Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements the Terms of Service (“Agreement”) between Precon, Inc. (“Precon” or “Processor”) and the Customer (“Controller”). This DPA governs Precon's processing of Personal Data on behalf of the Controller in connection with the Service.

This DPA applies to the extent that Precon processes Personal Data subject to applicable Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (“CCPA”), and other applicable privacy and data protection legislation.

Precedence. In the event of any conflict between this DPA and the Agreement (or any other agreement between the parties) on matters relating to data protection, the terms of this DPA shall prevail.

• “Controller” means the Customer, who determines the purposes and means of processing Personal Data
• “Processor” means Precon, which processes Personal Data on behalf of the Controller
• “Personal Data” means any information relating to an identified or identifiable natural person processed by Precon in connection with the Service
• “Data Subject” means the individual to whom Personal Data relates
• “Sub-processor” means a third party engaged by Precon to process Personal Data on behalf of the Controller
• “DPA Data” means all Personal Data processed by Precon under this DPA
• “Data Protection Laws” means all applicable laws relating to the processing of Personal Data, including the GDPR, UK GDPR, CCPA, and equivalent legislation

Roles. The Controller is the Data Controller. Precon is the Data Processor. Precon processes Personal Data solely on the Controller's documented instructions and as necessary to provide the Service.

Documented Instructions. The Controller's instructions for processing are set forth in the Agreement (including this DPA) and in the Controller's configuration and use of the Service. Any additional instructions must be provided in writing (email to privacy@precon.com is sufficient). Precon will promptly inform the Controller if, in Precon's reasonable opinion, an instruction from the Controller infringes applicable Data Protection Laws. Precon is not obligated to independently assess the lawfulness of the Controller's instructions but will refrain from processing until the Controller confirms or modifies the instruction.

Subject matter: Provision of the Precon pre-construction platform, including all features described in the Agreement.

Duration: The term of the Agreement between the Controller and Precon, plus any post-termination retention period as described in Section 9.

Nature and purpose: Document processing and AI analysis (reconstruction, normalization, entity extraction, trade classification), email intelligence (opportunity detection, project tracking, relationship mapping), lead generation and scoring, project analytics and reporting, team collaboration, and agentic AI workflows.

Types of Personal Data: Contact information (name, email address, phone number, job title), organization details, project data (construction documents, plans, specifications), email content (headers, body, attachments from connected accounts), usage data (features used, pages visited, session data), professional information (trades, market sectors), device and browser identifiers, and city-level geolocation derived from IP address.

Categories of Data Subjects: Customer employees and authorized users, email correspondents, project contacts, subcontractor representatives, and individuals whose personal data appears in Customer-uploaded documents.

Processing Locations. Processing occurs in the United States using Google Cloud Platform (us-central1 and us-east1 regions) unless otherwise specified in the Controller's order form or agreed in writing. Precon will not process Personal Data in a jurisdiction not approved by the Controller without prior written notice, except as required to provide the Service using approved Sub-processors (see Section 5).

Precon shall:

• Process Personal Data only in accordance with the Controller's documented instructions and as necessary to provide the Service
• Ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations
• Implement and maintain appropriate technical and organizational security measures as described in Section 7
• Assist the Controller in responding to Data Subject requests within ten (10) business days of receiving the request or notification
• Notify the Controller of a Personal Data breach within forty-eight (48) hours of confirmation, as described in Section 8
• Assist the Controller with data protection impact assessments (“DPIAs”) where required by Data Protection Laws
• At the Controller's election, return or delete all DPA Data upon termination of the Agreement, as described in Section 9
• Make available to the Controller information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws

General Authorization. The Controller provides general written authorization for Precon to engage Sub-processors to assist in providing the Service.

Notification. Precon will provide at least thirty (30) days' advance notice via email before engaging a new Sub-processor or replacing an existing one.

Objection Right. The Controller may object to a new Sub-processor within fifteen (15) days of notification. If the objection cannot be reasonably resolved, the Controller may terminate the Agreement with a pro-rata refund.

Sub-processor Obligations. Precon will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA. Precon remains liable for the acts and omissions of its Sub-processors.

Current Sub-processors. As of the effective date of this DPA, Precon engages the following Sub-processors:

This table is updated when Sub-processors are added or replaced. The Controller will receive thirty (30) days' advance email notice before any change takes effect.

To the extent the CCPA applies:

• Precon will not sell or share DPA Data as defined under the CCPA
• Precon will not retain, use, or disclose DPA Data for any purpose other than providing the Service, except as permitted by the CCPA
• Precon will not combine DPA Data with personal information received from or on behalf of other persons, except as permitted by the CCPA
• Precon will not attempt to re-identify any de-identified data except to verify that de-identification is functioning correctly

Precon implements the following technical and organizational measures to protect DPA Data:

• Encryption at rest (AES-256) and in transit (TLS 1.3)
• Access controls based on least privilege, with multi-factor authentication for administrative access
• Network security including firewalls and intrusion detection
• Regular security assessments and vulnerability management
• Personnel security including confidentiality obligations and security training
• Incident response procedures tested and updated regularly
• Audit logging of data access and administrative actions

In the event of a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to DPA Data (“Personal Data Breach”), Precon will:

• Notify the Controller without undue delay and in any event no later than forty-eight (48) hours after Precon becomes aware of the Personal Data Breach. Notification will be sent to the Controller's designated contact (as provided during onboarding or updated via account settings) and to security@precon.com as a backup channel
• Provide the following information (to the extent known at the time of notification, with further details provided as they become available):
  • A description of the nature of the breach, including the categories and approximate number of affected Data Subjects and Personal Data records
  • The name and contact details of Precon's privacy contact point (currently privacy@precon.com)
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its adverse effects and prevent recurrence

Controller's obligations. The Controller is responsible for assessing whether the Personal Data Breach triggers a notification obligation to its supervisory authority under GDPR Article 33 (within seventy-two (72) hours of becoming aware) and/or to affected Data Subjects under GDPR Article 34. Precon will provide reasonable assistance and information to support the Controller in meeting these obligations.

Precon will cooperate fully with the Controller's investigation and remediation efforts, preserve evidence related to the breach, and provide ongoing updates as additional information becomes available. Precon will document the breach, its effects, and the remedial actions taken, and make this documentation available to the Controller upon request.

Upon termination of the Agreement:

• Export Window. The Controller has a thirty (30) day window to export DPA Data via the platform's built-in export tools or by written request to support@precon.com
• Return Format. Upon written request during the export window, Precon will return DPA Data in a structured, commonly used, and machine-readable format (JSON or CSV for structured data; original file format for uploaded documents). Reasonable assistance in data portability is provided at no additional charge for standard exports; complex or custom export requests may be subject to reasonable fees
• Deletion. After the export window, Precon will delete all DPA Data from primary systems within sixty (60) days
• Deletion Certification. Precon will provide a written certification of deletion to the Controller upon written request
• Legal Holds. Data required to be retained by applicable law, regulation, or legal proceeding is exempt from deletion but will be isolated, access-restricted, and protected in accordance with this DPA for the duration of the retention requirement
• Backup Purge. Backup copies are purged within ninety (90) days of deletion from primary systems

Where DPA Data is transferred from the EEA, UK, or Switzerland to countries not recognized as providing adequate protection, Precon relies on:

• Standard Contractual Clauses (EU Commission Decision 2021/914, Module 2: Controller-to-Processor)
• The UK International Data Transfer Addendum to the EU SCCs
• The Swiss Federal Act on Data Protection (FADP) transfer mechanisms

Precon will implement supplementary measures where required by applicable law to ensure an essentially equivalent level of protection.

Precon will assist the Controller in responding to Data Subject requests for access, rectification, erasure, portability, restriction, and objection. If Precon receives a request directly from a Data Subject, Precon will redirect the request to the Controller unless instructed otherwise.

The Controller may exercise audit rights as follows:

• Request Precon's most recent SOC 2 Type II report and security questionnaire annually
• Conduct an on-site audit with at least thirty (30) days' written notice, during business hours, at the Controller's expense, no more than once per year (unless triggered by a confirmed breach)
• Request additional information reasonably necessary to verify compliance with this DPA

• AI Sub-processors are listed in Section 5 with their specific data handling commitments
• AI providers are contractually required not to retain DPA Data beyond the duration of processing a single request
• Neither Precon nor its AI Sub-processors will train foundation AI models using DPA Data
• The Controller acknowledges that AI processing is performed as described in Precon's AI & Risk Disclosure

Both parties acknowledge that AI-related legislation is evolving rapidly. If new legislation materially impacts the processing described in this DPA, both parties agree to:

• Review the DPA in light of the new requirements
• Negotiate amendments in good faith
• Either party may terminate the Agreement with reasonable notice if compliance becomes commercially infeasible, with a pro-rata refund for prepaid fees

Liability under this DPA follows the provisions of the Terms of Service. Liability for intentional breach of this DPA's data protection obligations is not subject to the general liability cap.

This DPA is effective for the duration of the Agreement. Precon's obligations under this DPA survive for as long as Precon retains any DPA Data.

For questions about this DPA or to exercise any rights, contact privacy@precon.com.