Data Processing Agreement
This Data Processing Agreement (DPA) applies to all BrandDeck customers who process personal data of their own clients or end users through the BrandDeck platform. This DPA forms part of the agreement between you (the data controller) and BrandDeck (the data processor) and is required under Article 28 of the GDPR.
By using BrandDeck to process personal data on behalf of your clients, you agree to the terms of this DPA.
1. Definitions
• Controller: the customer who determines the purposes and means of processing personal data
• Processor: BrandDeck, which processes personal data on behalf of the controller
• Personal data: any information that identifies or can identify a natural person
• Processing: any operation performed on personal data
• Sub-processor: a third party engaged by BrandDeck to assist in processing personal data
2. Subject matter and duration
BrandDeck processes personal data on your behalf solely for the purpose of providing the BrandDeck platform as described in our Terms of Service. This DPA applies for as long as BrandDeck processes personal data on your behalf.
3. Nature and purpose of processing
BrandDeck processes personal data to provide storage, organization and collaboration features for brand assets and guidelines. Processing is limited to what is strictly necessary to deliver the platform.
4. Types of personal data and categories of data subjects
The personal data processed may include names, email addresses and other information uploaded by you or your clients. Data subjects may include your clients, their team members and end users who access brand workspaces.
5. Obligations of BrandDeck as processor
BrandDeck commits to:
• Process personal data only on your documented instructions
• Ensure that authorized personnel are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist you in responding to requests from data subjects exercising their GDPR rights
• Notify you without undue delay after becoming aware of a personal data breach
• Delete or return all personal data upon termination of the service
• Make available all information necessary to demonstrate compliance with this DPA
6. Sub-processors
BrandDeck may engage sub-processors to assist in delivering the platform, including hosting providers and infrastructure services. All sub-processors are located within the European Economic Area or are subject to appropriate safeguards. BrandDeck will inform you of any intended changes to sub-processors with reasonable notice. A current list of sub-processors is available upon request via hello@branddeck.co.
7. International transfers
All personal data is stored on servers located in Germany within the European Union. BrandDeck does not transfer personal data outside the European Economic Area.
8. Security measures
BrandDeck implements technical and organizational measures to protect personal data against unauthorized access, loss or destruction. These include encrypted data storage, access controls and regular security reviews. For a full overview see our Security page at branddeck.co/security.
9. Data subject rights
BrandDeck will assist you in fulfilling your obligations to respond to data subject requests under the GDPR. If a data subject contacts BrandDeck directly, we will forward the request to you without undue delay.
10. Data breach notification
In the event of a personal data breach, BrandDeck will notify you within 72 hours of becoming aware of the breach. We will provide all relevant information to help you meet your notification obligations under the GDPR.
11. Termination
Upon termination of your BrandDeck subscription, all personal data will be deleted within 30 days unless you request a data export before that date or unless we are required by law to retain it longer.
12. Contact
Questions about this DPA or data processing?


