
BrainCreators Data Processing Agreement

This Data Processing Agreement (DPA) and its applicable DPA Exhibits apply to the Processing of Personal Data by BrainCreators on behalf of Client (Client Personal Data) subject to the General Data Protection Regulation 2016/679 (GDPR) or any other data protection laws identified at www.braincreators.com/dpa/dpl (together 'Data Protection Laws') in order to provide services (Services) pursuant to the Agreement between Client and BrainCreators. DPA Exhibits for each Service will be provided in the applicable Transaction Document (TD). This DPA is incorporated into the Agreement. Capitalized terms used and not defined herein have the meanings given to them in the applicable Data Protection Laws. In the event of a conflict, the DPA Exhibit prevails over the DPA which prevails over the rest of the Agreement.

1. Processing

1.1 Client is: (a) a Controller of Client Personal Data; or (b) acting as Processor on behalf of other Controllers and has been instructed by and obtained the authorization of the relevant Controller(s) to agree to the Processing of Client Personal Data by BrainCreators as Client's subprocessor as set out in this DPA. Client appoints BrainCreators as Processor to Process Client Personal Data. If there are other Controllers, Client will identify and inform BrainCreators of any such other Controllers prior to providing their Personal Data, in accordance with the DPA Exhibit.


1.2 A list of categories of Data Subjects, types of Client Personal Data, Special Categories of Personal Data and the processing activities are set out in the applicable DPA Exhibit for a Service. The duration of the Processing corresponds to the duration of the Service unless otherwise stated in the DPA Exhibit. The purpose and subject matter of the Processing is the provision of the Service as described in the Agreement.

1.3 BrainCreators will Process Client Personal Data according to Client's documented instructions. The scope of Client's instructions for the Processing of Client Personal Data is defined by the Agreement, and, if applicable, Client's and its authorized users' use and configuration of the features of the Service. Client may provide further legally required instructions regarding the Processing of Client Personal Data (Additional Instructions) as described in Section 10.2. If BrainCreators notifies Client that an Additional Instruction is not feasible, the parties shall work together to find an alternative. If BrainCreators notifies the Client that neither the Additional Instruction nor an alternative is feasible, Client may terminate the affected Service, in accordance with any applicable terms of the Agreement. If BrainCreators believes an instruction violates the Data Protection Laws, BrainCreators will immediately inform Client, and may suspend the performance of such instruction until Client has modified or confirmed its lawfulness in documented form.

1.4 Client shall serve as a single point of contact for BrainCreators. As other Controllers may have certain direct rights against BrainCreators, Client undertakes to exercise all such rights on their behalf and to obtain all necessary permissions from the other Controllers. BrainCreators shall be discharged of its obligation to inform or notify another Controller when BrainCreators has provided such information or notice to Client. Similarly, BrainCreators will serve as a single point of contact for Client with respect to its obligations as a Processor under this DPA.

1.5 BrainCreators will comply with all Data Protection Laws in respect of the Services applicable to BrainCreators as Processor. BrainCreators is not responsible for determining the requirements of laws or regulations applicable to Client's business, or that a Service meets the requirements of any such applicable laws or regulations. As between the parties, Client is responsible for the lawfulness of the Processing of the Client Personal Data. Client will not use the Services in a manner that would violate applicable Data Protection Laws.

2. Technical and organizational measures

Client and BrainCreators agree that BrainCreators will implement and maintain the technical and organizational measures set forth in the applicable DPA Exhibit (TOMs) which ensure a level of security appropriate to the risk for BrainCreators's scope of responsibility. TOMs are subject to technical progress and further development. Accordingly, BrainCreators reserves the right to modify the TOMs provided that the functionality and security of the Services are not degraded.

3. Technical and organizational measures


3.1 BrainCreators will inform Client of requests from Data Subjects exercising their Data Subject rights (e.g., including but not limited to rectification, deletion and blocking of data) addressed directly to BrainCreators regarding Client Personal Data. Client shall be responsible to handle such requests of Data Subjects. BrainCreators will reasonably assist Client in handling such Data Subject requests in accordance with Section 10.2.

3.2 If a Data Subject brings a claim directly against BrainCreators for a violation of their Data Subject rights, Client will reimburse BrainCreators for any cost, charge, damages, expenses, or loss arising from such a claim, to the extent that BrainCreators has notified Client about the claim and given Client the opportunity to cooperate with BrainCreators in the defense and settlement of the claim. Subject to the terms of the Agreement, Client may claim from BrainCreators damages resulting from Data Subject claims for a violation of their Data Subject rights caused by BrainCreators's breach of its obligations under this DPA and the respective DPA Exhibit.

4. Third Party Requests and Confidentiality

4.1 BrainCreators will not disclose Client Personal Data to any third party, unless authorized by the Client or required by law. If a government or Supervisory Authority demands access to Client Personal Data, BrainCreators will notify Client prior to disclosure, unless such notification is prohibited by law.

4.2 BrainCreators requires all of its personnel authorized to Process Client Personal Data to commit themselves to confidentiality and not Process such Client Personal Data for any other purposes, except on instructions from Client or unless required by applicable law.

5. Audit

5.1 BrainCreators shall allow for, and contribute to, audits, including inspections, conducted by the Client or another auditor mandated by the Client in accordance with the following procedures:

a. Upon Client's written request, BrainCreators will provide Client or its mandated auditor with the most recent certifications and/or summary audit report(s), which BrainCreators has procured to regularly test, assess and evaluate the effectiveness of the TOMs, to the extent set out in the DPA Exhibit.

b. BrainCreators will reasonably cooperate with Client by providing available additional information concerning the TOMs, to help Client better understand such TOMs.

c. If further information is needed by Client to comply with its own or other Controllers' audit obligations or a competent Supervisory Authority's request, Client will inform BrainCreators in writing to enable BrainCreators to provide such information or to grant access to it.

d. To the extent it is not possible to otherwise satisfy an audit right mandated by applicable law or expressly agreed by the Parties, only legally mandated entities (such as a governmental regulatory agency having oversight of Client's operations), the Client or its mandated auditor may conduct an onsite visit of the BrainCreators facilities used to provide the Service, during normal business hours and only in a manner that causes minimal disruption to BrainCreators's business, subject to coordinating the timing of such visit and in accordance with any audit procedures described in the DPA Exhibit in order to reduce any risk to BrainCreators's other customers.

Any other auditor mandated by the Client shall not be a direct competitor of BrainCreators with regard to the Services and shall be bound to an obligation of confidentiality.

5.2 Each party will bear its own costs in respect of paragraphs a. and b. of Section 5.1, otherwise, Section 10.2 applies accordingly.

6. Return or Deletion of Client Personal Data

6.1 Upon termination or expiration of the Agreement BrainCreators will either delete or return Client Personal Data in its possession as set out in the respective DPA Exhibit, unless otherwise required by applicable law.

7. Subprocessors

7.1 Client authorizes the engagement of other Processors to Process Client Personal Data (Subprocessors). A list of the current Subprocessors is set out in the respective DPA Exhibit. BrainCreators will notify Client in advance of any addition or replacement of the Subprocessors as set out in the respective DPA Exhibit. Within 30 days after BrainCreators's notification of the intended change, Client can object to the addition of a Subprocessor on the basis that such addition would cause Client to violate applicable legal requirements. Client's objection shall be in writing and include Client's specific reasons for its objection and options to mitigate if any. If Client does not object within such period, the respective Subprocessor may be commissioned to Process Client Personal Data. BrainCreators shall impose substantially similar but no less protective data protection obligations as set out in this DPA on any approved Subprocessor prior to the Subprocessor initiating any Processing of Client Personal Data.

7.2 If Client legitimately objects to the addition of a Subprocessor and BrainCreators cannot reasonably accommodate Client's objection, BrainCreators will notify Client. Client may terminate the affected Services as set out in the Agreement, otherwise the parties shall cooperate to find a feasible solution in accordance with the dispute resolution process.

8. Transborder Data Processing

8.1 In the case of a transfer of Client Personal Data to a country not providing an adequate level of protection pursuant to the Data Protection Laws (Non-Adequate Country), the parties shall cooperate to ensure compliance with the applicable Data Protection Laws as set out in the following Sections. If Client believes the measures set out below are not sufficient to satisfy the legal requirements, Client shall notify BrainCreators and the parties shall work together to find an alternative.

8.2 By entering into the Agreement, Client is entering into EU Standard Contractual Clauses as set out in the applicable DPA Exhibit (EU SCC) with (i) each Subprocessor listed in the respective DPA Exhibit that is a BrainCreators affiliate located in a Non-Adequate Country (BrainCreators Data Importers) and (ii) BrainCreators, if located in a Non-Adequate Country, as follows:

a. if Client is a Controller of all or part of the Client Personal Data, Client is entering into the EU SCC with respect to such Client Personal Data; and

b. if Client is acting as Processor on behalf of other Controllers of all or part of the Client Personal Data, then Client is entering into the EU SCC:

(i) as back-to-back EU SCC in accordance with Clause 11 of the EU Standard Contractual Clauses (Back-to-Back SCC), provided that Client has entered into separate EU Standard Contractual Clauses with the Controllers; or

(ii) on behalf of the other Controller(s).

Client agrees in advance that any new BrainCreators Data Importer engaged by BrainCreators in accordance with Section 7 shall become an additional data importer under the EU SCC and/or Back-to-Back SCC.

8.3 If a Subprocessor located in a Non-Adequate Country is not a BrainCreators Data Importer (Third Party Data Importer) and EU SCC are entered into in accordance with Section 8.2, then, BrainCreators or a BrainCreators Data Importer shall enter into Back-to-Back SCC with such a Third Party Data Importer. Otherwise, Client on its own behalf and/or, if required, on behalf of other Controllers shall enter into separate EU Standard Contractual Clauses or Back-to-Back SCC as provided by BrainCreators.

8.4 If Client is unable to agree to the EU SCC or Back-to-Back SCC on behalf of another Controller, as set out in Sections 8.2 and 8.3, Client will procure the agreement of such other Controller to enter into those agreements directly. Additionally, Client agrees and, if applicable, procures the agreement of other Controllers that the EU SCC or the Back-to-Back SCC, including any claims arising from them, are subject to the terms set forth in the Agreement, including the exclusions and limitations of liability. In case of conflict, the EU SCC and Back-to-Back SCC shall prevail.

9. Personal Data Breach

9.1 BrainCreators will notify Client without undue delay after becoming aware of a Personal Data Breach with respect to the Services. BrainCreators will promptly investigate the Personal Data Breach if it occurred on BrainCreators infrastructure or in another area BrainCreators is responsible for and will assist Client as set out in Section 10.

10. Assistance

10.1 BrainCreators will assist Client by technical and organizational measures for the fulfillment of Client's obligation to comply with the rights of Data Subjects and in ensuring compliance with Client's obligations relating to the security of Processing, the notification and communication of a Personal Data Breach and the Data Protection Impact Assessment, including prior consultation with the responsible Supervisory Authority, if required, taking into account the nature of the processing and the information available to BrainCreators.

10.2 Client will make a written request for any assistance referred to in this DPA. BrainCreators may charge Client no more than a reasonable charge to perform such assistance or an Additional Instruction, such charges to be set forth in a quote and agreed in writing by the parties, or as set forth in an applicable change control provision of the Agreement. If Client does not agree to the quote, the parties agree to reasonably cooperate to find a feasible solution in accordance with the dispute resolution process.