Legal

Data Processing Agreement

Effective: April 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Buvio ("Processor") and the customer ("Controller") for the provision of compliance platform services.

Scope of processing

Buvio processes personal data on behalf of the Controller solely for the purpose of providing compliance platform services. This includes processing project data, generating compliance documents, and maintaining audit trails as instructed by the Controller.

Data categories

Categories of personal data processed may include: employee names and roles, project participant details, supplier contact information, and other personal data contained in construction project documentation submitted to the platform.

Sub-processors

Buvio maintains a list of approved sub-processors. The Controller will be notified at least 30 days before any new sub-processor is engaged. Current sub-processors are available upon request at privacy@buvio.ai.

Security measures

Buvio implements appropriate technical and organisational measures including encryption at rest and in transit, access controls, regular security assessments, and incident response procedures as detailed in our Security page.

Data breach notification

In the event of a personal data breach, Buvio will notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach, providing all information required under Article 33 of GDPR.

Data subject requests

Buvio will assist the Controller in fulfilling data subject access requests (DSARs) and other rights under GDPR. Requests should be directed to privacy@buvio.ai.

International transfers

All data processing occurs within the European Economic Area. In the event a transfer outside the EEA is necessary, Buvio will ensure appropriate safeguards are in place in accordance with Chapter V of GDPR.