Data Processing Addendum

Effective July 6, 2026 · Version 1.0

This Data Processing Addendum ("DPA") forms part of the BlunkWorks Master Terms of Service and any product-specific agreement between BlunkWorks, LLC, an Oklahoma limited liability company ("Processor," "we," "us") and the customer that accepts it ("Customer," "Controller," "you") for the products ScopeBuilder Pro, StockPilot, and OrbitDisk Pro (the "Services"). It reflects the parties' agreement on the processing of Personal Data in connection with the Services.

When this DPA applies. This DPA applies where, and to the extent that, BlunkWorks processes Personal Data on Customer's behalf that is subject to data-protection laws such as the EU/UK GDPR or the California Consumer Privacy Act (as amended by the CPRA). This DPA is accepted electronically — see "How to execute this DPA" below. In case of conflict between this DPA and the rest of the agreement, this DPA controls as to the processing of Personal Data.

Contents
  1. Definitions
  2. Roles & scope
  3. Processing instructions
  4. Confidentiality
  5. Security measures
  6. Subprocessors
  7. Data-subject rights
  8. Breach notification
  9. DPIAs & consultation
  10. Return & deletion
  11. Audits & information
  12. International transfers
  13. California (CCPA/CPRA) terms
  14. Liability
  15. Term, precedence & general
  16. How to execute this DPA
  17. Annex I — Details of processing
  18. Annex II — Security measures
  19. Annex III — Subprocessors

1. Definitions

Capitalized terms not defined here have the meaning in the agreement or applicable Data Protection Law. "Data Protection Law" means all laws applicable to the processing of Personal Data under the agreement, including the EU General Data Protection Regulation 2016/679 ("EU GDPR"), the UK GDPR and Data Protection Act 2018, and the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"). "Personal Data," "processing," "controller," "processor," and "data subject" have the meanings given under Data Protection Law (and correspond, under CCPA/CPRA, to "personal information," "business," and "service provider," respectively). "Customer Personal Data" means Personal Data contained in Customer Data that BlunkWorks processes on Customer's behalf. "Subprocessor" means a third party engaged by BlunkWorks to process Customer Personal Data.

2. Roles & scope

As between the parties for Customer Personal Data, Customer is the controller (or a processor acting on behalf of a third-party controller) and BlunkWorks is the processor (a service provider under CCPA/CPRA). BlunkWorks processes Customer Personal Data only to provide, secure, and support the Services and as described in Annex I. Customer is responsible for the lawfulness of the Personal Data it provides and of BlunkWorks' processing on its documented instructions, and for having any required notices, consents, and legal bases.

3. Processing instructions

BlunkWorks will process Customer Personal Data only on Customer's documented instructions, including as set out in the agreement, this DPA, and Customer's use and configuration of the Services, unless required to act otherwise by law (in which case, where permitted, BlunkWorks will inform Customer first). BlunkWorks will inform Customer if, in its opinion, an instruction infringes Data Protection Law. BlunkWorks will not sell or share Customer Personal Data and will not process it for its own purposes or for advertising.

4. Confidentiality

BlunkWorks ensures that persons authorized to process Customer Personal Data are bound by an appropriate duty of confidentiality and process the data only as needed to provide the Services.

5. Security measures

BlunkWorks implements and maintains appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature and risk of the processing. A description of these measures is set out in Annex II. Customer is responsible for its own use of the Services, including safeguarding its credentials, configuring access for its users, and maintaining backups of its data.

6. Subprocessors

Customer provides general authorization for BlunkWorks to engage the Subprocessors listed at blunk.works/legal/subprocessors.html (Annex III). BlunkWorks will: (a) impose data-protection obligations on each Subprocessor that are no less protective than those in this DPA; (b) remain responsible for each Subprocessor's performance; and (c) notify Customer of any intended addition or replacement of a Subprocessor (for example, by updating the subprocessors page and, on request, by email), giving Customer a reasonable opportunity to object on reasonable data-protection grounds. If Customer reasonably objects and the parties cannot resolve the concern, Customer may terminate the affected Service as its exclusive remedy.

7. Data-subject rights

Taking into account the nature of the processing, BlunkWorks will provide reasonable assistance (including appropriate technical and organizational measures, and the self-service export and deletion tools within the Services) to help Customer respond to requests from data subjects to exercise their rights under Data Protection Law. If BlunkWorks receives such a request directly, it will, where lawful, refer the data subject to Customer.

8. Personal data breach notification

BlunkWorks will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it to help Customer meet its own notification obligations. Our notification is not an acknowledgment of fault or liability.

9. Data protection impact assessments & prior consultation

Taking into account the nature of processing and information available to it, BlunkWorks will provide reasonable assistance to Customer with data protection impact assessments and any prior consultation with a supervisory authority that Customer is required to carry out under Data Protection Law.

10. Return & deletion of data

On termination or expiry of the Services, and at Customer's choice, BlunkWorks will delete or return Customer Personal Data, and delete existing copies, within a reasonable wind-down period, unless retention is required by law. Customer can also export its data at any time using the tools in the Services. Residual copies may persist in routine backups for a limited period until they are overwritten in the ordinary course, during which they remain protected by this DPA.

11. Audits & information

BlunkWorks will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior written notice and subject to confidentiality, will allow for and contribute to audits — including by responding to reasonable security questionnaires — no more than once per year (unless required by a supervisory authority or following a Personal Data Breach). Audits must be conducted during business hours, without unreasonably disrupting BlunkWorks' operations.

12. International transfers

BlunkWorks processes and stores Customer Personal Data in the United States. Where Customer's transfer of Customer Personal Data to BlunkWorks (or an onward transfer to a Subprocessor) requires a transfer mechanism under EU/UK Data Protection Law, the parties agree that the applicable Standard Contractual Clauses (and the UK International Data Transfer Addendum, where relevant) are incorporated by reference and apply, with BlunkWorks as "data importer" and Customer as "data exporter," completed using the details in the Annexes. Where there is a conflict, those clauses prevail with respect to the restricted transfer.

13. California (CCPA/CPRA) terms

To the extent BlunkWorks processes Personal Data subject to the CCPA/CPRA as a service provider, BlunkWorks: (a) will process such data only to perform the Services and for the business purposes specified in the agreement and this DPA; (b) will not sell or share the data, and will not retain, use, or disclose it outside the direct business relationship or for any purpose other than performing the Services; (c) will not combine it with personal information from other sources except as permitted by the CCPA/CPRA; and (d) certifies that it understands and will comply with these restrictions. BlunkWorks will notify Customer if it determines it can no longer meet its obligations under the CCPA/CPRA.

14. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the agreement, and any reference to a party's liability means the aggregate liability of that party under the agreement and this DPA together.

15. Term, precedence & general

This DPA takes effect when Customer accepts the agreement or this DPA and continues while BlunkWorks processes Customer Personal Data. This DPA supplements, and in case of conflict regarding the processing of Personal Data prevails over, the rest of the agreement. If any provision is found unenforceable, the remainder stays in effect. This DPA is governed by the same law as the agreement, except where Data Protection Law requires otherwise.

16. How to execute this DPA

This DPA is accepted electronically and forms part of the agreement. By clicking to accept this DPA or the agreement — or by creating an account, completing a purchase, or otherwise using the Services — you agree, on behalf of the Customer, to this DPA, and it becomes legally binding without any physical or electronic signature or countersignature. The person accepting represents that they are authorized to bind the Customer. A DPA accepted this way is valid and enforceable. If your organization has a specific procurement requirement, contact cs@blunk.works.

Annex I — Details of processing

Parties. Data exporter: the Customer (controller/business). Data importer: BlunkWorks (processor/service provider).

Subject matter & duration. Processing of Customer Personal Data to provide the Services, for the duration of the agreement plus any wind-down period described in this DPA.

Nature & purpose. Hosting, storage, transmission, synchronization, backup, display, export, and support of Customer Data; account authentication; billing and license administration; and sending service, billing, and license emails.

Categories of data subjects. Customer's authorized users and staff (e.g., admins and team members); the Customer's own end customers, contacts, or other individuals whose information the Customer chooses to include in its content (e.g., in a scope, inventory record, or attachment); and, for licensed software, the purchaser/licensee.

Types of Personal Data. Account data (name, email, company name, hashed password); billing reference (Stripe customer/charge identifier; card data handled by Stripe, not BlunkWorks); license and activation records (email, license key, edition, status, hashed device identifier); Customer Content (which may incidentally contain personal data the Customer inputs); and technical data (IP address, browser type, request logs).

Special-category data. Not intended or required. Customer should not submit special-category data except as strictly necessary and lawful; any such data is processed under the same safeguards.

Frequency. Continuous, for the duration of the agreement.

Annex II — Technical & organizational security measures

These measures may be updated over time provided the level of protection is not materially decreased.

Annex III — Approved subprocessors

The current list of approved Subprocessors is maintained at blunk.works/legal/subprocessors.html and is incorporated into this DPA. It currently comprises Stripe, Inc. (payment processing) and Namecheap, Inc. (application hosting, database, and transactional email). Changes are handled under Section 6.