This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other agreement between Brew (“Processor,” “we,” “our,” or “us”) and the Customer (“Controller,” “you,” or “your”) for the provision of services (the “Services”). This DPA reflects the parties’ agreement with respect to the processing of Personal Data by Brew on behalf of the Customer in connection with the Services.
For the purposes of this DPA, the following terms shall have the meanings set out below:
“GDPR” means the General Data Protection Regulation (EU) 2016/679.
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly.
“Processing” means any operation or set of operations which is performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Data Subject Rights” means the rights of Data Subjects as provided in applicable Data Protection Laws, including the right to access, rectify, erase, restrict, port, or object to the Processing of their Personal Data.
“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including the GDPR, the UK GDPR, the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
Brew shall Process Personal Data only for the purpose of providing the Services to the Customer as specified in the Terms of Service and in accordance with the Customer’s documented instructions.
Brew shall Process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by law.
Brew shall ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Brew shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
The pseudonymization and encryption of Personal Data where appropriate
The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
Brew may engage sub-processors to perform specific processing activities. Brew shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Customer the opportunity to object to such changes. Brew shall ensure that any sub-processor it engages provides the same level of data protection as set out in this DPA by way of a written agreement.
Brew shall assist the Customer in responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws. If Brew receives a request from a Data Subject directly, it shall promptly notify the Customer.
Brew shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with supervisory authorities that the Customer is required to carry out under applicable Data Protection Laws.
Brew shall notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s Personal Data. Such notification shall include at least:
A description of the nature of the breach
The categories and approximate number of Data Subjects concerned
The categories and approximate number of Personal Data records concerned
A description of the likely consequences of the breach
A description of the measures taken or proposed to address the breach
The Customer warrants that it has all necessary rights and has provided all necessary notices and obtained all necessary consents to transfer Personal Data to Brew and to permit the Processing of such Personal Data by Brew in accordance with the Terms of Service and this DPA.
Brew may transfer Personal Data to countries outside the European Economic Area (EEA) or the jurisdiction where the Customer is located only if appropriate safeguards are in place as required by applicable Data Protection Laws, such as:
The country has been deemed to provide an adequate level of protection for Personal Data by the European Commission or other relevant authority
Standard contractual clauses approved by the European Commission or other relevant authority have been put in place
Another lawful data transfer mechanism is available
Upon reasonable notice, Brew shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
Upon termination of the Services, Brew shall, at the choice of the Customer, delete or return all Personal Data to the Customer and delete existing copies unless storage of the Personal Data is required by law.
Brew may modify this DPA from time to time by posting a revised version on our website or by otherwise notifying the Customer. If such modifications materially reduce the Customer’s rights, Brew will provide notice to the Customer, and the modified DPA will become effective upon the Customer’s acceptance.