Data Processing Addendum

How to use this page. This is the standard DPA template Momentum offers. If your firm needs an executed copy with your name + counterparty signature blocks, email Info@getmomentum.studio with your legal entity name and we'll send a Word version for signature. For most US customers, the existing Terms of Service + Privacy Policy are sufficient; the DPA is most often requested by EU customers, US customers in regulated industries, or any customer's information-security team.

1. Definitions

Capitalized terms have the meanings set out below; terms not defined here have the meanings given to them under the GDPR or applicable US state privacy law.

Customer — the legal entity that has subscribed to Momentum (the "data controller" under GDPR; the "business" under CCPA/CPRA).
Momentum — the legal entity operating the Momentum service (the "data processor" / "service provider").
Personal Data — any information relating to an identified or identifiable natural person processed under this DPA.
Processing — any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
Sub-processor — any third party engaged by Momentum to process Personal Data on Customer's behalf.
Standard Contractual Clauses (SCCs) — the EU Commission's 2021 Module 2 SCCs (Controller→Processor) for international data transfers.
Data Subject — a Customer's modeler or admin whose Personal Data is Processed by Momentum.

2. Scope and roles

Momentum processes Personal Data on Customer's behalf solely to provide the Momentum service as described in the Terms of Service and How Momentum works page. The Customer is the controller of the Personal Data; Momentum is the processor.

Each party will comply with its respective obligations under applicable data protection laws, including (as applicable) the EU GDPR, UK GDPR, California CCPA/CPRA, and other US state privacy statutes.

3. Subject matter, duration, nature and purpose of processing

Item	Detail
Subject matter	Provision of Revit-activity tracking, task routing, project management, and related services.
Duration	The term of the Customer's subscription, plus a 30-day reactivation window after cancellation, then deletion on request or in the next quarterly purge.
Nature	Storage, retrieval, organization, structuring, transmission to Customer-configured webhooks (where enabled), and deletion of Personal Data.
Purpose	Enable Customer to track project hours, route tasks, surface budget alerts, and operate workplace project management.
Categories of Personal Data	Email addresses; display names; Windows usernames; machine names; Autodesk usernames + login IDs; Revit session timestamps; document and view names; counts of edits/saves/syncs; idle/active intervals; tasks (titles, bodies, assignees); project metadata; webhook delivery records.
Categories of Data Subjects	Customer's admins, members, and modelers (typically employees of Customer or its contractors who use Autodesk Revit).
Special categories	None. Momentum does not process special-category data (Article 9 GDPR) by design.

4. Customer instructions

Momentum will Process Personal Data only on documented instructions from Customer, including those set out in the Terms of Service, the Privacy Policy, this DPA, and any Customer configuration choices made in the dashboard or the addin (e.g., webhook subscriptions, data deletion requests, workspace settings).

If Momentum is required by EU or Member State law to Process Personal Data outside the scope of Customer's instructions, Momentum will notify Customer before doing so unless that law prohibits such notice on important grounds of public interest.

5. Confidentiality

Momentum ensures that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations.

6. Security measures

Momentum implements appropriate technical and organizational measures (Article 32 GDPR) including:

Encryption of Personal Data at rest (Google-managed AES-256) and in transit (TLS 1.2+).
Multi-tenant isolation enforced at the Firestore database layer via per-tenant claims and rules; tokens scoped to a single tenant cannot read or write any document outside that tenant.
Per-tenant API keys — revocable without rebuilding the addin.
Authentication via Microsoft 365 SSO; no password storage on Momentum's side.
HMAC-SHA256 signed webhooks for outbound event delivery.
Audit logging of admin-significant actions on a per-tenant basis.
Defer-until-acknowledged capture: no Personal Data is written to Momentum's systems for any individual modeler until that modeler has acknowledged the in-addin monitoring notice.

A current summary of security practices is maintained at /research; Customer may request a more detailed security questionnaire response by emailing Info@getmomentum.studio.

7. Sub-processors

Customer authorizes Momentum to engage the following Sub-processors:

Sub-processor	Service	Location
Google LLC (Firebase / Google Cloud)	Hosting, database (Firestore), authentication, Cloud Functions	United States (us-central1, nam5)
Microsoft Corporation (Azure AD / Entra)	Identity provider for Microsoft 365 SSO sign-in	Customer's Microsoft tenant region
Stripe, Inc.	Payment processing for paid subscriptions	United States

Momentum will notify Customer at least 30 days before adding or replacing a Sub-processor; Customer may object on reasonable grounds. If the parties cannot resolve the objection in good faith, Customer may terminate the affected portion of the service for cause.

8. International data transfers

Personal Data is hosted in the United States. For Personal Data of Data Subjects in the EU, UK, or other jurisdictions with cross-border transfer restrictions, the parties agree that the EU Standard Contractual Clauses (Module 2: Controller to Processor, 2021/914) are incorporated by reference into this DPA, with:

Annex I.A (parties): Customer = data exporter; Momentum = data importer.
Annex I.B (description of transfer): as described in Section 3 above.
Annex II (technical and organizational measures): as described in Section 6 above.
Annex III (Sub-processors): as listed in Section 7 above.
Clause 17 governing law: Ireland. Clause 18 forum: Ireland.

For UK transfers, the UK International Data Transfer Addendum to the EU SCCs (Version B1.0) is incorporated by reference.

9. Data subject rights

Momentum will assist Customer in fulfilling Customer's obligations to respond to Data Subject requests under applicable law. Specifically:

Self-serve DSAR: every signed-in user can download a JSON export of their own Personal Data via the "My data" card on their dashboard.
Self-serve deletion request: users can request deletion via the same card; Customer's admin reviews and approves through the dashboard.
For requests Momentum receives directly from Data Subjects, Momentum will route them to Customer rather than fulfill directly (Customer is the controller).
Momentum will notify Customer without undue delay of any complaint, inquiry, or government request relating to Customer's Personal Data, unless prohibited by law.

10. Personal Data Breach notification

Momentum will notify Customer without undue delay (and within 72 hours where feasible) after becoming aware of a Personal Data Breach affecting Customer's Personal Data. Notice will include the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed.

11. Audits

Momentum will make available all information necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. Audits may be satisfied by:

Provision of Momentum's then-current security questionnaire response and architecture documentation;
Any third-party audit reports Momentum holds (e.g., SOC 2 Type 1 when available);
A reasonable annual on-site or remote audit at Customer's expense, scoped to avoid disrupting the service.

12. Deletion or return of Personal Data

On termination of the subscription, Momentum will, at Customer's choice, delete or return all Personal Data within 30 days, unless EU or US law requires further storage. Backups containing Personal Data are deleted in the next quarterly purge cycle.

13. CCPA/CPRA service-provider terms

For Personal Data subject to the California Consumer Privacy Act (as amended by the CPRA), Momentum:

Will not Sell or Share Personal Data, as those terms are defined under CCPA/CPRA;
Will not retain, use, or disclose Personal Data for any purpose other than the specific business purpose of providing the Momentum service;
Will not retain, use, or disclose Personal Data outside the direct business relationship between the parties;
Will not combine Personal Data received from Customer with Personal Data received from any other source, except as permitted under § 7050(b) of the CCPA Regulations;
Certifies that it understands the foregoing restrictions and will comply with them.

14. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.

15. Order of precedence

If there is any conflict between this DPA and the Terms of Service, this DPA controls with respect to the Processing of Personal Data. The SCCs prevail over both with respect to international transfers governed by them.

16. Term and termination

This DPA is effective upon Customer's first acceptance of the Terms of Service or, if separately signed, the effective date of the signed copy. It terminates automatically when the Customer's subscription terminates and Momentum has fulfilled its deletion or return obligations under Section 12.

17. Contact

For requests under this DPA — including signed copies, audit requests, breach notifications, and Sub-processor objections:

Info@getmomentum.studio

Want a signed copy? Email us with your legal entity name + a contact for execution and we'll send a Word version with signature blocks within one business day. Most customers don't need this — but if your information-security or legal team requires it for procurement, we have it ready.