Compliance with General Data Protection Regulation (GDPR)

Kevin Fitzpatrick

For customers in the European Union and United Kingdom, CoConstruct is compliant with the General Data Protection Regulation (GDPR) legislation.

Here is how we ensure compliance with the GDPR for customers in the EU or UK:

  • All of our vendors and sub-processors with whom we share personally identifiable information are GDPR compliant. We have data processing agreements in place in our contracts with these vendors to ensure protections for the transfer of personal information for you and your clients.
  • We have updated our privacy policy and terms of service to explicitly outline the types of personal information we collect, what we do with that data, and to include details on how you and your clients can revoke consent.
    Learn More: CoConstruct Privacy Policy.
  • In addition to the privacy policy, we have implemented a cookie policy to keep you informed about tracking technology that CoConstruct uses.
    Learn More: CoConstruct Terms of Use
  • We have incident response protocols in place to notify all customers of a breach without undue delay. Our contracts with our third-party vendors hold them to the same standard, to keep you informed of breaches so that you can keep your clients informed.
  • CoConstruct places a lot of emphasis on maintaining a change log or "paper trail" of communication and selection history for your projects. Despite that framework, though, we can respond to requests to remove or modify personal information should the need arise, provided it does not conflict with our ability to provide our service.
  • Throughout 2017 and 2018, we have rolled out continued security updates to ensure industry-standard security frameworks and password requirements are in place for the transfer of all data throughout CoConstruct.
  • We have mapped our personal data transfers between our application and third-party vendors.
  • We have internal processes and training documented around how we handle GDPR.

Data Processing Addendum

We have an optional Data Processing Addendum (DPA) that you can sign, providing a contractual way for us to meet GDPR compliance with our customers. This contract addendum enables us to transfer your personal data to the United States and outside of the EU, and places additional requirements on us to ensure we are providing the appropriate rights to you and your clients as required by GDPR.

Request the DPA by sending us an email at or

Note that the addendum will not be contractually binding until you fill out the required information and send a signed copy back to us.