Data Protection Addendum

Last updated: October 19, 2025

​

1. Definitions

• Controller means the entity which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.
• Customer Personal Data means Personal Data that is provided by Customer or otherwise collected via the Services on behalf of the Customer, and is not Services Data.
• Data Protection Laws mean all laws applicable to the Processing of Customer Personal Data.
• Data Subject means any individual about whom Customer Personal Data may be Processed under this DPA.
• Personal Data means “personal data,” “personal information,” “personally identifiable information,” or an equivalent term under Data Protection Laws.
• Process or Processing means any operation or set of operations performed on Customer Personal Data or on sets of Personal Data, whether by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Data.
• Processor means the entity which Processes Personal Data on behalf of the Controller.
• Services means the services provided by Brew to Customer pursuant to the Agreement.
• Services Data means data that relates to Brew’s relationship with Customer, including (i) contact information of individuals authorized by Customer to access Customer’s account; (ii) any data Brew may need to collect for the purpose of managing its relationship with Customer, identity verification, or as otherwise required by applicable laws and regulations; (iii) Services use data collected in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.

​

2. Relationship Between the Parties

​

3. Customer Obligations

Customer represents and warrants that its collection of Customer Personal Data and disclosure to Brew complies with Data Protection Laws, and that Customer has provided all notices and obtained all consents required by Data Protection Laws to enable Brew to Process Customer Personal Data for the purposes set out in the Agreement, including Annex I to this DPA.

​

4. Instructions

Brew will Process Customer Personal Data only (i) in accordance with Customer’s instructions as documented in the Agreement, including Annex I to this DPA; and (ii) as needed to comply with applicable law, in which case Brew will inform Customer before Processing Customer Personal Data unless applicable law prohibits such information on important grounds of public interest. Brew shall not be required to act on any Customer instruction that could (in Brew’s reasonable opinion) cause Brew to breach applicable law. Brew will inform Customer if it believes that any Customer instructions regarding Customer Personal Data Processing would violate applicable Data Protection Law.

​

5. Security

Brew will implement technical and organizational measures designed to protect Customer Personal Data against anticipated threats or hazards to its security, confidentiality, or integrity. Brew will require persons that Brew authorizes to Process Customer Personal Data to protect the confidentiality of the information. Annex II sets forth additional information regarding Brew’s technical and organizational security measures.

​

6. Security Incidents

Brew will notify Customer without undue delay whenever Brew learns that there has been a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data that results in compromise of the privacy, security, integrity or availability of Customer Personal Data (“Security Incident”), unless prohibited by applicable law or otherwise instructed by law enforcement or a supervisory authority. Brew will make reasonable efforts to identify the cause of such Security Incident and take steps it deems necessary and reasonable in order to remediate such Security Incident and provide information about the Security Incident to Customer to enable Customer to comply with its obligations under Data Protection Laws, to the extent the Security Incident is within Brew’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s users. In any event, Customer will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws).

​

7. Return or Disposal

Following completion of the Services, Brew will destroy and/or return all Customer Personal Data to Customer within 120 days, unless applicable law requires or authorizes storage of Customer Personal Data by Brew.

​

8. Audits; Inquiries

Upon Customer’s reasonable request (to be exercised no more than once a year, unless required more frequently by a supervisory authority) Brew will make available for Customer’s review copies of certifications or reports demonstrating Brew’s compliance with its obligations under this DPA. If the provision of reports or certifications is not reasonably sufficient under Data Protection Laws, Brew will allow an independent third party to be mutually agreed on by the Parties to conduct an audit or inspection of Brew’s data security infrastructure and procedures that is sufficient to demonstrate Brew’s compliance with its obligations under this DPA, provided that (i) Customer provides 60 days’ prior written notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Brew’s business; (ii) such audit shall only be performed during business hours and occur no more than once per calendar year; and (iii) such audit shall be restricted to data relevant to Customer. Customer shall be responsible for the costs of any such audits or inspections, including without limitation reimbursing Brew for any time expended for on-site audits. All information provided will be Brew’s Confidential Information and may not be disclosed without Brew’s prior written consent, except as required by applicable law.

​

9. Sub-Processors

Customer authorizes Brew to transfer Customer Personal Data to sub-processors for purposes of providing the Services to Customer. Brew’s current list of sub-processors is available here.

​

10. Brew Assistance

At Customer’s reasonable request and taking into account the nature of the Processing and information available to Brew, Brew will take reasonable steps: (i) to assist Customer with Customer’s obligation to respond to Data Subjects’ requests to exercise their rights under applicable law by taking appropriate technical and organizational measures; and (ii) in meeting Customer’s compliance obligations to carry out data protection impact assessments and related consultations with supervisory authorities.

​

11. California Consumer Privacy Act (CCPA) Provisions

11.1. Legal Compliance. Brew will provide the same level of privacy protection for Customer Personal Data of California residents as required of Customer under the CCPA. Brew will notify Customer in writing if Brew determines that it can no longer meet its obligations under the CCPA. Customer has the right, upon providing notice to Brew, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data, including where Brew has notified Customer that it can no longer meet its CCPA obligations. 11.2. Restriction on Processing. In no event may Brew: (a) disclose Customer Personal Data of California residents to a third party for monetary or other valuable consideration or disclose Customer Personal Data to a third party for cross-context behavioral advertising; (b) disclose Customer Personal Data of California residents to any third party for the commercial benefit of Brew or any third party; (c) retain, use, or disclose Customer Personal Data of California residents outside of Brew’s direct business relationship with Customer or for a commercial purpose other than the business purposes specified in the Agreement or as otherwise permitted by applicable laws; or (d) combine Customer Personal Data of California residents with personal information that Brew receives from, or on behalf of, other persons, or collects from its own interaction with the Data Subject, except as permitted under applicable laws. Brew certifies that it understands and will comply with the foregoing restrictions.

​

12. Data Transfers

12.1. Restricted Transfers from the EEA. The EU Standard Contractual Clauses (Module 2 Controller to Processor) ((EU) 2021/914) available at https://eur-lex.europa.eu/eli/dec_impl/2021/914 (“EU SCCs”), and incorporated herein by reference, together with the attached Annexes I, II, and III will apply as completed below to any transfer to Brew of Customer Personal Data from Customer in the European Economic Area (“EEA”). Notwithstanding the foregoing, the EU SCCs will not apply to the extent the transfer is covered by a decision adopted by a competent authority with jurisdiction over Customer declaring that a jurisdiction meets an adequate level of protection of Customer Personal Data (an “Adequacy Decision”). Signature to the Agreement will be considered a signature to the EU SCCs. The Parties agree that the EU SCCs will be completed as follows:

1. Optional Clause 7 is removed.
2. In Clause 9, the Parties agree that Option 2 will apply in accordance with Section 9 (Sub-Processors).
3. The optional language in Clause 11 is excluded.
4. In Clause 17, the EU SCCs will be governed by the laws of Ireland.
5. In Clause 18, any dispute arising from the EU SCCs will be resolved by the courts of Ireland.
6. In Annex IC, the data protection authority where Customer is located is the competent supervisory authority.

12.2. Restricted Transfers from Switzerland. The EU SCCs, as modified in this section, will apply to any transfer to Brew of Customer Personal Data from Customer in Switzerland where the transfer is not otherwise subject to an Adequacy Decision:

1. The term “EU Member State” must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility for suing their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
2. References in the EU SCCs to the GDPR are to be understood as references to the Federal Act on Data Protection (FADP).
3. In Clause 17, the EU SCCs will be governed by the laws of Switzerland.
4. In Annex IC, the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority.

12.3. Restricted Transfers from the United Kingdom. Where Customer Personal Data is transferred to Brew from Customer in the UK and the transfer is not otherwise subject to an Adequacy Decision, the Parties agree:

1. The provisions of the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force from March 21, 2022, available at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/ (“UK Addendum”) are herein incorporated by reference and shall apply in full;
2. In Table 1 of the UK Addendum, the names of the Parties, their roles and their details shall be set out in the attached Annex 1;
3. In Tables 2 and 3 of the UK Addendum, Module 2 of the EU SCCs incorporated into this DPA by reference, including the information set out in the attached Annexes, shall apply; and
4. In Table 4 of the UK Addendum, either Party may end the UK Addendum.

​

13. Analytics Data

Customer acknowledges and agrees that Brew may create and derive from Processing related to the Services anonymized and/or aggregated data that does not identify or relate to Customer or any Data Subject (“Analytics Data”) and use such Analytics Data for Brew’s own business purposes.

​

14. Services Data

The Parties acknowledge and agree that Brew is an independent Controller with respect to Services Data. Brew will process Services Data in accordance with Brew’s Privacy Policy.

​

15. Liability

Each Party’s liability towards the other Party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement. Customer acknowledges that Brew is reliant on Customer for direction as to the extent to which Brew is entitled to Process Customer Personal Data on behalf of Customer in performance of the Services. Consequently, Brew will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by Brew in compliance with Customer’s instructions or (b) from Customer’s failure to comply with its obligations under the Data Protection Laws.

​

16. Authorized Affiliates

The Parties acknowledge and agree that, by executing the DPA, Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its affiliates. Each affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Services by affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an affiliate shall be deemed a violation by Customer. Customer shall remain responsible for coordinating all communication with Brew under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its affiliates.

​

17. Modifications

If required by applicable law, Brew may modify this DPA with respect to such requirements with the provision of written notice to Customer.

​

18. Conflicts; Enforceability

If any provision of this DPA is held to be invalid or unenforceable by any court of competent jurisdiction, such holding will not invalidate or render unenforceable any other provision of this DPA or any other contract between Customer and Brew. This DPA supplements the Agreement. This DPA will control in the event of any inconsistency between the Agreement and this DPA. Any other provisions of or obligations under the Agreement that are otherwise unaffected by this DPA will remain in full force and effect. If this DPA, or any actions to be taken or contemplated to be taken in performance of this DPA, do not or would not satisfy either Party’s obligations under the laws applicable to each Party, the Parties will negotiate in good faith upon an appropriate amendment to this DPA.

---

​

Annex I - List of Parties and Description of Transfer

A. List of Parties Data exporter(s):

Name
Address
Contact person’s name, position, contact details
Signature and date
Role (controller/processor)	Controller

Data importer(s):

Name	Brew
Address	Same as the Agreement
Contact person’s name, position, contact details	Same as the Agreement
Signature and date	Same as the Agreement
Role (controller/processor)	Processor

B. Description of Transfer

Field	Description
Categories of Data Subjects whose Personal Data is transferred	Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects: Customer’s subscribers, customers, users, employees, and other individuals whose data Customer submits to the Services.
Categories of Personal Data transferred	Names, email addresses, contact information, message content, engagement and delivery events, and device/browser metadata.
The frequency of the transfer	Continuous basis.
Nature and purpose of the processing	Performing the Agreement, this DPA and/or other contracts executed by the Parties, including providing the Services to Customer by collecting, storing, transmitting, routing, filtering, scanning, and analyzing Personal Data as necessary to operate email sending and related functionality (including engagement measurement and abuse prevention) and to provide customer support and troubleshooting.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period	Personal Data will be retained for the period required to perform the Services under the Agreement unless a longer period is permitted or required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the Processing	See description above.

---

​

Annex II - Security Measures

This appendix represents the security measures that will be taken by Brew. 1. Information Security Policies and Standards Brew will implement security requirements for personnel with access to Customer Personal Data that are designed to ensure a level of security appropriate to the risk and address the requirements as detailed in this Annex. 2. Physical Security Brew will maintain commercially reasonable security systems at all Brew sites where an information system that uses or houses Customer Personal Data is located. Brew reasonably restricts access to such Customer Personal Data appropriately and has in place practices to prevent unauthorized individuals from gaining access to Customer Personal Data. 3. Organizational Security

• Upon Customer’s request, Brew will provide contact information for its designated primary security manager.
• Brew will implement procedures to prevent any subsequent retrieval of any Customer Personal Data stored on media before such media is disposed of or reused.
• Brew will implement security policies and procedures to classify sensitive information assets, clarify security responsibilities and promote awareness for employees.
• Brew will manage all Customer Personal Data breaches in accordance with appropriate procedures.
• Brew will encrypt, using industry-standard encryption tools, Customer Personal Data that Brew: (i) transmits or sends wirelessly or across public networks; and (ii) stores on portable devices or at rest, where technically feasible.

4. Network Security Brew maintains network security using commercially available equipment and industry-standard techniques, including firewalls, intrusion detection and prevention systems, access control lists, and routing protocols. 5. Access Control Brew will maintain appropriate access controls, including, but not limited to, restricting access to Customer Personal Data to the minimum number of Brew personnel who require such access.

---