PoliciesDPA

Last updated: April 1, 2026

Data Processing Addendum

Brazen.AI's standard DPA for customers processing personal data through the platform, with EU SCCs and UK Addendum.

On this page

This page describes the Data Processing Addendum (“DPA”) Brazen.AI offers to customers whose use of the platform involves the processing of personal data for which the customer is the controller (or business, under US state law) and Brazen.AI is the processor (or service provider).

Overview

Our standard DPA is available for download upon request. It incorporates the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and the Swiss FDPIC addendum, and reflects the requirements of GDPR Article 28, the UK GDPR, the Swiss Federal Act on Data Protection, the CCPA/CPRA, and the analogous US state laws.

Our standard DPA is available for download at request — contact legal@brazen.ai.

Who needs a DPA

You should request a DPA if any of the following are true:

  • You will upload, ingest, or instruct Brazen.AI to process personal data of your customers, prospects, or end-users.
  • You are subject to the GDPR, the UK GDPR, the Swiss FADP, the CCPA/CPRA, or another comprehensive privacy law.
  • Your procurement, security, or legal team requires a signed DPA before approving SaaS vendors.

How to request

Email legal@brazen.ai with the subject line “DPA Request” and include the following:

  • The legal name of the contracting entity and its registered address.
  • The name and email of the signatory.
  • Whether you require execution by signature or whether you accept our pre-signed standard form.
  • Any required supplementary materials, such as your TOMs (technical and organizational measures) questionnaire or a SIG Lite.

We typically return a countersigned DPA within 5 business days.

Standard terms summary

The standard DPA covers, at minimum:

  • Subject matter, duration, and nature and purpose of processing.
  • Categories of data subjects and personal data processed.
  • Brazen.AI's obligations as a processor, including processing only on documented instructions and ensuring confidentiality of authorized personnel.
  • Security measures applied to customer personal data.
  • Sub-processor authorization and notification of changes.
  • Assistance with data subject rights requests and with the controller's obligations under Articles 32–36 of the GDPR.
  • Personal-data breach notification obligations.
  • Deletion or return of personal data on termination.
  • Audit rights, with limits.

Sub-processors

Our current sub-processor list is published at /subprocessors. We will notify customers at least 30 days before engaging a new sub-processor that will process customer personal data, and customers may object on reasonable grounds related to data protection.

International transfers

For transfers of personal data from the EEA, the UK, and Switzerland to the United States or to other jurisdictions without an adequacy decision, we rely on the Standard Contractual Clauses and the respective UK and Swiss addenda incorporated into the DPA, together with appropriate supplementary measures.

Audit rights

Customers may request audit information no more than once per calendar year, with reasonable notice and during business hours. Where Brazen.AI's audit reports (such as SOC 2 or ISO 27001) cover the requested scope, we will provide those reports under NDA in lieu of an on-site audit. Direct on-site audits are available where required by law or where standard reports are insufficient, subject to reasonable cost-recovery terms.

Security

Brazen.AI's technical and organizational measures are described in our Security Overview and incorporated into the DPA by reference.

Contact

Legal: legal@brazen.ai
Privacy: privacy@brazen.ai