Data Processing Addendum
This DPA supplements the Terms of Service and governs our processing of personal data on your behalf. It's structured to satisfy GDPR Article 28 and the UK Data Protection Act.
Pre-incorporation notice. GoBrief is currently operated by Brian Kaplan as a sole proprietor in Nashville, Tennessee, United States, pending formation of GoBrief LLC (a Tennessee limited liability company). On LLC formation, the entity becomes the successor-in-interest and operator under these documents. These policies have been reviewed internally against standard SaaS and privacy patterns and will receive outside-counsel review before customer-paid engagements scale. Any material updates will be versioned here and emailed to active customers 30 days in advance.
1. Roles
You are the Controller of the personal data you upload or direct us to process. We are the Processor. For some ancillary data (account emails, billing info, service logs), we are an independent Controller.
2. Scope of processing
- Subject matter: provision of the GoBrief service, which means collecting, validating, analyzing, storing, and delivering creative assets.
- Duration: for as long as you have an active subscription, plus the 30-day export window on termination plus the retention periods in the Privacy Policy.
- Nature + purpose: hosting uploads, running spec validation and AI analysis, sending emails, exposing a management UI, backing up data.
- Types of personal data: account data (name, email), workspace contact data (partner names + emails you add), uploaded content metadata (file names, sizes, types, timestamps), and uploaded content itself where it contains personal data.
- Categories of data subjects: your employees, your partners, your contacts, and any individuals whose personal data appears in uploaded content.
3. Our obligations as processor
- Process personal data only on your documented instructions (expressed through your use of the service, configuration, and support tickets).
- Ensure personnel with access are bound by confidentiality.
- Implement the technical and organizational security measures described in the Security Appendix (Exhibit A below) and at /security.
- Not engage subprocessors except as listed at /subprocessors and on notice as described there.
- Assist you with data-subject requests, Article 32 security obligations, Article 35 DPIAs, and Article 36 prior consultations, taking into account the nature of processing and the information available to us. Assistance is provided at no cost for reasonable volumes of requests; exceptional volumes may be invoiced at our documented cost.
- Notify you without undue delay, and in any case within 72 hours of confirmation, of any personal-data breach affecting your workspace.
- Return or deletion of data. At any time during the term, on your written request, return or delete your personal data within 30 days (and confirm deletion in writing). On termination of the Terms of Service, return or delete all personal data within 30 days (or within any longer export window agreed in the Terms), unless applicable law requires continued retention, in which case we will restrict processing to that purpose only and delete on expiry of the legal retention period.
- Make available information necessary to demonstrate compliance; allow audits by you or an independent auditor on reasonable notice, subject to confidentiality, no more than once per 12 months except where required by law or triggered by a confirmed incident.
4. Subprocessors
Our current subprocessors are listed at /subprocessors. By accepting this DPA, you give general written authorization for our use of these subprocessors (GDPR Art. 28(2)). We'll give you at least 30 days' notice, via the Subprocessors page and, where you have subscribed, by email, before adding or replacing any subprocessor that processes personal data. During that notice period you may object in writing on reasonable data-protection grounds; if the objection cannot be resolved, you may terminate the affected portion of the service without penalty and receive a pro-rata refund of pre-paid fees. We impose on each subprocessor data-protection obligations substantially similar to those in this DPA, and we remain fully liable to you for the performance of our subprocessors.
5. International transfers
When personal data is transferred from the EU/UK/Switzerland to a country without an adequacy decision, we rely on the Standard Contractual Clauses (EU 2021/914 Module Two, controller-to-processor) and, where applicable, the UK International Data Transfer Addendum and the Swiss FDPIC-approved amendments. These are incorporated into this DPA by reference, executed by our acceptance of this DPA, and apply to every subprocessor in the chain.
6. Data-subject requests
Individual data subjects who wish to exercise their rights should contact you as the Controller. If they contact us directly, we will acknowledge the request, not respond substantively, and forward it to you within 5 business days. We will assist you in responding to requests for access, rectification, erasure, restriction, portability, and objection; this assistance is provided at no additional cost for reasonable volumes of requests.
7. Security measures
The full list of technical and organizational measures lives at /security and is incorporated here by reference. Highlights relevant to Article 32:
- TLS 1.3 for data in transit; AES-256 for data at rest.
- Role-based access control, signed invite tokens, JWT sessions.
- Daily encrypted backups (30-day retention) in a second region.
- Security-header hardening (CSP, HSTS, etc.).
- Rate limiting + bot protection on public endpoints.
- Audit log with tamper-evident ordering.
- Vulnerability-disclosure program + security@ contact.
- Principle of least privilege for staff access.
8. Breach notification
Within 72 hours of confirming a personal-data breach involving your workspace, we will email the workspace owner and primary billing contact. The notification will include (to the extent known): nature of the incident, categories and approximate number of data subjects and records, likely consequences, and measures taken.
9. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, provided that nothing in those limitations excludes either party's liability for (i) claims that cannot be excluded or limited under applicable data-protection law, (ii) either party's indemnification obligations under this Section 9, (iii) gross negligence or willful misconduct, or (iv) fraud.
Indemnification. You will indemnify and hold harmless GoBrief against any regulatory fines, enforcement actions, or third-party claims to the extent arising from (a) your documented instructions that are themselves unlawful, (b) personal data you uploaded or instructed us to process without the required lawful basis, notice, or consent, or (c) your failure to honor data-subject requests you were obliged to honor as Controller. GoBrief will indemnify and hold harmless the Controller to the extent a regulatory fine or third-party claim arises from GoBrief's failure to meet its specific obligations as Processor under this DPA.
10. Conflicts
If any provision of this DPA conflicts with the Terms of Service, this DPA controls for the processing of personal data.
11. Acceptance
This DPA is accepted automatically when you sign up. Enterprise customers requiring a signed, counterparty-reviewed DPA can request one at legal@gobrief.co.
Exhibit A, Security Appendix (Article 32 measures)
The following technical and organizational measures are in place as of the effective date of this DPA. We may update individual measures from time to time provided the overall level of security is not materially reduced.
- Encryption in transit. TLS 1.2+ (TLS 1.3 preferred) is enforced for all customer traffic, subprocessor API calls, and administrative access. HSTS is enabled with preload.
- Encryption at rest. All customer content in Cloudflare R2 object storage and Cloudflare D1 database storage is encrypted at rest using AES-256. OAuth tokens and other high-sensitivity credentials are additionally encrypted at the application layer using AES-256-GCM with per-record nonces and a key derived via HKDF from a rotating master secret.
- Access control. Role-based access control inside the platform; short-lived signed tokens for partner access; MFA required on all GoBrief administrative accounts; scoped API keys with audit logging; least-privilege principle for staff access to production systems.
- Network and platform security. Cloudflare WAF, bot management, DDoS mitigation, and rate limiting. CSRF tokens on state-changing endpoints. CSP, HSTS, Referrer-Policy, and other security headers applied globally. Dependency scanning and Dependabot-equivalent alerts are configured.
- Secure development. Source control with protected main branches, code review of all changes, automated testing in CI, pre-deployment schema migrations with reversibility checks, and staged rollouts.
- Logging and monitoring. Application audit log with tamper-evident ordering. Security-relevant events (auth, admin actions, breach indicators) are retained for 30 days and reviewed on alert.
- Backup and resilience. Daily encrypted backups retained for 30 days. Documented restore procedures. Cloudflare's multi-region redundancy for object storage and database.
- Pseudonymisation and minimisation. Partner uploads are scoped to single-use signed URLs and do not require account creation. Personal data in logs is minimized and, where practical, redacted.
- Incident response. A documented security incident response plan defining roles, escalation paths, customer notification, and post-incident review. Reviewed at least annually.
- Personnel. All staff with access to customer data are bound by written confidentiality obligations and receive security awareness training on onboarding and at least annually thereafter.
- Vendor management. All subprocessors are subject to due diligence, written data-processing agreements, and ongoing monitoring.
- Vulnerability disclosure. A public security contact at security@gobrief.co with a documented disclosure and triage process.
Questions? Reach us at legal@gobrief.co for legal matters, privacy@gobrief.co for data-protection questions, and security@gobrief.co for vulnerability disclosure.