This Data Processing Agreement (“DPA”) is an annex to and integral part of the Terms of Service between Vertical Real Estate B.V., KvK 99566346 (“Processor”) and the User (“Controller”). This DPA applies insofar as one or more of the territorial scope requirements of the GDPR are met.
01 Definitions
In this DPA, the following terms have the meanings set out below. Terms not defined herein have the same meaning as in the Terms of Service or the GDPR.
- Approved Measure means binding corporate rules, a code of conduct, or a certification mechanism as referred to in Article 46 GDPR.
- EC Standard Contractual Clauses means the standard contractual clauses approved or adopted by the European Commission in accordance with Article 46(2)(c) and (d) GDPR.
- Data Subjects means the natural persons whose Personal Data is processed under the Agreement by Processor or any Sub-Processor on behalf of Controller.
- GDPR means the EU General Data Protection Regulation 2016/679/EC and any related applicable national implementation legislation.
- Non-Adequate Country means a country not deemed to provide an adequate level of protection within the meaning of Article 45 GDPR.
- Personal Data has the meaning described in Article 4(1) GDPR, insofar as processed by Processor or a Sub-Processor under the Agreement.
- Personal Data Breach has the meaning described in Article 4(12) GDPR.
- Sub-Processor means any third party engaged by Processor that processes Personal Data on behalf of Controller. Approved Sub-Processors are listed in Schedule 1.
02 Description of the services
2.1 The subject-matter of this DPA is the processing of Personal Data by Processor on behalf of Controller in accordance with Controller’s written instructions. This includes:
- Processing Personal Data that Users provide as input for project management, document analysis, AI-assisted workflows, and data retrieval through the BrickPilot Platform.
- The nature of the processing consists of collecting, accessing, storing, retrieving, analysing (including via AI models), transferring, and deleting Personal Data.
- Processor may engage Sub-Processors (Schedule 1) for infrastructure hosting, AI model inference and routing, content delivery, payment processing, and related technical services.
- The types of Personal Data processed include account data (name, email, company), project data (documents, addresses, property information), and communications, excluding special categories (Article 9 GDPR).
2.2 The categories of Data Subjects whose Personal Data may be processed under this DPA include:
- employees, representatives, and agents of Controller;
- end-users of the Platform authorised by Controller;
- individuals whose personal data is contained in project data uploaded by Controller (e.g. property owners, tenants, or contact persons referenced in project documentation);
- any other natural persons whose Personal Data is provided by Controller through the Platform.
2.3 For certain activities (managing accounts, securing the Platform, analytics), Vertical Real Estate B.V. acts as Controller. These fall outside this DPA.
2.4 This DPA has the same term as the Terms of Service and terminates when Processor ceases processing.
03 Instructions
3.1 Processor shall process Personal Data only (i) on behalf of Controller, (ii) in accordance with Controller’s written instructions, and (iii) for purposes authorised by the Terms of Service or this DPA.
3.2 Processor shall not process Personal Data beyond what is strictly necessary, except as required by applicable EU or member state law, in which case Processor shall inform Controller beforehand unless prohibited by law.
04 Compliance with the GDPR
4.1 Processor shall comply with the GDPR and ensure each Sub-Processor is contractually bound to equivalent obligations.
4.2 Controller guarantees it has a valid legal ground, has been transparent to Data Subjects, and has ensured GDPR compliance.
05 Non-disclosure and confidentiality
5.1 Processor shall keep Personal Data confidential and not disclose it without Controller’s prior written approval, except for Sub-Processors or audit purposes.
5.2 Processor shall ensure all persons under its authority maintain confidentiality.
06 Security
6.1 Processor shall implement appropriate technical and organisational measures to protect Personal Data, considering the state of the art, costs, nature, scope, context, purposes, and risk.
6.2 Processor shall ensure each Sub-Processor implements equivalent measures.
6.3 Processor may implement adequate alternative measures provided they do not materially reduce the security level.
07 Sub-processors
7.1 Controller grants Processor general written authorisation to engage Sub-Processors. Processor remains fully liable.
7.2 Each Sub-Processor must be contractually bound to at least equivalent terms.
7.3 Controller consents to Sub-Processors in Schedule 1. Processor shall notify Controller of changes, allowing one (1) month to object.
7.4 If Controller objects, parties will consult on alternatives. Additional costs are payable by Controller.
7.5 Processor maintains an up-to-date list in Schedule 1.
08 Cooperation obligations
8.1 Processor shall assist Controller when Data Subjects exercise their rights.
8.2 Processor shall promptly inform Controller of complaints or requests from Data Subjects and shall not respond without Controller’s instruction.
8.3 Processor shall assist with data protection impact assessments and prior consultations.
09 Personal data breaches
9.1 Processor shall inform Controller without undue delay after becoming aware of a Personal Data Breach.
9.2 Processor shall take appropriate remedial measures and provide Controller with all relevant information.
10 Return and destruction of personal data
10.1 Upon termination, Processor shall return or securely destroy all Personal Data at Controller’s option, except where law requires longer retention.
10.2 Processor shall ensure Sub-Processors comply within a reasonable timeframe.
11 Compliance and right of audit
11.1 Controller may verify Processor’s compliance. Processor shall make systems and documentation available for audit. Controller bears costs.
11.2 Where a Sub-Processor does not permit direct auditing, Processor shall obtain and share their SOC 2 Type II report, ISO 27001 certificate, or equivalent.
11.3 Controller shall give reasonable notice, ensure confidentiality, avoid disruption, and conduct no more than one audit per year without pressing reason.
12 International data transfers
12.1 Transfers to Non-Adequate Countries shall be governed by EC SCCs or another lawful mechanism under Chapter V GDPR.
12.2 This does not apply where Approved Measures are in place. If those lapse, Processor will ensure alternative safeguards.
12.3 Schedule 1 specifies transfer mechanisms. Processor shall conduct and document a transfer impact assessment (TIA) for each Sub-Processor located in a Non-Adequate Country, evaluating the legal framework in the recipient country, the supplementary measures in place, and the risk to Data Subjects. Processor shall make these assessments available to Controller upon request.
13 Liability
13.1 Liability between the Parties is governed by the Terms of Service.
13.2 Controller shall indemnify Processor against claims arising from Controller’s failure to comply with Clause 4.2.
13.3 Processor is liable for Sub-Processor acts to the same extent as its own, unless the act is not attributable to the Sub-Processor.
A1 Schedule 1: Approved sub-processors
The following Sub-Processors are approved as of the date of this DPA:
| Sub-processor | Services / processing activities | Location | Transfer mechanism | Compliance |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, computing, storage, hosting of the Platform and Personal Data; AI model inference via AWS Bedrock (Anthropic Claude) | EU (Frankfurt, Ireland) / US | AWS Data Processing Addendum; EC SCCs for US transfers | SOC 2 Type II; ISO 27001 |
| Vercel (Vercel, Inc.) | Frontend hosting, serverless functions, edge network and CDN, handling of User requests and session data | Global (Edge) / US | Vercel DPA; EC SCCs; DPF | SOC 2 Type II |
| Railway (Railway Corp.) | Application hosting, deployment infrastructure, backend services, logging and container orchestration | US | Railway DPA; EC SCCs | SOC 2 Type II |
| Storyblok (Storyblok GmbH) | Content management system for website and platform content delivery | EU (Austria) | Storyblok DPA | ISO 27001 |
| OpenRouter (OpenRouter, Inc.) | AI model routing and API gateway; forwarding User prompts to Mistral and other AI providers for inference | US | OpenRouter DPA; EC SCCs | DPA in place |
| Slack (Salesforce, Inc.) | Internal team communication, including support request handling and project coordination where Personal Data may be referenced | US | Slack DPA; EC SCCs; DPF | SOC 2 Type II; ISO 27001 |
| Mollie B.V. | Payment processing for subscriptions and one-time purchases | EU (Netherlands) | Mollie DPA | PCI-DSS; SOC 2 |
For each Sub-Processor, Processor has ensured that:
- A data processing agreement meeting Article 28 GDPR requirements is in place.
- Appropriate technical and organisational security measures are implemented.
- Where Personal Data is transferred to a Non-Adequate Country, a valid transfer mechanism is in place, supplemented by a documented transfer impact assessment.
- Compliance posture is reviewed periodically.
Note regarding OpenRouter: OpenRouter routes User inputs to downstream AI providers (including Mistral). Processor ensures OpenRouter’s terms require equivalent data protection from each downstream provider. Processor has conducted a transfer impact assessment for this data flow.
Note regarding AWS Bedrock: AI inference via Anthropic is provided through AWS Bedrock. Prompts and outputs processed through Bedrock are governed by AWS’s Data Processing Addendum and are not used for model training.
Note regarding Slack: Slack is used for internal team communication. Personal Data may be referenced in support and project coordination channels. Processor shall ensure that Personal Data shared via Slack is limited to what is necessary for the relevant support or coordination purpose.
End of Data Processing Agreement.