Data Processing Agreement
This Data Processing Agreement ("DPA") supplements the Terms of Service (the "Agreement") entered into by and between Customer (as defined in the Agreement) and Brivvy, Inc., a Delaware corporation ("Brivvy"). By executing the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws (defined below), in the name and on behalf of its Affiliates, if any. This DPA incorporates the terms of the Agreement, and any terms not defined in this DPA shall have the meanings set forth in the Agreement. The parties therefore agree as follows:
1. Definitions
1.1 "Affiliate" means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity under common control with a party, where the same person owns fifty percent (50%) or more of the stock or other equity interest of both that entity and the party, but only for so long as such ownership exists.
1.2 "Authorized Sub-Processor" means a third party who has a need to know or otherwise access Customer's Personal Data to enable Brivvy to perform its obligations under this DPA or the Agreement, and who is either listed in Exhibit B or subsequently authorized under Section 3.2 of this DPA.
1.3 "Customer Account Data" means Personal Data that relates to Customer's relationship with Brivvy, including the names and contact information of individuals authorized by Customer to access Customer's account and billing information associated with that account.
1.4 "Customer Usage Data" means Service usage data collected and processed by Brivvy in connection with the provision of the Services, including data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services and to investigate and prevent system abuse.
1.5 "Data Exporter" means Customer.
1.6 "Data Importer" means Brivvy.
1.7 "Data Protection Laws" means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Personal Data, including: (i) the California Consumer Privacy Act ("CCPA"), (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), (iii) the Swiss Federal Act on Data Protection, (iv) the UK GDPR as incorporated into UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, (v) the UK Data Protection Act 2018, and (vi) the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case as updated, amended, or replaced from time to time. The terms "Data Subject," "Personal Data," "Personal Data Breach," "processing," "processor," "controller," and "supervisory authority" shall have the meanings set forth in the GDPR.
1.8 "EU SCCs" means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of Personal Data to countries not otherwise recognized as offering an adequate level of protection by the European Commission, as amended and updated from time to time.
1.9 "ex-EEA Transfer" means the transfer of Personal Data processed in accordance with the GDPR from the Data Exporter to the Data Importer outside the European Economic Area ("EEA"), where such transfer is not governed by an adequacy decision of the European Commission.
1.10 "ex-UK Transfer" means the transfer of Personal Data processed in accordance with the UK GDPR from the Data Exporter to the Data Importer outside the United Kingdom ("UK"), where such transfer is not governed by an adequacy decision of the UK Secretary of State.
1.11 "Services" shall have the meaning set forth in the Agreement.
1.12 "UK Addendum" means the International Data Transfer Addendum to the Standard Contractual Clauses issued by the UK Information Commissioner's Office, including all Part 2 Mandatory Clauses.
2. Relationship of the Parties; Processing of Data
2.1 The parties acknowledge that with regard to the processing of Personal Data, Customer may act as either a controller or processor and, except as expressly set forth in this DPA or the Agreement, Brivvy is a processor. Customer shall process Personal Data and provide instructions for its processing in compliance with Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Brivvy, (ii) the means by which Customer acquired that Personal Data, and (iii) the instructions it provides to Brivvy regarding processing. Customer shall not provide Brivvy with Personal Data that is inappropriate for the nature of the Services, and shall indemnify Brivvy from all claims and losses arising therefrom.
2.2 Brivvy shall not process Personal Data (i) for purposes other than those set forth in the Agreement and/or Exhibit A, (ii) in a manner inconsistent with this DPA or Customer's documented instructions, including with regard to cross-border transfers, unless required to do so by applicable law (in which case Brivvy shall inform Customer before processing, unless prohibited by law), or (iii) in violation of Data Protection Laws. Customer hereby instructs Brivvy to process Personal Data in accordance with the foregoing and as part of any processing initiated by Customer in its use of the Services.
2.3 The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects covered by this DPA are described in Exhibit A.
2.4 Following completion of the Services or termination of the Agreement, at Customer's election, Brivvy shall return or delete Customer's Personal Data, unless further retention is required or authorized by applicable law. If return or deletion is impracticable or prohibited by law, Brivvy shall take measures to block the Personal Data from further processing (except as required by law) and shall continue to protect the data remaining in its possession or control.
2.5 CCPA. Except with respect to Customer Account Data and Customer Usage Data, the parties acknowledge that Brivvy is a service provider for the purposes of the CCPA (to the extent applicable) and is receiving Personal Data from Customer solely to provide the Services, which constitutes a business purpose. Brivvy shall not sell any such Personal Data. Brivvy shall not retain, use, or disclose any Personal Data provided by Customer except as necessary to perform the Services or as otherwise permitted by the CCPA. Brivvy certifies that it understands and will comply with the restrictions of this Section 2.5.
3. Authorized Sub-Processors
3.1 Customer acknowledges and agrees that Brivvy may (i) engage its affiliates and the Authorized Sub-Processors listed in Exhibit B to access and process Personal Data in connection with the Services, and (ii) from time to time engage additional third parties for the purpose of providing the Services. By way of this DPA, Customer provides general written authorization to Brivvy to engage sub-processors as necessary to perform the Services.
3.2 The list of Authorized Sub-Processors (Exhibit B) may be updated by Brivvy from time to time. At least fifteen (15) days before enabling any new third party to access or participate in the processing of Personal Data, Brivvy will add that third party to Exhibit B and notify Customer via email. Customer may object to such engagement by providing written notice to Brivvy within ten (10) days of receiving the notification, provided that the objection is based on reasonable data protection grounds.
3.3 If Customer reasonably objects to a new sub-processor and Brivvy cannot provide a commercially reasonable alternative within a reasonable time, Customer may discontinue use of the affected Service by written notice. Discontinuation does not relieve Customer of any fees owed under the Agreement.
3.4 If Customer does not object to the engagement of a new third party within the period described in Section 3.2, that third party will be deemed an Authorized Sub-Processor for purposes of this DPA.
3.5 Brivvy will enter into a written agreement with each Authorized Sub-Processor imposing data protection obligations at least as protective as those imposed on Brivvy under this DPA. Brivvy remains liable to Customer for the performance of each Authorized Sub-Processor's obligations under such agreement.
4. Security of Personal Data
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of natural persons, Brivvy shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Exhibit C sets forth additional information about Brivvy's technical and organizational security measures.
5. Transfers of Personal Data
5.1 The parties agree that Brivvy may transfer Personal Data processed under this DPA outside the EEA, UK, or Switzerland as necessary to provide the Services. Customer acknowledges that Brivvy's primary processing operations take place in the United States and that the transfer of Customer's Personal Data to the United States is necessary for the provision of the Services. Where Brivvy transfers Personal Data to a jurisdiction lacking an EU adequacy decision, Brivvy will ensure that appropriate safeguards are in place in accordance with Data Protection Laws.
5.2 Ex-EEA Transfers. The parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into and incorporated into this DPA by reference, with the applicable module determined as follows: Module One (Controller to Controller) applies when Brivvy processes Personal Data as a controller; Module Two (Controller to Processor) applies when Customer is a controller and Brivvy is a processor; Module Three (Processor to Sub-Processor) applies when Customer is a processor and Brivvy is a sub-processor; Module Four (Processor to Controller) applies when Customer is a processor of Customer Usage Data and Brivvy processes that data as a controller.
5.3 Ex-UK Transfers. The parties agree that ex-UK Transfers are made pursuant to the UK Addendum, which is deemed entered into and incorporated into this DPA by reference. References to the GDPR in the applicable SCCs shall be read as references to the UK GDPR and the UK Data Protection Act 2018. References to supervisory authorities shall be read as references to the UK Information Commissioner.
5.4 Supplementary Measures. As of the effective date of this DPA, Brivvy has not received any formal legal requests from government intelligence or security agencies for access to Customer's Personal Data. If Brivvy receives such a request, it will attempt to redirect the relevant authority to seek data directly from Customer. If Brivvy is compelled to disclose Customer's Personal Data to a government authority, it will provide Customer with reasonable advance notice (to the extent legally permitted) to allow Customer to seek a protective order or other remedy. Brivvy shall not voluntarily disclose Customer's Personal Data to any government authority.
6. Rights of Data Subjects
6.1 Brivvy shall, to the extent permitted by law, promptly notify Customer upon receipt of a request from a Data Subject to exercise rights of access, rectification, erasure, data portability, restriction of processing, withdrawal of consent, or objection to automated decision-making (each, a "Data Subject Request"). Brivvy will advise the Data Subject to submit the request directly to Customer. Customer is responsible for responding to Data Subject Requests and for ensuring that requests for erasure, restriction, or withdrawal of consent are communicated to Brivvy as applicable.
6.2 Brivvy shall, at Customer's request and taking into account the nature of the processing, provide appropriate technical and organizational assistance to help Customer respond to Data Subject Requests, provided that (i) Customer is unable to respond without Brivvy's assistance and (ii) Brivvy is able to do so in accordance with applicable law. Customer shall be responsible for any costs arising from such assistance.
7. Cooperation, Audits, and Breach Notification
7.1 Brivvy shall provide Customer with reasonable cooperation and assistance as necessary for Customer to conduct data protection impact assessments and to fulfill its obligations under the GDPR, provided that Customer does not otherwise have access to the relevant information. Customer shall be responsible for any costs arising from such assistance.
7.2 Brivvy shall maintain records sufficient to demonstrate its compliance with this DPA and retain those records for three (3) years after termination of the Agreement. Upon reasonable written notice, Customer shall have the right to review and copy such records at Brivvy's offices during regular business hours.
7.3 Upon Customer's written request at reasonable intervals and subject to reasonable confidentiality controls, Brivvy shall either (i) make available certifications or reports demonstrating compliance with applicable data security standards, or (ii) allow Customer's independent representative to conduct an audit of Brivvy's data security infrastructure and procedures, provided that: (a) Customer provides reasonable prior written notice; (b) any audit occurs during business hours and no more than once per calendar year; and (c) the audit is restricted to data relevant to Customer. Customer shall bear the costs of any such audit.
7.4 Brivvy shall notify Customer without undue delay if, in Brivvy's opinion, any Customer instruction infringes applicable Data Protection Laws.
7.5 In the event of a Personal Data Breach, Brivvy shall, without undue delay, notify Customer and take reasonable steps to remediate the breach to the extent within Brivvy's control. Brivvy shall provide Customer with reasonable cooperation and assistance necessary for Customer to fulfill its notification obligations under the GDPR or other applicable Data Protection Laws, including notification to relevant supervisory authorities and affected Data Subjects.
8. Brivvy as a Controller
The parties acknowledge that Brivvy processes Customer Account Data and Customer Usage Data as a controller. Brivvy processes such data for the purpose of contractual necessity (i.e., to perform under the Agreement and provide the Services), to further its legitimate business interests, and to comply with applicable law. When Brivvy processes data based on contractual necessity, failure to provide such data may result in Customer's inability to use certain parts of the Services. Brivvy may also de-identify or anonymize Personal Data to further its legitimate interests in improving the Services.
9. General
9.1 Order of Precedence. In the event of any conflict between this DPA and the Agreement, this DPA shall control with respect to the subject matter hereof.
9.2 Liability. Any claims brought in connection with this DPA are subject to the terms and conditions of the Agreement, including its limitations of liability.
9.3 Severability. If any provision of this DPA is found to be unenforceable, the remaining provisions shall continue in full force.
9.4 Updates. Brivvy may update this DPA from time to time to reflect changes in Data Protection Laws or its data processing practices. Brivvy will provide reasonable notice of material changes. Continued use of the Services after the effective date of any update constitutes Customer's acceptance of the revised DPA.
Exhibit A — Details of Processing
Nature and Purpose of Processing: Brivvy processes Customer's Personal Data as necessary to provide the Services under the Agreement, including operating and maintaining the brand voice infrastructure platform, enabling brand voice configuration and enforcement, facilitating integrations with third-party tools, providing support, and improving the Services.
Duration of Processing: Brivvy processes Customer's Personal Data for as long as required to provide the Services under the Agreement, to fulfill Brivvy's legitimate business obligations, or as required by applicable law.
Categories of Data Subjects: Customer's employees, contractors, and end users who access or use the Services.
Categories of Personal Data: Name, email address, job title, authentication credentials, IP address, device identifiers, usage and activity data within the Services, and any Personal Data included in brand voice configurations or Customer Content uploaded to the platform.
Sensitive Data: The parties do not anticipate that Customer will upload special categories of data (as defined under GDPR Article 9) to the Services. Customer is responsible for ensuring that no such data is submitted without appropriate safeguards.
Exhibit B — Authorized Sub-Processors
Brivvy may engage the following categories of sub-processors to assist in providing the Services: cloud infrastructure and hosting providers (e.g., AWS or equivalent), payment processors (e.g., Stripe), analytics and monitoring providers, customer support platforms, and email and communication service providers.
A current list of specific Authorized Sub-Processors is available upon request at support@brivvy.io. Brivvy will notify Customer of any changes to this list in accordance with Section 3.2 of this DPA.
Exhibit C — Technical and Organizational Security Measures
Access Controls. Brivvy limits access to Personal Data to authorized personnel who require it to perform their job functions. Access is governed by role-based permissions and reviewed regularly.
Encryption. Personal Data is encrypted in transit using TLS and encrypted at rest using AES-256 or equivalent encryption.
Authentication. Brivvy requires strong authentication for access to systems that process Personal Data, including multi-factor authentication for administrative access.
Monitoring and Logging. Brivvy maintains audit logs of access to and activity within systems that process Personal Data and monitors for anomalous or unauthorized activity.
Incident Response. Brivvy maintains an incident response plan that includes procedures for identifying, containing, and notifying affected parties of Personal Data Breaches.
Vendor Management. Brivvy conducts due diligence on sub-processors and requires them to maintain security measures consistent with those described in this Exhibit.
Business Continuity. Brivvy maintains backup and recovery procedures to ensure the availability and integrity of Personal Data in the event of a system failure or incident.
Contact
For questions about this DPA or to submit a data-related request, please contact: