BriefBuilt

Data Processing Addendum

BriefBuilt Data Processing Addendum

Version and effective date: 16 July 2026

This Data Processing Addendum (“DPA”) forms part of the BriefBuilt Business Service Terms where BriefBuilt processes personal data on behalf of the Customer.

1. Roles and instructions

The Customer is controller and BriefBuilt is processor for Client Personal Data. BriefBuilt processes it only on documented instructions in the agreement, brief and authorised project actions, unless EU or Dutch law requires otherwise. BriefBuilt will inform the Customer before legally required processing unless prohibited.

2. Processing details

  • Subject: Shopify storefront design, configuration, testing, review and handover.
  • Duration: the service term plus the deletion period below.
  • Nature: access, collection, organisation, storage, review, transformation, transmission to approved subprocessors and deletion.
  • Purpose: deliver and secure the purchased Shopify project.
  • Data subjects: Customer staff, suppliers, website users and customers whose data is unavoidably present in authorised store access or supplied materials.
  • Data: identity and contact data, order or product interaction data, support content, technical identifiers and other data deliberately provided by the Customer.
  • Excluded unless separately agreed: special-category data, criminal-offence data, payment-card credentials, account passwords and large customer exports.

3. Confidentiality and security

BriefBuilt ensures authorised persons are bound by confidentiality and applies measures appropriate to risk, including least-privilege access, private repositories, encrypted credentials, restricted file permissions, signed project links and callbacks, environment-secret management and security updates. Details that would weaken security need not be publicly disclosed.

4. Subprocessors

The Customer gives general authorisation for the subprocessors listed in the Privacy Policy and a maintained subprocessor register. BriefBuilt will give reasonable advance notice of a new subprocessor that materially processes Client Personal Data. The Customer may object on reasonable data-protection grounds within 14 days. The parties will seek a solution; if none is reasonably available, the affected service may be terminated with a pro-rata refund of undelivered work. Equivalent Article 28 GDPR obligations are imposed on subprocessors.

5. International transfers

BriefBuilt will use an adequacy decision or another valid Chapter V GDPR mechanism, such as the EU Standard Contractual Clauses, for restricted transfers and will apply supplementary measures where required.

6. Assistance

Taking account of the processing and information available, BriefBuilt will reasonably assist the Customer with data-subject requests, security, breach notifications, DPIAs and regulator consultation. Work beyond ordinary service is chargeable at an agreed reasonable rate unless caused by BriefBuilt’s breach.

7. Incidents

BriefBuilt will notify the Customer without undue delay after becoming aware of a personal-data breach affecting Client Personal Data and provide available information needed for the Customer’s assessment and notification. BriefBuilt will preserve evidence and take reasonable containment and remediation steps. Notification is not an admission of fault.

8. Deletion and return

At the Customer’s choice and subject to legal retention duties, BriefBuilt will return or delete Client Personal Data through a documented manual project-closeout process after the service. Until closeout is complete, further use is restricted to secure storage, return, deletion, an agreed support period, dispute handling or compliance with law. The Customer may request written confirmation of the completed return or deletion.

9. Audit information

BriefBuilt will provide information reasonably necessary to demonstrate Article 28 GDPR compliance. No more than once per year, unless a material incident or regulator requires otherwise, the Customer may request a remote audit on reasonable notice. Audits must protect other clients, security and confidentiality and avoid unnecessary disruption. Independent reports may satisfy the request.

10. Customer duties

The Customer is responsible for lawful instructions, transparency to data subjects, legal bases, data minimisation and not providing excluded or unnecessary data. The Customer must configure staff access securely and notify BriefBuilt promptly when access should end.

11. Priority, acceptance and law

This DPA prevails over conflicting service terms for data protection. It is accepted electronically with the Business Service Terms when applicable. Dutch law and the dispute clause in those terms apply.

12. Contact

Privacy and DPA questions: support@briefbuilt.com.