Data Processing Addendum (DPA)

Version 1.1. Last updated 2025-12-19

This Data Processing Addendum (“DPA”) forms part of the Agreement between Brwse Co. (“Brwse”, “Processor”, “we”) and the Customer (“Controller”, “you”) governing the Services.

This DPA applies only to the extent we process personal data on Customer’s behalf as a processor (or service provider) in connection with the Services.

1) Definitions

Terms such as “personal data”, “processing”, “controller”, “processor”, and “supervisory authority” have the meanings given in the GDPR and UK GDPR, as applicable.

“Customer Personal Data” means personal data contained in Customer Content that we process on Customer’s documented instructions.

2) Processing instructions

A) Documented instructions

We will process Customer Personal Data only:

  • To provide and secure the Services; and
  • As documented in the Agreement, this DPA, and Customer’s lawful instructions consistent with the Services.

If we believe an instruction violates applicable law, we will notify Customer (unless prohibited by law).

B) Details of processing

The subject matter, duration, nature, and purpose of processing, and the types of personal data and categories of data subjects are described in Annex 1.

3) Confidentiality

We will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations.

4) Security measures

We will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

High-level measures are described in Annex 2 (to be tailored to the Services and your deployment).

5) Subprocessors

A) Use of subprocessors

Customer authorizes us to use subprocessors to process Customer Personal Data for the Services.

B) Subprocessor obligations

We will:

  • Enter into a written agreement with each subprocessor that imposes data protection obligations materially similar to this DPA; and
  • Remain responsible for our subprocessors’ performance of their obligations.

C) List and updates

Our current subprocessors are listed on the . We may update the list from time to time.

Where required by applicable law, we will provide reasonable advance notice of material changes and a way to object. If Customer objects and the parties cannot resolve the objection in a commercially reasonable manner, Customer may terminate the affected Services by providing written notice (without penalty) within a reasonable period.

6) Assistance

Taking into account the nature of the processing and information available to us, we will provide reasonable assistance to Customer to:

  • Respond to data subject requests (access, deletion, etc.) relating to Customer Personal Data; and
  • Meet obligations relating to security, breach notifications, DPIAs, and consultations with authorities, to the extent applicable.

Customer remains responsible for responding to data subject requests and determining whether a request is valid and applicable.

7) Personal data breach

We will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably necessary for Customer to meet its notification obligations.

8) Deletion or return of data

Upon termination or expiration of the Services, we will, at Customer’s choice and to the extent supported by the Services:

  • Return Customer Personal Data; and/or
  • Delete Customer Personal Data,

unless retention is required by law. Customer acknowledges that residual copies of Customer Personal Data may remain in backups for a limited period, subject to reasonable safeguards and routine deletion cycles.

9) Audits

Customer may audit our compliance with this DPA as follows:

  • Customer may request reasonable information about our security and compliance measures; and
  • Where required by law, Customer may conduct an audit (or appoint an independent auditor) subject to reasonable confidentiality, security, and scheduling requirements.

To minimize risk, audits will be limited to information reasonably necessary to confirm compliance and may be satisfied by third-party audit reports or certifications where available.

10) International transfers

Where Customer Personal Data is transferred from the EEA/UK to a country not recognized as providing adequate protection, the parties will rely on an appropriate transfer mechanism, which may include:

  • The EU Standard Contractual Clauses (SCCs); and/or
  • The UK International Data Transfer Addendum or UK IDTA,

as applicable, and completed/implemented for the relevant transfer.

11) US state privacy terms (where applicable)

To the extent applicable under US state privacy laws (including CPRA), we will:

  • Process Customer Personal Data as a service provider/processor on Customer’s behalf;
  • Not sell Customer Personal Data or share it for cross-context behavioral advertising; and
  • Not retain, use, or disclose Customer Personal Data for any purpose other than providing the Services, except as permitted by applicable law.

12) Priority; liability

If there is a conflict between this DPA and the Agreement regarding the processing of Customer Personal Data, this DPA controls.

This DPA does not modify the parties’ liability allocation or limitations of liability in the Agreement unless expressly stated in an Order Form or an amendment signed by both parties.


Annex 1 — Details of Processing

Subject matter: Provision of the Services.

Duration: For the term of the Agreement and any additional period required for deletion/return and backups.

Nature and purpose of processing: Hosting, processing, transmitting, and displaying Customer Content; providing support; maintaining security and availability.

Categories of data subjects: Authorized Users; Customer’s end users; individuals whose data is included in Customer Content.

Types of personal data: Determined by Customer and may include identifiers (name, email), usage/activity data, and other data Customer provides to the Services.

Special categories of data: Customer will not provide special categories of data unless expressly agreed in writing and supported by the Services with appropriate safeguards.


Annex 2 — Technical and Organizational Measures (TOMs)

The following are example measures (tailor to your program and product):

  • Access controls (least privilege, role-based access).
  • Encryption in transit (TLS) and encryption at rest where feasible.
  • Logging and monitoring for security events.
  • Vulnerability management and patching processes.
  • Backup and recovery procedures.
  • Incident response procedures.

Annex 3 — Subprocessors

See the current list at .
