Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between BrickGRC ("Processor", "we", "us") and the Customer ("Controller", "you") and governs the processing of personal data by BrickGRC on behalf of the Customer in connection with the BrickGRC platform. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Definitions

"Controller" means the Customer, who determines the purposes and means of processing personal data through the use of the BrickGRC platform.

"Processor" means BrickGRC, which processes personal data on behalf of the Controller in connection with the provision of the Service.

"Data Subject" means an identified or identifiable natural person whose personal data is processed under this DPA.

"Personal Data" means any information relating to a Data Subject as defined in Article 4(1) of the GDPR.

"Processing" means any operation or set of operations performed on personal data, whether or not by automated means, as defined in Article 4(2) of the GDPR.

"Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.

"GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council.

Capitalized terms not defined in this DPA shall have the meanings given to them in the Agreement or the GDPR, as applicable.

2. Scope & Roles

The Customer acts as the Controller and BrickGRC acts as the Processor with respect to personal data processed through the Service. BrickGRC shall process personal data only on documented instructions from the Controller, including the instructions set out in this DPA and the Agreement, unless required to do so by European Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

BrickGRC shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other applicable data protection provisions of the European Union or Member States.

3. Types of Personal Data Processed

The categories of personal data processed under this DPA may include, depending on the Controller's use of the Service:

Account Data: Names, email addresses, job titles, organization names, and authentication credentials of users who access the platform.

Compliance Data: Information contained within compliance engagements, work items, maturity assessments, and related records that may include personal data about individuals within the Controller's organization.

Uploaded Documents: Files, policies, procedures, evidence documents, and other materials uploaded by the Controller that may contain personal data.

AI Interaction Data: Prompts, queries, and content submitted to AI-powered features such as the compliance assistant, document intelligence, and evidence auto-linking, which may include personal data from the Controller's compliance records.

Employee Directory Data: If the Controller uses employee directory synchronization integrations (e.g., via HR system Bricks), employee names, email addresses, departments, roles, and related organizational data may be processed.

Audit Logs: Records of user actions within the platform, including timestamps, IP addresses, user identifiers, and descriptions of activities performed.

4. Purpose of Processing

BrickGRC processes personal data solely for the purpose of providing the BrickGRC platform services as described in the Agreement, including: operating and maintaining the platform; providing compliance management, document intelligence, evidence linking, maturity scoring, and report generation features; delivering AI-powered compliance assistance; authenticating users and enforcing access controls; generating audit trails; performing backups and ensuring service continuity; and providing customer support.

BrickGRC shall not process personal data for any purpose other than as set out in this DPA and the Agreement, and shall not sell, rent, or otherwise commercially exploit personal data.

5. Duration of Processing

BrickGRC shall process personal data for the duration of the Agreement, plus any retention period required for the Controller to export their data and for BrickGRC to complete deletion in accordance with Section 12 of this DPA. Processing shall cease upon the expiration or termination of the Agreement, subject to the data deletion and return provisions set out herein.

6. Sub-Processors

The Controller grants BrickGRC general authorization to engage sub-processors to assist in the provision of the Service. A current list of sub-processors is maintained in our Privacy Policy. BrickGRC shall ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA.

BrickGRC shall notify the Controller at least 30 days in advance of any intended addition or replacement of a sub-processor, providing the Controller with sufficient information to assess the change. Notification shall be provided via email to the address associated with the Controller's account.

The Controller may object to the appointment of a new sub-processor by notifying BrickGRC in writing within 14 days of receiving the notification. The objection must be based on reasonable grounds relating to data protection. Upon receipt of an objection, BrickGRC shall work in good faith with the Controller to address the concern. If the parties cannot resolve the objection within 30 days, the Controller may terminate the affected Service without penalty by providing written notice.

BrickGRC remains fully liable to the Controller for the performance of each sub-processor's obligations under this DPA. Where a sub-processor fails to fulfill its data protection obligations, BrickGRC shall be liable to the Controller for the acts and omissions of that sub-processor as if they were BrickGRC's own.

7. Security Measures

BrickGRC implements and maintains appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, without limitation:

Encryption at Rest: Sensitive credentials and secrets are encrypted using AES-256-GCM encryption. Database storage is encrypted at the filesystem level.

Encryption in Transit: All data transmitted between the client and the Service is protected using TLS 1.2 or higher. API communications with third-party sub-processors are encrypted in transit.

Password Security: User passwords are hashed and salted using the scrypt key derivation function. Plaintext passwords are never stored or logged.

Role-Based Access Control: The platform enforces role-based access control (RBAC) with five distinct roles — Owner, Administrator, Auditor, Editor, and Viewer — each with granular permissions ensuring users can only access data and perform actions appropriate to their role.

Logical Tenant Isolation: Each organization's data is logically isolated within the platform. All database queries and API operations are scoped to the authenticated organization, preventing cross-tenant data access.

Account Lockout: User accounts are temporarily locked after 5 consecutive failed authentication attempts to protect against brute-force attacks.

Two-Factor Authentication: The platform supports two-factor authentication (2FA) using Time-based One-Time Passwords (TOTP), providing an additional layer of account security.

Security Reviews: BrickGRC conducts regular security reviews of its infrastructure, application code, and access controls to identify and remediate potential vulnerabilities.

Encrypted Backups: Database and file storage backups are encrypted and stored securely. Backup procedures are tested periodically to ensure data recoverability.

BrickGRC shall regularly assess the adequacy of these measures and update them as necessary to address evolving security risks and technological developments, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to data subjects.

8. Data Subject Rights

BrickGRC shall assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under the GDPR, including the rights of access, rectification, erasure, restriction of processing, data portability, and objection. Such assistance shall be provided by appropriate technical and organizational measures, insofar as this is possible.

If BrickGRC receives a request directly from a Data Subject regarding the Controller's data, BrickGRC shall promptly notify the Controller of the request and shall not respond to the Data Subject directly unless authorized by the Controller or required by applicable law.

9. Breach Notification

BrickGRC shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting the Controller's data. The notification shall be made to the email address associated with the Controller's account and, where available, through the platform's notification system.

The breach notification shall include, to the extent reasonably available: a description of the nature of the personal data breach, including the categories and approximate number of Data Subjects and personal data records affected; the name and contact details of BrickGRC's point of contact for further information; a description of the likely consequences of the breach; and a description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.

Where it is not possible to provide all information at the time of initial notification, BrickGRC shall provide the information in phases without further undue delay. BrickGRC shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.

10. International Data Transfers

BrickGRC's primary infrastructure is hosted within the European Union, specifically at Hetzner data centers located in Germany. Personal data is stored and processed within the EU/EEA by default.

Where personal data is transferred to sub-processors located outside the EU/EEA (for example, to AI providers for AI-powered features), BrickGRC shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including the use of Standard Contractual Clauses (SCCs) adopted by the European Commission, adequacy decisions, or other approved transfer mechanisms.

Where the Controller configures their own third-party AI provider through the Bricks system, the Controller acknowledges that data transfers to that provider are governed by the Controller's own agreement with the provider, and the Controller is responsible for ensuring appropriate transfer safeguards are in place.

11. Audit Rights

BrickGRC shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audits shall be conducted subject to the following conditions: the Controller shall provide at least 30 days' written notice of its intention to conduct an audit; audits shall be conducted during BrickGRC's normal business hours; the Controller and its auditors shall enter into appropriate confidentiality obligations (NDA) prior to the audit; audits shall be conducted in a manner that minimizes disruption to BrickGRC's operations; and the Controller shall bear the costs of the audit unless the audit reveals material non-compliance by BrickGRC.

BrickGRC may satisfy audit requests by providing the Controller with relevant certifications, audit reports, or summaries of independent third-party assessments, where available, which the Controller may accept in lieu of an on-site audit at its discretion.

12. Data Deletion & Return

Upon expiration or termination of the Agreement, BrickGRC shall provide the Controller with a 30-day period during which the Controller may export all personal data from the platform using the available export tools. BrickGRC shall make reasonable efforts to assist the Controller with data export upon request.

Following the expiration of the 30-day export period, BrickGRC shall delete all personal data within 90 days, including all copies stored in production systems, backups, and disaster recovery environments, unless retention is required by applicable European Union or Member State law. Where retention is legally required, BrickGRC shall inform the Controller of the legal basis and limit processing to the extent required by that legal obligation.

BrickGRC shall provide written confirmation of data deletion upon the Controller's request.

13. Confidentiality

BrickGRC shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to personal data shall be limited to those personnel who require access to perform their duties in connection with the provision of the Service.

14. Data Protection Impact Assessments

BrickGRC shall provide reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Articles 35 and 36 of the GDPR, taking into account the nature of the processing and the information available to BrickGRC.

15. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Portuguese Republic and the applicable provisions of the GDPR. Any disputes arising from this DPA shall be submitted to the exclusive jurisdiction of the courts of Lisbon, Portugal, without prejudice to the rights of Data Subjects or supervisory authorities under the GDPR.

16. Contact

For questions regarding this Data Processing Agreement or data protection matters, please contact us at [email protected].