1 Definitions
Capitalised terms not defined in this DPA have the meaning given in the Terms of Service.
“Data Protection Laws” means all applicable data protection and privacy laws, including: UK GDPR, EU GDPR (where applicable), and the Data Protection Act 2018.
“Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, and “Personal Data Breach” have the meanings given in the Data Protection Laws.
2 Roles of the Parties
2.1 The Customer acts as the Controller in respect of Personal Data processed on the ConstructSum Platform.
2.2 ConstructSum acts as a Processor, processing Personal Data only on documented instructions from the Customer.
2.3 Each party shall comply with its obligations under Data Protection Laws.
3 Scope of Processing
3.1 Subject Matter
Provision of the ConstructSum cloud-based financial, contract, and project management platform.
3.2 Duration
For the duration of the Customer’s subscription and any applicable data retention period.
3.3 Nature and Purpose
Processing necessary to: provide and operate the Platform, enable customer configuration and use, provide support and maintenance, and ensure platform security and performance.
3.4 Categories of Data Subjects
- Customer employees and authorised users
- Subcontractors and suppliers
- Project stakeholders
- Client contacts entered by the Customer
3.5 Categories of Personal Data
- Names, email addresses, job titles
- User account credentials
- Contact details
- Financial and transactional references
- Project and contract-related information uploaded by the Customer
4 Processor Obligations
ConstructSum shall:
4.1 Process Personal Data only in accordance with documented instructions from the Customer, unless required by law.
4.2 Ensure that persons authorised to process Personal Data are subject to confidentiality obligations.
4.3 Implement appropriate technical and organisational measures to protect Personal Data, including: encryption in transit and at rest, role-based access controls, logical tenant isolation, regular security monitoring, and backups.
4.4 Assist the Customer, taking into account the nature of the processing, with: data subject rights requests, security obligations, and data protection impact assessments (where reasonably required).
5 Sub-Processors
5.1 The Customer authorises ConstructSum to engage Sub-Processors.
5.2 Current Sub-Processors include (but are not limited to):
- Microsoft Azure (cloud infrastructure and hosting)
- Stripe (payment processing)
- Support and monitoring service providers
5.3 ConstructSum shall impose data protection obligations on Sub-Processors equivalent to those in this DPA and remain responsible for Sub-Processor performance.
5.4 ConstructSum may update its Sub-Processors from time to time. Details of material changes will be made available to the Customer upon request.
6 International Data Transfers
6.1 Personal Data is primarily processed within the UK and EEA.
6.2 Where Personal Data is transferred outside the UK/EEA, ConstructSum ensures that appropriate safeguards are in place, such as an adequacy decision or Standard Contractual Clauses (SCCs).
7 Data Subject Rights
7.1 The Customer is responsible for responding to Data Subject requests.
7.2 ConstructSum shall provide reasonable assistance to enable the Customer to fulfil such requests.
8 Personal Data Breaches
8.1 ConstructSum shall notify the Customer without undue delay upon becoming aware of a Personal Data Breach.
8.2 Notification shall include: the nature of the breach (where known), categories and approximate number of affected data subjects, and mitigation steps taken or proposed.
9 Data Deletion and Return
9.1 Upon termination or expiry of the Services:
- Personal Data will be retained for a limited period in line with ConstructSum’s data retention policies
- The Customer is responsible for exporting data before expiry
- Personal Data will be securely deleted thereafter unless retention is required by law
10 Audits
10.1 The Customer may request reasonable information demonstrating ConstructSum’s compliance with this DPA.
10.2 Audits shall be limited to once per year, subject to reasonable notice, must not unreasonably disrupt operations, and shall be conducted at the Customer’s cost.
11 Liability
11.1 Liability under this DPA is subject to the limitations set out in the Terms of Service.
11.2 Nothing in this DPA limits liability where prohibited by Data Protection Laws.
12 Governing Law
This DPA is governed by the laws of England and Wales.
13 Contact
For data protection matters:
© CK Software Group Ltd. – ConstructSum. All rights reserved.