Data Processing Agreement (DPA)
Version: 1.0
Last updated: [DATE]
Processor: [COMPANY NAME AND LEGAL FORM, e.g. bivy GmbH]
Note: This English version is provided for convenience. In the event of any discrepancy between the German and English versions, the German version (Auftragsverarbeitungsvertrag) shall prevail.
1. Subject Matter and Duration
1.1 Subject Matter
This Data Processing Agreement (DPA) governs the rights and obligations of the parties in connection with the processing of personal data by bivy (hereinafter "Processor") on behalf of the User (hereinafter "Controller") in the context of using the bivy SaaS platform.
This DPA supplements the General Terms and Conditions (GTC) and the Privacy Policy of bivy and forms an integral part of the contractual relationship.
1.2 Duration
This DPA applies for the entire duration of the contractual relationship between the Controller and bivy. It terminates automatically upon termination of the main agreement (GTC), subject to the post-termination obligations set out in Section 9.
2. Nature and Purpose of Processing
2.1 Nature of Processing
bivy processes personal data on behalf of the Controller through:
- Storage and management of project data
- Receipt, storage, and analysis of forwarded emails
- AI-powered processing (task extraction, decision support, construction log)
- Document and photo management
- Display and preparation of data via the platform
2.2 Purpose of Processing
Processing is carried out exclusively for the purpose of providing the contractually agreed SaaS service — a digital construction project cockpit for managing private construction projects, including AI-powered features.
3. Categories of Data Subjects and Personal Data
3.1 Categories of Data Subjects
- Platform users (Controller and their authorised users)
- Third-party contacts: Contractors, tradespeople, architects, construction managers, suppliers, and other third parties whose data is uploaded or forwarded to the platform by the Controller
3.2 Categories of Personal Data
| Category | Description |
|---|---|
| Third-party contact data | Name, email address, company, phone number (where contained in communications or documents) |
| Communication content | Content of forwarded emails, subject lines, attachments |
| Project-related data | Tasks, decisions, notes, construction log entries relating to third parties |
| Documents | Uploaded documents and photos that may contain personal data of third parties |
| AI-derived data | Tasks, deadlines, and summaries extracted from user inputs that relate to third parties |
3.3 No Special Categories
The processing does not, as a general rule, involve special categories of personal data within the meaning of Art. 9 GDPR or Art. 5(c) FADP. The Controller is obliged to ensure that no special categories of personal data are uploaded to the platform unless expressly agreed.
4. Obligations of the Processor (bivy)
4.1 Instructions
bivy processes personal data exclusively in accordance with the documented instructions of the Controller. Instructions derive from:
a) this DPA;
b) the GTC and Privacy Policy;
c) the Controller's use of platform features;
d) explicit individual instructions sent by email to datenschutz@bivy.ch.
If bivy considers that an instruction infringes data protection law, bivy shall immediately inform the Controller.
4.2 Confidentiality
bivy ensures that all persons authorised to process personal data have committed to confidentiality or are subject to an appropriate statutory duty of confidentiality.
4.3 Technical and Organisational Measures
bivy implements appropriate technical and organisational measures pursuant to Art. 32 GDPR and Art. 8 FADP to ensure a level of security appropriate to the risk. These measures include, in particular:
- Encryption in transit: TLS 1.2 or higher for all data transmissions
- Encryption at rest: AES-256 encryption (AWS KMS / Supabase) for all stored data
- Access control: Multi-factor authentication, principle of least privilege
- Tenant isolation: Row-Level Security (RLS) at the database level
- Input control: Logging of changes to personal data
- Availability control: Regular backups, infrastructure redundancy
- Password security: Storage exclusively as cryptographic hashes (bcrypt)
- Regular security audits: Automated vulnerability scanning of dependencies
4.4 Assistance to the Controller
bivy assists the Controller, taking into account the nature of the processing and the information available, with:
a) fulfilment of requests from data subjects (Art. 15–22 GDPR / Art. 25–29 FADP);
b) compliance with obligations under Art. 32–36 GDPR (data security, data protection impact assessment, prior consultation);
c) notification of personal data breaches in accordance with Section 8.
5. Obligations of the Controller (User)
5.1 Lawfulness
The Controller is responsible for the lawfulness of data processing. The Controller warrants, in particular, that:
a) they have a valid legal basis for processing the data (Art. 6 GDPR / Art. 31 FADP);
b) they have properly informed the data subjects — including third parties such as contractors and tradespeople — about the processing (Art. 13/14 GDPR / Art. 19 FADP);
c) no special categories of personal data are uploaded without express agreement.
5.2 Information Obligation Towards Third Parties
The Controller is solely responsible for informing third parties (in particular contractors, tradespeople, architects) whose data is uploaded to the platform or forwarded by email about the data processing. This includes, in particular, informing them about:
a) processing on the bivy platform, including AI-powered features;
b) bivy's Privacy Policy (bivy.ch/datenschutz);
c) the rights of the affected third parties (access, deletion, rectification).
bivy provides the Controller with a template clause for construction contracts (see Section 12).
5.3 Instructions
The Controller is entitled to issue instructions to bivy regarding the processing of personal data. Instructions that go beyond the contractually agreed service require a separate agreement.
6. Sub-Processors
6.1 Approved Sub-Processors
The Controller hereby grants general authorisation for the use of the following sub-processors:
| Sub-Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Hosting (Lambda, CloudFront, S3), AI processing (Bedrock) | EU — Frankfurt (eu-central-1), Stockholm (eu-north-1), Ireland (eu-west-1) | DPA; AWS GDPR Data Processing Addendum |
| Supabase Inc. | Database (PostgreSQL), authentication, file storage | EU — Frankfurt (eu-central-1) | DPA; Supabase DPA |
| Stripe Payments Europe Ltd. | Payment processing | EU (Ireland) | DPA; PCI DSS Level 1 |
| Amazon Web Services (SES) | Email receiving and processing | EU — Frankfurt (eu-central-1) | Part of the AWS Data Processing Addendum |
6.2 Changes to Sub-Processors
bivy shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors and shall give the Controller the opportunity to object to such changes. Notification shall be made by email with at least 30 days' notice before the planned change.
If the Controller raises a reasoned objection within 14 days of notification, the parties shall seek an amicable solution. If no agreement can be reached, the Controller has the right to terminate the main agreement with immediate effect.
6.3 Obligations Towards Sub-Processors
bivy shall contractually ensure that all sub-processors are subject to data protection obligations at least equivalent to those set out in this DPA. bivy remains responsible to the Controller for the fulfilment of obligations by sub-processors.
7. International Data Transfers
7.1 Principle: Processing Exclusively in the EU
All personal data is processed and stored exclusively within the European Union or the European Economic Area.
bivy's technical infrastructure is located in:
- Frankfurt, Germany (eu-central-1) — primary location
- Stockholm, Sweden (eu-north-1) — AI processing (Bedrock)
- Dublin, Ireland (eu-west-1) — AI processing (Bedrock), payment processing (Stripe)
7.2 No Transfers to Third Countries
bivy does not transfer personal data to countries outside the EU/EEA that do not have an adequacy decision pursuant to Art. 45 GDPR.
Switzerland is recognised by the European Commission as a country with an adequate level of data protection.
8. Personal Data Breach Notification
8.1 Notification Obligation to the Controller
bivy shall notify the Controller without undue delay and in any event within 24 hours of becoming aware of any personal data breach.
The notification shall include at a minimum:
a) the nature of the breach, including the categories and approximate number of data subjects and data records affected;
b) the name and contact details of the contact person;
c) a description of the likely consequences of the breach;
d) a description of the measures taken or proposed.
8.2 Assistance with Notifications
bivy shall assist the Controller in fulfilling their notification obligations to the supervisory authority (Art. 33 GDPR / Art. 24 FADP) and in notifying affected data subjects (Art. 34 GDPR / Art. 24(3) FADP).
9. Return and Deletion of Data
9.1 Upon Termination
Upon termination of the main agreement:
a) bivy shall provide the Controller with the ability to export their data via the platform for a period of 30 days;
b) after the 30-day export period, bivy shall irreversibly delete all personal data of the Controller, unless a statutory retention obligation requires otherwise;
c) bivy shall confirm deletion in writing upon request from the Controller.
9.2 Deletion by Instruction
bivy shall delete personal data upon instruction from the Controller, provided no statutory retention obligation requires otherwise.
10. Audit and Inspection Rights
10.1 Right to Information
bivy shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and Art. 9 FADP.
10.2 Audits
bivy shall allow for and contribute to inspections — including audits — by the Controller or an auditor mandated by the Controller. Audits shall be:
a) announced with reasonable advance notice (at least 30 days);
b) conducted during normal business hours;
c) designed so as not to unreasonably disrupt ongoing operations;
d) conducted no more than once per year, unless a specific reason requires an additional audit.
The costs of the audit shall be borne by the Controller, unless the audit reveals a material breach by bivy.
11. Liability
Liability of the parties is governed by the provisions of the GTC (Section 12), the GDPR (in particular Art. 82), and the FADP. Both parties shall be liable to data subjects in accordance with applicable data protection laws.
12. Template Clause for Construction Contracts
To facilitate the Controller's information obligation towards third parties (Section 5.2), bivy provides the following template clause. This clause may be incorporated into construction contracts, architect agreements, or other contracts with third parties.
Template Clause: Digital Project Management via bivy
Subject: The principal/construction manager uses the SaaS platform bivy (bivy.ch) for the management of this construction project.
Data processing: In the course of project management, the following data of the contractor may be processed digitally via bivy:
- Name, email address, company
- Email correspondence (content, attachments)
- Project-related documents and correspondence
- Tasks and deadlines extracted from communications
AI processing: bivy uses artificial intelligence to automatically extract tasks, deadlines, and summaries from communications. AI processing takes place in real time and exclusively within the EU (Frankfurt, Stockholm, Ireland). Data is not used for training AI models.
Data storage: All data is stored and processed exclusively in the EU (Frankfurt am Main, Germany).
Privacy policy: bivy's full privacy policy is available at: bivy.ch/datenschutz
Rights: The contractor has the right to request information about the data stored about them, to request rectification or deletion, and to object to processing. Requests may be addressed to: datenschutz@bivy.ch
Acknowledgement: By signing this contract, the contractor acknowledges the above information.
Place, date: _______________
Contractor's signature: _______________
13. Contact
For questions regarding this DPA:
Email: datenschutz@bivy.ch
Post: [COMPANY NAME AND LEGAL FORM], [STREET AND NUMBER], [POSTAL CODE] [CITY], Switzerland
14. Final Provisions
14.1 Precedence
In the event of any conflict between this DPA and the GTC, the provisions of this DPA shall prevail with respect to data protection matters.
14.2 Amendments
Amendments to this DPA must be in writing. bivy may amend this DPA with 30 days' notice, with the provisions of the GTC (Section 15) applying mutatis mutandis.
14.3 Governing Law and Jurisdiction
The provisions of the GTC (Section 16) regarding governing law and jurisdiction shall apply.
14.4 Language
This DPA is available in German and English. In the event of any discrepancy between the language versions, the German version shall prevail.
This Data Processing Agreement has been prepared in accordance with Art. 28 GDPR (Regulation (EU) 2016/679) and Art. 9 of the Swiss Federal Act on Data Protection (FADP, SR 235.1). It does not constitute individual legal advice. We recommend having this DPA reviewed by a law firm specialising in data protection law before concluding it.