Skip to content

Die englische Fassung dieses Dokuments ist maßgeblich. Diese Übersetzung dient nur der Bequemlichkeit.

Rechtliches

Data Processing Agreement

v1.0 · Gültig ab 2026-05-10

How this works. This DPA is pre-signed by Brainpercent on behalf of all customers. By accepting our Terms of Service and using the Service to process personal data of EU/UK data subjects, you ("Controller") accept this DPA as if signed. No counter-signature is required for most teams. Larger enterprises that need a signed copy under their own paper: edward@brainpercent.com.

1. Parties

  • Processor: Brainpercent, LLC ("Brainpercent," "Processor," "we").
  • Controller: The customer entity that has agreed to our Terms of Service ("Controller," "Customer," "you").

2. Definitions

Terms in this DPA have the meanings given to them in the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and, where applicable, the UK Data Protection Act 2018 + UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), and the California Consumer Privacy Act ("CCPA"). In particular: "Personal Data," "Process / Processing," "Data Subject," "Controller," "Processor," "Sub-processor," "Personal Data Breach," "Supervisory Authority," and "Standard Contractual Clauses" (the modules of the EU Commission's 2021 SCCs).

3. Scope & Roles

This DPA applies whenever Brainpercent Processes Personal Data on behalf of Controller in the course of providing the Service. Brainpercent acts as Processor and Controller is the Controller. Where Brainpercent processes Personal Data for its own purposes (e.g., billing, fraud prevention, product analytics on aggregated data), Brainpercent is an independent Controller and that processing is governed by our Privacy Policy, not this DPA.

4. Processing Details

The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex 1.

5. Controller Obligations

Controller represents and warrants that:

  • It has a lawful basis under Art. 6 GDPR for all Personal Data submitted to the Service;
  • It has fulfilled its transparency obligations to Data Subjects under Art. 13 / 14 GDPR;
  • Where Sensitive Personal Data is submitted (e.g., special categories under Art. 9), Controller has secured explicit consent or other valid Art. 9(2) condition;
  • Controller will not use the Service for prohibited high-risk AI uses as listed in our AI Transparency Page.

6. Processor Obligations

Brainpercent will:

  • Process Personal Data only on documented instructions from Controller, including with regard to transfers to a third country (Art. 28(3)(a) GDPR). Controller's instructions are set forth in this DPA, the Terms of Service, and Controller's use of the Service's features.
  • Ensure that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations.
  • Assist Controller, taking into account the nature of the Processing, in fulfilling its obligation to respond to Data Subject requests under Chapter III GDPR.
  • Assist Controller with security obligations, breach notifications, data protection impact assessments, and prior consultations with Supervisory Authorities (Arts. 32–36 GDPR).
  • Provide Controller with information necessary to demonstrate compliance with Art. 28 obligations and allow for and contribute to audits under §12 below.

7. Security Measures

Brainpercent implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR). Current measures are described in Annex 2. Brainpercent may update Annex 2 over time but will maintain a level of security equivalent to or better than the version effective on the date Controller accepted these Terms.

8. Sub-processors

Controller authorizes Brainpercent to engage Sub-processors to Process Personal Data on Controller's behalf. The current list of Sub-processors is maintained at /legal/subprocessors.

Brainpercent will:

  • Impose data protection obligations on Sub-processors no less protective than those in this DPA;
  • Remain liable for Sub-processor acts and omissions to the same extent it is liable for its own;
  • Provide at least 30 days' advance notice of any intended addition or replacement of Sub-processors by updating the Subprocessors page and posting an entry in our Legal Changelog;
  • Allow Controller to object to a new Sub-processor on reasonable grounds; if the parties cannot resolve the objection, Controller may terminate the affected Service for convenience and receive a pro-rated refund of any prepaid amounts.

9. Data Subject Rights

Brainpercent will, to the extent legally permitted, promptly notify Controller of any request received directly from a Data Subject. Brainpercent will not respond to such requests except on documented instructions from Controller or as required by applicable law. Brainpercent will assist Controller with technical measures (including data export and deletion APIs) to enable Controller to respond to Data Subject access, rectification, erasure, restriction, portability, and objection requests.

10. Personal Data Breach

Brainpercent will notify Controller without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting Controller's Personal Data. The notification will include, to the extent then known: the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the breach and mitigate its effects.

11. International Transfers

Brainpercent primarily Processes Personal Data within the European Economic Area (EU regions on Supabase + Vercel). Where Processing requires transfer to a third country (e.g., for AI inference performed by a U.S.-based Sub-processor like Anthropic or OpenAI), such transfer is governed by:

  • The 2021 EU Commission Standard Contractual Clauses, Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor) as applicable, which are incorporated by reference into this DPA;
  • The UK International Data Transfer Addendum to the EU SCCs where UK-origin data is transferred;
  • The Swiss-specific amendments to the SCCs for FADP-origin data;
  • Any supplementary measures necessary under Schrems II (encryption-in-transit, encryption-at-rest, end-user contractual notice of access requests).

The Sub-processor list at /legal/subprocessors identifies, for each Sub-processor, the country of Processing and the applicable transfer mechanism.

12. Audit Rights

Brainpercent will make available to Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and this DPA. On reasonable prior written request (and not more than once per twelve (12) month period unless required by a Supervisory Authority or following a Personal Data Breach), Controller may conduct an audit limited to:

  • Review of Brainpercent's then-current SOC 2 Type II or equivalent report (when available); and
  • A written questionnaire (Brainpercent will respond within 30 days).

On-site audits are available only for enterprise customers under a separately negotiated agreement and at Controller's cost.

13. Deletion / Return of Personal Data

Following termination of the Service, Brainpercent will, at Controller's choice, delete or return all Personal Data to Controller, and delete existing copies, unless retention is required by Union or Member State law. Deletion will be completed within 90 days of termination unless a longer period is required by law. Controller may export Personal Data at any time during the Service term via the in-app data export feature (Settings → Privacy → Export my data).

14. Liability & Indemnity

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service. Nothing in this DPA limits or excludes either party's liability for:

  • Direct damages caused by infringement of GDPR for which the party is liable under Art. 82(2) GDPR;
  • Either party's fraud, gross negligence, or willful misconduct;
  • Liability that cannot be limited under applicable law.

15. Term & Termination

This DPA enters into force on the date Controller accepts the Terms of Service and remains in force for as long as Brainpercent Processes Personal Data on Controller's behalf. Termination of the Terms of Service automatically terminates this DPA, except for provisions that by their nature survive termination (Annex 1, Annex 2, §10 Breach Notification for breaches discovered after termination, §13 Deletion, §14 Liability).

16. Execution

This DPA is executed by Brainpercent through publication at this URL. Controller's execution is constituted by acceptance of the Terms of Service.

For Brainpercent, LLC:

Name: Edward Ilin
Title: Founder & CEO
Date: 2026-05-10
Email: edward@brainpercent.com

Annex 1: Processing Details (Art. 28(3) GDPR)

Subject matterProvision of AI-powered content generation, scheduling, and publishing services.
DurationFor the term of Controller's subscription, plus the deletion window described in §13.
Nature of ProcessingStorage, transmission, AI inference (text + image + video + audio generation), publishing via third-party platform APIs, analytics, billing.
PurposeTo enable Controller to generate, schedule, and publish marketing content using AI; to provide account, billing, and support services; to detect fraud and abuse.
Types of Personal DataAccount data (email, name, hashed password, locale, timezone), payment metadata (last 4 of card, billing country — held by Stripe, not us), content inputs that may incidentally contain Personal Data (URLs, brand assets, prompts), connected-platform tokens (encrypted), usage logs (IP address, user agent, request paths, timestamps), support correspondence.
Sensitive (Art. 9) dataNone expected. Controller represents that it will not submit Sensitive Personal Data unless it has obtained explicit consent or other valid Art. 9(2) condition.
Categories of Data SubjectsController's employees, contractors, or end-customers whose information is submitted to the Service.
Sub-processorsSee /legal/subprocessors for the up-to-date list.

Annex 2: Security Measures (Art. 32 GDPR)

Brainpercent implements the following technical and organizational measures:

  • Encryption in transit: TLS 1.2+ on all customer endpoints; HSTS enabled; TLS 1.3 preferred where supported by the client.
  • Encryption at rest: AES-256 on Supabase (Postgres), Vercel (build artifacts + logs), Cloudinary (media), Supabase Storage (user-uploaded media). All encryption-at-rest keys are managed by the underlying infrastructure provider; we do not handle raw key material.
  • Access controls: Single founder (Edward) holds production write access. SSO via Google Workspace with mandatory MFA. Read-only access for support is logged.
  • Row-level security (RLS): All user-scoped tables use Supabase RLS policies. The service-role key is never exposed to client code.
  • Secret management: API keys + secrets stored in Vercel environment variables, never committed to git. Pre-commit hooks scan for accidental secret commits.
  • Backups: Supabase point-in-time recovery enabled (7-day window on production). Backups encrypted at rest.
  • Logging: Application logs and infrastructure logs retained for 30 days for security investigation; longer retention requires Controller-specific request.
  • Vulnerability management: Dependabot enabled on the production repository; critical-severity advisories patched within 7 days. Annual penetration test performed by an independent third party (next test: 2026-Q3).
  • Incident response: 24-hour acknowledgment, 72-hour Controller notification, public post-mortem for any material breach. See our Legal Changelog for a running record of incidents.
  • Webhook authentication: Stripe, GetLate, and AI provider webhooks all validated with HMAC signatures or constant-time comparison.
  • Sub-processor due diligence: Before engaging a new Sub-processor, we review their certifications (ISO 27001, SOC 2 Type II, GDPR compliance statement) and verify their location + transfer mechanism.
  • Personnel training: Single-operator at present (Edward). Any future hire must complete privacy + security onboarding before receiving access to Personal Data.

Last updated 2026-05-10. Brainpercent will maintain a level of security equivalent to or better than the version effective on the date Controller accepted these Terms.