Brevz Data Processing Agreement

Last revision: May 20, 2021

Brevz SAS is a company registered at 4 Rue Voltaire, 44000 Nantes, France (registration number: 898446141). Our technical infrastructure is provided by Scaleway.

This Data Processing Agreement (“DPA”) is an addendum to the terms of service.

If you are accepting this DPA on behalf of your customer, you warrant that: (i) you have full legal authority to bind your customer to this DPA; (ii) you have read and understand this DPA; and (iii) you agree, on behalf of your customer, to this DPA.

These service terms incorporate the “Brevz Processing Agreement” (“DPA”) when the General Data Protection Regulation (“GDPR”) applies to your use of Brevz services to process visitor data as defined in the DPA. We protect and secure your visitor data to the standards set out in the agreement.

1. Definitions

Data Subject means a natural person (i.e. not a company or organisation) whose personal data is being processed by a controller.

Personal Data means any information relating to an identified or identifiable physical person; an identifiable physical person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Controller, You or Customer means the company or the organization that signs up to use the Brevz product.

Processor means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2. Data we collect

2.1 Personal Data. When you subscribe to Brevz, you'll have to provide an email, a name, your company's name and your VAT. We also store your IP address inside our logging system, as explained in the Privacy Policy.

2.2 Service Data. When you integrate Brevz into your website you can send data to us about your end-users to enrich their experiences with our product. You have a responsibility to understand the data they send to us and to take appropriate disclosures, precautions and responsibilities regarding the content of the service data they provide to us.

3. Data Processing

3.1 Brevz will process visitor data in accordance with instructions from the Controller through the settings of the service:

  • a. To operate, maintain and support the infrastructure;
  • b. To comply with customer's instructions and processing instructions in their use, management and administration of the service;
  • c. As otherwise instructed through settings of the service;
  • d. To assist the Controller and cooperate with it in the event of a request made by the competent authorities, the Data Subjects and in order to comply with the obligations arising from the Data Protection Regulations.

Brevz will only process visitor data in accordance with the agreement.

3.2 Before or at the time personal information is collected, the processor identifies the purposes for which the information is collected.

3.3 The processor will use the personal data only for the defined purpose, unless the processor obtains the consent of the controller or it is required by the law.

3.4 The processor shall guarantee the confidentiality of visitor data processed hereunder by reasonable security measures designed against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure.

3.5 The data is only hosted and processed within a member state of the European Union.

3.6 The Processor's core cluster (databases, APIs) is hosted in Paris, France.

3.7 The Processor's content delivery network contains servers outside the European Union. These servers are used as relays to serve static content faster around the world. Those network relays are not storing any data.

3.8 Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and up-to-date.

4. Technical Security

4.1 The processor shall guarantee the security of visitor data processed hereunder by reasonable security measures designed against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure.

  • a. Core cluster is protected by VPN
  • b. Brevz employees' computers are secured and up to date
  • c. Brevz employees are trained in data-security practices
  • d. Servers and services run the latest security updates and are patched as soon as possible when a vulnerability is discovered
  • e. Encrypted communications between services
  • f. Two-factor authentication enabled when available for our third parties

5. Sub-processors

5.1 The Processor may only use another subcontractor ("Sub-processor") to carry out specific Processing activities.

5.2 The Processor ensures that each Sub-processor offers adequate guarantees with regard to the Data Protection Regulations in terms of the technical and organisational measures adopted for the Processing of the Personal Data and ensures that each Sub-processor immediately discontinues any Processing of the Personal Data in the absence of such guarantees.

5.3 The Controller reserves the right to object to any Sub-processor, provided that, in its opinion, the Sub-processor does not provide sufficient guarantees to implement appropriate technical and organizational data protection measures.

5.4 The Controller agrees to the commissioning of the following sub-processor on the condition of a contractual agreement in accordance with applicable data protection laws:

  • a. Scaleway SAS (EU, FR): Hosting the core cluster (data & servers), servers located in France.
  • b. Stripe Payments Europe, Ltd (EU, IE): Credit-card processing, servers located in US.
  • c. Google Cloud (US): To send push notifications to Chrome browsers, servers located in Belgium and Netherlands.

5.4.1 A DPA contract has been signed between our company and each of the listed sub-processors.

5.4.2 The payment method details are the only data stored at a sub-processor within the USA.

5.4.3 Only unique identifiers and registration data from Google Chrome for the end-users are transmitted through Google Cloud. It's only a network relay to send data to visitors.

6. Personal Data Breaches

6.1 In the event the Processor becomes aware of any Personal Data Breaches or incidents which may compromise the security of the Personal Data, including Personal Data Breaches resulting from the conduct of any Sub-processors and/or the Processor's Agents, the Processor shall i) notify the Controller without undue delay and ii) take all reasonable measures to prevent and limit further violation of the GDPR.

6.2 The Processor will, to the extent reasonable, provide all reasonable cooperation requested by the Controller in order for Controller to comply with its legal obligations relating to the identified incident.

6.3 The Processor will not be responsible for providing (correct and timely) notification to the supervisor and/or data subjects in accordance with Articles 33 and 34 of the GDPR.

7. Liability and Indemnity

7.1 Each party indemnifies the other and holds them harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the indemnified party and arising directly or indirectly out of or in connection with a breach of this DPA.

8. Erasure of data

8.1 The processor may not on its own authority rectify, erase or restrict the Processing of Personal Data that is being processed on behalf of the Controller (unless this is required by law), but shall only do so on documented instructions from the Controller and in accordance with data retention rules associated with the Controller's subscription plan.

8.2 At the expiry of the DPA, the Processor shall, at the choice of the Controller, return all the Personal Data transferred and the copies to the Controller or shall delete and/or anonymize all the Personal Data in an irreversible manner then certify it to the Controller, unless the law imposed upon the Processor prevents it from returning or destroying all or part of the Personal Data Processed.

8.3 The Processor undertakes to reasonably cooperate with the User to a reasonable extent in order to guarantee that requests from Data Subjects provided for under Data Protection Regulations to exercise their rights are met within the time limits and in accordance with the procedures laid down by law and, more generally, in order to ensure full compliance with the Data Protection Regulations. In this respect, the Processor undertakes to notify the Controller of any request by a Data Subject it received.

9. Audits

9.1 The Processor acknowledges and accepts that the Controller may, at its expense, have a trusted third party, recognised as an independent auditor of the Parties and appointed by the Processor, evaluate the organisational, technical and security measures adopted by the Processor in the context of the Processing of Personal Data under conditions to be defined by the Processor and the Controller and within the limits of maintaining the services and the confidentiality and the safety of the other customers but may not conduct an audit more than once per calendar year.

10. Duration

10.1 The DPA is effective as of May 21, 2021 and replaces and supersedes any previously agreed data processing agreement between you and the Processor.

10.2 Termination or expiration of this DPA shall not discharge the parties from the confidentiality obligations herein.

Signed on behalf of the Processor

Company: Brevz SAS
Name: Anthony Griffon
Title: CEO
Date: May 21, 2021