Data Processing Addendum
September 24, 2025
This Data Processing Addendum (together with its annexes, this "DPA") supplements and forms part of the Software-as-a-Service Agreement between PathBuilder LLC ("PathBuilder") and Customer for PathBuilder's provision of its Services to such Customer (the "Agreement").
1. Definitions
Capitalized terms used in this DPA have the meanings given below or, if not defined in this DPA, have the meanings given in the Agreement.
- "CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the "CPRA"), and any binding regulations promulgated thereunder.
- "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- "Customer Personal Data" means any Customer Data that constitutes Personal Data.
- "Data Protection Laws" means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Customer Personal Data under the Agreement.
- "Personal Data" means "personal data," "personal information," or information within the scope of similar terms defined in Data Protection Laws.
- "Processor" means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.
- "Subprocessor" means any third party engaged directly or indirectly by or on behalf of PathBuilder to Process Customer Personal Data.
2. Scope of this Data Processing Addendum
The Parties acknowledge and agree that Annex 1 (Data Processing Details) to this DPA describes the details of PathBuilder's Processing of Customer Personal Data. The terms of this DPA apply solely with respect to PathBuilder's Processing of Customer Personal Data subject to the GDPR, the CCPA or other Data Protection Laws requiring data protection terms to be included in contracts between Customer and its Processors or Service Providers.
3. Processing of Customer Personal Data
PathBuilder shall Process Customer Personal Data only according to Customer's instructions or as required by applicable laws. Customer instructs PathBuilder to Process Customer Personal Data to provide the Services and as authorized by the Agreement. Where PathBuilder receives an instruction from Customer that, in its reasonable opinion, infringes Data Protection Laws, PathBuilder shall notify Customer.
4. PathBuilder Personnel
PathBuilder shall ensure that all PathBuilder personnel who access Customer Personal Data are subject to contractual or other legal duties of confidentiality with respect to such Customer Personal Data.
5. Security
The technical, organizational, and physical measures that PathBuilder maintains pursuant to the Agreement to protect Customer Personal Data (the "Security Measures") shall include the measures described in Annex 3 (Security Measures) of this DPA and any other security measures as PathBuilder is required to maintain under Data Protection Laws. PathBuilder may update the Security Measures from time to time provided such updates do not materially decrease the overall protection of Customer Personal Data.
6. Data Subject Requests
Customer is solely responsible for responding to Data Subject Requests. Taking into account the nature of the Processing of Customer Personal Data, and employing appropriate technical and organizational measures, PathBuilder shall provide Customer with such assistance as Customer may reasonably request in writing to enable Customer to perform its obligations under Data Protection Laws to respond to Data Subject Requests.
7. Personal Data Breaches
PathBuilder shall notify Customer of a Personal Data Breach without undue delay after becoming aware of the occurrence thereof. Notification timelines run from PathBuilder's confirmation of a Personal Data Breach and will account for law enforcement or legal holds and the need to implement measures to contain and assess the incident.
8. Subprocessing
a. Authorization; Current Subprocessors
Customer generally authorizes PathBuilder to engage Subprocessors in accordance with this Section 8, including the following list of Subprocessors and their Effective Date:
- Stripe -- Effective Date 9/24/2025
- OpenAI -- Effective Date 9/24/2025
b. Requirements
PathBuilder shall enter into a written contract with each Subprocessor imposing on such Subprocessor data protection obligations at least as protective as those in this DPA with respect to Customer Personal Data to the extent applicable to the nature of the services such Subprocessor provides.
c. New Subprocessors
When PathBuilder engages any Subprocessor not listed as a Subprocessor, PathBuilder shall notify Customer of the engagement via an updated policy. Upon a reasonable, data-protection-based objection, the Parties will in good faith (for up to 30 days) seek alternatives.
9. Compliance Assistance; Audits
a. Compliance assistance
Taking into account the nature of the Processing and the information available to PathBuilder, PathBuilder shall provide such information and assistance as Customer may reasonably request to enable Customer to perform its obligations under Data Protection Laws.
b. Information and audits
PathBuilder shall cooperate with audits (including inspections) of PathBuilder's technical and organizational measures to verify compliance with Customer's obligations under Data Protection Laws and PathBuilder's compliance with this DPA, provided that such audits shall be performed at Customer's sole cost and expense.
c. Audit reports
If the controls or measures to be assessed in the requested audit are assessed in an audit performed by a qualified and independent third-party auditor within twelve (12) months of Customer's audit request, Customer agrees to accept the auditor's report in lieu of requiring an audit of such controls or measures.
10. Return and Deletion
Upon expiration or earlier termination of the Agreement, PathBuilder shall return and/or delete all Customer Personal Data in PathBuilder's care, custody, or control in accordance with Customer's instructions as to the post-termination return and deletion of Customer Data expressed in the Agreement.
11. Customer Responsibilities
a. Security
Customer is solely responsible for its use of the Services, including making appropriate use of the Services to maintain a level of security appropriate to the risk posed to Customer Data.
b. Legal basis
Customer will not instruct PathBuilder to Process Customer Data in violation of Data Protection Laws. Customer shall ensure that there is a valid legal basis for PathBuilder's Processing of Customer Personal Data.
c. Prohibited data
Customer acknowledges that the Services are not designed to comply with the Health Insurance Portability and Accountability Act (HIPAA), and shall ensure that Customer Personal Data does not contain any "protected health information" as defined in HIPAA.
Annex 1 - Data Processing Details
Customer / Data Exporter Details
- Name: As provided in the Agreement or applicable ordering document
- Contact details: As provided in the Agreement or applicable ordering document
- Role: Controller
PathBuilder / Data Importer Details
- Name: PathBuilderApp, Inc.
- Contact: PathBuilder LLC, c/o Lisa Hagenauer, Hagenauer Law (Registered Agent), 230 Fulton Street East, Grand Rapids, Michigan 49503, help@pathbuilderapp.com
- Activities: PathBuilder is an employee development hub
- Role: Processor
Details of Processing
- Categories of Data Subjects: Customer's personnel, customers, service providers, business partners and affiliates
- Categories of Personal Data: Contact details, communications, and other categories of personal data that users choose to submit to the Services
- Frequency of transfer: Continuous
- Nature of the Processing: Processing operations required to provide the Services in accordance with the Agreement
- Purpose of the Processing: Provide the Services as described in the Agreement
- Duration: Concurrent with term of the Agreement and thereafter pursuant to Section 10 of the DPA
Annex 2 - California Annex
This Annex applies only to PathBuilder's Processing of Personal Data subject to the CCPA.
It is the Parties' intent that PathBuilder is a Service Provider with respect to its Processing of Personal Information. PathBuilder shall not:
- Sell or Share Personal Information
- Retain, use, or disclose any Personal Information for any purpose other than for the Business Purposes specified in the Agreement
- Retain, use or disclose Personal Information outside of the direct business relationship between PathBuilder and Customer
- Combine Personal Information received pursuant to the Agreement with Personal Information received from or on behalf of another person
Annex 3 - Security Measures
Measures of pseudonymization and encryption
Customer Personal Data is encrypted both in transit and at rest. In transit, PathBuilder uses TLS 1.2 or greater for data encryption. At rest, PathBuilder leverages Amazon Web Services (AWS) to store data, which allows for data to be encrypted at rest using RDS, EBS, and S3.
Measures for ongoing confidentiality, integrity, availability and resilience
PathBuilder encrypts Customer Personal Data and employs identity and access management designed to protect it. Code changes undergo a second code review and are tested in a staging environment before deploying to production.
Measures for restoring availability and access
PathBuilder performs daily backups using an automated system in AWS. Datastores are retained for 7 days. Backup data is also stored in a separate physical location allowing recovery in the event of a physical or technical incident.
Measures for physical security
Customer Personal Data is processed on PathBuilder-owned systems at a secure colocation facility. Physical access to PathBuilder's location is strictly controlled with keycards and security guards at the building entrances.
Measures for data minimization
Customers determine what Customer Data will be submitted to the PathBuilder Service. PathBuilder will inform the Customer if certain data must be provided.
Measures for data portability and erasure
PathBuilder allows Customers to obtain Customer Personal Data in a structured, commonly used and machine-readable format. Customers can ask PathBuilder to delete their Customer Data as described in the Data Processing Addendum and such requests generally will be processed within 30 days.