Renovo
Customer data terms

Data processing addendum

Processing terms for business customers whose use of Renovo is subject to data-protection law.

Effective July 16, 2026

01

Scope and definitions

This Data Processing Addendum applies when Renovo processes personal data contained in Customer Data on behalf of a customer. Terms such as controller, processor, business, service provider, personal data, processing, and data subject have the meanings given by applicable data-protection law. If a conflict concerns that processing, this DPA controls over the general Terms.

02

Roles and instructions

Customer determines the purposes and means of its client, project, and workforce processing and is responsible for lawful instructions, notices, permissions, and the accuracy of Customer Data. Renovo processes Customer Data only to provide, secure, support, and maintain the service; follow documented customer instructions; comply with law; and perform the limited activities described in the agreement. Use of product features constitutes documented instructions.

03

Compliance and restricted use

Each party will comply with the data-protection obligations applicable to its role. Renovo will not sell Customer Data, share it for cross-context behavioral advertising, retain or use it outside the business relationship, or combine it with data obtained from another person except as permitted to provide the service, with customer direction, or by law.

04

Confidentiality

Renovo will ensure that personnel authorized to process Customer Data are bound by confidentiality obligations and receive access only as needed for their responsibilities. Customer is responsible for managing its authorized users, devices, recipients, and exported records.

05

Security measures

Renovo will maintain safeguards appropriate to the risk, including access control, authentication, authorization boundaries, encryption in transit, protected cloud storage, logging, dependency and change practices, incident handling, deletion controls, and provider oversight. Customer acknowledges that security is shared and will configure and use the service appropriately.

06

Subprocessors

Customer grants general authorization for the subprocessors listed on the Subprocessor page and their disclosed replacements. Renovo will impose data-protection obligations appropriate to the services they perform and remains responsible for its own obligations under this DPA. A customer with a negotiated objection right must use the process stated on that page or in its order.

07

Individual rights

Taking into account the nature of processing, Renovo will provide reasonable assistance so Customer can respond to verified data-subject requests. If Renovo receives a request concerning Customer Data, it may direct the requester to Customer unless law requires a direct response. Customer remains responsible for determining whether and how to fulfill the request.

08

Security incidents

Renovo will notify affected customers without undue delay after confirming a breach of Customer Data for which notice is legally required. Notice will include information reasonably available about the nature, likely consequences, affected data, and mitigation. Notice is not an admission of fault. Customer is responsible for notices it must give to individuals or authorities.

09

Return, deletion, and legal holds

During the service term, Customer may use available export and deletion features. After termination or a verified request, Renovo will delete or return Customer Data within its ordinary deletion and backup cycle unless law requires retention. Data in protected backups will remain isolated from ordinary use until overwritten. A legal hold, dispute, security investigation, or statutory record duty may delay deletion of the affected data.

10

Information and audits

Renovo will make information reasonably necessary to demonstrate compliance available through this DPA, published security material, provider documentation, and responses to proportionate questionnaires. If law requires an audit, the parties will first use available reports and remote evidence. Any additional audit must be scoped, confidential, non-disruptive, at Customer's expense, and avoid exposing another customer's data or Renovo security secrets.

11

International transfers

Where Customer Data is transferred from a jurisdiction that restricts international transfers, the parties will use an applicable lawful mechanism, which may include adequacy decisions, the European Commission's Standard Contractual Clauses, the United Kingdom addendum, or another recognized safeguard. The correct modules, exporter and importer details, and annexes must be completed for the parties and transfer at issue.

12

Government requests

Renovo will review demands for Customer Data, disclose only what it reasonably believes is legally required, and challenge overbroad demands when appropriate and lawful. Renovo will notify Customer before disclosure unless prohibited and may provide delayed notice when the prohibition ends.

13

Processing details

Subject matter and duration: provision of Renovo for the service term and deletion cycle. Nature and purpose: hosting, organization, synchronization, quote delivery, decisions, documents, support, security, and customer-selected features. Data subjects: customer personnel, clients, quote recipients, contractors, and people included in Customer Data. Data: identifiers, contact and business details, addresses, project and quote records, files, signatures, device and technical data, and communications. Sensitive data is not intended unless Renovo expressly supports it. Frequency is continuous or customer-initiated. Retention follows the Data Retention Policy and customer instructions.

14

Liability and execution

Liability under this DPA follows the limitations in the governing agreement to the extent permitted by law. This published DPA is incorporated when the Terms, an order, or applicable law makes it part of the customer relationship. A customer needing a countersigned DPA, completed transfer annexes, or entity-specific terms must request them before regulated production use.