Data Processing Agreement

Last updated April 6, 2026

This Data Processing Agreement (“DPA”) is incorporated into and forms part of the https://www.joist.ai/terms-and-conditions (or other similarly titled written or electronic agreement addressing the same subject matter) (“Agreement”) between Customer (as defined in the Agreement) and “Joist AI” under which Joist AI provides the Customer with the software and services (the “Services”). The Controller and the Processor are individually referred to as a “Party” and collectively as the “Parties”. The Parties seek to implement this DPA to comply with the requirements of GDPR (defined hereunder), or other similar regulation, in relation to Processor’s processing of Personal Data as part of its obligations under the Agreement. This DPA shall apply only to Personal Data which is processed by Joist AI or its Subprocessors on behalf of the Customer as part of providing Services. Except as modified below, the terms of the Agreement shall remain in full force and effect.

1. DEFINITIONS

Terms not otherwise defined herein shall have the meaning given to them in the GDPR or the Agreement. The following terms shall have the corresponding meanings assigned to them below:

1.1 “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

1.2 “Customer” means the entity that executed the Agreement together with its Affiliates (for so long as they remain Affiliates) which have signed Order Forms. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and its Authorized Affiliates.

1.3 “Data Protection Laws and Regulations” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including those of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states.

1.4 “Data Subject” means the identified or identifiable person to whom Personal Data relates.

1.5 “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) including as implemented or adopted under the laws of the United Kingdom.

1.6 “Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as Personal Data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.

1.7 “Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.

1.8 “Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.

1.10 “Sub-processor” means a processor/sub-contractor appointed by the Processor for the provision of all or parts of the Services and Processes the Personal Data as provided by the Controller.

1.11 “Technical and Organization Measures” shall mean the technical and organization measures adopted by Joist AI to protect the security and integrity of Customer Data.

2. PROCESSING OF PERSONAL DATA

2.1. Customer’s Processing of Personal Data. Customer as a Controller or Processor shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations, including any applicable requirement to provide notice to Data Subjects of the use of Joist AI as Processor (including where the Customer is a Processor, by ensuring that the ultimate Controller does so). For the avoidance of doubt, Customer’s instructions for the processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, including those that have opted-out from sales or other disclosures of Personal Data, to the extent applicable under Data Protection Laws and Regulations.

2.2. Joist AI’s Processing of Personal Data. Joist AI shall treat Personal Data as Confidential Information and shall process Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) processing in accordance with the Agreement and applicable Order Form(s); (ii) processing initiated by Users in their use of the Services; and (iii) processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.

2.3. Details of the Processing. The subject-matter of processing of Personal Data by Joist AI is the performance of the Services pursuant to the Agreement. The duration of the processing, the nature and purpose of the processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Description of Processing/Transfer) to this DPA.

2.4. Customer Instructions. Joist AI shall inform Customer immediately (i) if, in its opinion, an instruction from Customer constitutes a breach of the GDPR and/or (ii) if Joist AI is unable to follow Customer’s instructions for the processing of Personal Data.

3. RIGHTS OF DATA SUBJECTS

3.1. Data Subject Request. Joist AI shall, to the extent legally permitted, promptly notify Customer of any complaint, dispute or request it has received from a Data Subject, such as a Data Subject’s right of access, right to rectification, restriction of processing, erasure (“right to be forgotten”), data portability, right to object to the processing, or its right not to be subject to automated individual decision making, each such request being a “Data Subject Request”. Joist AI shall not respond to a Data Subject Request itself, except that Customer authorizes Joist AI to redirect the Data Subject Request as necessary to allow Customer to respond directly.

3.2. Required Assistance. Taking into account the nature of the processing, Joist AI shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations.

3.3. Additional Assistance. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Joist AI shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Joist AI is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from Joist AI’s provision of such assistance. 

4. JOIST AI PERSONNEL AND DATA PROTECTION OFFICER

4.1. Confidentiality, Reliability and Limitation of Access. Joist AI shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Joist AI shall (i) ensure that such confidentiality obligations survive the termination of the personnel engagement; and (ii) ensure that Joist AI’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement, any applicable Order Form(s) and Documentation.

4.2. Data Protection Officer. Joist AI has appointed a data protection officer. The appointed person may be reached at nikhil@joist.ai.

5. SUB-PROCESSORS

5.1. Appointment of Sub-processors. Customer acknowledges and agrees that (a) Joist AI’s Affiliates may be retained as Sub-processors; and (b) Joist AI and Joist AI’s Affiliates respectively may engage third-party Sub-processors to provide the Services. Joist AI or a Joist AI Affiliate has entered into a written agreement with each Sub-processor containing, in substance, data protection obligations no less protective than those in the Agreement with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor.

5.2. Current List of Sub-processors and Notification of New Sub-processors. The current list of Sub-processors engaged in processing Personal Data for the performance of each applicable Service, including a description of their processing activities and countries of location, can be found on Joist AI’s Trust Center webpage at https://trust.joist.ai/item/subprocessors (“Sub-processor Documentation”). Customer hereby consents to these Sub-processors, their locations and processing activities as it pertains to their Personal Data. The Sub-processor Documentation contains a mechanism to subscribe to notifications of new Sub-processors. Joist AI will notify Customer of a new Sub-processor(s) (either via the notification mechanism, if subscribed to by Customer, or by adding such new Sub-processor to the Sub-processor Documentation) before authorizing any new Sub-processor(s) to Process Personal Data to provide the applicable Services (each, a “New Sub-processor Notification”).

5.3. Objection Right for New Sub-processors. Customers may object to Joist AI’s use of a new Sub-processor by notifying Joist AI promptly in writing within thirty (30) days of receipt of a New Sub-processor Notification (the “Sub-processor Objection Period”). If Joist AI does not receive any objection from Customer within the Sub-processor Objection Period, Customer is deemed to have accepted the new Sub-processor. If Customer objects to a new Sub-processor within the Sub-processor Objection Period, Joist AI will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If Joist AI is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Joist AI without the use of the objected-to new Sub-processor by providing written notice to Joist AI. Joist AI will refund Customer any unused, prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.

5.4. Liability. Joist AI shall be liable for the acts and omissions of its Sub-processors to the same extent Joist AI would be liable if performing the services of each Sub-processor directly under the terms of this DPA, unless otherwise set forth in the Agreement.

6. SECURITY, CERTIFICATIONS AND AUDIT

6.1. Controls for the Protection of Customer Data. Joist AI shall maintain appropriate Technical and Organization Measures for protection of the security (including protection against unauthorized or unlawful processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, as set forth in the Technical and Organization Measures. Joist AI regularly monitors compliance with these measures. Joist AI will not materially decrease the overall security of the Services during a subscription term.

6.2. Third-Party Certifications and Audits. Joist AI has obtained the third-party certifications and audits set forth in the Technical and Organizational Measures or Joist AI’s Trust Center (https://trust.joist.ai) (the “Trust Center”). Where Joist AI has obtained ISO 27001 certifications and SSAE 18 Service Organization Control (SOC) 2 reports as described in the Documentation or the Trust Center, Joist AI agrees to maintain these certifications or standards, or appropriate and comparable successors thereof, for the duration of the Agreement.

6.3. Audit Program. Joist AI shall maintain an audit program to help ensure compliance with the obligations set out in this DPA and shall make available to Customer information via the Trust Center to demonstrate compliance with the obligations set out in this DPA, including those obligations required by applicable Data Protection Laws and Regulations, as set forth in this Section 6.3.

6.3.1. Access to Third-Party Certifications and Audits Information. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Joist AI shall: (i) make available to Customer (or Customer’s Third-Party Auditor, as defined below in section 6.3.4) information regarding Joist AI’s compliance with the obligations set forth in this DPA in the form of a copy of Joist AI’s then most recent third-party audits or certifications set forth in the Technical and Organization Measures or the Trust Center. Such third-party audits or certifications may also be shared with Customer’s competent supervisory authority on its request; (ii) provide Customer with a report and/or confirmation of Joist AI's audits of third-party Sub-processors’ compliance with the data protection controls set forth in this DPA and/or a report of third-party auditors’ audits of third-party Sub-processors that have been provided by those third-party Sub-processors to Joist AI, to the extent such reports or evidence may be shared with Customer (“Third-party Sub-processor Audit Reports”). Customer acknowledges that (i) Third-party Sub-processor Audit Reports shall be considered Confidential Information as well as confidential information of the third-party Sub-processor and (ii) certain third-party Sub-processors to Joist AI may require Customer to execute a non-disclosure agreement with them in order to view a Third-party Sub-processor Audit Report.

6.3.2. On-Site Audit. Customers can request an on-site audit of Joist AI’s Processing activities covered by this DPA (“On-Site Audit”). An On-Site Audit may be conducted by Customer either itself or through a Third-Party Auditor (as defined below in section 6.3.4) selected by Customer when: (i) the information available pursuant to section “Third-Party Certifications and Audits” is not sufficient to demonstrate compliance with the obligations set out in this DPA and its Schedules; (ii) Customer has received a notice from Joist AI of a Customer Data Incident; or (iii) such an audit is required by Data Protection Laws and Regulations or by Customer’s competent supervisory authority. Any On-Site Audits will be limited to Customer Data processing and storage facilities operated by Joist AI or any of Joist AI’s Affiliates.

6.3.3. Reasonable Exercise of Rights. An On-Site Audit shall be conducted by Customer or its Third-Party Auditor: (i) acting reasonably, in good faith, and in a proportional manner, taking into account the nature and complexity of the Services used by Customer; (ii) up to one time per year with at least sixty (60) days’ advance written notice. If an emergency justifies a shorter notice period, Joist AI will use good faith efforts to accommodate the On-Site Audit request; and (iii) during Joist AI’s normal business hours, under reasonable duration and shall not unreasonably interfere with Joist AI’s day-to-day operations. Customer acknowledges that Joist AI operates a multi-tenant cloud environment. Before any On-Site Audit commences, Customer and Joist AI shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by or on behalf of Joist AI. Joist AI shall have the right to reasonably adapt the scope of any On-Site Audit to avoid or mitigate risks with respect to, and including, service levels, availability, and confidentiality of other Joist AI customers’ information.

6.3.4. Third-Party Auditor. A Third-Party Auditor means a third-party independent contractor that is not a competitor of Joist AI. An On-Site Audit can be conducted through a Third-Party Auditor if: (i) prior to the On-Site Audit, the Third-Party Auditor enters into a non-disclosure agreement containing confidentiality provisions no less protective than those set forth in the Agreement to protect Joist AI’s proprietary information; and (ii) the costs of the Third-Party Auditor are at Customer’s expense.

6.3.5. Findings. Customers must promptly provide Joist AI with information regarding any non-compliance discovered during the course of an On-Site Audit.

6.4. Data Protection Impact Assessment. Upon Customer’s request, Joist AI shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under Data Protection Laws and Regulations to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Joist AI.

7. CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION

Joist AI maintains security incident management policies and procedures specified in the Technical and Organizational Measures or Trust Center and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Joist AI or its Sub-processors of which Joist AI becomes aware (a “Customer Data Incident”). Joist AI shall make reasonable efforts to identify the cause of such Customer Data Incident and take such steps as Joist AI deems necessary and reasonable to remediate the cause of such a Customer Data Incident to the extent the remediation is within Joist AI’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.

8. GOVERNMENT REQUESTS

8.1 Joist AI requirements. As a Processor, Joist AI shall maintain appropriate measures to protect Personal Data in accordance with the requirements of Data Protection Laws and Regulations, including by implementing appropriate technical and organizational safeguards to protect Personal Data against any interference. If Joist AI receives a legally binding request to access Personal Data from a competent supervisory authority, Joist AI shall, unless otherwise legally prohibited, promptly notify Customer including a summary of the nature of the request. To the extent Joist AI is prohibited by law from providing such notification, Joist AI shall use commercially reasonable efforts to obtain a waiver of the prohibition to enable Joist AI to communicate as much information as possible, without undue delay. Joist AI agrees it will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. 

8.2 Sub-processors requirements. Joist AI shall ensure that Sub-processors involved in the Processing of Personal Data are subject to the relevant commitments regarding access requests from competent supervisory authorities in the Standard Contractual Clauses.

9. RETURN AND DELETION OF CUSTOMER DATA

Joist AI shall return Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Technical and Organizational Measures or Trust Center. Until Customer Data is deleted or returned, Joist AI shall continue to comply with this DPA and its Appendices.

10. AUTHORIZED AFFILIATES

10.1. Contractual Relationship. The parties acknowledge and agree that, by executing the Agreement, Customer enters into this DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Joist AI and each such Authorized Affiliate subject to the provisions of the Agreement and this section 10 and section 11. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement, and is a party only to this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.

10.2. Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Joist AI under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.

10.3. Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to this DPA with Joist AI, it shall to the extent required under applicable Data Protection Laws and Regulations be entitled to exercise the rights and seek remedies under this DPA, subject to the following:

10.3.1 Except where applicable Data Protection Laws and Regulations require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against Joist AI directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA, not separately for each Authorized Affiliate individually, but in a combined manner for itself and all of its Authorized Affiliates together (as set forth, for example, in Section 10.3.2, below).

10.3.2 The parties agree that the Customer that is the contracting party to the Agreement shall, when carrying out an On-Site Audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on Joist AI and its Sub-Processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of itself and all of its Authorized Affiliates in one single audit.

11. LIMITATION OF LIABILITY

Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Joist AI, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, Joist AI’s and its Affiliates’ total liability for all claims from Customer and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.

12. INTERNATIONAL PROCESSING

12.1. Conditions for International Processing. Joist AI shall be entitled to process Personal Data, including by using Sub-processors, in accordance with this DPA, outside the country in which the Customer is located as permitted under Data Protection Laws and Regulations.

12.2 Standard Contractual Clauses 8.3 to 8.4 apply where there is a transfer to a Third Country of Personal Data that is either subject to GDPR or to other Data Protection Laws and Regulations and where any required adequacy means under GDPR or other Data Protection Laws and Regulations can be met by entering into the Standard Contractual Clauses, as amended in accordance with Data Protection Laws and Regulations. Joist AI and Customer enter into the Standard Contractual Clauses with Customer as the data exporter and Joist AI as the data importer as follows: (a) Module 2 (Controller to Processor) shall apply where Customer is a Controller; and (b) Module 3 (Processor to Processor) shall apply where Customer is a Processor. Where Customer acts as Processor under Module 3 (Processor to Processor) of the Standard Contractual Clauses, Joist AI acknowledges that Customer acts as Processor under the instructions of its Controller(s). Other Controllers or Processors whose use of Joist AI Services is authorized by Customer under the Agreement may also enter into the Standard Contractual Clauses with Joist AI in the same manner as Customer in accordance with this Section. In such cases, Customer enters into the Standard Contractual Clauses on behalf of other Controllers or Processors.

12.3 Where Customer is located in a Third Country and is acting as a Processor under Module 2 or Module 3 of the Standard Contractual Clauses and Joist AI is acting as Customer's Sub-processor, the respective data exporter shall have the following third-party beneficiary right:

SCHEDULE 1

DESCRIPTION OF THE PROCESSING

This Schedule 1 applies to the Processing of Personal Data under the Agreement and for the purposes of the Standard Contractual Clauses and Data Protection Laws and Regulations.

Where Customer and Joist AI enter into the Standard Contractual Clauses, Schedule 1 is incorporated as Annex I of the Standard Contractual Clauses.

1.    OPTIONAL CLAUSES OF THE STANDARD CONTRACTUAL CLAUSES

1.1    Docking Clause. The optional clause 7 and the option in clause 11a of the Standard Contractual Clauses shall not apply.

1.2    Option 2, General Written Authorization of clause 9 of the Standard Contractual Clauses shall apply in accordance with the notification periods set out in Section 5 of this DPA.

1.3    Governing Law. The governing law for the purposes of clause 17 shall be the law that is designated in the Governing Law section of the Agreement. If the Agreement is not governed by an EU Member State law, the Standard Contractual Clauses will be governed by either (i) the laws of France; or (ii) where the Agreement is governed by the laws of the United Kingdom, the laws of England and Wales.

2.    A. LIST OF PARTIES

Data exporter(s):

Name: Customer

Address: As set forth in the relevant Order Form.

Contact person's name, position, and contact details: As set forth in the relevant Order Form.

Activities relevant to the data transferred under these Clauses: Recipient of the Services provided by Joist AI in accordance with the Agreement.

Role (controller/processor): Controller

Data importer(s):

Name: Joist AI

Address: Joist Technologies, Inc. 8910 University Center Lane, Suite 400, San Diego, CA 92122.

Contact person's name, position, and contact details: Nikhil Almeida, DPO (nikhil@joist.ai).

Activities relevant to the data transferred under these Clauses: Provision of the Services to the Customer in accordance with the Agreement.

Role (controller/processor): Processor

3.    B. DESCRIPTION OF PROCESSING/TRANSFER

Categories of data subjects whose personal data is transferred:

Customer's Users (as defined in the Agreement) of the Services.

Categories of personal data transferred

Name, Title, Role, Education/Qualifications/Past Experience/Career Summaries/Bios, Business contact details, Phone numbers, Email addresses, Physical addresses, Image, Gender Identification (i.e. pronouns), Language, Related person, Related URL, User ID, Username, hourly rates.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No sensitive data collected.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).
Continuous basis

Nature of the processing
Extracting the person's information from past proposal documents for indexing and organization purposes, enabling fast and efficient retrieval.

Purpose(s) of the data transfer and further processing
The purpose of the transfer is to facilitate the performance of the Services more fully described in the Agreement pursuant to executed Order Forms.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Personal Data will be retained only for as long as is necessary to fulfil the purposes for which it was collected or in accordance with applicable data protection legislation.

For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing
The subject matter, nature, and duration of the processing are more fully described in the Agreement, the DPA, the Trust Center and executed Order Forms.


SCHEDULE 2

TECHNICAL AND ORGANIZATIONAL MEASURES

Description of the technical and organisational security measures implemented by Joist AI as the data processor/data importer to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of natural persons.

  • Security Management System.
    • Organization. Joist AI designates qualified security personnel whose responsibilities include development, implementation, and ongoing maintenance of the Information Security Program.
    • Policies. Management reviews and supports all security related policies to ensure the security, availability, integrity and confidentiality of Customer Personal Data. These policies are updated at least once annually.
    • Assessments. Joist AI engages a reputable independent third-party to perform risk assessments of all systems containing Customer Personal Data at least once annually.
    • Risk Treatment. Joist AI maintains a formal and effective risk treatment program that includes penetration testing, vulnerability management and patch management to identify and protect against potential threats to the security, integrity or confidentiality of Customer Personal Data.
    • Vendor Management. Joist AI maintains an effective vendor management program.
    • Incident Management. Joist AI reviews security incidents regularly, including effective determination of root cause and corrective action.
    • Standards. Joist AI operates an information security management system that complies with the requirements of the ISO/IEC 27001:2022 standard.
  • Personnel Security.
    • Joist AI personnel are required to conduct themselves in a manner consistent with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Joist conducts reasonably appropriate background checks on any employees who will have access to client data under this Agreement, including in relation to employment history and criminal records, to the extent legally permissible and in accordance with applicable local labor law, customary practice and statutory regulations.
    • Personnel are required to execute a confidentiality agreement in writing at the time of hire and to protect Customer Personal Data at all times. Personnel must acknowledge receipt of, and compliance with, Joist's confidentiality, privacy and security policies. Personnel are provided with privacy and security training on how to implement and comply with the Information Security Program. Personnel handling Customer Personal Data are required to complete additional requirements appropriate to their role (e.g., certifications). Joist's personnel will not process Customer Personal Data without authorization.
  • Access Controls.
    • Access Management. Joist AI maintains a formal access management process for the request, review, approval and provisioning of all personnel with access to Customer Personal Data to limit access to Customer Personal Data and systems storing, accessing or transmitting Customer Personal Data to properly authorized persons having a need for such access. Access reviews are conducted periodically to ensure that only those personnel with access to Customer Personal Data still require it.
    • Infrastructure Security Personnel. Joist AI has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Joist's infrastructure security personnel are responsible for the ongoing monitoring of Joist's security infrastructure, the review of the Services, and for responding to security incidents.
    • Access Control and Privilege Management. Joist AI's and Customer's administrators and end users must authenticate themselves via a multi-factor authentication system or via a single sign-on system in order to use the Services.
    • Internal Data Access Processes and Policies – Access Policy. Joist AI's internal data access processes and policies are designed to protect against unauthorized access, use, disclosure, alteration or destruction of Customer Personal Data. Joist designs its systems to only allow authorized persons to access data they are authorized to access, based on the principles of "least privilege" and "need to know", and to prevent others who should not have access from obtaining access. Joist requires the use of unique user IDs, strong passwords, two-factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel's job responsibilities; the job duty requirements necessary to perform authorized tasks; and a need-to-know basis; and must be in accordance with Joist's internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies follow industry-standard practices. These standards include password complexity, password expiry, password lockout, restrictions on password reuse and a re-prompt for the password after a period of inactivity.
  • Data Center and Network Security.
    • Data Centers.
      • Infrastructure. Joist AI uses AWS as its data center provider.
      • Resiliency. Multi-AZ deployments are enabled via AWS's serverless architecture, ensuring high availability and fault tolerance. Additionally, Joist performs regular disaster recovery testing, including backup restoration exercises, with a business continuity plan in place.
      • Server Operating Systems. Joist AI operates within a customized application environment hosted on AWS, where all compute resources are securely configured and hardened in alignment with best practices. A rigorous code review process is implemented as part of the secure development lifecycle to ensure code quality and reduce vulnerabilities prior to deployment, thereby strengthening the security of services in production.
      • Disaster Recovery. Joist AI is committed to maintaining uninterrupted service and data integrity through a robust Disaster Recovery and Incident Response program. Joist AI implements automated daily backups, multi-system data replication, and isolated storage to safeguard against data loss. Regular disaster recovery testing and a formal incident response plan, with defined roles and rapid escalation procedures, are also implemented.
      • Security Logs. Joist AI's systems have logging enabled to their respective system log facilities to support security audits and enable monitoring and detection of actual or attempted attacks or intrusions. Logging is enforced across the infrastructure, with logs securely stored and continuously monitored for anomalous activity.
      • Vulnerability Management. Joist AI performs regular vulnerability scans on all infrastructure components of its production and development environments. Vulnerabilities are remediated on a risk basis, with critical security patches for all components installed as soon as commercially possible.
  • Networks and Transmission.
    • Data Transmission. All transmissions within Joist AI's production environments are secured using industry-standard Internet protocols, including HTTPS with TLS 1.2 or higher.
    • External Attack Surface. Joist AI's external attack surface is secured through a layered network security architecture within AWS. The production environment is hosted in isolated Virtual Private Clouds (VPCs), where traffic flow is tightly controlled using a combination of Security Groups and Network Access Control Lists (NACLs).
    • Incident Response. Joist AI maintains formal incident response policies and procedures, including defined escalation paths, roles, and responsibilities to ensure swift and effective handling of security incidents. A range of communication channels and monitoring tools are actively observed for indicators of compromise. Upon detection of a suspected or confirmed incident, Joist's security team initiates containment and mitigation actions, conducts root cause analysis, and documents the incident and resolution in accordance with its incident response plan.
    • Encryption Technologies. Joist AI employs HTTPS encryption (TLS 1.2 or higher) to protect all data in transit across its services. In addition, data at rest is encrypted using AES-256 via AWS Key Management Service (KMS), ensuring strong protection for sensitive information both during transmission and while stored within AWS infrastructure.
  • Data Storage, Isolation, Authentication, and Destruction.
    Joist AI stores data in a multi-tenant environment on AWS RDS servers. Data, the Services database and the file system architecture are replicated between multiple availability zones on AWS. Joist logically isolates the data of different customers. A central authentication system is used across all Services to provide uniform security of data. Joist ensures secure disposal of Client Data through the use of a series of data destruction processes.