Scope and definitions
This Data Processing Addendum, the "DPA", applies where Preqonn AI, operated by ELMNTALSAI PRIVATE LIMITED, processes personal data on behalf of a customer in connection with the Preqonn AI platform. It supplements the Terms of Service and any signed order.
In this DPA, personal data means information relating to an identified or identifiable person that is contained in customer content or otherwise processed through the platform. Processing means any operation performed on personal data. Data subject means the individual the personal data relates to. The terms controller and processor have the meaning given under applicable data protection law.
Roles of the parties
For personal data processed under this DPA, the parties act in the following roles.
- Customer. Decides why and how personal data in its project documents is processed, and is responsible for having a lawful basis to provide that data to Preqonn AI.
- Preqonn AI. Processes personal data only on the customer's documented instructions, to deliver and support the platform under the agreement.
The customer is the controller of the personal data it submits. Preqonn AI is the processor and acts on behalf of the customer. Preqonn AI remains an independent controller for limited account and billing data needed to run its business, which is governed by the Privacy Policy.
Scope of processing
The details of the processing under this DPA are as follows.
| Subject matter | Provision of the Preqonn AI estimating and bid package platform. |
|---|---|
| Duration | For the term of the agreement, plus the deletion period in Section 10. |
| Nature and purpose | Hosting, reading, and processing project documents to generate estimates, takeoffs, and bid packages. |
| Types of data | Names and contact details of project stakeholders that appear in uploaded documents, and account user details. |
| Categories of data subjects | Customer personnel, project contacts, and other individuals named in customer project documents. |
Customers should not upload special categories of personal data, and the platform is not designed to process them.
Customer instructions
Preqonn AI processes personal data only on the customer's documented instructions, including those given through use of the platform, the agreement, and this DPA. Preqonn AI does not process personal data for its own purposes.
If Preqonn AI believes an instruction conflicts with applicable data protection law, it will inform the customer. If Preqonn AI is required by law to process personal data beyond the customer's instructions, it will inform the customer of that requirement before processing, unless the law prohibits such notice.
Subprocessors
The customer authorizes Preqonn AI to engage subprocessors to support the platform. Each subprocessor is bound by a written contract that imposes data protection obligations no less protective than those in this DPA.
Preqonn AI maintains a current list of subprocessors and their function. It will give the customer prior notice of any new subprocessor and a reasonable period to object on legitimate data protection grounds. If the customer objects and the parties cannot resolve the concern, the customer may terminate the affected part of the service. Preqonn AI remains responsible for the performance of its subprocessors.
The current categories of subprocessors are listed below.
| Category | Function | Region |
|---|---|---|
| Cloud hosting | Application and document storage, compute | United States |
| Model inference | Document reading and estimate generation | United States |
| Payments | Subscription billing and invoicing | United States |
| Email and support | Transactional email and support tickets | United States |
Security measures
Preqonn AI maintains technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include the following.
- Encryption. Personal data is encrypted in transit with TLS and at rest with industry-standard encryption.
- Access control. Access to production systems is limited to authorized personnel on a least-privilege basis, with authentication and logging.
- Tenant isolation. Customer content is logically separated so one customer cannot access another's data.
- Resilience. Backup and recovery processes designed to restore availability after an incident.
- Monitoring. Logging and monitoring of system activity, with a defined incident response process.
- Personnel. Staff are bound by confidentiality obligations and receive security training.
- Testing. Regular review and testing of the effectiveness of these measures.
Preqonn AI may update these measures over time, provided the updates do not reduce the overall level of protection.
Confidentiality
Preqonn AI treats personal data processed under this DPA as confidential. It ensures that personnel authorized to process personal data are subject to a duty of confidentiality and process the data only as needed to deliver the platform.
Data subject requests
Where a data subject contacts Preqonn AI directly to exercise a right, such as access, correction, deletion, or objection, Preqonn AI will not respond on the customer's behalf but will promptly forward the request to the customer, unless the law requires otherwise.
Taking account of the nature of the processing, Preqonn AI will provide reasonable assistance, through appropriate technical and organizational measures and the features of the platform, to help the customer respond to data subject requests.
Breach notification
Preqonn AI will notify the customer without undue delay after becoming aware of a personal data breach affecting personal data processed under this DPA. The notification will describe the nature of the breach, the data and data subjects affected so far as known, the likely consequences, and the measures taken or proposed to address it.
Preqonn AI will provide enough information for the customer to meet its own notification obligations to authorities and data subjects, and will cooperate in good faith on investigation and remediation. A breach notice is not an acknowledgment of fault.
Deletion and return
The customer may export its personal data from the platform at any time during the term using the platform's features.
On termination or expiry of the agreement, Preqonn AI will, at the customer's choice, delete or return the personal data it processes on the customer's behalf. Unless the customer requests return within 30 days of termination, Preqonn AI will delete or de-identify the personal data within 30 days. Copies held in backups are purged on a rolling schedule. Preqonn AI may retain personal data where required by law, and will continue to protect it for as long as it is retained.
Audit and assistance
Preqonn AI will make available to the customer information reasonably necessary to demonstrate compliance with this DPA. This includes summaries of relevant third-party audit reports and security documentation, provided on request and subject to confidentiality.
Where required by applicable data protection law, and on reasonable prior notice, the customer may conduct an audit, which may be carried out by an independent third party bound by confidentiality. Audits will take place during business hours, no more than once per year unless a regulator or a breach requires otherwise, and in a manner that does not disrupt Preqonn AI's operations. Preqonn AI will also provide reasonable assistance with data protection impact assessments and consultations with supervisory authorities, taking account of the nature of the processing.
International transfers
Preqonn AI processes personal data in the United States and in other locations where its subprocessors operate. Where personal data is transferred from a jurisdiction that restricts international transfers, the parties will rely on an appropriate transfer mechanism, such as standard contractual clauses, which are incorporated into this DPA by reference where applicable.
Preqonn AI will apply supplementary measures where needed so that transferred personal data receives a level of protection consistent with applicable data protection law.
Contact us
For questions about this DPA, to request the current subprocessor list, or to raise a data protection matter, contact our privacy team and we will respond promptly.
Questions? Contact info@preqonn.com