Data Processing Addendum (DPA)
Effective June 2026.
This Data Processing Addendum ("DPA") forms part of the agreement between you (the "Customer", acting as data controller) and YourBrief (the "Processor", acting as data processor) for the use of the YourBrief platform. It records the parties' commitments under Articles 28 and 32 of the UK GDPR / EU GDPR.
1. Subject matter and duration
The Processor processes personal data on behalf of the Customer in connection with the provision of the YourBrief client-brief intake service. The processing continues for the duration of the Customer's active subscription and any retention period specified below.
2. Nature and purpose of processing
- Hosting branded brief forms and accepting submissions from end-clients.
- Storing structured answers, attached files and basic submission metadata.
- Sending transactional email (client receipts, team notifications, reminders).
- Producing operator analytics in the admin dashboard.
3. Categories of data subjects
- The Customer's end-clients who complete brief forms.
- The Customer's own staff with admin accounts on the platform.
4. Categories of personal data
- Identification data: name, business email, optional company name.
- Submission content (free-text answers, choices, file uploads).
- Operational metadata: IP address (retained for rate limiting and abuse prevention), user-agent, timestamps.
- Account data for staff: name, email, password hash, role, TOTP (2FA) secret.
5. Sub-processors
The Customer authorises the use of the sub-processors listed at /sub-processors. We give 30 days' notice via email and changelog before adding or replacing a sub-processor; the Customer may object during this period and terminate if a satisfactory alternative cannot be agreed.
6. Security measures (Article 32)
- Encryption in transit (TLS 1.2+) for all platform endpoints.
- Encryption at rest for the application database and object storage.
- Per-agency role-based access control with optional TOTP two-factor authentication.
- Application-level rate limiting on authentication and public form submission.
- Daily automated backups with a configurable retention window.
- Activity log of administrator actions retained for 180 days.
- Annual review of access lists and dependency security advisories.
7. International transfers
Customer data is stored in regions operated by the platform infrastructure provider. Where personal data is transferred outside the UK / EEA, the Processor relies on the UK International Data Transfer Addendum and/or the EU Standard Contractual Clauses (Module 2, controller-to-processor, or Module 3, processor-to-processor, as applicable) executed with each relevant sub-processor.
8. Data subject rights
The Processor provides the Customer with the technical means to action data subject requests, including JSON export and erasure of each individual submission. End-clients may also self-serve via a signed link included in their brief confirmation email.
9. Personal data breach notification
The Processor will notify the Customer without undue delay (and in any event within 72 hours) of becoming aware of a personal data breach affecting Customer data. Notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed. The Customer's own obligation under Article 33(1) to notify the supervisory authority within 72 hours runs from the time the Customer becomes aware, which in practice is on receipt of this notification.
10. Audits
On reasonable written notice (no more than once per twelve-month period, except where required by a competent supervisory authority), the Processor will provide documentary evidence of its security controls. On-site audits may be arranged by agreement and at the Customer's cost.
11. Return or deletion at termination
Within 30 days of termination, the Processor will, at the Customer's choice, either return all personal data via JSON export or permanently delete it from production systems. Copies held in rolling backups are purged within 90 days of termination.
12. Contact
Questions about this DPA, sub-processors, or to exercise audit rights: support@yourbrief.agency.