Data Processing Addendum

LAST UPDATED · 2026-04-29

Scope & roles

This Data Processing Addendum (“DPA”) supplements the Brand Protector Terms of Service and applies wherever Brand Protector (“Processor”) processes personal data on behalf of a Customer (“Controller”) that is subject to the EU General Data Protection Regulation (“GDPR”), the UK GDPR, the Swiss FADP, or equivalent regimes. For data covered by this DPA, Customer is the controller and Brand Protector is the processor.

For Brand Protector's own account, billing, and telemetry data, Brand Protector acts as a controller — that processing is governed by our Privacy Policy, not this DPA.

Definitions

“Personal Data”, “Processing”, “Controller”, “Processor”, “Sub-processor”, and “Data Subject” have the meanings given in the GDPR. “Customer Data” means personal data Customer uploads to or generates within the Service. “Standard Contractual Clauses” or “SCCs” means the European Commission's standard contractual clauses for the transfer of personal data to third countries (Module 2: controller to processor), and the UK International Data Transfer Addendum where applicable.

Processing details

  • Subject matter & nature. Hosting and processing of Customer Data to deliver the brand-protection Service: detection, validation, and takedown workflows.
  • Duration. For the duration of Customer's subscription plus the 30-day soft-delete window.
  • Purpose. Delivering, maintaining, securing, and supporting the Service.
  • Categories of data subjects. Customer's authorised users; third parties whose details appear in takedown evidence (e.g. listing operators) and in scanner output.
  • Categories of personal data. Names, email addresses, IP addresses, account identifiers, evidence artefacts (screenshots, archive URLs), and platform credentials (which Customer provides).

Processor obligations

  • We process Customer Data only on documented Customer instructions, including the instructions implicit in Customer's use of the Service.
  • We require all personnel with access to Customer Data to commit to confidentiality.
  • We assist Customer, where reasonable, with Article 32-36 obligations (security, breach notification, DPIAs, and consultations with supervisory authorities).
  • We do not sell Customer Data and do not use it to train third-party AI models. (Where AI sub-processors are used to run scanners, we use enterprise endpoints with no-training commitments where available — see sub-processor list.)

Sub-processors

Customer authorises Brand Protector to engage the following sub-processors. We will give Customer at least 30 days' notice of any new sub-processor that processes Customer Data and an opportunity to object.

Sub-processor | Purpose | Location
Google Cloud Platform | Hosting, database, storage, secrets | USA (us-central1) / nam5 multi-region
Google Identity (OAuth) | Sign-in | USA
Stripe | Subscription billing | USA / EU
Resend | Transactional email | USA / EU
Sentry | Error monitoring | USA / EU
OpenAI | AI-platform scanning | USA
Anthropic | AI-platform scanning | USA
Perplexity | AI-platform scanning | USA
Google AI / Gemini | AI-platform scanning | USA
xAI | AI-platform scanning | USA
SerpAPI | Search-engine scanning | USA
Apify | Marketplace scraping | EU / USA

Security measures

We maintain technical and organisational measures appropriate to the risk, including:

  • Encryption. TLS 1.2+ in transit; AES-256 at rest (GCP managed).
  • Access control. Least-privilege IAM, tenant-scoped service accounts, MFA for human admin access.
  • Application isolation. Server-side tenant-scope checks on every read and write; tenant id comes from the URL path and is validated against membership.
  • Secret handling. Per-tenant credentials in Google Secret Manager under a strict naming convention (tenant-{tid}-...) — never in env files, code, or logs.
  • Audit logging. Sign-ins, takedown attestations, and admin actions are written to a per-tenant audit log. Immutability is enforced in layers: a scoped Firestore Security Rules block denies every operation against the audit subcollection from any client-side path, a least-privilege service-account role denies audit deletion to the scanner workload, and the authoritative guarantee is a nightly export of every audit row to a separate Google Cloud Storage bucket whose retention policy is sealed by Bucket Lock for 7 years — even a project owner cannot delete or modify the archive within the retention window. This makes the audit-log immutability claim enforceable rather than aspirational.
  • Backups. Encrypted backups on a 35-day cycle.
  • Personnel. Background-checked staff with confidentiality obligations.
  • Vulnerability management. Routine dependency auditing (npm audit, GitHub Dependabot) and patch cadence.

Data location & transfers

Primary processing happens in Google Cloud's us-central1 region (compute) and nam5 multi-region (Firestore). Where Customer Data is transferred outside the EEA, UK, or Switzerland, the transfer is governed by the Standard Contractual Clauses incorporated by reference into this DPA, plus any supplementary measures we deem appropriate after a transfer impact assessment.

Incident response

We will notify Customer without undue delay (and in any event within 72 hours of becoming aware) of any confirmed personal data breach affecting Customer Data, with a reasonable description of the nature of the breach, likely consequences, and remediation taken or proposed. We will cooperate in good faith with Customer's breach-response obligations under applicable law.

Report suspected vulnerabilities to security@brandprotector.io.

Data subject requests

Brand Protector will, taking into account the nature of processing, assist Customer with appropriate technical and organisational measures, insofar as possible, to fulfil Customer's obligation to respond to data subject requests under Articles 12-23 GDPR.

Article 15 (right of access). Owners and admins can self-serve a complete workspace data export from Settings → Data → Request workspace data export. The export is generated asynchronously by a Cloud Run Job and delivered as a single ZIP archive (one JSONL file per Firestore subcollection: detections, takedowns, cases, audit log, members, configuration, plus tokens and webhooks as metadata only). A download link is emailed to the requester and surfaces in the same Settings → Data screen; the link is valid for 7 days, after which a fresh export can be requested. The archive itself is purged from our storage after 30 days.

Article 17 (right to erasure). Workspace deletion remains a tenant-owner action (Settings → Danger zone) and triggers the 30-day soft-delete window followed by irreversible purge of all Customer Data, evidence files, and credentials. For individual data subjects (employees, collaborators) we offer in-product pseudonymization of audit rows on member removal: when an owner removes a member with the “pseudonymize audit” option, or when an individual leaves the workspace and ticks the right-to-erasure checkbox, that person's email is replaced in past audit entries with a stable per-tenant pseudonym. The audit trail's integrity is preserved for legal defensibility while no longer exposing the individual's email. Where regulatory pressure requires cross-tenant erasure for an individual, Customer or the data subject can email privacy@brandprotector.io and we will run the platform-wide erasure helper.

For Articles 16, 18, 20, 21 (rectification, restriction, portability, objection) Customer can self-serve via the settings UI (rectification of brand and legal context; the Article 15 export covers portability) or contact privacy@ for assistance.

Audit rights

Customer may, on at least 30 days' written notice and no more than once per twelve months (except where required by a supervisory authority or after a confirmed breach), audit Brand Protector's compliance with this DPA. To minimise disruption, Brand Protector may satisfy audit requests by providing recent third-party audit reports (e.g. SOC 2 from sub-processors, our own attestations as we mature).

Return & deletion

On termination of the underlying agreement, Customer may export Customer Data within the 30-day soft-delete window. After 30 days, all Customer Data is purged from active systems; backups roll off on the standard 35-day cycle. Audit-trail entries that are required for legal defensibility may be retained in pseudonymised form per the Privacy Policy.

Standard Contractual Clauses

The Standard Contractual Clauses (Module 2: controller to processor; 2021/914) are incorporated by reference and apply to transfers of personal data from the EEA to a third country lacking an adequacy decision. The UK International Data Transfer Addendum (IDTA) and the Swiss adaptations apply to UK and Swiss transfers respectively. Annexes (data subjects, categories of data, sub-processors, security measures) are populated by reference to the corresponding sections of this DPA.

Contact

For DPA-related correspondence, email privacy@brandprotector.io. Customers needing a counter-signed copy of this DPA (including the SCCs) can request one by email.

Cookies set by the marketing site and the application are inventoried in our Cookie Policy.