global
Variables
Utilities
COMPONENTS
CUSTOM STYLES

Datagrid Adoption Agreement

Adoption Agreement for Datagrid Services

This Adoption Agreement for the Datagrid Services (the “Adoption Agreement”) is entered into by and between Datagrid AI, Inc. (“Datagrid”) and the customer contracting entity identified on the Order Form (“Customer”) and hereby adopts and incorporates by reference the terms of the Procore Subscription and Services Agreement (“Agreement”) between Procore Technologies, Inc. (“Procore”) and Customer, provided that Customer is either the same entity that executed the Agreement or an Affiliate thereof. If Customer is an Affiliate, such Affiliate agrees to be bound by the terms of the Agreement as if it were an original party. This Adoption Agreement creates a separate and independent contract between Datagrid and Customer, applies only to the Datagrid Services, and Procore is not a party to this transaction. Unless otherwise defined herein, capitalized terms have the meanings set forth in the Agreement. All other provisions of the Agreement not specifically modified by this Adoption Agreement are preserved. 

  1. Definitions. The following defined terms in the Agreement will have the following meanings for purposes of applying the Agreement to Customer’s subscription to and use of the Datagrid Services:
    1. Documentation” means all user guides, technical manuals, and related materials provided by Datagrid applicable to the Datagrid Services found at https://docs.datagrid.com.
    2. Order” or “Order Form” means the proposal, quote, or order document entered into between Datagrid and Customer for the Datagrid Services.
    3. Procore” means Datagrid with respect to the Datagrid Services.
    4. Support Services” means Datagrid’s customer support for the Datagrid Support Services described in the attached Exhibit A to this Adoption Agreement, and as may be specified or purchased within an Order Form.
  2. For purposes of Customer’s subscription to and use of the Datagrid Services, the Parties agree as follows: 
    1. Section 4.1 (Fees) in the Agreement does not apply to the Adoption Agreement. Customer must pay for the Datagrid Services at the Fees as set forth in the Order Form (“Fees”). Any discounts provided during the Initial Term do not carry over to Renewal Term(s). All Fees are non-cancelable and non-refundable. All charges must be paid in U.S. Dollars using the accepted methods of credit card or Automated Clearing House (ACH) transfer. Datagrid shall invoice Customer at the time of the initial Order Form and, for annual subscriptions, approximately one month in advance of any renewal or subsequent billing period. All invoiced amounts are due and payable within thirty (30) days of the invoice date. All overages are due and payable within thirty (30) days following the end of the Subscription Term or as otherwise specifically agreed in the applicable Order Form.
    2. Section 10.1 (Term of the Agreement) in the Agreement does not apply to the Adoption Agreement. This Adoption Agreement is effective as of the Effective Date and will continue until the Datagrid Services described in the Order Form and any SOW(s) have been completed, expired, or terminated (the “Term”). 
    3. Section 10.2 (Subscription Term) in the Agreement does not apply to the Adoption Agreement. The Subscription Term described in each Order Form will commence on the Order Form’s effective date and continue for the “Initial Term” as specified therein. Upon expiration of the Initial Term, the Adoption Agreement will automatically renew for additional one (1) year periods (“Renewal Term”) unless either Party provides written notice of non-renewal at least ninety (90) days prior to the end of the Initial Term or any Renewal Term. Rates for Fees during Renewal Terms will not increase by more than the Consumer Price Index (All Urban Index, latest year available) plus five percent (5%), unless otherwise agreed in writing.
    4. Section 10.5(d) (Effect of Termination) in the Agreement does not apply to the Adoption Agreement. 
    5. Notwithstanding anything to the contrary in Section 11.5 (Contracting Entity, Governing Law & Venue), the applicable Procore contracting entity, in every instance, irrespective of where Customer is domiciled, is Datagrid.
    6. Section 11.7 (Notices) in the Agreement does not apply to the Adoption Agreement. Notices to Customer will be delivered via email or overnight delivery at the address associated with the Order Form. Notices to Datagrid will be delivered via email to legalnotice@procore.com or by overnight delivery to Datagrid AI, Inc. (a subsidiary of Procore Technologies, Inc.), Attention Chief Legal Officer, 6309 Carpinteria Ave., Carpinteria, CA 93013 USA. All notices must be in writing and will be effective when received.
    7. The link in Section 12.5 (Documentation) is updated to https://docs.datagrid.com/.
    8. Exhibit A” in the Agreement does not apply to the Adoption Agreement. “Exhibit A – Subscription Support and Service Level Policy” of this Adoption Agreement applies to Datagrid’s customer support for the Datagrid Support Services.
    9. All references to Usage Metrics and Overages (including any associated definitions, obligations, or rights) in the Agreement do not apply to the Adoption Agreement.
    10. All references to the DPA in the Agreement shall be updated to mean “Exhibit B, Datagrid Data Processing Addendum” of this Adoption Agreement.     
  3. Additional Terms. For purposes of Customer’s subscription to and use of the Datagrid Services, the parties agree to the following terms:
    1. Datagrid Consumption Units
      1. “DGU(s)” or “Datagrid Consumption Unit(s)” means the units purchased by Customer that may be consumed during the Subscription Term for applicable Datagrid Services described in the Datagrid Consumption Unit Table or as otherwise agreed to between the Parties, including AI agent interactions, data import and learning, searches, and automations.
      2. Purchase and Utilization. Customer may purchase DGUs in pre-defined bundles, with specific terms and pricing outlined in a separate Order Form executed by both Parties. DGUs may be redeemed for the services described in the Datagrid Consumption Unit Table available at https://www.datagrid.com/credit-usage (“Datagrid Consumption Unit Table”), which includes the specific DGU cost for each Datagrid Service that is subject to the Datagrid Consumption Unit Table. 
      3. Reporting and Transparency. Datagrid shall provide Customer with a consumption meter in the main dashboard of the Customer account, displaying overall DGU usage and a summary of services utilized. While the meter does not provide line-by-line transaction details, it offers sufficient granularity for Customer to understand Customer’s consumption.
      4. Flexibility and Changes in DGU Pricing. Datagrid may update its Datagrid Consumption Unit Table periodically. Updates will be reflected on the Datagrid Consumption Unit Table’s “Effective Date,” and for material updates that increase the cost of items in the Datagrid Consumption Unit Tables by more than the Consumer Price Index plus 5% over a 12-month period, Datagrid shall provide at least 60 days’ written notice via email or through the Datagrid Service dashboard. Customers with an active subscription may purchase additional DGUs at the existing pricing in their Order Form until the end of their current Subscription Term. Upon renewal, updated pricing will apply. Any updates to pricing will take effect on Customer’s next billing cycle following the notice period, and Customer’s continued use of the Datagrid Services constitutes acceptance of the new terms.
      5. No Obligation for Line-by-Line Detailing. Datagrid is not obligated to provide line-by-line details of DGU consumption. The provided consumption meter balances transparency with administrative efficiency.
    2. Datagrid’s Discretion in Service Continuation. Datagrid may, at its sole discretion, continue to provide the Datagrid Service during periods of non-payment without waiving its right to suspend or terminate access in the future. If the Datagrid Service continues during non-payment, Customer remains liable for all outstanding and future Fees. If the Datagrid Service is suspended and later restored upon payment, Customer is not entitled to any extension of the Subscription Term or compensation for the period of suspension. If the Adoption Agreement is terminated due to non-payment, Datagrid may delete Customer Data after a 30-day grace period, unless otherwise required by law.
    3. Plan Upgrade. Customer may request to upgrade its service plan during the Term by providing written notice to Datagrid. If such a request is made, Customer shall pay the difference between the Fees for the current service plan and those for the upgraded plan. Customer will be invoiced for the upgrade, with payment due in accordance with the Agreement and the Adoption Agreement. Datagrid reserves the right to deny any upgrade request that does not align with the fee schedule attached to the Order Form. In the event of any dispute regarding upgrade Fees, the Parties agree to attempt to resolve the matter amicably before resorting to formal dispute resolution. Upon mutual agreement, this Agreement will be deemed amended to reflect any approved upgrade.
  4. Conflicts. If there is any conflict between the Adoption Agreement and the Agreement, the Adoption Agreement will control solely with regard to Customer’s subscription to and use of Datagrid Services. 

Exhibit A - Subscription Support and Service Level Policy

SUPPORT

Datagrid support consists of Preventive Support and Error Correction during normal business hours.

Preventive Support.

Datagrid will use reasonable efforts to prevent Datagrid Service failures by (a) advising Customer of relevant issues affecting other users; (b) performing necessary remedial work; (c) proactively remedying security vulnerabilities; and (d) reviewing Datagrid Service data to preempt potential problems.

Error Correction.
Customer may report defects via email at support@datagrid.com. Defects are classified as follows:

Severity Level

1 - Critical

Defect causing the Service to be unusable.

Initial response within 4 hours; immediate management escalation; status update if unresolved within 4 hours.

2 - Significant

Defect materially impacting Service use.

Initial response within 8 hours; management escalation within 16 hours; status update within 24 hours.

3 - Other

Non-critical, non-significant issues.

Initial response within 48 hours; management escalation within 5 business days; status update within 72 hours.

Exhibit B - Datagrid Data Processing Addendum

This Data Processing Addendum (this “DPA”) supplements and forms part of the services agreement between Customer and Datagrid AI, Inc. about the provision of Services by Datagrid to Customer (“Agreement”) when Data Protection Law applies to Customer’s access and use of the Services to Process Customer Personal Data (defined below).

Customer enters into this DPA on behalf of itself and, to the extent required under applicable law, in the name of and on behalf of its Data Controller Affiliates (defined below) (“Customer”).  For the purposes of this DPA only, and except as otherwise indicated, the term “Customer” shall include Customer and Data Controller Affiliates.

  1. Data Processing
    1. Scope and Roles. This DPA applies when Customer Personal Data is processed by Datagrid under applicable Data Protection Law. In this context, where the law provides for the roles of “controller” and “processor,” Customer is the Controller of the Customer Personal Data covered by this DPA, and Datagrid shall be a Processor Processing Customer Personal Data on behalf of Customer and this DPA shall apply accordingly.  
    2. Details of Data Processing.  
      1. Subject matter. The subject matter of the data Processing under this DPA is Customer Personal Data.
      2. Duration. The duration of the Processing under this DPA is determined by the Agreement.  Regardless of whether the Agreement has terminated or expired, this DPA will remain in effect until, and automatically expire when, Datagrid deletes or anonymizes all Customer Personal Data as described in the Agreement.
      3. Purpose. The purpose of the processing under the DPA is the provision of the Services by Datagrid to Customer as specified in the Agreement.
      4. Nature of the Processing. Customer Personal data is processed by Datagrid in connection with the Services under the Agreement and/or any applicable Order. 
      5. Categories of Data Subjects. The Data Subjects of Customer which may include Customers’ Authorized Users, employees, contractors, suppliers, or other third parties whose Personal Data is uploaded by Customer for use in connection with the Services.  
      6. Categories of data. Identifiers (contact detail including name, email, phone number  and addresses); Employment Data (professional data, contact details, hours worked, site access); Internet and Network Activity Data (such as IP addresses, log files, and login information); Geolocation Data (such as region, country, state, postal code, or location information derived from IP addresses or GPS); and other Personal Data that Customer or its Authorized Users elect to submit to the Services.
      7. Special categories of data (if appropriate). Datagrid and/or its Subprocessors do not intentionally collect or process any special categories of data in connection with the provision of the Services under the Agreements.
    3. Compliance with the laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA.
  2. Documented Instructions.
    1. Customer Instructions. Customer shall, in its use of the Services, at all times provide documented instructions to Datagrid for the Processing of Customer Personal Data, in compliance with applicable Data Protection Law. The Parties agree that this DPA and the Agreement constitute Customer’s documented instructions regarding Datagrid’s Processing of Customer Personal Data (“Documented Instructions”).  Datagrid will Process Customer Personal Data in accordance with Customer’s Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Datagrid and Customer, including agreement on any additional fees payable by Customer to Datagrid for carrying out such instructions. 
    2. Obligations. Customer is solely responsible for the accuracy, quality, and legality of (a) the Customer Personal Data provided to Datagrid by or on behalf of Customer; (b) how Customer acquired any such Customer Personal Data (e.g., appropriate notice and/or consent); and (c) the Documented Instructions it provides to Datagrid regarding the Processing of such Personal Data. Customer shall not provide or make available to Datagrid any Personal Data in violation of the Agreement, this DPA, or otherwise inappropriate for the nature of the Services. 
  3. Confidentiality of Customer Personal Data. Datagrid will not access or use, or disclose to any third party, any Customer Personal Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law, a Public Authority Request and/or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Datagrid a demand for Customer Personal Data, Datagrid will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Datagrid may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Personal Data to a governmental body, then Datagrid will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Datagrid is legally prohibited from doing so. 
  4. Authorized persons. Datagrid shall ensure that all persons authorized to Process Customer Personal Data on behalf of Datagrid are made aware of the confidential nature of the Customer Personal Data, and have committed themselves to confidentiality (e.g. by confidentiality agreements) or are under an appropriate statutory obligation of confidentiality.
  5. Authorized Subprocessors. Customer hereby generally authorizes Datagrid to engage Subprocessors in accordance with this Section 5.  Customer approves the Subprocessors currently disclosed in  Appendix A. Datagrid may remove, replace, or appoint suitable and reliable Subprocessors, provided that Datagrid shall notify Customer of any updates to its Subprocessors. Datagrid will provide Customer with an opportunity to object to any change in its Subprocessors where required under applicable Data Protection Law.
    1. Objections. If the Customer reasonably objects to the engagement of a new Subprocessor, Datagrid shall have the right to cure the objection through one of the following options (to be selected at Datagrid’s sole discretion): (a) Datagrid cancels its plans to use the Subprocessor with regard to Customer Personal Data; (b) Datagrid will take the corrective steps requested by Customer in its objection  (which removes  Customer's objection) and proceed to use the Subprocessor with regard to Customer Personal Data; (c) Datagrid may cease to provide or Customer may agree not to use (temporarily or  permanently) the particular aspect of the Service that would involve the use of such Subprocessor with regard to Customer Personal Data; and (d) Datagrid provides Customer with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services. If Datagrid, in its sole discretion, cannot provide any such alternative(s), or if Customer does not agree to any such alternative(s) if provided, Datagrid and Customer may terminate this DPA with prior written notice, or suspend the affected Services. Termination shall not relieve Customer of any fees or charges owed to Datagrid for Services provided up to the effective date of the termination under the Agreement. In the event that Datagrid elects to suspend Customer’s access to and use of affected Services, such suspension shall relieve Customer of any fees or charges owed to Datagrid for such Services after the effective date of the suspension.  If Customer does not object to a new Subprocessor's engagement within ten (10) days of notice by Datagrid, that new Subprocessor shall be deemed accepted. 
    2. Subprocessor Obligations.  Where Datagrid authorizes a Subprocessor as described in Section 5.1:

  1. Datagrid will restrict the Subprocessor’s access to Customer Personal Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and Datagrid will prohibit the Subprocessor from accessing Customer Personal Data for any other purpose;
  2. Datagrid will enter into a written agreement with the Subprocessor and, to the extent that the Subprocessor performs the same data processing services provided by Datagrid under this DPA, Datagrid will impose on the Subprocessor the same contractual obligations that Datagrid has under this DPA; and 
  3. Datagrid will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Datagrid to breach any of Datagrid obligations under this DPA.
  1. Security; Audits; Personal Data Breach.
    1. Security. Datagrid’s provision of the Services will be consistent with the Security Measures and Controls described in Appendix B and any security measures described in the Agreement..   
      1. Updates to Security Measures and Controls. Customer is responsible for reviewing the information made available by Datagrid relating to data security and making an independent determination as to whether the Security Measures and Controls set forth in Section 6.1, above, meet Customer’s requirements and legal obligations under applicable law. Customer acknowledges that the Security Measures and Controls are subject to technical progress and development and that Datagrid may update or modify the Security Measures and Controls from time to time provided that such updates and modifications do not materially degrade the overall security of the Services during the Subscription Term.
    2. Confidential Security Reports and Audits.  For the duration of its processing of Customer Personal Data, Datagrid will maintain compliance with appropriate security standards for its industry.  Upon request, Datagrid shall, no more than once per calendar year make available for Customer’s review, a summary copy of an audit report(s) ("Report") that reflects such compliance, a request may be made by emailing Datagrid.  Customer acknowledges and agrees that such Reports are Datagrid’s Confidential Information. Datagrid shall also provide a requesting Customer with a Report and/or confirmation of Datagrid's own audits and/or a report of third party auditors' audits of its Subprocessors that have been provided by those Subprocessors to Datagrid, to the extent such reports or evidence may be shared with Customer (“Third-party Subprocessor Audit Reports”). Customer acknowledges that (a) Reports and Third-party Subprocessor Audit Reports shall be considered Confidential Information as well as confidential information of the third-party Subprocessor and (b) certain third-party Subprocessors to Datagrid may require Customer to execute a non-disclosure agreement with them in order to view a Third-party Subprocessor Audit Report.
    3. Personal Data Breach. In the event of a Personal Data Breach, except where prohibited by law, Datagrid shall notify Customer without undue delay and otherwise respond as described in 6.3.1 below.  In addition, Datagrid shall, taking into account the nature of the Processing and the information available to Datagrid assist Customer in ensuring compliance with its obligations under applicable Data Protection Law to conduct a data protection impact assessment and, with prior notice, to assist with consultations with the Competent Supervisory Authority (defined below), where required.
      1. Practices.  Datagrid does and will (a) maintain and follow a documented incident response plan and associated procedures consistent with industry standards for Personal Data Breach handling; (b) investigate Personal Data Breach of which Datagrid becomes aware, and, within the scope of the Services, and take such steps as Datagrid in its sole discretion deems necessary and reasonable to remediate such Personal Data Breach; and (c) notify Customer without undue delay upon confirmation of a Personal Data Breach that is known or reasonably suspected by Datagrid to affect Customer Personal Data, and provide Customer with reasonably requested information about such Personal Data Breach and the status of the remediation and restoration activities. The obligations herein shall not apply to a Personal Data Breach caused by Customer, Customer’s Authorized Users or misuse of Customer’s Access Credentials. Datagrid’s obligation to report or respond to a Personal Data Breach under this Section 6 is not and will not be construed as an acknowledgement by Datagrid of any fault or liability of Datagrid with respect to the Personal Data Breach. 
  2. Datagrid Assistance with Data Subject Requests. Datagrid will inform Customer of requests from Data Subjects exercising their Data Subject rights under applicable Data Protection Law (e.g., including but not limited to rectification, deletion and blocking of data) addressed directly to Datagrid regarding Customer Personal Data. Datagrid shall not respond to such Data Subject requests itself, except that Customer authorizes Datagrid to redirect such requests to Customer to allow Customer to respond directly. Upon a written request for assistance by Customer, Datagrid will reasonably assist Customer with handling such Data Subject requests.
  3. International Transfers of Personal Data
    1. U.S. Based Processing; Notification of Changes.  Customer acknowledges and agrees that Datagrid may transfer and process Customer Personal Data to and in the United States and where Datagrid, its Affiliates, or its Subprocessors maintain global data processing operations. Datagrid shall ensure that such  transfers are made in compliance with applicable Data Protection Law and this DPA.
    2. Application of SCCs. The applicable SCC Controller-to-Processor Clauses,  will apply to Customer Personal Data that is transferred via the Services from Europe (defined below) and/or the United Kingdom, either directly or via onward transfer, to any country not recognized by the European Commission, the Swiss Federal Data Protection and Information Commissioner and/or a competent United Kingdom regulatory authority or governmental body as providing an adequate level of protection for Customer Personal Data. 
      1. For purposes of this DPA, if the SCCs apply,  this DPA fully incorporates the SCCs. If Customer submits Customer Personal Data to the Services for Processing by Datagrid, Customer and Datagrid will be deemed to have entered into the SCCs, where applicable, and the submission of such Customer Personal Data to the Services will constitute Customer’s prior written consent to the transfer and Processing by Datagrid if such consent is required under the SCCs.  The SCCs, will not apply where the Customer Personal Data is transferred in accordance with an Alternative Transfer Mechanism (defined below), such as when necessary for the performance of Services pursuant to the Agreement or on Customer’s Documented Instructions.
    3. Alternative Transfer Mechanisms.  If necessary, Datagrid may designate a valid  Alternative Transfer Mechanism to any mechanism designated in this DPA.
    4. Explicit Consent and Notice.  Where required, Customer shall bear sole responsibility for obtaining its Authorized User’s and/or Data Subjects’ informed and explicit consent prior to the transfer of any Customer Personal Data to Datagrid in a manner consistent with the applicable Data Protection Law.
  4. Effect of Termination. Upon termination or expiration of the Agreement, Datagrid shall (at Customer's written request) anonymize or delete all Customer Personal Data in its possession or control. This requirement shall not apply to the extent Datagrid is required by applicable law to retain some or all of the Customer Personal Data. Customer acknowledges that Datagrid may be required to be retain Customer Personal under applicable laws for the establishment, exercise or defense of legal claims. 
  5. Indemnification by Customer.  To the maximum extent permitted by applicable law and in addition to any other remedy that is available, including the indemnities provided in the Agreement, Customer agrees to defend and indemnify Datagrid, its Affiliates and Datagrid’s Subprocessors, including their respective officers, directors, employees, agents, successors, representatives, agents, resellers and assigns (each, a “Datagrid Indemnitee”) from and against any and all Losses resulting from Customer’s violation of this DPA and/or the infringement or violation by Customer, its Authorized Users or any other user of Customer’s Access Credentials, of any privacy or other right of any person under applicable Data Protection Law.
  6. Limitation of Liability
    1. Exclusion of Damages.  UNDER NO CIRCUMSTANCES AND REGARDLESS OF THE NATURE OF ANY ACTION SHALL THE DATAGRID INDEMNITEES BE LIABLE, DIRECTLY OR INDIRECTLY, IN WHOLE OR IN PART, TO CUSTOMER OR TO ANY OTHER PERSON OR ENTITY FOR ANY LOSSES OR LOSS, DAMAGE, CORRUPTION OR RECOVERY OF CUSTOMER PERSONAL DATA ARISING FROM OR RELATING TO CUSTOMER’S BREACH OF ITS OBLIGATIONS IN THIS DPA. 
    2. Limitation of Liability. Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Customer and its Data Controller Affiliates and Datagrid, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement and the applicable cap (maximum) for the relevant party set forth in the Agreement. Any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.  For the avoidance of doubt, the Datagrid Indemnitees’ total liability for all Actions by Customer and all of Customers Affiliates (including Data Controller Affiliates) arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Customer Affiliate that is a contractual party to any such DPA.  To the extent required by applicable law, (a) this section is not intended to modify or limit the Parties’ liability for Data Subject claims made against a Party where there is joint and several liability under Data Protection Law, or (b) limit either Party’s responsibility to pay penalties imposed on such Party by a regulatory authority.
  7. Survival of the DPA.      This DPA will continue in force until the termination of the Agreement (the “Termination Date”), provided that the data protection obligations of this DPA shall continue to apply for so long as Datagrid processes Customer Personal Data. 
  8. Severance.  Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
  9. Jurisdiction Specific Terms.  Certain global jurisdictions require other specific terms.  Where required, Customer and Datagrid agree to amend this DPA to incorporate such specific terms as may be required under applicable Data Protection Law. This DPA fully incorporates the specific terms below: 
    1. United States: The definition of “Data Protection Law” includes (without limitation) any federal or state data protection laws in effect and applicable to Datagrid’s Processing of Customer Personal Data in the United States (including The California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. as amended by the California Privacy Rights Act).Datagrid’s obligations to Customer under the DPA are only those express obligations imposed by applicable Data Protection Law that require that a “Business” and a “Service Provider” to have in place.  Each party is responsible for fulfilling its respective obligations set out in applicable Data Protection Law. 

Datagrid will not (a) sell or share Customer Personal Data; (b) retain, use, or disclose any Customer Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing the Customer Personal Data for a commercial purpose other than providing the Services, including to provide services to a different customer; (c) retain, use, or disclose the Customer Personal Data outside of the direct business relationship between Datagrid and Customer; or (d) combine Customer Personal Data with other Personal Data that Datagrid receives from another entity or collects from individuals, except as permitted by applicable law or as authorized by Customer.

The terms used in the applicable provisions of the DPA shall be replaced as follows: “Personal Data” shall mean "Personal Information"; "Controller" shall mean "Business"; "Processor" shall mean "Service Provider"; and "Data Subject" shall mean "Consumer" (collectively, the “replaced terms”).  Further, the replaced terms shall have the definitions ascribed to in the applicable Data Protection Law.

  1. Entire Agreement; Order of Precedence.  Except as supplemented by this DPA, the Agreement will remain in full force and effect. Any conflict between the terms of the Agreement and this DPA related to the processing of Customer Personal Data are resolved in the following order of priority: (1) the Standard Contractual Clauses, where applicable; (2) the DPA; and (3) the Agreement.
  2. Definitions. Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:
    1. Access Credentials” means any user name, identification number, password, license or security key, security token, PIN, or other security code, method, technology, or device used, alone or in combination, to verify an individual’s identity and authorization to access and use the Services.
    2. Action” means any claim, action, cause of action, demand, lawsuit, arbitration, inquiry, audit, notice of violation, proceeding, litigation, citation, summons, subpoena, or investigation of any nature, civil, criminal, administrative, regulatory, or other, whether at law, in equity, or otherwise.
    3. Affiliates”, “Customer Data”, “Datagrid”, and “Services” shall each have the meaning ascribed to it in the Agreement.
    4. Alternative Transfer Mechanism” means an alternative Personal Data export solution that has been approved pursuant to applicable Data Protection Law. This can include Binding Corporate Rules, any new version of or successor to the SCCs, or an existing certification mechanism adopted pursuant to applicable Data Protection Law for the international transfer of Personal Data.
    5. Competent Supervisory Authority'' means (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. With respect to Personal Data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioner's Office. With respect to Personal Data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
    6. Controller" means the entity that determines as a legal person alone or jointly with others the purposes and means of the Processing of Personal Data. Unless otherwise specified, Controller or "data exporter" refers to Customer. 
    7. Customer”, as used on this DPA, shall include Customer (as defined in the Agreement) and its Data Controller Affiliates.
    8. Customer Personal Data” means Personal Data within Customer Data submitted to Datagrid for Processing in connection with the Services pursuant to the Agreement.
    9. Data Controller Affiliates” means any of Customer's Affiliates that have not signed or otherwise accepted their own Order with Datagrid and therefore would not be a "customer" as defined under the Agreement but is an entity which is: (i) subject to Data Protection Law; and (ii) permitted to use the Datagrid Services pursuant to the Agreement between Customer and Datagrid.  For the avoidance of doubt, no third-party beneficiaries are intended.
    10. Data Protection Law” means any data protection and privacy laws and regulations that are applicable to the processing of Customer Personal Data by Datagrid, including, where applicable, the laws listed in Datagrid’s Jurisdiction Specific Terms, as may be amended, superseded or replaced from time to time. Data Protection Law includes (without limitation) i) any federal or state data protection laws in effect and applicable to Datagrid’s Processing of Customer Personal Data in the United States (including The California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. as amended by the California Privacy Rights Act), ii) the GDPR, and ii) the UK GDPR.
    11. Data Subject” means the identified or identifiable person to whom Customer Personal Data relates.
    12. Documented Instructions” has the meaning ascribed in Subsection 2.1 of this DPA.
    13. GDPR " means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing of Directive 95/46/EC (General Data Protection Regulation).
    14. including” and its derivatives mean “including but not limited to.”
    15. Losses” means any and all losses, damages, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, expert witness fees, settlement amounts, and the costs of enforcing any right to indemnification hereunder and the cost of pursuing any insurance providers.
    16. “Personal Data” means any data that relates to an identified or identifiable natural person, to the extent that such information is protected under applicable Data Protection Law.
    17. Personal Data Breach” means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by Datagrid or Datagrid’s Subprocessors.
    18. Datagrid Indemnitee” shall have the meaning ascribed to it in Section 10, above.
    19. “Processing” (unless defined differently under applicable Data Protection Law) means any operation or set of operations which is performed upon Personal Data, manually or automatically, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. 
    20. “Processor” means an entity which Processes Personal Data on behalf of the Controller pursuant to the Agreement. Processor or "data importer" in this DPA refers to Datagrid.
    21. Public Authority Request” means a government agency or law enforcement authority, including a judicial authority request for information. 
    22. Services” means Datagrid’s services as set forth in the Agreement.
    23. "Standard Contractual Clauses" or “SCCs” means : (i) where the GDPR applies the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the "EU SCCs"); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant  to Article 46(2)(c) or (d) of the UK GDPR (the "UK SCCs"); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner ("FDPIC")(the "Swiss SCCs"). 
    24. "Subprocessor" means any Processor engaged by Datagrid to assist in processing Customer Personal Data in connection with the Services per Customer’s Documented Instructions under the terms of the Agreement and this DPA.  Subprocessors may include Datagrid’s Affiliates, but shall exclude Datagrid employees, contractors, and consultants.  
    25. "UK GDPR" means the UK General Data Protection Regulation, as retained in UK law by the European Union (Withdrawal) Act 2018 and renamed by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 and the UK's Data Protection Act 2018.

Appendix A – List of Datagrid Subprocessors

Name Nature/Description of Processing Subject of Processing / Customer Personal Data Country of Processing
Amazon Web Services Cloud infrastructure, RDS Instances (user/customer data), GuardDuty (vulnerability monitoring), Secrets Manager (credentials), CloudWatch (log data, monitoring), S3 (data persistence, backups), Analytics (customer activity assessment) i.e.: Authorized User Identifiers, Internet and Network Activity Data, other Personal Data that Customer or its Authorized Users elect to submit to the Services United States
Google, LLC Large Language Model and AI services, Google Cloud Storage (blobs, files), Kubernetes (monitoring services), Big Query (datasets), Vertex AI (AI platform monitoring) i.e.: Authorized User Identifiers, Internet and Network Activity Data, other Personal Data that Customer or its Authorized Users elect to submit to the Services United States*
Anthropic Large Language Model and AI services i.e.: Authorized User Identifiers, Internet and Network Activity Data, other Personal Data that Customer or its Authorized Users elect to submit to the Services United States
OpenAI Large Language Model and AI services i.e.: Authorized User Identifiers, Internet and Network Activity Data, other Personal Data that Customer or its Authorized Users elect to submit to the Services United States
Stripe Billing subscription information, customer subscription and credit card payments i.e.: Authorized User Identifiers, Internet and Network Activity Data, Credit Card Processing Data as processed by Stripe United States*
Sentry Application Performance and error monitoring i.e.: Authorized User Identifiers, Internet and Network Activity Data and Identifiers based on error United States
Github Codebase & CICD/Pipeline, Dependabot (supply chain vulnerability scanning) i.e.: Authorized User Identifiers, Internet and Network Activity Data United States*
LaunchDarkly Feature flags i.e.: Authorized User Identifiers, Employment Data, Internet and Network Activity Data United States
Mixpanel Customer activity assessment in a product i.e.: Authorized User Identifiers, Internet and Network Activity Data United States
Zilliz Milvus (Vector store database) i.e.: Authorized User Identifiers, Internet and Network Activity Data, other Personal Data that Customer or its Authorized Users elect to submit to the Services United States

*Country of processing is the United States unless Datagrid’s services are accessed from outside of the applicable region in which case Customer traffic is processed globally at the data center applicable to the end user.

Appendix B – Security Measures and Controls

Datagrid will implement and maintain technical and organizational measures designed to secure Customer Data (including Customer Personal Data). Datagrid will maintain and follow a written information security program (including the adoption and enforcement of internal policies and procedures) designed to (i) help Customer secure Customer Data against accidental or unlawful loss, access or disclosure, (ii) identify reasonably foreseeable risks to Customer Data and unauthorized access to the Services,  (iii) minimize Customer Data risks, including through risk assessment and regular testing and iv) monitor, detect, and mitigate attacks or intrusions into Customer Data. Datagrid will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include the following Security Measures (as updated from time to time):

  1. Physical Access Controls:  Datagrid takes measures, such as security personnel and secured buildings, designed to (i) prevent unauthorized persons from gaining access to Customer Data, (ii) manage, monitor and log movement of persons into and out of Datagrid facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage. 
  2. System Access Controls:  Datagrid takes measures designed to prevent unauthorized use of Customer Data. These controls may vary based on the nature of the Processing undertaken and may include, among other controls, authentication via passwords and two-factor authentication, documented authorization processes, documented change management processes, logging of access on several levels, system audit or event logging, and related monitoring procedures to proactively record user access and system activity for routine review.
  3. Data Access Controls:  Datagrid takes measures designed to ensure that Customer Data is accessible and manageable only by properly authorized staff, direct database query access is restricted, and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Customer Data to which they have privilege of access, and that Customer Data cannot be read, copied, modified, or removed without authorization in the course of Processing.
  4. Access Policy: In addition to the access control rules set forth in Subsections 1-3 above, Datagrid implements an access policy under which access to its system environment, to Personal Data, and to other Customer Data is restricted to authorized personnel only.
  5. Input Controls: Datagrid takes measures to ensure that: (i) the Customer Data source is under the control of Customer; and (ii) Customer Data integrated into Datagrid’s systems is managed by secured file transfer from Customer and the Authorized User subject.
  6. Data Backup:  Datagrid ensures that backups are made on a regular basis, are secured, and are encrypted when storing data to protect against accidental destruction or loss when hosted by Datagrid. 
  7. Organizational Management: Datagrid maintains a dedicated staff responsible for the development, implementation, and maintenance of Datagrid’s data privacy and information security programs.
  8. Audit: Datagrid maintains audit and risk assessment procedures for the purposes of periodic review and assessment of risks to the organization, monitoring and maintaining compliance, and reporting the condition of its information security and compliance to senior internal management.
  9. Policies: Datagrid maintains data protection and information security policies and makes sure that policies and measures are regularly reviewed and where necessary, improve them.
  10. Integration: Datagrid communicates with Customer applications utilizing cryptographic protocols such as TLS 1.2 or above to protect information in transit over public networks. At the network edge, stateful firewalls, web application firewalls, and DDoS protection are used to filter attacks. Within the internal network, applications follow a multi-tiered model which provides the ability to apply security controls between each layer.
  11. Operations: Datagrid maintains operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal. or release from Controller possession.
  12. Incident Response: Datagrid maintains incident procedures designed to investigate, respond to, mitigate and notify of events related to Customer’s data. or information assets. A dedicated network operations and security operations staff performs rapid monitoring and response capabilities to address alerts. 
  13. Network Security: Datagrid engages in network security controls such as providing for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
  14. Risk Management: Datagrid utilizes vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
  15. Business Continuity: Datagrid maintains business resiliency/continuity and disaster recovery procedures, as appropriate, designed to maintain service and/or recovery from foreseeable emergency situations or disasters. Testing is performed to evaluate the plans and recovery capabilities.

Additional information: For additional information on Datagrid’s security measures and compliance please refer to the information made available and updated periodically at the following link: https://www.datagrid.com/data-security-standards.

Appendix C – Annexes to the Standard Contractual Clauses

ANNEX I 

A. List of Parties

Data exporter(s): 

Name: The entity identified as “Customer” in the Agreement. 

Address: The address for Customer specified in the Agreement. 

Contact person’s name, position and contact details: The contact details associated with Customer’s account, or as otherwise specified in the DPA or the Agreement. 

Activities relevant to the data transferred under these Clauses: The activities specified in Section 1.2 of the DPA. 

Role (controller / processor): Controller 

Data importer(s): 

Name: Datagrid AI, Inc.

Address: 6309 Carpinteria Ave., Carpinteria, CA 93013, United States

Contact person’s name, position and contact details: Chief Legal Officer, legalnotice@procore.com      

Activities relevant to the data transferred under these Clauses: The Services as described in the Agreement.          

Role (controller / processor): Processor

B. DESCRIPTION OF TRANSFER

MODULE TWO: Transfer Controller to Processor

Categories of Data Subjects whose Personal Data is transferred/Processed

The Personal Data transferred/Processed concern the following categories of Data Subjects:

  • Authorized Users as defined in the Subscription Services Agreement.
  • Customers’ employees, contractors, suppliers, or other third parties whose Personal Data is uploaded by the data importer for use in connection with the Services.  

Categories of personal data transferred/Processed

The Personal Data transferred/Processed concern the following categories of data:

Customer Personal Data as defined in the DPA.  It includes: 

  • Identifiers (contact detail including name, email, phone number  and addresses); 
  • Employment Data (professional data, contact details, hours worked, site access);
  • IT Data (IP addresses, browser type, language preferences, cookies data);
  • Geolocation Data (such as region, country, state, postal code, or location information derived from IP addresses or GPS);
  • Other data Controller elects to upload to Processor’s system.

Datagrid does not knowingly process Sensitive Data, as defined by applicable law, on behalf of the Controller.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

  • Continuous basis as needed for performance of Services and throughout the Subscription Term until the DPA’s Termination Date, provided that the data protection obligations of the DPA and the SCCs shall continue to apply for so long as the data importer processes Customer Personal Data.

Nature of the processing

  • Personal data is processed by Datagrid in connection with the Services under the Agreement and/or any applicable Order. 

Purpose(s) of the data transfer and further Processing

  • Datagrid will Process Personal Data as necessary to perform Services pursuant to the Agreement and/or any applicable Order and/or as further specified by Controller’s lawful Documented Instructions.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period.

  • For the duration of the Subscription Term as defined in the Agreement, pursuant to the terms stated in the DPA, unless otherwise required by applicable law. 

For transfers to Subprocessors, also specify subject matter, nature, and duration of the Processing.

  • Datagrid uses its Affiliates and a range of third party Subprocessors to assist in providing the Services.  These Subprocessors provide cloud hosting and storage services; content delivery and analytic services; assist in providing customer support; as well as incident tracking, response, diagnosis and resolution services. The Processing activity will take place during the Subscription Term, unless otherwise required in accordance with the DPA and/or applicable laws or regulations.
  • Personal Data transfers to Subprocessors are based upon Standard Contractual Clauses unless an Alternative Transfer Mechanism is in place.

Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13 of the Module 2 SCC:

  •  Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority. 
  • Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as the competent supervisory authority. 
  • Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: Irish Data Protection Commission - 21 FITZWILLIAM SQUARE SOUTH, DUBLIN 2, D02 RD28, IRELAND
  •  shall act as the competent supervisory authority. 
  • Where the data exporter is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws and Regulations, the Information Commissioner's Office shall act as the competent supervisory authority. 
  • Where the data exporter is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws and Regulations, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations. 

ANNEX II - TECHNICAL AND ORGANIZATIONAL MEASURES

Description of the technical and organizational measures implemented by Datagrid (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons. 

  • Please see Appendix B to the DPA. 

Transfers to Subprocessors: For transfers to subprocessors, also describe the specific technical and organisational measures to be taken by the subprocessor to be able to provide assistance to the controller and, for transfers from a processor to a subprocessor, to the data exporter.

  • Please see Appendix B to the DPA.
  • For additional information on assistance with rights to the Controller and with transfer measures, please see Annex III - Subprocessors.

ANNEX III - SUBPROCESSORS

This Annex III to the Standard Contractual Clauses sets out the Subprocessors’ Processing of Personal Data under the Agreement.

  • Please see Appendix A in DPA.