
Data processing addendum

Last updated: 2026-04-18. A pre-signed DPA that covers processing under GDPR, UK GDPR, and comparable regimes. Download, counter-sign, email back — we do not require negotiation.

1. Purpose

This Data Processing Addendum ("DPA") forms part of the agreement between you (the "Controller") and Brily (the "Processor") covering the processing of personal data you put into the Brily platform.

2. Roles

  • You are the data controller for any personal data of your end-users that you put into Brily — status page subscribers, NPS respondents, etc.
  • Brily acts as your data processor for that data. We also act as an independent controller for the account-level data you give us (your team's emails, billing info). See the privacy policy for the controller-of-our-own-data part.

3. Processing instructions

We process personal data only on your documented instructions, which include: the scope described in the product documentation; any configuration you set in the dashboard; and specific written instructions from you via our support channels. If we believe an instruction would violate law, we'll tell you and pause execution.

4. Categories of data and data subjects

  • Data subjects: your end-users (status page subscribers, NPS respondents, product end-users whose identifiers you supply), and your team members.
  • Data categories: contact information (email), free-text survey responses, request metadata (IP, user agent, timestamp) from monitor checks, NPS responses and comments, external user identifiers you supply.

5. Security measures

  • AES-256 encryption at rest, TLS 1.2+ in transit with HSTS.
  • Argon2id password hashing, MFA available on all accounts, enforced on admin roles.
  • Principle of least privilege for employee access. Production data access is logged and reviewed.
  • Regular backups with encrypted off-site copies. Quarterly restore drills.
  • Annual third-party penetration test. Summary report available under NDA.
  • Incident response plan with 24-hour initial notification to affected controllers.

6. Sub-processors

You authorise us to use sub-processors listed on the sub-processors page. We flow down equivalent data-protection terms. We give 30 days' notice before adding a new sub-processor. You may object; if we cannot accommodate, you may terminate the DPA and the main agreement for the affected service.

7. International transfers

Transfers outside the EEA, UK, or Switzerland rely on the EU Standard Contractual Clauses (2021/914) — Module 2 or Module 3 as applicable — or the UK International Data Transfer Addendum / Swiss equivalent. We perform transfer impact assessments before onboarding any sub-processor that introduces a new jurisdiction.

8. Data subject requests

If a data subject contacts us directly, we refer them to you. We assist you in responding to access, rectification, erasure, restriction, and portability requests via the self-serve tools in the dashboard and, where those are insufficient, by engineering support within 10 business days.

9. Breach notification

We notify you without undue delay — and in any event within 72 hours of becoming aware — of a personal data breach affecting your data. Notifications go to the email on file for the primary account admin.

10. Audit rights

Once per year, and on reasonable notice, you may audit our compliance with this DPA. In practice, we make available our SOC 2 Type II or equivalent report under NDA, which satisfies most audit rights. On-site audits require written justification and cover reasonable costs.

11. Deletion and return

On termination, we delete or return personal data within 30 days (90-day grace for billing reconciliation). On your request during the agreement, we export your data in a structured, commonly-used format.

12. Liability

Liability under this DPA is subject to the liability cap in the main agreement. Nothing limits statutory liability that cannot be contractually limited.

13. Getting a signed copy

Email legal@brily.app with your legal entity name and we'll send a PDF with our signature already in it. Counter-sign, email back. Done.