Data Processing Addendum

Last updated: December 5, 2025

1. Definitions

For the purposes of this Agreement:

  • "Controller" means you, the customer, who determines the purposes and means of processing Personal Data
  • "Processor" means WayCivil, which processes Personal Data on behalf of the Controller
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion
  • "Data Protection Laws" means applicable data protection and privacy laws, including GDPR and CCPA

2. Scope and Roles

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between you (Controller) and WayCivil (Processor). WayCivil will process Personal Data only:

  • On documented instructions from the Controller
  • For the purpose of providing the civil engineering review services
  • In accordance with Data Protection Laws
  • Within the scope defined in our Terms and Conditions

3. Data Processing Obligations

WayCivil commits to:

  • Process Personal Data only as instructed by the Controller
  • Ensure personnel processing data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to data subject requests
  • Delete or return Personal Data upon termination of services
  • Maintain records of processing activities as required by law

4. Security Measures

WayCivil implements industry-standard security measures including:

  • Encryption of data in transit and at rest using AES-256
  • Multi-factor authentication for account access
  • Regular security audits and penetration testing
  • Role-based access controls and the principle of least privilege
  • Secure backup and disaster recovery procedures
  • 24/7 security monitoring and incident response
  • Employee security training and background checks

5. Sub-processors

WayCivil may engage third-party sub-processors to assist in providing services. We will:

  • Maintain a list of authorized sub-processors
  • Ensure sub-processors are bound by equivalent data protection obligations
  • Provide 30 days' notice before adding or replacing sub-processors
  • Allow you to object to any new sub-processor on reasonable grounds
  • Remain fully liable for any sub-processor's performance

6. Data Subject Rights

WayCivil will assist you in fulfilling data subject rights requests, including:

  • Right of access to Personal Data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing

We will respond to such requests within the timeframes required by applicable Data Protection Laws.

7. Data Breach Notification

In the event of a Personal Data breach, WayCivil will:

  • Notify you without undue delay upon becoming aware of the breach
  • Provide details of the nature and scope of the breach
  • Describe measures taken to address the breach and mitigate harm
  • Cooperate in investigating and remediating the breach
  • Maintain documentation of all data breaches

8. International Data Transfers

Personal Data is primarily stored and processed in secure data centers within the United States. If data transfers to other countries are necessary, WayCivil will ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by relevant authorities or adequacy decisions.

9. Audit Rights

Upon reasonable notice, you have the right to audit WayCivil's compliance with this DPA. WayCivil will provide relevant documentation and certifications (such as SOC 2 reports) and allow on-site audits as needed, subject to confidentiality obligations and reasonable limitations to protect our operations and other customers' data.

10. Termination and Data Return

Upon termination of services, WayCivil will:

  • Provide you with the option to export your data
  • Delete or return all Personal Data within 90 days
  • Certify deletion of all copies, except where retention is required by law
  • Ensure sub-processors also delete or return Personal Data

For questions about this Data Processing Agreement, contact us at legal@waycivil.com