Data Processing Agreement (DPA)

Last Updated: 20/10/2025

This Data Processing Agreement (“DPA”) consists of:

1. The Key Terms set out below; and

  1. The Common Paper DPA Standard Terms, Version 1.1, available at https://commonpaper.com/standards/data-processing-agreement/1.1 (“DPA Standard Terms”).

If there is any inconsistency between these Key Terms and the DPA Standard Terms, the Key Terms control. Capitalized words not defined here have the meanings given in the DPA Standard Terms or in the Ideatura End User License Agreement (“EULA”).

  1. Agreement

    This DPA supplements the Ideatura End User License Agreement (EULA) and Terms and Conditions governing use of the Ideatura plugin and related services.

  2. Approved Subprocessors

    1. Name - Google Cloud Platform (Google LLC)

      Country of Location - United States (data centers in the EU and US)

      Processing Task - Infrastructure, hosting, and data storage for Ideatura services.


    2. Name - Langfuse GmbH

      Country of Location - Germany

      Processing Task - Monitoring, observability, prompt tracing, and evaluation of AI model performance.


    3. Name - Anthropic PBC

      Country of Location - United States

      Processing Task - Processing of text prompts and generation of AI outputs through Anthropic’s LLM API.


  3. Provider Security Contact

    Email: team@ideatura.ai


  4. Security Policy

    Ideatura will use commercially reasonable efforts to secure its Services from unauthorized access, alteration, or other unlawful tampering, consistent with industry standards.


  5. Service Provider Relationship

    To the extent the California Consumer Privacy Act (CCPA) applies, Ideatura acts as a service provider and processes Personal Data from the Customer only to provide the Services described in the Agreement.
    Ideatura will not:

    1. Sell or share any Personal Data;

    2. Retain, use, or disclose Personal Data for purposes other than performing its contractual obligations; or

    3. Retain data longer than necessary under applicable laws.


  6. Restricted Transfers

    1. EEA Transfers: Netherlands

    2. UK Transfers: England and Wales

  7. Annex I (A) — List of Parties

    Data Exporter: The Customer signing or agreeing to this DPA

    1. Role: Controller

    2. Address: As specified in the underlying Agreement

    Data Importer: Ideatura, Inc.

    1. Contact Person: Andrea Rocco Matta, CPO

    2. Address: 75 Sierra Street, Apt 402, San Francisco, CA 94107, USA

    3. Role: Processor


  8. Annex I (B) — Description of Transfer and Processing Activities

    Service

    Ideatura, a plugin developed by Ideatura Inc., automates documentation and dimensioning tasks within Autodesk Revit.
    The software operates as a local Revit add-in connected to Ideatura’s cloud services to execute AI-powered automation features.

    Processing activities include:

    1. Collecting and analyzing limited user input, prompts, and project-level metadata necessary to generate automation results;

    2. Maintaining performance and delivering requested outputs; and

    3. Processing aggregated and de-identified usage data to improve Ideatura’s products and services.

    Categories of Data Subjects

    1. Customer’s end users or customers

    2. Customer’s employees

    Categories of Personal Data

    1. Name

    2. Contact information (e.g., email address)

    3. User activity and analysis (e.g., device information, IP address)

    4. Project-related metadata (e.g., view names, element IDs, Revit model context)

    Special Category Data

    None processed.

    Frequency of Transfer

    Continuous during use of the Service.

    Nature and Purpose of Processing

    1. Receiving, collecting, and recording data

    2. Holding and organizing data

    3. Using data for analysis and automated processing

    4. Protecting and encrypting data

    5. Returning results to the Customer

    6. Erasing data upon request or termination

    7. Processing de-identified data to improve automation models and system performance

    Duration of Processing

    Personal Data is processed only for as long as required to fulfill the purposes described above or as mandated by applicable law.


  9. Annex I (C) — Competent Supervisory Authority

    The supervisory authority is determined based on the Customer’s jurisdiction under the EEA SCCs or UK Addendum.


  10. Annex II — Technical and Organizational Security Measures

    Ideatura implements and maintains the following measures:

    1. Pseudonymization and encryption of personal data

    2. Ensuring confidentiality, integrity, availability, and resilience of processing systems

    3. Regular testing and evaluation of security controls

    4. User authentication and authorization controls

    5. Protection of data in transit and at rest

    6. Event logging and monitoring

    7. Data minimization and limited retention policies


  11. Standard Terms

    The Common Paper DPA Standard Terms v1.1 apply and are publicly available at:
    https://commonpaper.com/standards/data-processing-agreement/1.1


  12. Contact

    Ideatura, Inc.
    team@ideatura.ai
    75 Sierra Street, Apt 402, San Francisco, CA 94107, USA