Version 1, effective as of 1 January 2024

IMPORTANT

PLEASE READ THIS AGREEMENT CAREFULLY.

BY PLACING YOUR ORDER FOR THE BIMCLOUD SAAS SUBSCRIPTION, YOU, AS THE USER, ACKNOWLEDGE AND ACCEPT THE PROVISIONS OF THIS DATA PROCESSING AGREEMENT.

Data Processing Agreement

 for data processing related to the BIMcloud SaaS service

1. Contractual background

The purpose of this Agreement is to set out the data protection rights and obligations of Graphisoft SE (registered address: 1031 Budapest (GRAPHISOFT Park), Záhony u 7.; registered under registration number Cg. 01-20-000001; hereinafter referred to as "Data Processor" or "Processor") and of the Customers and the Customer's authorized users (hereinafter referred to collectively as "User" or "Data Controller" or "Controller") using the "Services" as defined in the Software License Agreement, BIMcloud EULA, Work From Home Webshop – Terms of Service, and Graphisoft Store – Terms of Service (hereinafter referred to as "Principal Agreement"), collectively referred to as "Parties".

On the basis of the Principal Agreement, the Parties have contracted for services which involve the processing of personal data as referred to at Annex A of this Agreement. When processing personal data, User acts as Data Controller, Graphisoft SE acts as Data Processor.

In order to protect the personal data of data subjects, to maintain trust of users, and to comply effectively with the legal requirements of data protection, the Contracting Parties define the requirements for processing of personal data by the Processor as follows.

2. General Terms and Conditions for Data Processing

In respect of all personal data processed on behalf of Controller the Processor undertakes to process such personal data solely to the extent strictly necessary for the purposes of the Principal Agreement in accordance with Article 28 GDPR and as defined under Annex A of this Agreement.

The Processor shall not process these personal data for any other purpose, especially for its own purposes. In particular Processor shall not include personal data in any of its own products or services or in products or services offered to third parties.

The Processor shall keep and process personal data entrusted to it separately from other personal data processed on behalf of other controllers.

3. Definitions

Terms used in this Agreement that are not defined below, and do not contradict the definitions below, shall be understood as defined in the Principal Agreement.

3.1. “Personal data” means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


3.2. "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3.3. "GDPR" means the EU General Data Protection Regulation 2016/679.

3.4. "User data" means the information or content qualifying as Personal data that the Controller may create using BIMcloud SaaS in any form, which shall be stored in the cloud service. User data may be, for example, the names and addresses of the User's clients.

3.5. "Principal Agreement" means the service contract stipulated between the Contracting Parties, under which the Processor processes personal data on behalf of the Controller. The service contract includes the contractual documents related to the BIMcloud SaaS service available on Graphisoft's website (Software License Agreement, BIMcloud EULA, Work From Home Webshop – Terms of Service, Graphisoft Store – Terms of Service, etc.).

3.6. "Obligatory security measures" means the technical and organisational measures which the Processor undertakes to implement, as defined in Annex D of this Agreement.

3.7. "Standard Contractual Clauses" means the COMMISSION IMPLEMENTING DECISION (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter "SCC").

For terms not defined above, the definitions in the GDPR apply.

4. Data processing compliance with legislation, responsibility

4.1. Processor undertakes to comply with all applicable data protection laws, in particular the GDPR, for data processing covered by this Agreement. The Parties agree that the Processor shall be liable to compensate any damage caused by the infringement of the applicable data protection laws only if and to the extent that a supervisory authority or a court of law determines the liability of the Processor, i.e. that the damage is attributable to the breach of the obligations of the Processor.

4.2. By accepting this Agreement, the Data Controller undertakes that, when using the software which is the subject of the service, the Controller shall be under a duty of care to ensure that the legal basis for the processing of personal data is appropriate and that the processing is in accordance with the data protection principles.

4.3. By accepting this Agreement, the Data Controller declares that they will process all data lawfully in the course of using the software that is the subject of the service and that if they breach this obligation and thereby violate any data protection law or its legal relationship with any other party, Controller shall bear all liability arising therefrom, without any liability on the part of the Data Processor in this respect.

4.4. By accepting this Agreement, the Data Controller undertakes to be liable for any damage caused by its breach of the data protection rules or of the provisions of this Agreement.

5. Data processing on instructions from the Controller

5.1. The Processor shall process the personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless the Processor is required to do so by a law to which it is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information.

6. Obligatory security measures

6.1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing carried out during the implementation of the Principal Agreement, as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the Processor shall implement appropriate technical and organisational measures, in order to guarantee an adequate level of data security to the degree of risk.

The Processor shall take the minimum security measures specified in Annex D of this Agreement.

6.2. In assessing the appropriate level of security, the Processor shall take into account in particular the risks that are presented by the processing, especially from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

6.3. Taking into account the abovementioned, where appropriate, the Processor shall strive to ensure in particular:

- the pseudonymisation and encryption of personal data;

- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

7. Transfers of personal data outside the European Economic Area (EEA)

7.1. The Processor shall transfer personal data outside the European Economic Area solely on documented instructions or written permission from the Controller.

7.2. If the Processor transfers personal data to a third country which, according to a decision of the European Commission, does not ensure an adequate level of data protection, the Processor is obliged to inform the Controller of the appropriate safeguard under which the transfer of personal data is lawful.

7.3. The virtual servers running BIMcloud SaaS are activated on Google Cloud and operated by Google. The domain name services are provided by Amazon. In addition to the foregoing, the Processor uses the services of MongoDB, which is the database cluster provider. The physical servers are located both within and outside the European Union. The collected information and the content uploaded by the Controller, its registered administrator and all other users registered by the Controller when using BIMcloud SaaS are stored on servers used by the Processor located within and outside the European Union, and also in Google Cloud as described above. The Processor makes its best efforts to store the data linked to the User on server(s) located in the country identified during the purchase of the license, based on the partner code or the country indicated in the Controller's billing address. The aim of this selection is to provide the service to the User at the highest speed possible.

7.4. The Controller acknowledges that if a particular BIMcloud tenant is used by persons in different countries, including countries outside the EU, data may be transferred outside the EU. The Data Controller authorizes this transfer by accepting this contract.

7.5. In this Agreement, the Controller permits that the Processor uses Google Cloud, Amazon and MongoDB services in order to fulfil its obligations regarding the Principal Agreement. In these cases, personal data may be transferred outside the European Economic Area. Any such transfer is based on one of the mechanisms under Chapter V of the GDPR, either on an adequacy decision or on standard contractual clauses.

8. Confidentiality and secrecy

8.1. The Processor shall ensure that personal data are accessed only by persons for whom it is absolutely necessary for the performance of their duties under the Principal Agreement and Annex A of this Agreement.

8.2. The Processor shall take appropriate measures to ensure that any natural person acting under the authority of the Processor, who has access to personal data, does not process those data except on instructions from Controller.

8.3. The Processor also undertakes that any person acting under the authority of the Processor can only have access to the personal data if they have previously made a written commitment to confidentiality or are under an appropriate statutory obligation of confidentiality.

8.4. The Processor shall provide an adequate level of data protection training for persons involved in data processing operations and update their privacy awareness.

9. Engagement of subprocessors

9.1. The Processor shall not engage another processor (subprocessor) without prior specific or general written authorisation of the Controller. The Processor shall provide the Controller with appropriate information on the details of the data processor to be used.

The list of approved subprocessors used by the Processor shall be specified in Annex B of this Agreement.


9.2. Where the Processor engages a subprocessor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in the present Agreement shall be imposed on the subprocessor by way of a written contract. The subprocessor shall provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the present Agreement. Where the subprocessor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the subprocessor's obligations.

9.3. The Processor shall contract with the subprocessor in a way that in the event of a personal data breach caused by the actions of subprocessor, if requested by the Controller, the Controller may, under the subprocessor’s contract with the Processor, take all appropriate measures for the protection of personal data.

10. Cooperation with the Controller

10.1. The Processor shall process the personal data only on instructions of the Controller. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes any law.

10.2. Contracting Parties shall notify each other in writing within a reasonable timeframe of any significant changes related to any information in Annex A of this Agreement.

11. Exercising the rights of data subjects

11.1. The Data Controller is entitled and obliged to fulfil any of the data subject's rights under Chapter III of the GDPR. The Data Controller is responsible for responding to data subjects' requests in a timely manner. The Data Controller shall be entitled to use the assistance of the Processor in fulfilling the data subject's request, where the fulfilment of the data subject's request requires the use of the technical skills or capabilities of the Processor.

11.2. The Processor assists the Controller with appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Controller’s obligation to respond to requests by data subjects to exercise their rights, in particular the right to information, access, rectification, erasure, be forgotten, restriction, data portability, objection, and not to be subject to automated decision-making.

11.3. In order to exercise the abovementioned rights under the GDPR, the Processor shall in particular take appropriate technical and organisational measures.

11.4. The Processor complies with the obligation laid down in this section via the following contact point: privacy@graphisoft.com

11.5. On request from Controller, the Processor shall respond in writing within one month. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

11.6. Processor shall promptly notify Controller if it receives a request directly from a data subject. The Processor is not authorised to give information about the data processing directly to the data subjects.

12. Dealing with personal data breaches

12.1. A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.

12.2. The Processor undertakes to provide an adequate level of data protection training for persons involved in data processing operations and to regularly keep their knowledge on data protection requirements up to date.


12.3. The Processor shall take appropriate technical and organisational measures to avoid personal data breaches, to be able to detect them without undue delay and to determine their severity, and to be able to notify the Controller about personal data breaches promptly and without undue delay after becoming aware of them.

Where the information is available, the Processor’s notification shall at least:

a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

c) describe the likely consequences of the personal data breach;

d) describe the measures taken or proposed to be taken by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;

e) describe the measures by which the data subjects concerned can themselves mitigate the risks arising from the personal data breach.

12.4. If it is not possible to provide all such information at the same time, Processor’s initial notification will contain the information then available and further information will be provided without undue delay as it becomes available.

12.5. The Processor’s obligation to report a Data Breach under this DPA is not and will not be construed as an acknowledgement by the Processor of any fault or liability of the Processor with respect to such Data Breach.

12.6. Without written authorisation from the Controller or any specific legislative provision the Processor shall not disclose any information to anyone – in particular to the data subjects, the press, or the National Data Protection Authority.

12.7. The Processor undertakes that, in the case of a personal data breach, if the Controller finds it necessary after the notification, the Processor shall without undue delay consult with the representatives of the Controller in order to mitigate the possible adverse effects or, where possible, to put an end to the personal data breach.

12.8. The Data Controller shall notify the National Data Protection Authority of any data breach relating to the software and the personal data stored in the software that is the subject of the service, which poses a risk to the rights and freedoms of the data subjects, within the time limit set out in Article 33(1) of the GDPR.

Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller is under an obligation to inform the data subjects of the occurrence of the personal data breach and its main circumstances. The Data Controller is solely responsible for the fulfilment of all these obligations.

13. Data Protection Impact Assessment

13.1. Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment shall be carried out. The Controller is responsible for the carrying out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. Before starting to process data, the Processor shall make all necessary information available to the Controller to perform the data protection impact assessment at an appropriate level.

14. Audit

14.1. In order to demonstrate compliance with this Agreement, the Processor shall allow for and contribute to audits. In the course of the audit, the Processor shall provide all the information necessary for the audit to assess the data protection compliance of the operation. The Controller shall notify the Processor of the audit at least 3 months before starting it.

14.2. Instead of the audit conducted by the Controller, at the choice of the Controller, the Processor’s processing activity can also be verified by an external auditor mandated by the Controller. In this case the Processor shall cooperate similarly with the external auditor.


14.3. Neither the audit performed by Controller, nor the external audit performed by a third party shall interfere unnecessarily with the operation of the Processor.

14.4. The expenses of the audit are borne by the Controller.

15. Erasure and return of the data

15.1. After the completion of the processing on behalf of the Controller, the Processor should, at the choice of the Controller, return or delete all personal data and their copies, unless there is a requirement to store the personal data under a law to which the Processor is subject, or where the Processor has another adequate purpose and legal basis for further processing the data.

Annex A. Records of processing activities performed by the Processor

The subject matter of the data processing

1. Concluding and performing the Principal Agreement:

The Processor provides BIMcloud software as a service to the Controller as defined in the Principal Agreement, which is a cloud service hosted by the Processor. BIMcloud SaaS solution allows Users in different locations to work together on the same project, share and access contents in real time. During the use of BIMcloud SaaS, Users may create information and content qualifying as Personal data in different forms, which Personal data shall be stored in the cloud service hosted by the Processor.

2. Providing support services:

In addition to the cloud service, the Processor may, at the User's request, provide technical support to the User. When providing technical support, the Processor receives direct reports from the User, offers possible troubleshooting procedures to the User to resolve the issue or narrow it down to a specific area, and identifies the source of the issue.

3. Other processing:

When the Processor processes personal data for the purpose of improving its services or taking action in the event of a breach of the Terms of Service, Graphisoft SE acts as Data Controller. When processing data for billing and contact purposes, Graphisoft SE acts as Data Controller as well.

The period of the data processing

1. Concluding and performing the Principal Agreement:

Processor will retain User Data that remains stored in online services in a limited function account for 2 weeks after expiration or termination of the Principal Agreement, so that Controller may extract the data. Processor deletes all data from its servers within a month, while data stored on Google Cloud are deleted within 2 months after the expiration.

2. Providing support services:

Most data, i.e. data relating to projects (e.g. project name, size, version), is processed until the problem is solved. Data in error tickets (username, e-mail address) are retained for as long as the error information may be necessary for solving future errors, but for a maximum of 5 years.

The nature and purpose of the data processing

1. Concluding and performing the Principal Agreement:

The Processor processes (collects, stores, uses) personal data in order to enter into the contract and to be able to perform the services (provide BIMcloud SaaS to the Users and authorization for the usage of the software).

2. Providing support services:

The Processor processes (collects, stores, uses) personal data in order to provide technical support to the User and to identify and resolve the issue.

Type of the personal data

1. Concluding and performing the Principal Agreement:

2. Providing support services:

Categories of the data subjects

Users of the software

Obligations of the Controller

The Data Controller is obliged to provide the data subjects - whose personal data is stored on the software that is the subject of the service - with the information required by Articles 13 and 14 of the GDPR. The Data Controller is solely responsible for the lawful performance of this obligation.

All Archicad project files uploaded by a registered user of the User together with any and all personal and non-personal information available in the uploaded files will be shared with all other registered users of the User. It is the User who remains fully liable for all content and sharing and any authorizations granted to its registered users.

The Controller determines and sets who has access to personal data processed in the system as follows: BIMcloud Administrator has full access to all BIMcloud controls, can create additional BIMcloud User Accounts on behalf of the Controller and assigns them roles and permissions, as appropriate, according to the Controller.

Obligations of the Processor

If access to, viewing or copying of personal data stored in the software is necessary for the performance of the service, the Processor shall be entitled to do so only on the basis of this agreement, in the case of support activities on the basis of the written or oral consent of the Controller. By accepting this contract, the Data Controller acknowledges that, in this respect, the Controller's electronic or verbal notification of an error shall also constitute an authorisation.

Annex B. List of the approved subprocessors

The Processor can engage the following subprocessors:

- Google Cloud: https://cloud.google.com/contact/

- Amazon: https://aws.amazon.com/contact-us/compliance-support/

- MongoDB, Inc., 1633 Broadway, 38th Floor, New York, NY 10019; privacy@mongodb.com

- 85-87 Bayham Street, Camden, London, NW1 0AG; info@10duke.com

Annex C. Data Protection Responsible

- Contact details of the Processor’s Data Protection Responsible:

privacy@graphisoft.com

Annex D. Obligatory security measures - Minimum technical and organisational security standards

The Processor provides reasonable administrative, technical, and physical security controls to protect personal information. All information processed is stored on secure servers. The Processor uses strict procedures and security features to try to prevent unauthorised access. The Processor has put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, Processor limits access to personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process personal data on the Processor’s instructions and they are subject to a duty of confidentiality.

Annex E. Standard Contractual Clauses

If You, as a User are situated in a country outside the European Union (EU) and the European Economic Area (EEA) and Your processing of Personal Data is not subject to the GDPR, the Standard Contractual Clauses (SCCs) shall apply.

The SCCs are modular, containing Annexes that relate to a specific type of entity or transfer. For the purpose of the Principal Agreement and any transfer of Personal Data to third countries covered by this Data Processing Agreement, only the modular Annexes in Module 4 (Processor-Controller) shall apply, in addition to all general Annexes, subject to the following:
