DPA - Data Processing Agreement

Last updated: September 1st, 2025

1. Introduction and Incorporation

1.1 Part of the Terms of Service.

This Data Processing Addendum (“DPA”) forms part of the Brizy Terms of Service and applies where and to the extent that ProWebCraft LTD (“Brizy”) processes Personal Data on behalf of the Customer in connection with the provision of the Services. This DPA reflects the parties’ agreement regarding the processing of such data in accordance with Data Protection Laws.


1.2 Priority.

In the event of a conflict between this DPA and the Terms of Service or any other agreement between the parties, the provisions of this DPA shall prevail with respect to the subject matter of data protection.


1.3 Scope.

This DPA applies to all processing of Personal Data by Brizy in its role as Processor, whether such processing is carried out for Customers directly, or for Customers acting as agencies or resellers who use the Services to provide websites and related offerings to their own end users. For the avoidance of doubt, Customers remain responsible for ensuring that their end users’ Personal Data is collected and processed in compliance with Data Protection Laws, and that lawful instructions are provided to Brizy.


1.4 Global Application.

This DPA is intended to satisfy the requirements of:

  • the UK General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018,
  • the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”),
  • the Swiss Federal Act on Data Protection (“FADP”), and
  • applicable US state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and other similar state laws to the extent applicable.


1.5 Order of Precedence.

If Brizy publishes region-specific terms (e.g., for the EEA, UK, Switzerland, or US states) that supplement this DPA, those region-specific terms shall take precedence over this DPA to the extent of any inconsistency.

2. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalised terms not otherwise defined herein shall have the meanings given to them in the Terms of Service.

2.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.

2.2 “Controller” means the entity which determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, the Customer is the Controller. Where the Customer is acting on behalf of its own clients (such as agencies or resellers), the Customer remains responsible for ensuring that lawful Controller instructions are provided to Brizy.

2.3 “Customer” means the entity that has entered into the Terms of Service with Brizy and that determines the purposes and means of Processing of Personal Data. For clarity, “Customer” includes agencies, resellers, and other organisations who use Brizy to create and manage websites for their own clients or end users.

2.4 “Customer Personal Data” means any Personal Data processed by Brizy on behalf of the Customer under the Terms of Service. This may include Personal Data relating to Customer’s own employees, clients, website visitors, or end users, as determined and controlled by the Customer.

2.5 “Data Protection Laws” means all applicable privacy and data protection laws, rules, and regulations, including but not limited to:

  • the GDPR;
  • the UK GDPR and UK Data Protection Act 2018;
  • the Swiss FADP;
  • the CCPA/CPRA and other applicable US state privacy laws; and
  • any laws implementing, replacing, or amending the foregoing.

2.6 “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.

2.7 “Personal Data” means any information relating to a Data Subject, as defined under applicable Data Protection Laws, that is processed by Brizy on behalf of the Customer.

2.8 “Processing” (and “Process”) means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

2.9 “Processor” means the entity which Processes Personal Data on behalf of the Controller. For the purposes of this DPA, Brizy acts as a Processor when processing Customer Personal Data.

2.10 “Services” means the Brizy website building platform and related products or services, including Brizy Cloud, Brizy for WordPress, and any associated hosting, integrations, or support tools provided by Brizy to the Customer under the Terms of Service.

2.11 “Sub-processor” means any third party engaged by Brizy to Process Customer Personal Data in connection with the provision of the Services.

2.12 “Supervisory Authority” means any independent public authority established pursuant to Data Protection Laws that is responsible for monitoring and enforcing compliance with such laws.

3. Roles of the Parties

3.1 Customer as Controller.

The Parties acknowledge that, with respect to Customer Personal Data, the Customer acts as the Controller (or, where the Customer acts as a Processor on behalf of its own clients, the Customer warrants that it is authorised to instruct Brizy as a sub-processor). The Customer determines the purposes and means of Processing Customer Personal Data and is responsible for ensuring that it has an appropriate legal basis for such Processing under Data Protection Laws.


3.2 Brizy as Processor.

Brizy will process Customer Personal Data solely as a Processor on behalf of the Customer and strictly in accordance with the Customer’s documented lawful instructions, unless otherwise required to do so by applicable law (in which case Brizy shall notify the Customer, unless prohibited from doing so by law).


3.3 Brizy as Controller.

Brizy acts as an independent Controller with respect to certain data that it processes for its own business purposes, including:

  • Account registration and authentication data (e.g., names, email addresses, login credentials);
  • Billing, payment, and tax-related data;
  • Security, logging, and fraud-prevention data;
  • Platform usage analytics for service optimisation;
  • Communications sent directly to Customers (support, updates, or marketing, where permitted).


When acting as a Controller, Brizy determines the purposes and means of such processing independently, and this DPA does not apply to such processing.


3.4 Agencies and Resellers.

Where the Customer is an agency, reseller, or similar entity that uses the Services to provide websites and related offerings to its own clients (“End Clients”), the Customer remains solely responsible for its relationship with End Clients and for ensuring that lawful instructions and appropriate notices are provided to Brizy. Brizy acts as a Processor to the Customer only, and does not act as a Processor or Controller with respect to End Clients directly.


3.5 No Joint Controllership.

Nothing in this DPA shall be construed to establish joint controllership between the Parties. Each Party acts as a separate and independent Controller when processing Personal Data for its own purposes.

4. Scope of Processing

4.1 Subject Matter.

The subject matter of this DPA is the Processing of Customer Personal Data by Brizy in connection with the provision of the Services under the Terms of Service.


4.2 Duration.

Brizy will process Customer Personal Data for the duration of the Terms of Service, unless otherwise required by applicable law. Upon termination or expiry, Customer Personal Data will be deleted or returned in accordance with Section 12 (Data Retention, Return, and Deletion).


4.3 Nature and Purpose.

Brizy will process Customer Personal Data solely as necessary to provide and secure the Services, which may include:

  • Hosting, rendering, and publishing websites;
  • Providing website templates, forms, and integrations chosen by the Customer;
  • Managing accounts, roles, and workspaces;
  • Processing form submissions, leads, and communications initiated through Customer websites;
  • Performing backups, troubleshooting, and support;
  • Detecting and preventing fraud, abuse, or security incidents;
  • Improving the functionality, performance, and stability of the Services.


4.4 Categories of Data Subjects.

The categories of Data Subjects whose data may be processed include:

  • Customers (account holders and their authorised users);
  • Customer employees, contractors, or representatives;
  • End Clients of Customers (where the Customer is an agency, reseller, or SaaS provider);
  • End Users and website visitors interacting with Customer websites built on Brizy.


4.5 Categories of Personal Data.

The categories of Personal Data processed may include:

  • Account data (name, email address, password, profile information);
  • Billing and payment information (billing address, partial payment details, VAT/tax IDs, invoicing records);
  • Technical data (IP address, device/browser type, system logs, analytics data);
  • Website content uploaded by Customer or End Users (text, images, video, audio, code, documents);
  • Leads or form submission data collected through Customer websites;
  • Communication and support data exchanged with Brizy (support tickets, emails, or live chat).


4.6 Special Categories of Data.

Brizy does not intentionally require or request the Processing of special categories of Personal Data under Article 9 GDPR. However, Customers or their End Clients may choose to collect or upload such data via the Services at their sole discretion and under their sole responsibility. Brizy will process such data only on documented instructions and subject to the safeguards described in this DPA.

5. Customer Instructions and Purpose Limitation

5.1 Documented Instructions.

Brizy shall process Customer Personal Data only in accordance with the documented lawful instructions of the Customer, as set out in this DPA, the Terms of Service, and any configuration or written direction given by the Customer through the Services. Brizy shall not process Customer Personal Data for any other purpose unless required to do so by applicable law. In such cases, Brizy shall notify the Customer of that legal requirement before processing, unless prohibited by law.


5.2 Permitted Purposes.

Brizy will process Customer Personal Data solely for the following purposes:

  • To provide, secure, and maintain the Services;
  • To comply with Customer’s documented instructions through use of the Services;
  • To resolve technical or support issues requested by the Customer;
  • To investigate, prevent, or mitigate fraud, abuse, or security incidents;
  • To comply with legal obligations applicable to Brizy.


5.3 Prohibition on Other Uses.

Brizy shall not:

  • Sell or share Customer Personal Data with third parties for commercial benefit;
  • Combine Customer Personal Data with personal data obtained from other sources, except as necessary to provide or secure the Services;
  • Use Customer Personal Data for Brizy’s own marketing or analytics purposes, unless Customer has explicitly consented.


5.4 Customer Responsibility.

The Customer is responsible for ensuring that its use of the Services, including collection and submission of Customer Personal Data (by the Customer itself, its End Clients, or its End Users), complies with all applicable Data Protection Laws. The Customer warrants that all documented instructions provided to Brizy are lawful and that it has obtained all necessary consents or legal bases for Processing.

6. Security Measures

6.1 Implementation of Security Measures.

Brizy shall implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures shall take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of Data Subjects.


6.2 Examples of Measures.

Without limiting the generality of Section 6.1, Brizy will implement and maintain measures that include, where appropriate:

  • Encryption in transit and at rest for Customer Personal Data;
  • Access controls and authentication safeguards for systems handling Customer Personal Data;
  • Regular backups and recovery processes;
  • Logging and monitoring of system activity;
  • Network and application security, including firewalls and vulnerability management;
  • Security awareness and confidentiality obligations for personnel with access to Customer Personal Data;
  • Procedures for regular testing, assessment, and evaluation of the effectiveness of security measures.


6.3 Confidentiality of Processing.

Brizy shall ensure that all personnel authorised to process Customer Personal Data are subject to confidentiality obligations, whether contractual or statutory.


6.4 Updates to Measures.

Brizy may update or modify its technical and organisational measures from time to time, provided that such updates and modifications do not result in a material decrease in the overall level of protection of Customer Personal Data during the term of the Services.


6.5 Customer Responsibilities.

The Customer is responsible for configuring the Services, using available security features, and ensuring that Personal Data it submits to the Services is limited to what is necessary for its purposes.

7. Data Subject Rights

7.1 Assistance with Requests.

Taking into account the nature of the Processing and the information available to Brizy, Brizy shall provide reasonable assistance to the Customer, by appropriate technical and organisational measures, to enable the Customer to fulfil its obligations to respond to requests from Data Subjects under Data Protection Laws. This includes requests to exercise rights of access, rectification, erasure, restriction, portability, and objection.


7.2 Forwarding of Requests.

If Brizy receives a request directly from a Data Subject relating to Customer Personal Data, Brizy shall, without undue delay, forward such request to the Customer. Brizy shall not respond directly to the Data Subject except on documented instructions from the Customer, unless required by applicable law.


7.3 Customer Responsibility.

The Customer remains solely responsible for managing its relationship with Data Subjects and for ensuring that all necessary notices, consents, and legal bases for Processing are in place.


7.4 Costs.

Where a Data Subject request requires Brizy to provide assistance beyond what is made available through the Services’ standard functionality, Brizy may charge the Customer for its reasonable costs in providing such additional assistance, provided such charges are proportionate and permitted under Data Protection Laws.

8. Breach Notification

8.1 Notification Obligation.

In the event of a Personal Data Breach affecting Customer Personal Data, Brizy shall notify the Customer without undue delay and, where feasible, no later than forty-eight (48) hours after becoming aware of the Breach.


8.2 Content of Notification.

Such notification shall include, to the extent known to Brizy at the time:

  • a description of the nature of the Breach, including the categories and approximate number of Data Subjects and records concerned;
  • the likely consequences of the Breach;
  • the measures taken or proposed to be taken by Brizy to address the Breach and mitigate its possible adverse effects;
  • contact details for Brizy’s data protection contact point from whom further information can be obtained.


8.3 Updates.

Where all details cannot be provided at once, Brizy may provide the information in phases without undue further delay. Brizy shall continue to cooperate with the Customer and provide timely updates as more information becomes available.


8.4 No Admission of Liability.

Brizy’s notification of or response to a Breach shall not be construed as an acknowledgment of fault or liability for the incident.


8.5 Customer Responsibility.

The Customer is responsible for determining whether to notify Supervisory Authorities and/or affected Data Subjects of the Breach, in accordance with applicable Data Protection Laws.

9. Sub-processors

9.1 General Authorisation.

The Customer provides Brizy with a general authorisation to engage Sub-processors in connection with the provision of the Services. Brizy shall ensure that each Sub-processor is bound by a written agreement imposing data protection obligations no less protective than those set out in this DPA, as required by Data Protection Laws.


9.2 List of Sub-processors.

A current list of Sub-processors engaged by Brizy is available at: https://www.brizy.io/privacy-policy#subprocessors. Brizy shall maintain this list and update it regularly.


9.3 Notice of New Sub-processors.

Brizy will notify the Customer at least thirty (30) days in advance of authorising any new material Sub-processor that will perform a processing activity involving Partner Personal Data in a way reasonably likely to be considered significant (for example, providers of hosting, storage, payment processing, or core infrastructure services). Notification will be provided by updating the list of Sub-processors and, where available, by email to Partners who have subscribed for such updates. Brizy is not required to provide advance notice of ancillary or support vendors whose access to Partner Personal Data is limited and not material to the operation of the Services.


9.4 Objection Right.

If the Customer has a reasonable objection to Brizy’s use of a new Sub-processor that is related to data protection concerns, the Customer may notify Brizy in writing within fifteen (15) days of receiving notice. Brizy will use reasonable efforts to address the objection by (a) proposing an alternative Sub-processor, (b) removing the Sub-processor from the affected processing activities, or (c) providing other reasonable mitigation. If Brizy is unable to provide such mitigation within a reasonable time, the Customer may terminate the affected Services without penalty.


9.5 Liability for Sub-processors.

Brizy shall remain fully liable to the Customer for the performance of its Sub-processors’ obligations in connection with the Processing of Customer Personal Data, to the same extent Brizy would be liable if performing the Services itself.

10. International Data Transfers

10.1 Authorisation.

The Customer authorises Brizy to transfer and process Customer Personal Data outside the country in which it was originally collected, provided that such transfers are made in compliance with Data Protection Laws and this DPA.


10.2 Adequacy Decisions.

Where Customer Personal Data is transferred to a country that has been recognised by the European Commission, the UK Government, or the Swiss Federal Council (as applicable) as providing an adequate level of protection, such transfers shall not require additional safeguards.


10.3 Standard Contractual Clauses (SCCs).

For transfers of Customer Personal Data from the European Economic Area (EEA) or Switzerland to countries that do not benefit from an adequacy decision, the parties agree that the Standard Contractual Clauses approved by the European Commission (Decision 2021/914, dated 4 June 2021) are hereby incorporated into and form part of this DPA.

  • Module Two (Controller to Processor) shall apply where the Customer is a Controller and Brizy acts as Processor.
  • Module Three (Processor to Processor) shall apply where the Customer acts as a Processor on behalf of its own clients and Brizy acts as a Sub-processor.

  • The information required by the Annexes to the SCCs is set out in Annex I (Description of Processing), Annex II (Technical and Organisational Measures), and Annex III (Sub-processors) to this DPA.


10.4 UK Transfers.

For transfers of Customer Personal Data from the United Kingdom to countries that do not benefit from an adequacy decision, the parties agree that the UK Addendum to the EU SCCs (issued by the UK Information Commissioner’s Office, effective 21 March 2022) is incorporated into and forms part of this DPA.


10.5 Swiss Transfers.

For transfers of Customer Personal Data from Switzerland to countries that do not benefit from an adequacy decision, the SCCs shall apply with the modifications required under the Swiss Federal Data Protection Act (FADP).


10.6 Data Privacy Framework.

Where applicable, Brizy may rely on its or its Sub-processors’ certification to the EU–U.S. Data Privacy Framework, the UK Extension to the EU–U.S. Data Privacy Framework, or the Swiss–U.S. Data Privacy Framework as a transfer mechanism, provided that such certification remains valid.


10.7 Transfer Impact Assessments.

Brizy shall, upon reasonable request, provide the Customer with information necessary to support a transfer impact assessment (TIA) in connection with its use of the Services, taking into account the nature of the Processing and the information available to Brizy.

11. Assistance and Cooperation Obligations

11.1 Data Protection Impact Assessments.

Taking into account the nature of the Processing and the information available to Brizy, Brizy shall provide reasonable assistance to the Customer in carrying out data protection impact assessments (DPIAs) and, where required, prior consultations with Supervisory Authorities, in relation to the Processing of Customer Personal Data.


11.2 Regulator Inquiries.

If a Supervisory Authority or other competent public authority makes a legally binding request relating to Customer Personal Data, Brizy shall, unless legally prohibited, promptly notify the Customer and provide the information reasonably available to Brizy in order to enable the Customer to respond.


11.3 Third-Party Requests.

Unless prohibited by law, Brizy shall promptly inform the Customer if it receives a request for disclosure of Customer Personal Data from a third party (including regulators or data subjects). Brizy shall not disclose Customer Personal Data to such third parties except in accordance with the Customer’s documented instructions, unless required to do so by law.


11.4 General Cooperation.

Brizy shall make available to the Customer information reasonably necessary to demonstrate Brizy’s compliance with its obligations under this DPA and Data Protection Laws, provided that such information does not compromise Brizy’s security, confidentiality, or other customers’ data.


11.5 Costs.

Where assistance under this Section requires Brizy to provide effort beyond what is included in the ordinary operation of the Services, Brizy may charge the Customer for its reasonable costs, provided such charges are proportionate and permitted under Data Protection Laws.

12. Data Retention, Return, and Deletion

12.1 Access During the Term.

During the term of the Services, the Customer may access, retrieve, or delete Customer Personal Data through the functionality of the Services, subject to applicable technical limits.


12.2 Deletion Upon Termination.

Upon termination or expiry of the Services, Brizy shall, at the choice of the Customer, delete or return all Customer Personal Data (and copies thereof) processed on behalf of the Customer, unless applicable law requires storage of the data.


12.3 Retention in Backups.

Brizy may retain Customer Personal Data for a limited period in backup systems, provided that such data remains subject to the protections of this DPA and is securely deleted in accordance with Brizy’s standard retention schedule.


12.4 Certification of Deletion.

Upon written request, Brizy shall confirm in writing that Customer Personal Data has been deleted in accordance with this Section.


12.5 Customer Responsibility.

The Customer is solely responsible for exporting and securing its own Customer Personal Data prior to termination of the Services.

13. Audit Rights

13.1 Provision of Information.

Brizy shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and with its obligations as a Processor under Data Protection Laws, to the extent such information is available to Brizy and does not compromise the security or confidentiality of other customers’ data.


13.2 Independent Reports.

Where Brizy obtains third-party assessments, security summaries, or penetration test results relevant to the Services, Brizy shall make such documentation available to the Customer upon request, subject to reasonable confidentiality restrictions.


13.3 Customer Audits.

If the Customer reasonably believes that the information provided under Section 13.1 is insufficient to demonstrate Brizy’s compliance with this DPA, the Customer may, up to once per year, request to conduct an audit. Such audit shall:

  • be limited in scope to the facilities, systems, and processes relevant to the Processing of Customer Personal Data;
  • be subject to at least thirty (30) days’ prior written notice;
  • be conducted during normal business hours in a manner that minimises disruption to Brizy’s operations; and
  • be carried out either by the Customer or by an independent auditor appointed by the Customer and approved by Brizy (such approval not to be unreasonably withheld).


13.4 Costs.

Audits shall be at the Customer’s expense. If the audit reveals a material failure by Brizy to comply with this DPA, Brizy shall bear its own costs of remediation.


13.5 Confidentiality.

All information and audit results arising under this Section shall be deemed Brizy’s Confidential Information and handled in accordance with the confidentiality provisions of the Terms of Service.

14. Liability

14.1 Each Party’s Responsibility.

Each Party shall be liable for the damages it causes through any breach of its obligations under this DPA or applicable Data Protection Laws.


14.2 Brizy’s Liability as Processor.

Brizy shall be liable for the acts and omissions of its Sub-processors to the same extent that Brizy would be liable if performing the services itself.


14.3 Exclusions.

Brizy shall not be liable for any breach of this DPA to the extent such breach is caused by the Customer’s failure to comply with its own obligations under Data Protection Laws, including but not limited to:

  • providing lawful instructions;
  • ensuring an appropriate legal basis for processing;
  • obtaining necessary consents from Data Subjects;
  • configuring and using the Services in a compliant manner.

14.4 Liability Cap.

Except where otherwise required by Data Protection Laws, the total aggregate liability of Brizy under this DPA shall be subject to the same exclusions and limitations of liability as set out in the Terms of Service.


14.5 No Limitation for Wilful Misconduct.

Nothing in this DPA shall limit either Party’s liability for fraud, wilful misconduct, or liability that cannot lawfully be excluded or limited under applicable law.

15. Governing Law and Jurisdiction

15.1 Governing Law.

This DPA, and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter, shall be governed by and construed in accordance with the laws of the United Kingdom.


15.2 Jurisdiction.

Any disputes arising under or in connection with this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms of Service. Where the Terms of Service do not specify, the parties agree to submit to the exclusive jurisdiction of the courts of England and Wales, without prejudice to the rights of Data Subjects or Supervisory Authorities under applicable Data Protection Laws.


15.3 Mandatory Law.

Nothing in this Section shall prevent a Data Subject from bringing a claim in the courts of their habitual residence where such right is provided under GDPR, UK GDPR, or other applicable Data Protection Laws.

16. Annexes

The following Annexes form an integral part of this DPA. Where the Standard Contractual Clauses (SCCs) apply, these Annexes shall also serve as the mandatory Annexes referenced in the SCCs.

Annex I – Description of Processing

A. Parties

  • Data Exporter (Controller): The Customer (including agencies, resellers, or other organisations using the Services to create/manage websites and collect data from their end users).
  • Data Importer (Processor): ProWebCraft LTD (“Brizy”), 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.


B. Categories of Data Subjects

Customer Personal Data may concern the following categories of Data Subjects:

  • Customers’ authorised users (e.g., employees, contractors, collaborators).
  • End Clients of agencies/resellers using Brizy.
  • Website visitors, leads, and end users interacting with websites hosted on Brizy’s infrastructure.


C. Categories of Personal Data

The categories of Customer Personal Data processed by Brizy may include:

Account and Workspace Data (for Customer’s authorised users):

  • Name, email address, login credentials.
  • Project/workspace data created and managed within the Services.


End User and Website Data:

  • Content uploaded by Customers or End Users via websites built on Brizy (text, images, video, audio, documents, code, or other user-generated content).
  • Leads or form submission data collected through Customer websites (e.g., contact details, messages, preferences).


Technical and Usage Data:

  • IP address, device/browser type, operating system, language settings.
  • Interactions with hosted websites (timestamps, browsing activity, load times, referral pages).
  • Error logs and performance data.
  • Cookie and analytics data configured by the Customer (e.g., Google Analytics, Piwik PRO, Clarity).


Payment-Related Data (limited):

  • Where Customers configure payment functionality via Brizy-hosted sites, Brizy may process transaction-related data (e.g., partial payment details, billing address, or information passed through to third-party payment processors such as Stripe or PayPal), strictly as directed by the Customer.


D. Special Categories of Personal Data

Brizy does not intentionally require or request the processing of special categories of data under Article 9 GDPR. However, Customers or their End Users may choose to submit such data (e.g., through free-text fields on websites). In such cases, Brizy processes this data only on documented instructions from the Customer and subject to the safeguards in this DPA.


E. Nature and Purpose of Processing

Brizy processes Customer Personal Data solely for the following purposes:

  • Hosting and rendering Customer websites on Brizy’s infrastructure.
  • Enabling Customer configuration of forms, content, and integrations.
  • Storing data collected through Customer websites (including leads and submissions).
  • Performing backups, troubleshooting, and support.
  • Detecting, preventing, and investigating fraud, abuse, or security incidents.
  • Ensuring reliability, availability, and security of the Services.
  • Complying with legal obligations applicable to Brizy as Processor.


F. Frequency and Duration of Processing

  • Frequency: Continuous, for the duration of Customer’s use of the Services.
  • Duration: Until termination or expiry of the Services, subject to deletion or return as set out in Section 12 of this DPA.


G. Roles of the Parties

  • Customer: Controller (or Processor where acting for its own End Clients).
  • Brizy: Processor with respect to Customer Personal Data.

Annex II – Description of Processing

Brizy implements the following technical and organisational measures to ensure a level of security appropriate to the risk, as required under GDPR Article 32 and equivalent provisions under UK GDPR and the Swiss FADP. These measures are subject to ongoing review and improvement.

1. Physical Access Control

Measures to prevent unauthorised persons from gaining access to data processing facilities:

  • Hosting with Amazon Web Services (AWS) in secure data centres with 24/7 on-site security.
  • Biometric access controls and manual lock systems at data centre facilities.
  • Video surveillance at all facility entrances.
  • Visitor registration, escort protocols, and doorbell/camera systems.


2. Logical Access Control

Measures to prevent unauthorised access to systems where personal data is processed:

  • Access restricted by individual usernames and strong passwords.
  • Multi-factor authentication (MFA/2FA) for critical systems.
  • Role-based access control (RBAC) to limit access according to job function.
  • Centralised Single Sign-On (SSO) for internal systems.
  • Firewalls and intrusion detection/prevention systems.
  • Logging and monitoring of all system and database access.


3. Authorisation Control

Measures to ensure authorised personnel access only the data they are permitted to:

  • Access rights assigned on a “least privilege” basis.
  • Regular review of user access rights.
  • Limitation of administrative rights to a restricted group.
  • Secure SSL/TLS encryption for all administrative access.
  • Audit logs maintained for access attempts and changes.


4. Separation Control

Measures to ensure that data collected for different purposes is processed separately:

  • Logical separation of test, development, staging, and production environments.
  • Multi-tenancy controls to ensure segregation of customer environments.
  • Production data never used in development/testing environments.


5. Transfer Control

Measures to protect personal data during transmission:

  • Encrypted transmission protocols (TLS/HTTPS, SFTP, VPN).
  • Secure encrypted channels for data exchange with Sub-processors and vendors.
  • Logging of transfer activities to enable review.


6. Input Control

Measures to ensure personal data can only be entered, modified, or deleted by authorised personnel:

  • User rights restricted to necessary functions.
  • Change logs and version control in applications.
  • Monitoring and review of system logs, both automated and manual.


7. Availability and Resilience

Measures to protect against accidental destruction or loss of data:

  • Redundant storage across geographically distributed AWS regions.
  • Automated snapshots and backups (including AWS RDS and S3 with versioning).
  • Disaster recovery planning with AWS CloudFormation.
  • Elastic Load Balancing and AWS Auto Scaling to maintain service continuity.


8. Monitoring and Alerting

Measures to ensure infrastructure integrity and quick response to incidents:

  • AWS CloudWatch and similar tools for real-time system monitoring.
  • Alerting systems for anomalies, downtime, or performance issues.
  • Logging of system events with retention for analysis and incident response.


9. Sub-processor and Vendor Management

Measures to ensure third parties provide an appropriate level of security:

  • Due diligence prior to onboarding Sub-processors.
  • Contractual data processing agreements in place with all vendors.
  • Ongoing monitoring and periodic review of Sub-processor compliance.
  • Non-disclosure agreements (NDAs) required for contractors and partners.


10. Personnel Security and Confidentiality

Measures to ensure Brizy staff respect confidentiality and data protection obligations:

  • Confidentiality obligations included in employment and contractor agreements.
  • Access granted only to personnel with a legitimate business need.
  • Security and GDPR awareness training provided regularly.


11. Data Subject Rights Management

Measures to support GDPR Chapter III rights (access, erasure, restriction, portability, etc.):

  • Documented internal processes to handle Data Subject Requests (DSRs).
  • Forwarding any DSRs received directly to the Customer without undue delay.
  • Logging and tracking of DSR handling to meet legal deadlines.
  • Cooperation with Supervisory Authorities where required.


12. Review and Improvement

  • Security measures are regularly reviewed and updated based on technological developments, emerging threats, and regulatory requirements.
  • Brizy maintains an internal incident response process and continuously monitors for vulnerabilities and risks.

Annex III – Sub-processors

Brizy engages certain third parties (“Sub-processors”) to provide infrastructure, hosting, support, analytics, communications, and other functions necessary to deliver the Services. Sub-processors process Customer Personal Data solely on documented instructions from Brizy and are bound by written agreements imposing data protection obligations no less protective than those in this DPA.

Click this link for a list of Third Parties used by our company
