Data Processing Agreement

Effective Date: [TO BE INSERTED ON EXECUTION] Last Updated: May 2, 2026 Version: 1.0

This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the Terms of Service, Master Service Agreement, or other written agreement (the “Principal Agreement”) between Flikt.AI (“Flikt.AI,” “we,” “us,” or “Processor”) and the customer identified in the Principal Agreement (“Customer” or “Controller”). This DPA governs the processing of Personal Data by Flikt.AI on behalf of Customer.

In the event of any conflict between this DPA and the Principal Agreement, this DPA controls with respect to the processing of Personal Data.

How to execute this DPA. No signature is required. Customer’s continued use of the Flikt.AI platform after the Effective Date of the most recent version of this DPA constitutes acceptance. Customers who require a counter-signed copy may email legal@flikt.ai to request one.

Definitions
Processing of Personal Data
Sub-processors
Security Measures
International Data Transfers
Data Subject Rights
Security Incidents
Audits
Data Retention
Confidentiality
Data Return and Deletion
Liability
General

Annex I — Description of Transfer Annex II — Technical and Organizational Measures Annex III — Sub-processors

1. Definitions

1.1. Capitalized terms not defined in this DPA have the meanings given to them in the Principal Agreement, in the GDPR, or in applicable Data Protection Laws.

1.2. For purposes of this DPA:

“Controller” means the entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Processor” means an entity that Processes Personal Data on behalf of the Controller.
“Sub-processor” means any third party engaged by Flikt.AI to Process Personal Data on Customer’s behalf.
“Personal Data” has the meaning given in Article 4(1) GDPR and includes any analogous defined term under Data Protection Laws (e.g., “personal information” under CCPA/CPRA).
“Process” or “Processing” has the meaning given in Article 4(2) GDPR.
“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under this DPA, including the EU GDPR, the UK GDPR, the Swiss Federal Act on Data Protection (FADP), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and any other applicable U.S. state privacy laws (Virginia, Colorado, Connecticut, Utah, Texas, Florida, etc.).
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission Decision (EU) 2021/914 of June 4, 2021, Module Two (Controller to Processor).
“UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office, version B1.0, in force March 21, 2022.
“Customer Data” means data — including Personal Data — that Customer or its end users upload to or generate within the Flikt.AI platform.
“Security Incident” means a confirmed breach of Flikt.AI’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by Flikt.AI on behalf of Customer.

2. Processing of Personal Data

2.1. Roles and Scope

Customer is the Controller of Customer Data (or, where Customer is itself a Processor for its own end customers, Customer is the Processor and Flikt.AI is its Sub-processor). Flikt.AI Processes Personal Data only as a Processor acting on Customer’s documented instructions.

2.2. Subject Matter and Duration

Subject matter: Flikt.AI’s Processing of Personal Data contained in construction documents (PDF plan sets, specifications, schedules, RFIs, and related project artifacts) for the purpose of providing AI-assisted conflict-detection analysis and generating conflict reports.

Duration: From the Effective Date of the Principal Agreement until termination or expiration of the Principal Agreement, plus the post-termination periods set forth in Sections 9 (Data Retention) and 11 (Data Return and Deletion).

2.3. Nature and Purpose of Processing

Flikt.AI Processes Customer Data to:

ingest and render PDF plan sets;
extract elements from plans using a combination of text extraction and AI-assisted vision analysis;
cross-reference elements across architectural, structural, mechanical, electrical, plumbing, fire, civil, landscape, and interior-design disciplines;
produce conflict reports including severity classifications, location citations, and cost-impact estimates;
deliver reports to Customer via the Flikt.AI portal and (with Customer’s consent) email; and
provide ongoing platform operation, support, debugging, and security monitoring.
Improving Flikt.AI’s conflict-detection capability through prompt tuning, expansion of Flikt.AI’s internal reference library of construction patterns and conflict types, and benchmarking of detection accuracy on real plan sets. Customer Data is not shared with any third party (including any AI model provider) for this internal-improvement purpose.

2.4. Categories of Data Subjects

The Personal Data Processed concerns the following categories of data subjects, as they appear within Customer-uploaded documents:

Architects, engineers, and licensed design professionals (names, license numbers, professional stamps, signatures, contact information appearing on plan title blocks);
Property owners and developers (names, organizational affiliations, addresses);
General contractors, subcontractors, consultants, and other project participants whose names appear on plans;
Tenants in retail, multifamily, or commercial fit-out plans whose identifying information appears in tenant criteria documents;
Customer’s own employees and authorized users of the Flikt.AI platform.

2.5. Types of Personal Data Processed

Names, business contact information, and professional license numbers
Property addresses, project identifiers, and unit numbers
Authentication and account data for Customer’s authorized users (email, hashed credentials managed by sub-processor, IP address, device metadata)
Communication metadata (timestamps, sender/recipient of report-ready emails)
Usage data (login times, API calls, feature usage)

Flikt.AI does not intentionally Process special categories of Personal Data (Article 9 GDPR). If Customer’s plan sets contain special-category data (e.g., health-care occupancy plans referencing patient capacity), Customer is responsible for assessing the lawful basis for such Processing and notifying Flikt.AI before upload.

2.6. Customer Instructions

The Principal Agreement and this DPA constitute Customer’s complete and final documented Processing instructions. Customer may issue additional instructions in writing (email to legal@flikt.ai suffices). Flikt.AI will inform Customer if it believes an instruction violates Data Protection Laws.

3. Sub-processors

3.1. General Authorization

Customer grants Flikt.AI a general authorization to engage Sub-processors, subject to the terms of this Section 3.

3.2. Current Sub-processor List

The current list of Sub-processors is included in Annex III to this DPA and is also published at flikt.ai/legal/sub-processors (or such other URL as Flikt.AI may designate). The list includes the Sub-processor’s name, role, and the location of Processing.

3.3. Notification of Changes

Flikt.AI will provide at least 30 days’ advance notice of new or replacement Sub-processors by updating the published Sub-processor list and notifying Customers who have subscribed to sub-processor change notifications. To subscribe, Customer may email legal@flikt.ai.

3.4. Right to Object

If Customer reasonably objects to a new Sub-processor on data-protection grounds within 15 days of notification, Flikt.AI will use reasonable efforts to make available a commercially reasonable change to the platform that avoids Processing of Personal Data by the objected-to Sub-processor. If no such change is feasible, Customer may terminate the affected portion of the Principal Agreement upon written notice to Flikt.AI.

3.5. Sub-processor Obligations

Flikt.AI will impose data-protection terms on each Sub-processor that are no less protective than those in this DPA. Flikt.AI remains liable to Customer for any breach by a Sub-processor of those obligations.

4. Security Measures

Flikt.AI implements and maintains appropriate technical and organizational measures (TOMs) to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The current TOMs are described in Annex II and include:

Encryption of Customer Data at rest using AES-256 and in transit using TLS 1.2 or higher
Tenant logical isolation at the application and database layer
Role-based access controls and least-privilege provisioning for Flikt.AI personnel
Authentication using a third-party identity provider with RS256-signed JWT session tokens
Continuous infrastructure monitoring and intrusion detection
Daily encrypted backups with point-in-time recovery
Documented secure software development lifecycle, including code review and dependency-vulnerability scanning
Personnel confidentiality undertakings and security training

Flikt.AI may update its TOMs from time to time, provided that the level of protection is not materially decreased.

5. International Data Transfers

5.1. Transfer Mechanism

To the extent that Flikt.AI’s Processing involves transfers of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country not covered by an adequacy decision, the parties agree that the Standard Contractual Clauses, with the modules and clauses indicated below, are incorporated by reference into this DPA and apply to such transfers:

EU/EEA transfers: SCCs Module Two (Controller to Processor), in the form approved by Commission Implementing Decision (EU) 2021/914.
UK transfers: SCCs as above, supplemented by the UK Addendum (B1.0).
Swiss transfers: SCCs as above, with references to “GDPR” and “EU Member State law” interpreted as references to the Swiss FADP and Swiss law respectively, and with the Swiss Federal Data Protection and Information Commissioner (FDPIC) treated as the supervisory authority.

5.2. SCC Selections

For purposes of the SCCs:

Module Two (Controller to Processor) applies. (If Customer is itself a Processor and Flikt.AI is its Sub-processor, Module Three applies.)
Clause 7 (Docking Clause): not used.
Clause 9(a) (Sub-processors): Option 2 (general written authorization), with the 30-day notification period set in Section 3.3 of this DPA.
Clause 11(a) (Independent Dispute Resolution by data subjects): the optional language is not adopted.
Clause 17 (Governing Law): the laws of Ireland, unless local mandatory law requires otherwise.
Clause 18 (Forum and Jurisdiction): Ireland.
Annex I.A (Parties), Annex I.B (Description of Transfer), Annex II (Technical and Organizational Measures), Annex III (Sub-processors) are completed by reference to Annexes I, II, and III of this DPA.

5.3. Transfer Impact Assessment

On request, Flikt.AI will provide the information reasonably necessary to assist Customer with a transfer impact assessment, including details about Sub-processor locations, data flows, and applicable law-enforcement disclosure regimes.

6. Data Subject Rights

Flikt.AI will assist Customer in responding to data subject rights requests as required by Article 28(3)(e) GDPR and analogous Data Protection Laws. If Flikt.AI receives a request directly from a data subject identifying Customer, it will redirect the data subject to Customer without undue delay. Where the Flikt.AI platform provides self-service tools (export, correction, deletion), Customer uses those tools to respond.

7. Security Incidents

Flikt.AI will notify Customer without undue delay, and in any event within 72 hours of becoming aware, of any Security Incident affecting Customer’s Personal Data. Notice will be sent to the email address on file in Customer’s account and will include the information required by Article 33(3) GDPR to the extent then known. Flikt.AI will cooperate in good faith with Customer’s investigation and any required notifications to supervisory authorities or data subjects. Notification is not an admission of fault or liability.

8. Audits

Customer may exercise its audit rights under Article 28(3)(h) GDPR and Clause 8.9 of the SCCs. On reasonable written request (no more than once per twelve-month period, except after a confirmed Security Incident or as required by a supervisory authority), Flikt.AI will provide a summary of TOMs (Annex II), any third-party audit reports or certifications it then holds, and responses to a reasonable security questionnaire (SIG-Lite, CAIQ-Lite, or equivalent). If documentation is insufficient, Customer may commission a qualified third-party auditor on 30 days’ written notice and at Customer’s expense, subject to Flikt.AI’s reasonable approval and the protection of other customers’ confidentiality. All audit information is Flikt.AI’s Confidential Information.

9. Data Retention

Flikt.AI retains Customer Data only for the periods necessary to provide the platform, comply with legal obligations, resolve disputes, and enforce agreements. The detailed retention schedule appears in the Privacy Policy (Section 5). Personal Data within Customer Data is retained for the same periods unless Customer instructs otherwise.

10. Confidentiality

Flikt.AI ensures that any personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations.

11. Data Return and Deletion

Upon termination or expiration of the Principal Agreement, and at Customer’s election, Flikt.AI will:

return all Customer Data to Customer in a structured, commonly used, machine-readable format; or
delete all Customer Data from production systems.

Customer’s election must be communicated in writing within 30 days of termination. Absent such election, Flikt.AI will delete Customer Data within 60 days of termination. Backups containing Customer Data are deleted in accordance with Flikt.AI’s documented backup-retention schedule (currently 35 days from the date of backup creation), after which point they are unrecoverable.

12. Liability

Each party’s liability arising out of or related to this DPA — whether in contract, tort, or under any other theory of liability — is subject to the limitations and exclusions set forth in the Principal Agreement.

13. General

13.1. Order of Precedence. This DPA prevails over the Principal Agreement to the extent of any conflict relating to the Processing of Personal Data.

13.2. Severability. If any provision of this DPA is held unenforceable, the remaining provisions remain in full force.

13.3. Modifications. Flikt.AI may update this DPA from time to time; the version published at flikt.ai/legal/dpa/ controls. Material changes will be communicated to Customers in advance.

13.4. Contact. Questions regarding this DPA may be sent to legal@flikt.ai.

Annex I — Description of Transfer

A. Parties

Data Exporter: Customer (as identified in the Principal Agreement). Role: Controller (or Processor, as applicable).
Data Importer: Flikt.AI, with principal place of business in Florida, United States. Role: Processor (or Sub-processor, as applicable).

B. Description of Transfer

Categories of data subjects: As described in Section 2.4 of the DPA.
Categories of Personal Data: As described in Section 2.5 of the DPA.
Special categories: None intentionally Processed.
Frequency of transfer: Continuous (on-demand, when Customer uploads documents or end users access the platform).
Nature of Processing: As described in Section 2.3 of the DPA.
Purposes of transfer: Provision of the Flikt.AI platform.
Period of retention: As described in Section 9 of the DPA.

C. Competent Supervisory Authority

Per Clause 13 of the SCCs, the supervisory authority of the EU Member State in which the data exporter is established, or — if the exporter is not established in the EU — the supervisory authority designated in writing by the data exporter, or, if none, the Irish Data Protection Commission.

Annex II — Technical and Organizational Measures

The current TOMs in effect for the Flikt.AI platform are summarized below. Flikt.AI may update these from time to time, provided the level of protection is not materially decreased.

Measure	Implementation
Encryption in transit	TLS 1.2 or higher for all customer-facing endpoints.
Encryption at rest	AES-256 for all Customer Data stored in cloud object storage, databases, and block storage.
Pseudonymization	Used where feasible for analytics and logging.
Confidentiality	Personnel access controls, least-privilege provisioning, confidentiality undertakings.
Integrity	Code review, dependency-vulnerability scanning, signed deployments.
Availability	Daily backups, point-in-time recovery, multi-AZ database deployment.
Resilience	Automated failover for database; container-orchestrated compute.
Restoration after incident	Documented runbooks; backup restoration tested at least annually.
Testing and evaluation	Internal review of TOMs at least annually.
User identification and authorization	Third-party identity provider; RS256-signed JWT sessions; role-based access controls.
Access logging	Application-level audit logs; cloud-provider audit logging for infrastructure events.
Data minimization	Customer Data retained only for periods set in Privacy Policy §5.
Quality assurance	Pre-production environments isolated from production data.
Sub-processor management	DPAs in place with all Sub-processors listed in Annex III.

Annex III — Sub-processors

#	Sub-processor	Purpose	Region
1	Anthropic, PBC	AI analysis services. Customer Data is not used for model training per the provider’s API terms.	United States
2	Amazon Web Services, Inc.	Cloud hosting and infrastructure (compute, database, object storage)	United States
3	Google LLC	Backup optical character recognition (OCR) for scanned PDFs	United States
4	Stripe, Inc.	Payment processing; PCI DSS Level 1	United States (with EU subsidiary)
5	Sendinblue / Brevo SAS	Transactional email — application notifications, contact-form delivery, and password resets	European Union (Paris)
6	Cloudflare, Inc.	Edge worker for `demo.flikt.ai`; no customer plan-set data	Global edge network
7	Clerk Inc.	User authentication, session management, RS256 JWT issuance	United States
8	Sentry, Inc. (Functional Software, Inc.)	Application error tracking and exception monitoring; receives stack traces and limited request metadata	United States
9	GoDaddy.com, LLC	Marketing site hosting (`flikt.ai`); no customer plan-set data	United States

The current list is also published at flikt.ai/legal/sub-processors. Customer may subscribe to change notifications by emailing legal@flikt.ai.

End of Data Processing Agreement.