comply with such request.
4. DETAILS OF THE PROCESSING
This DPA includes Customer’s instructions for the Processing of Customer Personal Information by CompanyCam, including: (i) provision of the Services pursuant to the Agreement; (ii) Processing initiated by Data Subjects in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the scope of the Services described in the Agreement and the terms of this DPA.
5. PROCESSOR OBLIGATIONS
5.1 Compliance with Laws. CompanyCam shall comply with the Data Protection Laws as applicable.
5.2 Customer Instructions. CompanyCam will only Process Customer Personal Data in accordance with instructions from Customer, including those set forth in the Agreement or in this DPA, except where and to the extent otherwise required by applicable law.
5.3 Customer Compliance with Laws. CompanyCam has no obligation to monitor the compliance of Customer’s use of the Services with applicable law and CompanyCam will have no liability for harm or damages resulting from CompanyCam’s compliance with unlawful instructions received from Customer. If CompanyCam becomes aware that we cannot Process Customer Personal Data in accordance with your Instructions due to a legal requirement under any applicable law, we will notify you of that legal requirement to the extent permitted by the applicable law and, where necessary, cease all Processing until such time as you issue new Instructions. CompanyCam will not be liable to you under the Agreement for any failure to perform the applicable Services if this provision is invoked.
5.4 Security Measures. CompanyCam implements and maintains appropriate technical and organizational measures to protect Customer Personal Information that are at least as protective as those listed in Appendix 2 (“Security Measures”). CompanyCam aligns its data protection policies and practices with the American Institute of Certified Public Accountants Service Organization Control 2 (“SOC 2”). CompanyCam may modify or update the Security Measures at our discretion provided that such modification or update does not result in a lesser standard of security.
5.5 Confidentiality. CompanyCam shall ensure that all persons engaged in Processing Customer Personal Information are committed to the obligation of confidentiality.
5.6 Security Incident. CompanyCam shall notify Customer without undue delay after becoming aware of a Security Incident and provide timely information relating to the Security Incident as it becomes known or reasonably requested by Customer. CompanyCam takes reasonable steps to mitigate the impact of any such Security Incident.
5.7 Deletion of Customer Personal Information. Within 30 days after the expiration or termination of the Agreement, Customer may request in writing for CompanyCam to delete Customer Personal Information Processed in the provision of the Services. Upon Customer’s request, CompanyCam shall provide a written confirmation to Customer that CompanyCam has complied with such obligations. CompanyCam shall retain Customer Personal Information to the extent needed to comply with its business and legal obligations as allowed under applicable Data Protection Laws.
6. DATA SUBJECT REQUESTS
6.1 If CompanyCam receives a Data Subject Request that identifies Customer as the Controller, CompanyCam shall notify Customer of such Data Subject Request.
6.2 If Customer is unable to fulfill a Data Subject Request using the controls provided to Customer in the Services, upon Customer’s written request, CompanyCam shall provide reasonable assistance to Customer to fulfill Customer’s obligations to respond to the Data Subject Request to the extent required under the applicable Data Protection Laws. Customer shall provide CompanyCam with all information relevant to the Data Subject Request and the actions Customer requests of CompanyCam.
7. SUB-PROCESSORS
7.1 Notice Period and Objections. Customer authorizes CompanyCam to engage Sub-Processors. CompanyCam may continue to use those Sub-Processors already engaged by us at the effective date of this DPA, which are listed in Appendix 3. CompanyCam may engage new Sub-Processors and must update the list in Appendix 3 accordingly at least 10 days in advance of the Sub-Processor Processing Customer Personal Information (“Notice Period”). Customer may object to CompanyCam’s engagement of a new Sub-Processor by sending a written notice to CompanyCam specifically describing its objection. Customer will have authorized CompanyCam’s engagement of a new Sub-Processor should Customer fail to provide CompanyCam a written objection in compliance with this section within the Notice Period. Upon receipt of Customer’s written objection, the Parties will work together in good faith to seek a mutually agreeable solution.
7.2 Engagement. CompanyCam’s use of a Sub-Processor to assist in the Processing of Customer Personal Information shall be governed by a written agreement that requires each Sub-Processor to protect such Customer Personal Information in the same manner as required of CompanyCam under this DPA.
8. RESTRICTED TRANSFERS
8.1 Restrictions on Transfer. The Parties agree that CompanyCam shall engage in Restricted Transfers of Customer Personal Information of residents of the European Economic Area (“EEA” includes all EU member states, plus Iceland, Liechtenstein, and Norway), the United Kingdom, or Switzerland (as applicable) pursuant to the Agreement and this DPA.
8.2 Data Privacy Framework. CompanyCam is certified under the EU‑U.S. Data Privacy Framework, the UK Extension thereto, and the Swiss‑U.S. Data Privacy Framework (“DPF”). To the extent the DPF applies to a Restricted Transfer, CompanyCam will comply with the DPF Principles.
8.3 Incorporation of Standard Contractual Clauses. Transfers of Customer Personal Information of residents of the EEA, the United Kingdom or Switzerland to the United States shall take place pursuant to Module 2 of the Standard Contractual Clauses (Controller to Processor), which is incorporated by reference in a format which is mutually agreeable to the Parties and in compliance with applicable Data Protection Laws.
8.4 In addition, the Parties agree that the following optional clauses are incorporated into the EU Standard Contractual Clauses: (i) Clause 7: the optional docking clause will not apply; (ii) Clause 9: Option 2 will apply, and the time period for notice of Sub-Processor changes will be as set out in Section 7(b) of this DPA; (iii) Clause 11: the optional language will not apply; (iv) Clause 17: Option 1 will apply, and the clauses shall be governed by the laws of Ireland; (v) Clause 18(b): the courts of Ireland shall have jurisdiction; (vi) Annex I shall be deemed completed with the information set out in Annex I to this DPA; and (vii) Annex II shall be deemed completed with the information set out in Annex II to this DPA.
8.5 Transfers of UK Personal Information. In respect to transfers of Customer Personal Information of residents of the UK, the EU Standard Contractual Clauses will apply as amended by the UK Addendum, which is incorporated by reference, as though they were set out in full in this Agreement, with Customer as the “exporter” and CompanyCam as the “importer”. Tables 1, 2, and 3 of the UK Addendum will be deemed completed with the information set out in this DPA and Table 4 will be deemed completed by selecting “neither party.”
8.6 Switzerland. In respect to transfers of Customer Personal Information of residents of Switzerland, the EU Standard Contractual Clauses will apply with the following modifications: references to the GDPR will be understood as references to Swiss law and references to “Member State” will not be read to prevent data subjects in Switzerland from suing for their rights in Switzerland.
9. RESPONSE TO COMPLAINTS AND REQUESTS
CompanyCam will notify Customer in the event it receives a complaint, notice, inquiry or communication from a Supervisory Authority that relates to the Processing of Customer Personal Information or the Parties’ compliance with the Data Protection Laws.
10. AUDITS
10.1 Audits. Upon written request by Customer, CompanyCam will respond to Customer’s data security questionnaire on an annual basis. Upon Customer’s request, CompanyCam’s most recent SOC 2 Type II report shall be made available to Customer subject to the confidentiality obligations set forth in the Agreement.
Should Customer identify any unauthorized Processing of Customer Personal Information, Customer shall provide written notice to CompanyCam. The Parties agree to work together in good faith to remediate such Processing.
10.2 Data Protection Impact Assessment. To the extent a data protection impact assessment or similar assessment is required under applicable Data Protection Laws, CompanyCam shall provide Customer with reasonable assistance needed to carry out such an assessment related to Customer’s use of the Services, if Customer does not otherwise have access to the relevant information and to the extent such information is available to CompanyCam.
11. LIMITATION OF LIABILITY
Each Party’s liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement.
12. ADDITIONAL TERMS
12.1 Term; Survival. This DPA shall be effective as of the Effective Date of the Agreement and shall continue in full force and effect until the expiration or termination of the Agreement.
12.2 Relationship to Agreement. The requirements set forth in this DPA are in addition to, and not in place of, any similar requirements set forth in the Agreement. Notwithstanding anything contrary to the Agreement, to the extent of any conflict or inconsistency between the terms of this DPA and the Agreement, this DPA shall govern.
ANNEX
ANNEX I.A. – LIST OF PARTIES
Data exporter/Controller:
Name: Customer listed in the applicable Agreement.
Address: Address listed in the applicable Agreement.
Contact person’s name, position and contact details: Contact person listed in the applicable Agreement.
Activities relevant to the data transferred under these Clauses: Processing to carry out the Services pursuant to the Agreement.
Data importer/Processor:
Name: CompanyCam, Inc.
Address: 300 Canopy Street, Suite 200, Lincoln, NE 68508
Contact person’s name, position and contact details: Privacy Legal Counsel, privacy@companycam.com
ANNEX I.B. – DESCRIPTION OF TRANSFER
Categories of Data Subjects whose Personal Data is transferred:
Customer’s Authorized Users of the Services including Customer employees, contractors, collaborators, customers, prospects, vendors, suppliers and subcontractors.
Customer’s clients and contacts as may be captured in project descriptions and photos.
Categories of Personal Data transferred: Personal Data required to provide the Services, including: Contact Information and any other Personal Data submitted by Customer to CompanyCam.
Frequency of the transfer: Continuous
Nature of Processing: Provision of the Services under the Agreement.
Purpose of the data transfer and further Processing: CompanyCam will process Personal Data as necessary to provide the Services pursuant to the Agreement.
The period for which the Personal Data will be retained: Duration of the Agreement, unless otherwise instructed by the Customer and as needed to comply with CompanyCam’s business and legal obligations under the applicable Data Protection Laws.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the Processing: Sub-processors Process Personal Data to provide the Services described in the Agreement.
ANNEX I.C. – COMPETENT SUPERVISORY AUTHORITY
For EU Personal Data: the Irish Data Protection Commission;
For Swiss Personal Data: the Swiss Federal Data Protection and Information Commissioner.
For UK Personal Data: UK Information Commissioner’s Office.
ANNEX 2
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
We currently observe the Security Measures described in this Annex 2. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement. For more information on these security measures, please refer to CompanyCam’s SOC 2 Type 2 Report and Penetration Test Summaries, available at https://companycam.com/trust‑c….
Preventing Unauthorized Product Access
Outsourced processing: We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II, among other certifications.
Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer Data is stored in storage systems accessible to Customers via only application user interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in our product is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key.
Preventing Unauthorized Product Use
Industry standards: We implement industry-standard access controls and detection capabilities for the internal networks that support our products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Penetration testing: We perform an annual penetration test. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
Limitations of Privilege & Authorization Requirements
Product access: A subset of our employees have access to the product and to Customer Data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, troubleshoot potential problems, detect and respond to security incidents and implement data security. Employee roles are reviewed at least once every twelve months.
Employee Security: All CompanyCam, Inc. employees undergo reference checks prior to being extended an employment offer, in accordance with and as permitted by the applicable laws and sign Confidentiality Agreements. All CompanyCam, Inc. employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards and sign off on our internal policies annually.
Transmission Control
In-transit: We make HTTPS encryption (also referred to as SSL or TLS) available on every one of our Service login interfaces. Our HTTPS implementation uses industry-standard algorithms and certificates.
At-rest: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest.
Input Control
Detection: We designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel are responsive to known incidents.
Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to You will be in accordance with the terms of the Agreement and DPA.
Availability Control
Infrastructure availability: Our infrastructure providers use commercially reasonable efforts to ensure industry-standard uptime as set forth in the Agreement. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Backup and recovery: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer Data is backed up to multiple durable data stores and replicated across multiple availability zones. Recovery strategies are tested at least annually.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry-standard methods.
ANNEX 3
LIST OF SUB-PROCESSORS
| Sub-Processor | Location | Service |
|---|---|---|
| Amazon Web Services | United States | Cloud server |
| Amplitude, Inc. | United States | Analytics |
| Anthropic, PBC | United States | Access to internal systems via MCPs |
| Bugsnag | United States | Analytics |
| DataDog, inc. | United States | Monitoring and security |
| Google, LLC | United States | Infrastructure, analytics, and communication |
| Hex Technologies Inc. | United States | Analytics |
| Intercom, Inc. | United States | Customer Service |
| Honeybadger | United States | Analytics |
| Marketo, Inc. | United States | Transactional and marketing |
| Omni Analytics, Inc. | United States | Analytics |
| Salesforce, Inc. | United States | Customer account management |
| Snowflake, Inc. | United States | Data storage |
| Snowplow | United States | Analytics |
| Stripe, Inc. | United States | Finance |
| Twilio Inc. | United States | Transactional and marketing messages |