Data Processing Addendum
For B2B customers who need a written processor agreement to satisfy their own privacy-compliance obligations. Incorporated by reference into your subscription's Terms of Use when countersigned.
This Data Processing Addendum (the "DPA") supplements the Terms of Use and any related order between BuildITSmrt, LLC, a Wisconsin limited liability company ("BuildITSmrt," "Processor"), and the customer identified at signup or in a related order (the "Customer," "Controller"). It governs the processing of Personal Information by BuildITSmrt on Customer's behalf in connection with the MaintBlocks SaaS service (the "Service"). It does not change any term of the Terms of Use except as expressly stated. If there's a conflict between this DPA and the Terms of Use on a matter relating to the processing of Personal Information, this DPA controls.
1. Definitions
Capitalized terms not defined here have the meanings given in the Terms of Use or, where applicable, in the privacy law most relevant to the parties. For convenience:
- "Personal Information" means information that identifies, relates to, describes, or could reasonably be linked with a particular individual, processed by BuildITSmrt on Customer's behalf in connection with the Service.
- "Controller" means the entity that determines the purposes and means of processing the Personal Information. Customer is the Controller.
- "Processor" means the entity that processes Personal Information on the Controller's behalf. BuildITSmrt is the Processor.
- "Sub-processor" means any third party engaged by Processor to process Personal Information.
- "Data Subject" means an identified or identifiable individual whose Personal Information is processed.
- "Personal Information Breach" means a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information processed under this DPA.
- "Applicable Privacy Law" means each privacy or data-protection law applicable to the processing, including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Texas Data Privacy and Security Act, the Utah Consumer Privacy Act, and any successor or comparable law of any U.S. state.
2. Scope and roles
For the Personal Information that Customer (or the devices Customer enrolls) submits to the Service, Customer is the Controller and BuildITSmrt is the Processor. BuildITSmrt processes Personal Information only on Customer's documented instructions, including those expressed through Customer's use of the Service in the ordinary course, except where required to do so by law (in which case BuildITSmrt will inform Customer of that requirement before processing, unless legally prohibited from doing so).
BuildITSmrt is an independent Controller for the limited Personal Information it collects directly from Customer for its own business purposes — for example, Customer's billing contact details, signup information, and account-administration data. The handling of that data is governed by BuildITSmrt's Privacy Policy, not this DPA.
3. Subject matter, duration, nature, and purpose of processing
- Subject matter: Provision of the Service to Customer, including license issuance, device-inventory storage, heartbeat ingestion, run-record storage, dashboard hosting, and related operational support.
- Duration: The term of Customer's subscription, plus the data-retention windows described in the Privacy Policy and Section 13 (Return and deletion of Personal Information) of this DPA.
- Nature and purpose: Storing and processing device inventory and operational data so Customer's authorized administrators can monitor, manage, and run maintenance on the devices Customer has enrolled.
4. Categories of Data Subjects and types of Personal Information
Categories of Data Subjects may include:
- Customer's IT administrators and dashboard users
- End users of the devices Customer enrolls in the Service (to the extent the device's local user accounts, hostname, or similar fields contain identifiable information)
Categories of Personal Information processed are limited to those listed in our Privacy Policy, Section 13, namely: account credentials and profile data; device-identity data; operating-system and hardware metadata; recent maintenance-action outcomes; installed-software inventory; services inventory; local-user-account names and flags; network-adapter metadata; BIOS/firmware metadata; and billing/subscription metadata received from the payment processor. Customer agrees not to submit, and not to configure devices to submit, special categories of data (health data, government identifiers beyond what's incidentally embedded in hardware identifiers, biometric data, children's data, financial-account numbers, or full payment-card numbers) to the Service.
5. Customer obligations
Customer represents and warrants that:
- Customer has provided all notices, obtained all consents, and otherwise has a lawful basis under Applicable Privacy Law to disclose the Personal Information to BuildITSmrt and to instruct BuildITSmrt to process it for the purposes of the Service
- Customer's instructions regarding the processing comply with Applicable Privacy Law
- Customer is responsible for the accuracy of the Personal Information it submits and for responding (with BuildITSmrt's reasonable assistance) to Data Subjects exercising their rights
- Customer will not configure the Service or its agent in a way that submits special categories of data outside the scope of Section 4
6. Processor obligations
BuildITSmrt will:
- Process Personal Information only as necessary to perform the Service, on Customer's documented instructions, and in compliance with Applicable Privacy Law
- Ensure that personnel authorized to access Personal Information are bound by confidentiality obligations consistent with this DPA
- Implement and maintain appropriate technical and organizational security measures (Section 9) and assist Customer with related obligations
- Promptly notify Customer if BuildITSmrt determines, in its good-faith judgment, that an instruction violates Applicable Privacy Law (without obligation to determine the legality of every instruction)
- Not "sell" or "share" Personal Information as those terms are defined in CCPA/CPRA, and not retain, use, or disclose Personal Information for any purpose other than the specific purposes set out in this DPA, except as legally required
7. Sub-processors
Customer authorizes BuildITSmrt to use the Sub-processors listed below to process Personal Information in connection with the Service:
- Stripe Payments Company (United States) — payment processing, subscription management, customer billing portal
- Maileroo (United States) — transactional email delivery
- Hostinger International, Ltd. (United States hosting) — virtual-server provider for the production environment
- Cloudflare, Inc. (United States) — DNS, edge proxy, and CDN
- GitHub, Inc. (United States) — source-code hosting; receives Personal Information only incidentally if Customer voluntarily files an issue or shares logs
BuildITSmrt has a written agreement with each Sub-processor that imposes data-protection obligations no less protective than those in this DPA. BuildITSmrt remains liable for the acts and omissions of its Sub-processors to the same extent as if performed by BuildITSmrt itself.
BuildITSmrt may engage a new Sub-processor by giving Customer at least 30 days' prior notice (by email and/or by updating this page). Customer may object in good faith on reasonable data-protection grounds within 15 days; if the parties cannot resolve the objection, Customer may terminate the affected portion of the subscription on 30 days' notice and BuildITSmrt will refund any pre-paid fees attributable to the post-termination period.
8. International transfers
BuildITSmrt currently stores Personal Information processed under this DPA on infrastructure located in the United States and does not knowingly transfer it outside the United States in the ordinary course. Sub-processors may operate globally; their handling of Personal Information is governed by the contracts BuildITSmrt has with them. BuildITSmrt does not market the Service to, or contract with, customers based in the European Economic Area, the United Kingdom, or other regions outside the United States; if Customer's use of the Service involves cross-border transfers that require an additional transfer mechanism (e.g., EU Standard Contractual Clauses), the parties will negotiate one in good faith — BuildITSmrt may decline to support such transfers if doing so isn't operationally feasible.
9. Security
BuildITSmrt will maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk of the processing. Without limiting the generality of the foregoing, BuildITSmrt currently implements:
- TLS for all in-transit communications between Customer's devices, dashboard users, and the Service backend
- Per-tenant logical isolation in a single database, with explicit tenant-scoped query enforcement
- Industry-standard password hashing (BCrypt with work factor 12) for account credentials
- Ed25519-signed license tokens with bounded lifetime and per-issuance audit records
- Encrypted-at-rest authentication cookies (ASP.NET Core Data Protection key ring persisted to the database)
- Two-factor authentication available to dashboard users (TOTP plus single-use recovery codes)
- Brute-force lockout for repeated failed sign-ins
- Principle-of-least-privilege internal access controls and key-only SSH for server administration
- Isolated production and test environments with separate signing keys, separate databases, and separate sub-processor credentials
- Automatic security updates on host operating systems
- Off-server backups of the production database
BuildITSmrt may modify these measures from time to time, provided that the modifications do not materially decrease the overall level of security.
10. Data Subject requests; assistance to Customer
Taking into account the nature of the processing, BuildITSmrt will provide reasonable assistance to Customer to enable Customer to respond to requests from Data Subjects exercising rights under Applicable Privacy Law (access, deletion, correction, portability, opt-out of sale/sharing, and similar). BuildITSmrt will not respond directly to a Data Subject request relating to Customer's data except as legally required or as Customer instructs; if BuildITSmrt receives such a request directly, it will refer the Data Subject to Customer and notify Customer (unless legally prohibited from doing so).
Customer can submit assistance requests through the contact form at /contact?interest=privacy, or directly to [email protected]. BuildITSmrt aims to respond within 5 business days; legally mandated timeframes (e.g., the 30-day clock under several U.S. state privacy laws) are honored.
11. Personal Information Breach notification
BuildITSmrt will notify Customer without undue delay, and in any case within 72 hours after BuildITSmrt becomes aware of a Personal Information Breach, by email to the billing or administrative email address on file. The notification will include, to the extent known at the time:
- A description of the nature of the breach, the categories and approximate number of Data Subjects affected, and the categories and approximate number of records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach and to mitigate its possible adverse effects
- A point of contact for follow-up
If full information isn't available at the time of initial notification, BuildITSmrt will provide it as it becomes available, in phases. BuildITSmrt's notification of a Personal Information Breach is not an acknowledgment of fault or liability.
12. Audit rights
Once per calendar year, on at least 30 days' written notice, Customer (or an independent third-party auditor Customer engages and that is acceptable to BuildITSmrt acting reasonably) may audit BuildITSmrt's compliance with this DPA. Audits will be conducted during normal business hours, in a manner that does not disrupt the operation of the Service, and subject to a reasonable confidentiality agreement. To minimize disruption, BuildITSmrt may satisfy audit requests by providing a recent third-party audit report, written responses to a reasonable questionnaire, or comparable documentation. Customer bears its own costs of the audit and reimburses BuildITSmrt's reasonable out-of-pocket costs of cooperating, except where the audit reveals a material breach of this DPA, in which case BuildITSmrt bears those costs.
13. Return and deletion of Personal Information
Within 90 days after termination or expiration of the subscription (or earlier if Customer requests), BuildITSmrt will, at Customer's election, either return or delete the Personal Information processed under this DPA, except to the extent BuildITSmrt is required by law to retain some or all of it (in which case BuildITSmrt will isolate it and protect it from any further processing except as required by law). Backups containing Personal Information are overwritten in the ordinary course of BuildITSmrt's backup-rotation schedule, typically within 35 days. On request, BuildITSmrt will certify the deletion in writing.
14. Liability
Each party's aggregate liability arising out of or relating to this DPA is subject to the limitations of liability set out in the Terms of Use, including (where applicable) Section 16.12. Without limiting the foregoing, the parties acknowledge that the Service is a low-cost subscription service and that the limitations of liability are commercially reasonable in light of the price.
15. Term and termination
This DPA takes effect when Customer agrees to the Terms of Use and signs up for the Service, and continues for as long as BuildITSmrt processes Personal Information on Customer's behalf. Sections that by their nature should survive termination — including Sections 11 (Breach notification, for breaches discovered after termination involving pre-termination data), 13 (Return and deletion), and 14 (Liability) — survive.
16. Order of precedence
In the event of any conflict or inconsistency among the documents governing the parties' relationship, the order of precedence is: (a) this DPA; (b) any countersigned order or written master services agreement; (c) the Terms of Use; (d) the Privacy Policy. The EULA, where applicable, controls over the foregoing on matters concerning the desktop Software's licensing.
17. Governing law and venue
This DPA is governed by the laws of the State of Wisconsin, without regard to its conflict-of-laws principles. Disputes are resolved in the state or federal courts located in Brown County, Wisconsin, consistent with the Terms of Use.
18. Counterparts; how to execute
Customers who require a countersigned copy of this DPA for their compliance records should submit a request through the contact form, selecting "Legal / terms of service" as the inquiry category. BuildITSmrt will provide a counterpart suitable for execution. Electronic signatures (DocuSign, Adobe Sign, etc.) are acceptable. For Customers who do not require a countersigned copy, this DPA applies as part of the Terms of Use as published.
19. Contact
Questions about this DPA should be directed through the contact form, selecting "Privacy / data request" or "Legal / terms of service" as the inquiry category.
Note: This DPA is provided as our standard form. Negotiated DPAs for enterprise customers are available on request. Customers based outside the United States, or whose use of the Service involves cross-border transfers requiring transfer mechanisms not addressed above, should contact us before subscribing.