Last updated June 22, 2026
1.1 This Data Processing Addendum ("DPA") is between you (the "Customer" / "Controller") and Pattern Build, LLC, the owner of the Column trademark and intellectual property ("Pattern Build," "Column," "Processor"). It forms part of the Column Terms of Service (the "Agreement") and applies to Pattern Build's Processing of Personal Data on Customer's behalf in providing the Service.
1.2 Roles. For Personal Data contained in Customer Content, Voice Profiles, and Output ("Customer Personal Data"), Customer is the Controller (or "Business" under the CCPA), and Pattern Build is the Processor (or "Service Provider"). Where Customer is itself a processor for a third party, Pattern Build is a subprocessor and Customer's instructions reflect that third party's requirements.
1.3 Definitions. "Personal Data," "Processing," "Controller," "Processor," "Data Subject," and "Personal Data Breach" have the meanings in applicable Data Protection Laws. "Data Protection Laws" means all privacy and data-protection laws applicable to the Processing, including the EU GDPR, the UK GDPR, the California Consumer Privacy Act as amended ("CCPA"), and other U.S. state privacy laws.
3.1 Instructions. Pattern Build will Process Customer Personal Data only on Customer's documented instructions, including as set out in the Agreement and this DPA, and as needed to provide the Service, unless required by law (in which case Pattern Build will notify Customer unless legally prohibited).
3.2 No training; no sale; purpose limitation. Pattern Build will not: (a) use Customer Personal Data to train, fine-tune, or improve any machine-learning model except on Customer's express opt-in; (b) sell or "share" (as defined under the CCPA) Customer Personal Data; (c) retain, use, or disclose Customer Personal Data for any purpose other than providing the Service, or outside the direct business relationship, except as permitted by Data Protection Laws. Pattern Build certifies it understands and will comply with these CCPA restrictions.
3.3 Confidentiality. Pattern Build ensures personnel authorized to Process Customer Personal Data are bound by confidentiality obligations.
3.4 Security. Pattern Build implements and maintains the technical and organizational measures in Annex II (Section 9), appropriate to the risk.
3.5 Assistance. Taking into account the nature of Processing, Pattern Build will provide reasonable assistance to Customer for: (a) responding to Data Subject requests (Section 5); (b) security of Processing; (c) Personal Data Breach notification (Section 6); and (d) data protection impact assessments and consultations with supervisory authorities.
3.6 Records. Pattern Build maintains records of Processing as required by Data Protection Laws and will make available information reasonably necessary to demonstrate compliance.
4.1 Authorization. Customer provides general authorization for Pattern Build to engage subprocessors to provide the Service, including hosting and third-party AI model providers. A current list of subprocessors is available to Customer on request.
4.2 Obligations. Pattern Build will impose data-protection obligations on each subprocessor that are no less protective than those in this DPA, including the no-training and retention commitments, and remains responsible for its subprocessors' performance.
4.3 Changes. Before adding or replacing a subprocessor, Pattern Build will notify Customer with reasonable advance notice (for example, by email to the account's administrative contact), giving Customer an opportunity to object on reasonable data-protection grounds. The parties will work in good faith to resolve any objection, and if they cannot, Customer may terminate the affected Service.
Pattern Build will, taking into account the nature of the Processing, provide self-service controls and reasonable assistance to enable Customer to respond to Data Subject requests to access, correct, delete, restrict, port, or object. If Pattern Build receives a request directly from a Data Subject (including a Represented Person), it will not respond except to refer the individual to Customer, unless legally required, and will notify Customer where permitted.
Pattern Build will notify Customer without undue delay, and where feasible within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to help Customer meet its notification obligations and take reasonable steps to mitigate.
7.1 Where Pattern Build Processes Customer Personal Data originating from the EEA, UK, or Switzerland in a country without an adequacy decision, the transfer is governed by an appropriate safeguard, including the Standard Contractual Clauses and, where Pattern Build has self-certified, the EU-U.S. Data Privacy Framework and UK Extension (Module Two, Controller-to-Processor, and Module Three where applicable), which are incorporated by reference and completed by the information in this DPA, together with the UK International Data Transfer Addendum and the Swiss amendments as applicable.
7.2 If a transfer mechanism is invalidated, the parties will cooperate in good faith to implement an alternative lawful mechanism.
8.1 On termination, Customer may export Customer Personal Data for 90 days. After that period, Pattern Build will delete Customer Personal Data from production systems.
8.2 On Customer's deletion of specific data through the Service, Pattern Build will delete it from production systems within 7 days. Encrypted backups expire on Pattern Build's regular cycle, within 90 days, after which the data is no longer retrievable.
8.3 Pattern Build may retain Customer Personal Data to the extent required by law, in which case the DPA terms continue to apply to the retained data.
Pattern Build maintains a security program with administrative, technical, and physical safeguards designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorized access, use, or disclosure. These measures are appropriate to the nature, scope, and context of the Processing and the risks involved, taking into account the state of the art and the cost of implementation.
As the Service and Pattern Build's practices develop, these measures may include encryption of data in transit; controls governing access to, and authentication of users of, systems and data; monitoring and logging of system activity; secure development practices; vendor and subprocessor management; and procedures for identifying, responding to, and notifying Personal Data Breaches.
In all cases, Pattern Build commits that: (a) each Customer's workspace is logically separated, and Pattern Build does not use one Customer's data to provide the Service to another Customer; and (b) Pattern Build's AI subprocessors are engaged on terms that prohibit using Customer Personal Data to train their models and that apply zero- or short-retention.
Pattern Build may update its security measures from time to time, provided that such updates do not materially reduce the overall level of protection for Customer Personal Data. Further detail about Pattern Build's security practices may be provided to Customer on request, subject to confidentiality. This Annex will be updated as Pattern Build's security program matures, including any future independent attestation such as SOC 2.
For Processing subject to the CCPA, Pattern Build is a Service Provider and: (a) will not sell or share Customer Personal Data; (b) will not retain, use, or disclose it for any purpose other than the business purposes specified in the Agreement, or outside the direct business relationship, or for a commercial purpose other than providing the Service; (c) will not combine it with data from other sources except as permitted by the CCPA; and (d) certifies it understands and will comply with these restrictions. Pattern Build will notify Customer if it determines it can no longer meet its CCPA obligations.
11.1 Conflict. If this DPA conflicts with the Agreement on data protection, this DPA controls. Where the Standard Contractual Clauses apply, they control over this DPA to the extent of any conflict.
11.2 Liability. Each party's liability under this DPA is subject to the limitations of liability in the Agreement.
11.3 Term. This DPA remains in effect for as long as Pattern Build Processes Customer Personal Data.