

Data Processing Agreement

Effective May 7, 2026 · Version 0.1

This Data Processing Agreement ("DPA") supplements the Terms of Service between CoordOS, Inc. ("CoordOS," the "Processor") and the customer accepting these Terms ("Customer," the "Controller"). This DPA governs the processing of Personal Data by CoordOS on Customer's behalf in connection with the CoordOS service.

In case of conflict between the Terms of Service and this DPA, this DPA prevails for matters concerning Personal Data.

1. Definitions

Terms used in this DPA have the meaning given in the GDPR, the UK Data Protection Act 2018, and applicable US state privacy laws. Specifically:

  • "Personal Data" has the meaning under GDPR Article 4(1) (or equivalent in the applicable jurisdiction).
  • "Processing" has the meaning under GDPR Article 4(2).
  • "Sub-processor" means any third party engaged by Processor to process Personal Data on behalf of Controller.
  • "Sub-processor List" means the public list at coordos.ai/security/sub-processors.
  • "Standard Contractual Clauses" or "SCCs" means the EU 2021 SCCs (Implementing Decision (EU) 2021/914), specifically Module 2 (Controller to Processor).
  • "Personal Data Breach" has the meaning under GDPR Article 4(12).

2. Roles and scope

  • Customer is the Controller of Personal Data processed via the service.
  • CoordOS is the Processor acting on Customer's documented instructions.
  • Customer's instructions are: (a) the Terms of Service, (b) this DPA, (c) Customer's configuration in the portal, and (d) lawful written instructions Customer sends to support@coordos.ai.
  • CoordOS will not process Personal Data for any other purpose without Customer's prior written consent, except where required by law.

3. Subject matter, nature, duration, types of data

  • Subject matter: Provision of the CoordOS service
  • Duration: Term of the Terms of Service plus retention periods specified in Section 12
  • Nature of processing: Reading, organizing, classifying, summarizing, and acting on (with Customer's signed approval) financial, operational, and communications data
  • Purpose: Operating the service Customer subscribed to
  • Categories of data subjects: Customer's employees, contractors, vendors, end-customers, and other counterparties who appear in Customer's connected services
  • Categories of Personal Data: Names, email addresses, phone numbers, postal addresses, role/title, employment information, financial information (bills, invoices, payment history, account balances), communications content (with Customer's authorization), photographs (project photos uploaded to Drive)
  • Special categories: None expected; Customer agrees not to use the service to process Special Categories of Personal Data (Article 9) without prior written agreement

4. Customer's responsibilities

Customer:

  • Has and maintains a lawful basis (GDPR Article 6) for processing Personal Data through the service
  • Has provided required notices to data subjects per applicable law
  • Will respond to data subject requests it receives, with CoordOS's reasonable assistance per Section 9
  • Will not transmit Special Categories of Personal Data through the service without prior agreement
  • Is responsible for the accuracy and lawfulness of the data processed through the service

5. CoordOS's responsibilities

CoordOS:

  • Processes Personal Data only on Customer's documented instructions
  • Ensures personnel are bound by confidentiality
  • Implements appropriate technical and organizational measures (Annex II below)
  • Engages Sub-processors only per Section 7
  • Assists Customer per Sections 8 and 9
  • Notifies Customer of Personal Data Breaches per Section 10
  • At termination, deletes or returns Personal Data per Section 12
  • Makes available information necessary to demonstrate compliance and allows audits per Section 11

6. Confidentiality

CoordOS personnel and Sub-processors handling Personal Data are subject to confidentiality obligations equivalent to or stronger than this DPA.

7. Sub-processors

CoordOS uses Sub-processors to provide the service. The current list is published at coordos.ai/security/sub-processors with vendor name, processing purpose, and processing location.

General authorization: Customer authorizes CoordOS to engage the Sub-processors listed at the effective date of this DPA, and to engage new Sub-processors per the change procedure below.

Change procedure:

  • CoordOS will notify Customer at least 30 days before adding or replacing a Sub-processor.
  • Customer may object by emailing privacy@coordos.ai within 30 days. If Customer objects on reasonable data-protection grounds, CoordOS will work in good faith to provide an alternative or, if no alternative is available, Customer may terminate the Terms of Service for the affected portion of the service and receive a pro-rated refund.

Sub-processor obligations: CoordOS imposes data-protection terms on each Sub-processor that are no less protective than those in this DPA, including the Sub-processor's GDPR Article 28(3) obligations and SCCs where applicable.

CoordOS remains responsible for Sub-processor performance to the same extent as if performing directly.

8. Assistance with controller obligations

CoordOS will, taking into account the nature of processing, assist Customer with:

  • Implementing appropriate technical and organizational measures to ensure Customer's compliance (Article 32)
  • Conducting Data Protection Impact Assessments where required (Article 35)
  • Consulting with supervisory authorities where required (Article 36)
  • Responding to data subject requests (Articles 12-22), including providing the data export and deletion endpoints described in the Privacy Policy

CoordOS may charge reasonable costs for assistance that exceeds standard service operations and that requires custom engineering work.

9. Data subject requests

If CoordOS receives a data subject request directly:

  • For an active Customer's data subject: CoordOS will direct the requestor to Customer (the Controller) and notify Customer of the request without undue delay.
  • CoordOS will not respond directly to data subject requests, other than to acknowledge receipt and direct the requestor to the Controller, except where legally required.

CoordOS provides Customer with self-service tools for export (app.coordos.ai/admin/export) and deletion (/disconnect) covering most data subject requests.

10. Personal Data Breach notification

CoordOS will notify Customer of a confirmed Personal Data Breach without undue delay and in any event within 72 hours of becoming aware. Notification will include, to the extent known: nature of the breach; categories and approximate number of data subjects affected; categories and approximate number of records affected; likely consequences; measures taken or proposed; contact for further information.

CoordOS will not notify Customer of unsuccessful attacks, port scans, or other events that did not result in unauthorized access to Personal Data.

11. Audits and records

CoordOS makes available the following on Customer's request (limited to once per twelve months unless a regulator requires more):

  • The current version of CoordOS's SOC 2 Type II report (or equivalent), once available
  • A summary of penetration testing results (under NDA)
  • Information from CoordOS's records sufficient to demonstrate compliance with this DPA
  • Reasonable answers to Customer's vendor security questionnaire

On-site audit: if Customer reasonably believes the above is insufficient, Customer may, with at least 30 days' prior written notice and at Customer's expense, conduct an on-site audit of CoordOS's processing of Customer's Personal Data, limited to once per twelve months. The audit will be conducted during business hours, will not unreasonably interfere with operations, will be subject to confidentiality, will not include access to other customers' data, source code, or sensitive security materials, and may be conducted by a mutually agreed independent auditor.

If the audit identifies material non-compliance, CoordOS will remediate at its expense within a reasonable time.

12. Return and deletion at termination

On termination of the Terms of Service:

  • Day 0: OAuth access tokens revoked at third-party providers; agent activity stops in Customer's tenant.
  • Days 0–30: Customer may export Personal Data via the self-service export endpoint.
  • Day 30: read-only access ends.
  • Day 90: CoordOS deletes Personal Data from operational systems, confirmed by an attestation email on Customer's request.
  • Audit log: retained 7 years per Privacy Policy Section 7; contains event metadata only, no document content; tenant identifier hashed.
  • Anonymous pattern library: Customer's contributions remain aggregated under k-anonymity ≥10, in non-identifiable form.
  • Customer's Drive contents: untouched. Customer keeps them.

Customer may request earlier deletion by emailing privacy@coordos.ai with subject Erasure Request.

13. International transfers

If Personal Data is transferred from the EEA, UK, or Switzerland to a country lacking an adequacy decision:

  • The EU 2021 SCCs Module 2 (Controller to Processor) are incorporated into this DPA by reference and apply to such transfers.
  • For UK transfers, the UK International Data Transfer Addendum to the EU SCCs applies.
  • For Swiss transfers, Customer and CoordOS rely on the Swiss FDPIC's recognized SCCs.
  • Where Sub-processors are outside the EEA/UK/Switzerland, CoordOS has signed equivalent SCC arrangements.

In case of conflict between this DPA and the SCCs, the SCCs prevail for transfers from the EEA, UK, or Switzerland.

SCC Annexes (incorporated):

  • Annex I.A — List of Parties: Customer (data exporter / Controller), CoordOS, Inc. (data importer / Processor). Contact details: as in the Terms of Service and Section 19 below.
  • Annex I.B — Description of Transfer: see Section 3 of this DPA.
  • Annex I.C — Competent supervisory authority: the competent authority of the EU member state where Customer is established, or the ICO for the UK.
  • Annex II — Technical and Organisational Measures: below.
  • Annex III — List of Sub-processors: the Sub-processor List page.

14. Liability

Liability under this DPA is governed by the limitation-of-liability clause in the Terms of Service, except: the cap does not limit either party's obligations under the SCCs to data subjects who are third-party beneficiaries; the cap does not limit liability arising from a party's gross negligence, willful misconduct, or breach of confidentiality.

15. Term

This DPA is effective from the date of acceptance and remains in force as long as CoordOS processes Personal Data on Customer's behalf, plus the post-termination obligations in Section 12.

16. Modifications

CoordOS may update this DPA to reflect changes in law, regulation, certifications, or service architecture. Material changes will be notified at least 30 days in advance. Non-material changes may be made without notice.

17. Governing law

This DPA is governed by the law specified in the Terms of Service, except where SCCs or local law requires otherwise.

18. Order of precedence

  1. SCCs (for cross-border transfers)
  2. This DPA
  3. The Terms of Service
  4. Sub-processor List
  5. Privacy Policy

19. Contact

  • Privacy questions: privacy@coordos.ai
  • Security incidents: security@coordos.ai
  • Postal: CoordOS, Inc., Wilmington, DE, USA
  • EU representative: appointed under GDPR Article 27 before our first EU customer signs

Annex II — Technical and Organizational Measures

Pseudonymization and encryption

  • TLS 1.3 in transit
  • AES-256 at rest
  • Per-tenant Customer-Managed Encryption Keys (CMEK) for OAuth refresh tokens, in Google Cloud KMS
  • KMS-signed approval batches for every write to Customer's connected services
  • Tenant identifiers hashed in long-term audit storage

Confidentiality, integrity, availability, resilience

  • Multi-tenant architecture with strict per-tenant data isolation enforced by Firestore security rules + per-tenant service accounts + per-tenant encryption keys
  • Container-per-tenant on Google Cloud Run
  • VPC Service Controls perimeter restricting egress
  • Daily automated backups; point-in-time recovery for 30 days
  • Multi-region replication for hot data

Restoration

  • Documented incident response runbook (in progress)
  • Tested backup restoration quarterly
  • Recovery Time Objective: 4 hours for portal availability; 24 hours for full service
  • Recovery Point Objective: 1 hour

Testing and assessment

  • Annual penetration testing (first test 2026 Q3)
  • Continuous vulnerability scanning (Dependabot, container scanning)
  • SOC 2 Type II audit in progress; expected report 2027
  • Quarterly internal security reviews

Access controls

  • Identity Platform with optional MFA for Customer accounts
  • Zero standing production access for CoordOS staff; production changes via PR review and automated deploy only
  • Break-glass access logged and alerted to PagerDuty
  • Strict role-based access controls; least-privilege principle
  • Annual access reviews

Authentication, data minimization, retention, accountability, portability

  • Identity Platform OAuth, optional MFA, SSO available on Business tier
  • We read only the data scopes Customer authorizes (default: drive.file for Drive)
  • We do not replicate QuickBooks data into our database; we read live via MCP
  • Pattern library aggregates only non-identifiable, k-anonymized data
  • Customer can correct learnings + phonebook entries directly in their Drive _system/ folder
  • Append-only audit ledger in BigQuery, 7-year retention
  • Self-service export at app.coordos.ai/admin/export (JSON + CSV)
  • Self-service deletion via account cancellation flow; sub-processor-level erasure within 90 days