Data Processing Addendum

Version 1.0 — effective April 25, 2026

This DPA forms part of the Terms of Service between FactoryLM, Inc. ("FactoryLM" — Processor) and the Customer (Controller) using the FactoryLM service (the "Service"). It governs FactoryLM's processing of Customer Data on the Customer's behalf. Counter-signed copies are available on request to legal@factorylm.com.

1. Definitions

  • Controller / Customer: the party using the Service, who determines the purposes of processing.
  • Processor / FactoryLM: FactoryLM, Inc., a Delaware corporation, processing data on the Controller's behalf.
  • Customer Data: any data submitted to or generated by the Service in connection with the Customer's use, including equipment manuals, work orders, asset registries, attachments, diagnostic queries, and personal information of the Customer's authorized users.
  • Personal Information: information about an identified or identifiable natural person (e.g., authorized-user names, work emails, IP addresses).
  • Sub-processor: a third party engaged by FactoryLM to process Customer Data; current list at /trust.
  • Applicable Law: data-protection laws applicable to the Customer's use of the Service. The Service is offered to United States customers only as of the effective date; FactoryLM is not registered as a GDPR data controller.

2. Scope & Roles

FactoryLM processes Customer Data solely as a Processor on the Controller's documented instructions. The Customer's use of the Service constitutes such instructions; supplemental instructions may be issued in writing to legal@factorylm.com.

3. Nature, Purpose, and Duration of Processing

  • Subject matter: Provision of the Service: AI-assisted industrial-maintenance diagnostics, equipment-manual ingestion, and CMMS work-order management.
  • Categories of data subjects: The Customer's authorized users (technicians, supervisors, plant managers).
  • Categories of personal data: Name, work email, company name, role/permission, IP address, user-agent, audit-log entries.
  • Categories of non-personal data: Equipment manuals (OEM), work orders, asset registries, photos, diagnostic queries, AI responses.
  • Purpose: To provide, maintain, secure, and improve the Service for the Customer.
  • Duration: For the term of the Customer's subscription, plus the deletion grace window in §9.

4. FactoryLM Obligations

  • Documented instructions: FactoryLM processes Customer Data only on the Controller's documented instructions.
  • Confidentiality: FactoryLM ensures personnel authorized to process Customer Data are bound by appropriate confidentiality obligations.
  • Security: FactoryLM maintains appropriate technical and organizational measures as described at /trust, including TLS in transit, AES-256 encryption at rest by underlying providers, hardened access controls, and append-only audit logging.
  • Sub-processor controls: see §5.
  • Data subject rights: FactoryLM assists the Controller in responding to data-subject requests as described in §7.
  • Breach notification: see §8.
  • Audit: see §11.

5. Sub-processors

The Customer authorizes FactoryLM to engage Sub-processors to process Customer Data, subject to the following:

  1. The current list of Sub-processors is published at /trust.
  2. FactoryLM enters into written contracts with each Sub-processor imposing data-protection obligations no less protective than those in this DPA.
  3. FactoryLM remains liable for the acts and omissions of its Sub-processors as if FactoryLM were performing them directly.
  4. FactoryLM provides at least 30 days' advance notice (by email to active subscribers and update to /trust) before adding or replacing a Sub-processor. The Customer may object on reasonable data-protection grounds; if the parties cannot agree on an alternative within 30 days, the Customer may terminate this DPA per §10.

6. Security Measures

FactoryLM implements and maintains:

  • Encryption in transit: TLS 1.2+ on all public endpoints; SSL on database connections.
  • Encryption at rest: AES-256 (Neon, AWS, MinIO defaults).
  • Access control: least-privilege IAM, magic-link authentication with optional TOTP MFA, per-tenant scoping at the application layer enforced by automated tests.
  • Secrets management: all production credentials in Doppler; pre-commit and CI gates scan for credential leaks.
  • Logging: append-only audit log of authentication, tenant-scoped writes, exports, and account-level events.
  • Vulnerability management: dependency scanning, Trivy image scanning in CI, semgrep + bandit static analysis, vulnerability disclosure mailbox at security@factorylm.com.
  • Compliance roadmap: SOC 2 Type II attestation in progress; current status published at /trust.

7. Data Subject Rights

FactoryLM provides reasonable assistance to the Controller in responding to requests from data subjects exercising rights under Applicable Law (right to know, deletion, correction, portability, opt-out of sale). Standard mechanisms:

  • Account deletion: the Controller may submit DELETE /api/v1/account in-product or email privacy@factorylm.com. Hard purge within 30 days of request.
  • Access / portability: Customer Data export available on request to privacy@factorylm.com; standard format JSON or CSV.
  • Correction: available via in-product editing for most fields; otherwise on request.

FactoryLM responds to such requests within 30 days unless a longer period is required by Applicable Law.

8. Personal Data Breach Notification

FactoryLM notifies the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting Customer Data. The notification includes (to the extent known):

  • The nature of the breach, including categories and approximate number of data subjects and records concerned.
  • The likely consequences of the breach.
  • Measures taken or proposed to address the breach and mitigate possible adverse effects.
  • The contact point for further information.

Notifications are sent to the Controller's billing email on file unless an alternative security contact has been provided in writing to legal@factorylm.com.

9. Return and Deletion of Customer Data

On termination of the Service, FactoryLM:

  1. Provides the Controller a 30-day window during which Customer Data may be exported.
  2. After the 30-day window (or on earlier written instruction from the Controller), securely deletes Customer Data from production systems, including Sub-processor systems where technically feasible.
  3. Retains records required by Applicable Law (e.g., payment records for tax / audit purposes) for the minimum period required.

10. Term & Termination

This DPA continues for the duration of the Customer's subscription to the Service and survives until all Customer Data has been deleted in accordance with §9. The Customer may terminate this DPA on the grounds described in §5(4).

11. Audit

FactoryLM makes available to the Controller, on request to legal@factorylm.com, the following information demonstrating compliance:

  • The current Trust page (/trust), including security measures, Sub-processor list, and certification status.
  • SOC 2 attestation reports under NDA (when available).
  • Penetration-test summaries (when available).
  • Responses to commonly used vendor security questionnaires (e.g., CAIQ-Lite, VSA-Core).

On-site audits are not generally provided. Independent third-party audits commissioned by the Controller may be requested with at least 60 days' notice; reasonable costs and confidentiality obligations apply, and audits must be limited to records and systems relevant to the processing of the Controller's Customer Data.

12. International Transfers

Customer Data is processed and stored in the United States (AWS us-east-1 for primary database; DigitalOcean USA for application hosting). FactoryLM is not registered as a GDPR data controller and does not currently offer service in the European Union. If the Customer is located outside the United States, the Customer is responsible for ensuring that its use of the Service complies with applicable cross-border-transfer laws.

13. Liability

The liability of each party under this DPA is subject to the limitations of liability set out in the Terms of Service. This DPA does not increase or reduce the liability of either party as set out in the Terms.

14. Governing Law

This DPA is governed by the laws of the State of Delaware, USA, without regard to conflict-of-law principles, consistent with the Terms of Service.

15. Order of Precedence

If there is any conflict between this DPA and the Terms of Service, this DPA controls with respect to data-protection matters.

16. Contact

Privacy / data subject requests: privacy@factorylm.com
Security incidents and disclosures: security@factorylm.com
Contracting and DPA counter-signature: legal@factorylm.com
FactoryLM, Inc. — Delaware, USA

For Controller (Customer)
Signature
Printed name
Title
Date
Company
For Processor (FactoryLM, Inc.)
Signature
Printed name
Title
Date