DATA PROCESSING ADDENDUM

ShedBuilder.ai

Operated by CAIO

Effective Date: March 16, 2026

1. Scope and Purpose

This Data Processing Addendum ("DPA") supplements the Terms of Service and Privacy Policy for ShedBuilder.ai and governs the processing of personal data that Subscribers ("Data Controllers" or "you") input into or collect through the Platform, particularly data relating to Subscribers' clients and end users ("End User Data").

For the purposes of this DPA, CAIO ("Data Processor" or "we") processes End User Data on behalf of and under the instructions of the Subscriber. This DPA applies to the extent that applicable data protection laws (including the California Consumer Privacy Act, as amended by the CPRA, and any future U.S. state privacy laws) require a data processing agreement between a controller and processor.

Extended scope: This DPA also governs the processing of team member personal information (names and email addresses of users invited to a Subscriber's Workspace) to the extent such processing is performed on behalf of the Subscriber for the purpose of providing Workspace access. For team member data, the Subscriber is the Data Controller and CAIO is the Data Processor.

2. Definitions

  • "End User Data" means personal information of Subscriber's clients, leads, and end users that is input into or collected through the Platform, including through the Subscriber's client-facing configurator.
  • "Team Member Data" means personal information (names and email addresses) of individuals invited to a Subscriber's Workspace by the Workspace administrator.
  • "Personal Data" means any information that identifies or could reasonably be used to identify a natural person, as defined under applicable data protection laws.
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, transmission, and deletion.
  • "Sub-processor" means a third party engaged by the Data Processor to process End User Data or Team Member Data on behalf of the Data Controller.
  • "Data Breach" means any unauthorized access, acquisition, use, or disclosure of unencrypted Personal Data that compromises the security, confidentiality, or integrity of the data.

3. Data Controller and Data Processor Roles

3.1 Controller

The Subscriber is the Data Controller for End User Data and Team Member Data. The Subscriber determines the purposes and means of processing, including what data is collected through their configurator, how it is used, and how long it is retained within their Workspace.

3.2 Processor

CAIO is the Data Processor for End User Data and Team Member Data. We process this data solely on behalf of the Subscriber and in accordance with the Subscriber's documented instructions (as expressed through Platform configuration, account settings, and this DPA). We do not independently determine the purposes of processing End User Data or Team Member Data.

3.3 CAIO as Controller

CAIO acts as an independent Data Controller for Subscriber account information, billing data, and Platform usage analytics, as described in our Privacy Policy. This DPA does not govern data for which CAIO is the Controller.

Platform usage analytics (for which CAIO is Controller) is limited to: aggregated feature usage metrics (e.g., which tools are used most frequently), performance and error telemetry, and de-identified navigation patterns. Platform usage analytics does not include any End User Data content, Workspace business data, or information that could identify individual End Users or their projects. Any data derived from End User interactions—even if aggregated—is processed under CAIO's processor obligations, not its controller status.

4. Categories of Data Processed

Category                Data Elements                                                   Data Subjects
----------------------  --------------------------------------------------------------  ----------------------------------
Contact Information     Name, email, phone, address                                     End Users (leads, clients)
Project Information     Property address, site photos, specifications, preferences      End Users (clients)
Configuration Data      Shed selections, design choices, feature preferences            End Users (configurator visitors)
Communication Records   Notes, messages, project comments entered by Subscriber         End Users (clients)
Financial References    Quote amounts, payment status (no payment card data)            End Users (clients)
Team Member Data        Name, email address                                             Subscriber team members

IMPORTANT: The Platform does not process payment card numbers, Social Security numbers, health information, or other sensitive personal data categories for End Users or Team Members. Subscribers should not input such data into the Platform.

Quote amounts and payment status data stored in Subscriber Workspaces are treated as Subscriber Confidential Information under the Terms of Service (Section 17) and are not included in any aggregated analytics or benchmarking.

5. Processing Instructions

We will process End User Data and Team Member Data only in accordance with the Subscriber's documented instructions, which include:

  • Providing and maintaining the Platform features used by the Subscriber.
  • Storing data within the Subscriber's isolated Workspace.
  • Transmitting data as necessary to deliver the Service (e.g., sending configurator data to the Subscriber's dashboard).
  • Backing up and securing data as part of our standard infrastructure operations.
  • Deleting data upon Subscriber's request or upon account termination per the Terms of Service.

Additional instructions: Subscribers may issue reasonable written processing instructions beyond those enumerated above by submitting them to privacy@shedbuilder.ai. We will comply with such instructions to the extent technically feasible and consistent with the Agreement, or notify the Subscriber within 10 business days if we are unable to comply, together with the reasons for non-compliance.

If we receive a legal request (e.g., subpoena, court order) that requires disclosure of End User Data, we will notify the Subscriber before complying, to the extent permitted by law, so the Subscriber can seek appropriate legal remedies.

6. Security Measures

We implement and maintain appropriate technical and organizational measures to protect End User Data and Team Member Data, including:

  • Encryption: TLS/HTTPS for data in transit; encryption at rest for stored data.
  • Access controls: Role-based access limiting our personnel's access to End User Data on a need-to-know basis. Multi-factor authentication (MFA) is required for all administrative access to production systems.
  • Workspace isolation: Logical separation of Subscriber Workspaces at the application and database layers.
  • Infrastructure security: Hosting on Vercel with industry-standard security practices, regular updates, and monitoring. Vercel maintains SOC 2 Type II certification and undergoes regular third-party security audits. Vercel's security documentation is available at vercel.com/security.
  • Encryption key management: Encryption keys are managed through the infrastructure provider's key management service with automatic rotation.
  • Logging and monitoring: Access to production systems and End User Data is logged and monitored. Logs are retained for a minimum of 12 months.
  • Personnel: All CAIO personnel and contractors with access to End User Data are bound by confidentiality obligations.
  • Incident response: Documented procedures for detecting, responding to, and recovering from security incidents.
  • Vulnerability management: Regular vulnerability scanning of Platform components and timely application of security patches.

7. Sub-processors

7.1 Current Sub-processors

The following sub-processors may process End User Data on our behalf:

Sub-processor         Purpose                                                                                        Location
--------------------  ---------------------------------------------------------------------------------------------  ---------------
Vercel Inc.           Application hosting, CDN, serverless functions, Vercel Postgres database hosting and storage  United States
Stripe, Inc.          SaaS billing (Subscriber payments only; does not process End User payment data)               United States
Plausible Analytics   Privacy-respecting website analytics (no personal data processed)                             European Union

All sub-processors store and process data within the United States or European Union. No sub-processor has offshore components or processes data in jurisdictions outside of these regions.

7.2 Sub-processor Changes

We will notify Subscribers at least 45 days before engaging a new sub-processor that will process End User Data. Notification will be sent via email to the Subscriber's account email address. If a Subscriber objects to a new sub-processor, we will consult with the Subscriber in good faith and consider commercially reasonable alternatives before engaging the objected-to sub-processor. If no alternative is available and the Subscriber maintains its objection, the Subscriber may terminate their subscription before the sub-processor is engaged, and we will provide a pro-rata refund for any prepaid, unused period.

7.3 Sub-processor Obligations

All sub-processors are bound by written agreements requiring them to provide at least the same level of data protection as this DPA, including equivalent security measures and confidentiality obligations. We remain liable for our sub-processors' compliance with the obligations of this DPA. Sub-processor agreements require compliance with the CCPA/CPRA service provider certification requirements set forth in Section 11.

8. Data Subject Rights

If we receive a request from a data subject (an End User) seeking to exercise their privacy rights (access, deletion, correction, portability), we will:

  • Promptly notify the relevant Subscriber of the request (within 3 business days).
  • Not respond directly to the data subject unless authorized by the Subscriber or required by law.
  • Provide reasonable technical assistance to the Subscriber in fulfilling data subject requests.

Reasonable technical assistance includes, at minimum: (a) exporting the data subject's data from the Workspace in machine-readable format (JSON, CSV); (b) facilitating targeted deletion of specific data subject records within the Workspace; (c) correcting specific data fields upon Subscriber instruction; and (d) providing confirmation of completion. Assistance for routine requests is included in the subscription fee; assistance for unusually complex or voluminous requests may be provided at CAIO's then-current professional services rates, communicated in advance.

Subscribers are responsible for responding to data subject requests within the timeframes required by applicable law.

9. Data Breach Notification

In the event of a Data Breach affecting End User Data or Team Member Data, we will:

  • Notify: Notify affected Subscribers without undue delay, and in any event within 72 hours of becoming aware of the breach.
  • Information: Provide the following information to the extent available: (a) nature of the breach, (b) categories and approximate number of data subjects affected, (c) likely consequences, (d) measures taken or proposed to address the breach.
  • Cooperate: Cooperate with the Subscriber's investigation and any required notifications to data subjects or regulatory authorities.
  • Remediate: Take immediate steps to contain and remediate the breach, and implement measures to prevent recurrence.
  • Forensic preservation: Preserve all forensic evidence related to the breach for a minimum of 12 months from the date of discovery.
  • Root cause analysis: Provide a preliminary root cause analysis to affected Subscribers within 14 days of breach discovery.
  • Final incident report: Provide a final incident report within 45 days of breach discovery, including: root cause determination, scope and impact assessment, detailed timeline of events, remediation actions completed, and measures implemented to prevent recurrence.

The obligation to notify does not constitute an acknowledgment of fault or liability.

10. Data Deletion and Return

Upon termination of a Subscriber's account:

  • We will make End User Data and Team Member Data available for export for 90 days after account deactivation. Exports are available in machine-readable, open-standard formats including JSON, CSV, and PDF.
  • After 90 days, End User Data and Team Member Data will be permanently deleted from our active systems.
  • Data may persist in encrypted backups for up to an additional 30 days, after which backup copies will be purged.
  • Aggregated, anonymized data derived from End User Data (which does not identify any individual and meets the de-identification standard described in the Terms of Service, Section 6.3) is not subject to deletion and may be retained indefinitely.

Deletion certification: Upon Subscriber request following the completion of the deletion process, we will provide written certification that all End User Data and Team Member Data has been permanently deleted from our active systems and backups, except for any data we are required to retain by law.

Subscribers may request earlier deletion of End User Data at any time by contacting us at privacy@shedbuilder.ai.

11. CCPA/CPRA Service Provider Certification

To the extent the California Consumer Privacy Act (CCPA) or California Privacy Rights Act (CPRA) applies to our processing of End User Data:

  • We are a "Service Provider" as defined under CCPA/CPRA.
  • We will not sell or share End User Data.
  • We will not retain, use, or disclose End User Data for any purpose other than providing the Service as specified in the Agreement.
  • We will not combine End User Data with personal information received from other sources except as permitted under CCPA/CPRA for service provider activities.
  • We certify that we understand and will comply with these restrictions.

This certification extends to all sub-processors in the processing chain. We require equivalent service provider certifications from all sub-processors that process End User Data.

12. Audits and Compliance

Upon reasonable written request (no more than once per year unless a Data Breach has occurred), we will provide Subscribers with:

  • A summary of our security measures and data protection practices relevant to End User Data.
  • Copies of relevant certifications, audit reports, or security assessments (including SOC 2 Type II reports when available).
  • Responses to written security questionnaires within 30 business days of receipt.

SOC 2 commitment: We are committed to obtaining SOC 2 Type II certification within 18 months of the effective date of this DPA. Upon completion, reports will be shared with Subscribers under NDA.

Third-party audit for cause: In the event of a confirmed Data Breach affecting a Subscriber's End User Data, the affected Subscriber may, at the Subscriber's expense, engage a mutually agreed-upon independent third-party auditor to conduct an audit of our security practices relevant to the breach. Such audit will be conducted upon reasonable notice, during normal business hours, and subject to confidentiality obligations. We will cooperate in good faith with such audit.

We do not currently support routine on-site audits by individual Subscribers, given the multi-tenant nature of the Platform.

13. International Data Transfers

End User Data and Team Member Data is stored and processed in the United States. If Subscribers or their End Users are located outside the U.S., personal data will be transferred to the U.S. for processing.

Data residency: All primary data storage and processing occurs within the United States. We do not transfer End User Data to jurisdictions outside of the United States and European Union.

Transfer mechanisms: If applicable data protection laws (including the GDPR, UK GDPR, or Swiss Federal Act on Data Protection) require additional transfer safeguards, we will execute EU Standard Contractual Clauses (SCCs, EU Commission 2021 version) with the Subscriber upon request. Subscribers requiring SCCs should contact legal@shedbuilder.ai. If the nature of our processing or sub-processor arrangements changes in a way that affects the risk assessment for international transfers, we will notify affected Subscribers and cooperate in conducting any required Transfer Impact Assessment.

We apply the security measures described in Section 6 regardless of data origin.

14. Term and Survival

This DPA is effective as of the date the Subscriber accepts the Terms of Service and remains in effect for the duration of the Subscriber's account. Sections relating to data security, confidentiality, data deletion, breach notification, forensic preservation, and deletion certification survive termination for as long as we retain any End User Data or Team Member Data, plus 12 months.

15. Conflict

In the event of a conflict between this DPA and the Terms of Service or Privacy Policy, this DPA controls with respect to the processing of End User Data and Team Member Data. For all other matters, the Terms of Service govern.

16. Contact

For DPA-related inquiries:

CAIO — Data Protection

Email: privacy@shedbuilder.ai

Website: https://shedbuilder.ai