DATA PROCESSING AGREEMENT · v1.0 · 2026-05
Data Processing Agreement (DPA)
This page summarises the Data Processing Agreement (DPA) under which CRM-Line, Lda. processes personal data on behalf of bidyou.ai customers, in accordance with Article 28 of the GDPR. The signable contract — including subprocessor list and full Technical and Organisational Measures (TOMs) — is provided to every customer before first project upload.
1. Parties
- Controller: the customer entity that determines the purposes and means (the why and how) of processing the personal data.
- Processor: CRM-Line, Lda. · TIN 507 830 466 · Estoril, Portugal · privacy@bidyou.ai.
2. Subject matter, duration, nature and purpose of processing
| Element | Description |
|---|---|
| Subject matter | Provision of the bidyou.ai estimating, quote-engine and related services. |
| Duration | Term of the Principal Agreement plus retention windows defined in §10. |
| Nature of processing | Storage, structured analysis, AI-based extraction and classification, vector embedding, querying of public sources and Customer-loaded supplier catalogues. |
| Purpose | Enable the Customer to produce construction estimates, manage projects, and obtain price comparisons across suppliers and marketplaces. |
| Categories of data subjects | Employees, contractors, suppliers and (for homeowner customers) the Customer themselves, plus persons named in project documentation. |
| Categories of personal data | Identification and contact data, professional data (role, company), authentication credentials, audit-log metadata. No special categories (Art. 9 GDPR) without an explicit written addendum. |
3. Processor obligations
The Processor commits to:
- Process Personal Data only on the Controller's documented instructions.
- Ensure personnel are bound by confidentiality obligations.
- Implement and maintain the Technical and Organisational Measures (TOMs) described in §6.
- Engage Sub-processors only under §4 conditions.
- Assist the Controller in responding to data-subject rights requests (access, rectification, erasure, portability, restriction, objection).
- Assist with security obligations, breach notifications, DPIAs and prior consultations under Articles 32–36 GDPR.
- Notify the Controller of any personal data breach within 72 hours of awareness, with all information required under Art. 33(3).
- At the Controller's choice, return or delete all Personal Data after the end of services and provide a deletion certificate on request.
- Make available all information necessary to demonstrate compliance with Art. 28 and contribute to audits.
4. Sub-processors
The Controller grants general written authorisation to the Processor to engage Sub-processors. The current list is published at /legal/subprocessors/. The Processor will:
- Impose equivalent data-protection obligations on each Sub-processor by written contract.
- Remain fully liable for each Sub-processor's performance.
- Notify the Controller at least 30 days in advance of any addition or replacement of Sub-processors, giving the Controller a right to object on reasonable grounds.
5. International transfers
Personal Data is stored and processed within the European Union (EU/EEA). Where any onward transfer involves processing outside the EU/EEA, the Processor implements the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and supplementary measures in line with the case law of the Court of Justice of the European Union (Schrems II).
6. Security measures (summary)
The full TOMs are an annex to the signable DPA. Headlines:
- Confidentiality — TLS 1.2+ in transit (AEAD-only); AES-256 at rest; tenant isolation by namespace at database, vector store and object storage; SSH key-only on production hosts; mandatory 2FA on admin; physical access logged.
- Integrity — file-integrity monitoring (Wazuh); change-management via internal CMDB (GLPI); input validation at the application layer.
- Availability — daily encrypted off-site backups (30-day retention); quarterly restore tests; observability (Zabbix); on-call alerting within 60 seconds; documented BCP/DR plan.
- Testing — daily authenticated vulnerability scanning (GVM); quarterly external PCI DSS ASV scans (HackerGuardian); SIEM detection (Wazuh, MITRE ATT&CK); annual independent penetration test.
See /trust/ for the full posture, including operational stack and certification roadmap.
7. Data-subject rights assistance
The Processor provides the technical and organisational measures necessary for the Controller to respond to data-subject requests under Chapter III GDPR, including export of the data subject's personal data, rectification, erasure, restriction of processing and portability. Standard SLA: 14 calendar days from Controller's request.
8. Personal data breach notification
In the event of a personal data breach affecting Controller data, the Processor will notify the Controller without undue delay and in any event within 72 hours of awareness, including (to the extent then known): the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences and measures taken or proposed.
9. Audit rights
The Controller may audit the Processor's compliance with Art. 28 GDPR. Audits ordinarily take the form of independent audit reports (e.g., pentest summary; future ISO 27001 / SOC 2 reports). On-site audits are available with reasonable advance notice (≥30 days), conducted during business hours under reasonable confidentiality undertakings, and at the Controller's cost (except where the audit reveals material non-compliance, in which case the Processor bears reasonable costs).
10. Retention, deletion, return
| Scenario | Retention, deletion and return |
|---|---|
| Subscription paused / trial expired | Project data retained 30 days, then logically deleted (recoverable on request). |
| Subscription terminated | Personal Data exported to the Controller on request; logically deleted within 30 days; permanently purged from primary storage and backups within 90 days. Deletion certificate issued on request. |
| Statutory retention | Where Union or Member State law requires retention (e.g., billing data), only data strictly necessary is kept, segregated and access-restricted. |
11. Liability and termination
Each Party's liability is governed by the Principal Agreement, subject to the carve-outs of Art. 82 GDPR (which cannot be lawfully limited). Termination of the Principal Agreement automatically terminates the DPA, subject to the post-termination obligations in §10.
12. Governing law and jurisdiction
The DPA is governed by Portuguese law and the GDPR. Disputes are resolved by the competent courts of Cascais (Portugal), without prejudice to any mandatory data-subject venue.
13. Order of precedence
In the event of conflict, the order of precedence is: (i) the GDPR and applicable mandatory data-protection law; (ii) the signed DPA; (iii) the Principal Agreement; (iv) any service-level documentation.
14. Changes
This page summarises the current DPA template. Material changes are communicated to active customers at least 30 days in advance. Last update: 10 May 2026.
To execute a DPA, write to privacy@bidyou.ai. We send the signable PDF, the subprocessor list, and the full TOMs annex within one business day.