Data Processing Addendum (Customer DPA)
This Data Processing Addendum ("DPA") is an agreement between LTplus AG ("Processor") and the customer who is using the QTOpro service ("Customer" or "Controller") and is incorporated into the Terms of Service between the parties. This DPA governs the processing of personal data that Customer uploads to or processes through QTOpro, in cases where Customer is the data controller and LTplus AG is acting as a data processor on Customer's behalf. This DPA ensures both parties meet the requirements of applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP).
Effective Date: This DPA is effective as of the date Customer agrees to the Terms of Service or first uses QTOpro to process personal data, whichever is earlier.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is processed under this DPA.
- "Process/Processing" means any operation or set of operations performed on Personal Data, such as collection, storage, use, disclosure, deletion, etc., whether by automated means or not.
- "Controller" means the entity which determines the purposes and means of the processing of Personal Data (here, the Customer, when using QTOpro to process their data).
- "Processor" means the entity which processes Personal Data on behalf of the Controller (here, LTplus AG).
- "Sub-Processor" means any third party engaged by the Processor to assist in processing Personal Data on behalf of the Controller in providing the service. (See Annex for current authorized Sub-Processors.)
- Other capitalized terms used but not defined in this DPA shall have the meanings given in the Terms of Service or applicable data protection laws. For instance, "GDPR" refers to Regulation (EU) 2016/679, and "FADP" refers to the Swiss data protection law.
2. Scope and Roles
This DPA applies only when Customer Data uploaded to QTOpro contains Personal Data and LTplus AG is processing it on behalf of Customer. The parties acknowledge that, for such data:
- Customer is the Controller (or acting on behalf of the controller) and
- LTplus AG is the Processor.
The subject-matter of the processing is the BIM/IFC file data and related content that Customer uploads to or generates via QTOpro. The duration of processing is the period during which Customer chooses to use QTOpro services. The nature and purpose of the processing is to perform quantity take-off analyses and related BIM data processing as instructed by the Customer through their use of the Service. The types of personal data and categories of data subjects are determined by Customer's input (e.g. personal names, contact details, or other personal identifiers that might appear in the BIM files, typically relating to project participants, building owners, etc., if any). It is generally expected that IFC files contain minimal personal data, but this DPA covers any that might be present.
3. Customer's Instructions
LTplus AG (Processor) will process Personal Data only on documented instructions from Customer. By using QTOpro and uploading data, Customer instructs LTplus AG to process the data for the following purposes: (i) to provide the QTOpro service and generate results, (ii) to troubleshoot and provide support upon Customer's request, and (iii) to comply with Customer's other reasonable instructions given via configuration of the Service (for example, if the Customer uses a feature to share a result with a third party, that is an instruction to transmit data to that third party).
Processor will not process the Personal Data for any purpose other than providing the Service and following Customer's instructions, unless processing is required by law to which Processor is subject. In that case, Processor will inform Customer of the legal requirement before processing (unless the law prohibits such notice).
Customer shall ensure that its instructions are lawful and that the processing of Personal Data in accordance with such instructions will not put Processor in breach of applicable data protection laws. If Processor believes an instruction violates any law, Processor will notify Customer and may suspend such processing (without liability) until the issue is resolved.
4. Compliance and Responsibilities
Customer Responsibilities:
Customer is responsible for obtaining all necessary consents and legal bases for processing the Personal Data that it uploads to QTOpro. Customer must not upload or otherwise provide Processor with any Personal Data for which Customer lacks a lawful basis or that is unrelated to the use of the QTOpro service. Customer is responsible for the accuracy, quality, and legality of Personal Data provided and the means by which Customer acquired Personal Data. If a Data Subject (individual) is involved, Customer must provide any required notices to them under law (such as a privacy notice stating that their data will be processed by QTOpro on Customer's behalf) and handle their rights requests related to that data, except as explicitly agreed otherwise.
Customer shall maintain a record of processing activities and any other documentation required by applicable laws as a controller, covering the use of QTOpro, and include this DPA as necessary. Customer acknowledges that, as between the parties, it has the sole responsibility for defining retention periods for its data within QTOpro and for deleting data when no longer needed (subject to Processor's standard retention schedules in case Customer does not delete data proactively).
Processor Responsibilities:
LTplus AG shall process Personal Data in compliance with the obligations of processors under GDPR, FADP, and any other applicable data protection law. This means we will:
- Only act on Customer's documented instructions (as per Section 3).
- Ensure that persons authorized to process the Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality (see Section 5).
- Take appropriate security measures (see Section 6).
- Not engage a Sub-Processor without proper authorization and safeguards (see Section 7).
- Assist Customer, where possible, in responding to Data Subject requests and in meeting other compliance obligations (see Sections 8 and 10).
- Upon termination of the Service, delete or return data (see Section 9).
- Make available to Customer all information necessary to demonstrate compliance and allow for audits (Section 10).
5. Confidentiality
Any Personal Data processed under this DPA is considered confidential information of the Customer. Processor will not disclose Personal Data to any third party except as permitted in the Terms of Service, this DPA, or by Customer's instructions. Processor ensures that all employees and agents authorized to process Personal Data are bound to confidentiality (either by contract or statutory duty) and are trained on privacy and data security practices. Access to Personal Data is limited to those who need to know it for the purposes of the processing. If Processor uses contractors or contingent workers in delivering the Service, they will be subject to the same confidentiality obligations.
6. Security Measures
Processor will implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures are designed to ensure a level of security appropriate to the risk. Measures include, but are not limited to:
- Encryption: Personal Data in transit is protected by encryption (e.g., TLS). Data at rest in our databases or storage (especially any sensitive data) is encrypted where feasible.
- Access Control: Strict access controls are in place. Only authorized personnel with a legitimate need can access Personal Data. All such access is logged.
- Employee Training and Policies: We maintain internal policies and conduct training to ensure our team handles Personal Data securely and in compliance with data protection principles.
- Network and System Security: We use firewalls, intrusion detection systems, and endpoint protection to safeguard systems. Regular updates and patch management are carried out.
- Data Minimization: Wherever possible, we minimize the amount of Personal Data we need to fulfill the processing (for example, IFC files might rarely contain personal data; if they do, we do not extract or use that personal portion beyond what is necessary for the service).
- Backups and Recovery: We perform regular backups of data (encrypted) and have disaster recovery procedures. Backup access is restricted.
- Monitoring and Testing: Our systems are monitored for security events. We periodically test and evaluate the effectiveness of our security measures (including through vulnerability scanning or penetration testing by us or third parties).
Customer has reviewed these measures as described (further details can be found in our Security documentation or Annex, if provided) and agrees that they provide an appropriate level of security for the likely risks. Processor may update or modify the security measures from time to time, provided that such updates do not degrade the overall security.
7. Sub-Processors
Customer provides a general authorization for Processor to engage Sub-Processors as necessary to provide the QTOpro service. A list of current authorized Sub-Processors (including their functions and locations) is provided in the Sub-Processor List (Annex) and on our website. Key sub-processors include our authentication provider, payment processor, hosting provider, and analytics platform (as detailed in the Privacy Policy and Sub-Processor List).
When engaging a new Sub-Processor, Processor will: (a) carry out due diligence to ensure the Sub-Processor is capable of providing the level of data protection required, and (b) enter into a written agreement with the Sub-Processor that imposes data protection obligations equivalent to those in this DPA (particularly, granting at least the same level of protection for Personal Data).
Notification of New Sub-Processors: Processor will notify Customer of any intended changes concerning the addition or replacement of Sub-Processors by updating the Sub-Processor List online (and, if Customer has subscribed to notifications, by email or through the Service). Customer has the right to reasonably object to a new Sub-Processor by notifying Processor in writing within 7 days after the update, provided the objection is based on reasonable grounds relating to data protection. In such a case, Processor will discuss the concerns in good faith and attempt to resolve them (for example, by ensuring the sub-processor is subject to additional measures). If a resolution cannot be found, Customer may have the right to terminate the Service (if the use of the new Sub-Processor is essential to the Service) and receive a prorated refund for any prepaid period not used.
Processor will be liable for the acts and omissions of its Sub-Processors to the same extent it would be liable if performing the services of each Sub-Processor directly under the terms of this DPA.
8. Data Subject Rights Assistance
If Customer receives a request from an individual (Data Subject) to exercise their rights under data protection law (such as access, correction, deletion, restriction, or portability) in relation to Personal Data processed by Processor, Customer can either:
- Access and handle it directly using the features of QTOpro (if available, e.g., deleting or exporting a file that contains the personal data in question), or
- Request Processor's assistance. In such cases, Processor will provide commercially reasonable assistance to fulfill the request, to the extent Customer cannot fulfill it independently through the Service. For example, if a Data Subject requests deletion of their data and Customer cannot remove it via the interface, Processor can delete the data upon verified instruction from Customer.
Processor shall promptly (to the extent legally permitted) notify Customer if it receives a direct request from a Data Subject pertaining to Personal Data that was provided by Customer. Processor will not respond directly to the Data Subject's request unless required by law or authorized by Customer. Instead, Processor will forward the request to Customer and await instructions.
Any assistance provided under this section may take into account the nature of processing and the information available to Processor. If fulfilling a request involves significant effort beyond the standard service (e.g., extensive data collation), the parties may discuss a reasonable fee to cover the cost of such assistance, as permitted by GDPR Art. 12(5) and similar provisions (usually data subject requests should be free of charge, but excessive or manifestly unfounded requests could justify a fee).
9. Personal Data Breach Notification
In the event Processor becomes aware of a Personal Data Breach (a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data) affecting Customer's Personal Data, Processor will notify Customer without undue delay. Such notice will include at least:
- A description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and records concerned).
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its possible adverse effects.
- Contact information for a point of contact where Customer can obtain more information (if not the usual contact).
If complete information is not available at the time of initial notice, Processor will provide the information in phases as it becomes available. Processor will promptly take reasonable steps to contain, investigate, and mitigate any data breach.
Customer is responsible for notifying the relevant supervisory authority(ies) and/or affected Data Subjects of the breach when required by law. Processor will assist Customer in meeting these obligations, for example by providing information about the breach. We will also document the breach and our response in compliance with legal requirements (e.g., as required by GDPR Art. 33(5)).
Notification of a breach by Processor to Customer shall not be construed as an acknowledgment by Processor of any fault or liability with respect to the breach.
10. Audit and Compliance
Processor shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA. This may include providing copies of relevant third-party certifications, audit reports, or summaries of our security measures.
Customer has the right to audit Processor's operations (no more than once annually, unless required by a supervisory authority or evidence of non-compliance) to verify Processor's compliance with this DPA. Such audits may be conducted by an independent third-party auditor mutually agreed upon, during normal business hours, and with reasonable advance notice to Processor (at least 2 weeks). Both parties will agree on the scope and timing of the audit to avoid disruption.
Before any on-site audit, Customer must have the auditor sign a confidentiality agreement reasonably acceptable to Processor. Processor may object to an auditor if the auditor is, in Processor's reasonable opinion, not independent, a competitor of Processor, or otherwise manifestly unsuitable. In such case, Customer will appoint a different auditor or allow Processor to provide audit results from a qualified independent auditor.
The audit shall be limited to documents and data relevant to the scope of this DPA. Customer shall be responsible for any costs of the audit. If the audit identifies any material deficiencies, Processor will take prompt action to address them.
Alternatively, in many cases, Processor may present recent third-party audit certifications or reports (such as ISO 27001 certification, SOC 2 report, or similar) as evidence of compliance. If such documentation is provided and adequately addresses the requirements, the parties can agree that an additional customer-conducted audit is not necessary.
11. International Transfers
Where the processing of Personal Data involves transfers from the European Economic Area (EEA), Switzerland, or the United Kingdom to a country not deemed to provide an adequate level of protection, the parties shall ensure such transfers are protected by appropriate safeguards in accordance with applicable law.
By agreeing to this DPA, the parties are deemed to have executed the Standard Contractual Clauses (SCCs) as adopted by the European Commission (and the equivalent UK International Data Transfer Addendum and Swiss Addendum, as applicable), with the following specifics:
- Customer acts as "data exporter" and LTplus AG acts as "data importer."
- For Module 2 of the SCCs (Controller to Processor transfers): The details provided in Sections 1 and 2 of this DPA (Scope, Categories of Data, etc.) shall serve as Annex I of the SCCs. The security measures outlined in Section 6 of this DPA serve as Annex II of the SCCs. The option for docking clause may be applicable if Customer has affiliates using the service. The governing law of the SCCs shall be that of Switzerland for Swiss data, that of an EU Member State (preferably Switzerland or Germany) for EU data, and England and Wales for UK data (per the UK Addendum).
- If relying on SCCs, the parties agree that if there is any conflict between the SCCs and this DPA or other agreements with respect to cross-border transfers, the SCCs will prevail.
In addition, if and where applicable, the parties may rely on the EU-U.S. Data Privacy Framework or Swiss-U.S. Data Privacy Framework in case LTplus AG or relevant sub-processors are certified under those programs for transfers to the United States. (LTplus AG itself is based in Switzerland and currently processes data in Switzerland/EU/US; we will maintain compliance with transfer laws accordingly.)
Processor will not transfer or access Personal Data from a third country in a manner that violates applicable transfer restrictions. If Customer requires data localization or specific regional processing, Customer should inform Processor to discuss available options (additional fees may apply for specialized hosting).
12. Return or Deletion of Data
Upon termination or expiration of Customer's use of QTOpro, Customer can retrieve any Personal Data via the Service prior to account closure. After termination, Processor will, upon Customer's request, return any remaining Personal Data to Customer in a commonly readable format (unless already available to Customer) and, to the extent allowed by law, will delete all Personal Data in its systems. This deletion will be completed within a reasonable timeframe, not to exceed 60 days after termination, unless applicable law requires retention.
If deletion of data (including backups) within this period is not feasible (for example, archived backups in secure storage), Processor will continue to protect such data and prevent any active use of it until deletion is possible.
Processor will certify deletion upon Customer's request. If Customer prefers, the parties can agree for Processor to continue storing the data for a specific period post-termination (for example, if Customer is likely to renew service or needs data held for compliance), but absent such agreement, deletion is the default.
13. Liability and Indemnity
Each party's liability arising out of or in connection with this DPA shall be subject to the exclusions and limitations of liability set forth in the main Terms of Service or agreement between the parties. In no event shall either party's total liability under this DPA exceed the limits applicable under that main agreement.
Customer shall indemnify and hold Processor harmless against all claims, damages, or penalties incurred by Processor arising from Customer's breach of this DPA or Customer's instructions that violate applicable laws, to the extent that Processor has complied with Customer's instructions. Conversely, Processor shall indemnify Customer for any fines or damages finally awarded against Customer that arise directly from Processor's breach of this DPA or applicable data protection law, but only to the extent that Processor's actions were not in compliance with Customer's lawful instructions or this DPA. Any indemnification is subject to the procedures and caps (if any) in the main agreement.
14. Miscellaneous
- Duration: This DPA remains in effect as long as Processor processes Personal Data on behalf of Customer (i.e., until deletion of all such data after termination). Sections relating to confidentiality, liability, and any ongoing obligations shall survive termination.
- Conflict: In the event of any conflict between the Terms of Service and this DPA regarding the processing of Personal Data, the terms of this DPA shall prevail. If there is conflict between this DPA and any Standard Contractual Clauses or other international transfer addendum executed, those transfer mechanisms shall prevail with respect to cross-border transfers.
- Amendment: Except for the addition of new Sub-Processors as outlined, any changes to this DPA require a written agreement (including electronic) by both parties. However, if laws change or new standard clauses are adopted, Processor may update this DPA accordingly (such as replacing SCCs with newer versions) by notifying Customer, to maintain compliance.
- Governing Law: This DPA is governed by the same law as the main Terms of Service (which is Swiss law) except to the extent that mandatory data protection laws (like GDPR's provisions on governing law) dictate otherwise. For example, the Standard Contractual Clauses have their own governing law as noted in Section 11.
- Order of Precedence: This DPA is an addendum to the main agreement (Terms of Service). The main agreement remains in effect and applies to the extent not overridden by this DPA. In case of ambiguities, this DPA will be interpreted to permit compliance with applicable data protection law.
By using QTOpro and/or by signing below (if a signature process is used), Customer and LTplus AG agree to this Data Processing Addendum.
No physical signature is required if acceptance is through online sign-up or click-through agreement referencing this DPA.