Legal

Data processing agreement

Summary of our DPA template for enterprise customers. The signable document is delivered on request.

This page summarizes the eleven sections of the PipeTakeoff.com data processing agreement so a buyer-side privacy or procurement team can evaluate it before requesting a copy. The framing language below is the engineering specification of the DPA; the signable version is in counsel review. To request the signable document, email legal@pipetakeoff.com with your organization name and the legal entity you intend to sign under.

1. Definitions

Terminology aligned with applicable law — including the GDPR Article 4 definitions of controller, processor, personal data, and processing. The DPA uses the GDPR baseline even where it does not strictly apply because it is the de facto industry standard.

2. Scope and purpose of processing

Processing is limited to what is necessary to render the extraction service the customer subscribed to, plus operational ancillaries (logging, error monitoring, customer support).

3. Categories of data and data subjects

Customer employees (engineers, administrators) — name and email. Incidentally, any names or emails that appear inside uploaded PDF drawings. We do not process special-category data and do not knowingly process data relating to children.

4. Roles

The customer is the data controller; PipeTakeoff.com is the data processor. The customer determines purpose and means of processing; PipeTakeoff.com processes only on the customer's documented instructions.

5. Subprocessors

Listed on the public subprocessor page. The customer receives 30 days advance notice of new subprocessors via email to organization administrators and may object during the notice window per the Terms of service.

6. Technical and organizational measures

TLS 1.2+ in transit, AES-256 at rest, role-based access controls, audit logging, tenant isolation enforced at both application and database layers. Full controls inventory delivered on request under NDA.

7. Data subject rights assistance

PipeTakeoff.com provides tooling and timelines to assist the customer in responding to data subject access, deletion, and portability requests directed at the customer.

8. Data breach notification

PipeTakeoff.com notifies the customer within 72 hours of confirming a personal data breach affecting the customer's data. Notification includes scope, data categories affected, remediation status, and recommended customer actions.

9. International transfers

Standard Contractual Clauses appendix attaches to the DPA when the customer is established in a jurisdiction requiring a transfer mechanism for data leaving its borders.

10. Audit rights

The customer may audit PipeTakeoff.com's compliance with the DPA once per calendar year on reasonable notice and under a mutually-agreed scope and NDA. PipeTakeoff.com's SOC 2 Type II report, when available, satisfies this obligation.

11. Return and deletion of data on termination

On termination the customer has a 90-day window to export all organization data via the in-product export surface. After the 90-day window all customer data is permanently deleted across primary storage, backups, and any subprocessor surfaces, with a deletion attestation provided on request.

Custom terms

The standard DPA covers the requirements of the vast majority of enterprise customers and is provided at no cost. Custom addenda or jurisdiction-specific carve-outs may be available subject to a separate negotiation and fee.

Contact

Questions about the DPA or to request a signable copy? Email legal@pipetakeoff.com.