Data Processing Agreement
Version 1.1 - 9 March 2026
This Data Processing Agreement (DPA) forms part of the agreement between Brieflodge and the customer using the Services (Customer) where Brieflodge processes personal data on behalf of the Customer in connection with the Services.
Quick summary
- Customer controls the purposes for which workspace content and other customer-submitted personal data are processed.
- Brieflodge acts as a processor or subprocessor for that data, depending on the relationship.
- Brieflodge uses a limited number of subprocessors to operate infrastructure, email, payments, analytics, and realtime collaboration.
- Brieflodge applies technical and organisational measures designed to protect customer data and will notify Customer without undue delay if it becomes aware of a qualifying personal data breach.
- Transfers outside the EEA are covered by appropriate safeguards where required.
1. Parties and roles
This DPA is entered into between:
- Customer, acting as controller or processor, as applicable; and
- Brieflodge, acting as processor or subprocessor, as applicable.
For the purposes of this DPA, Brieflodge's contact details are:
Brieflodge
Paris, France
Email: privacy@brieflodge.com
2. Scope and duration
This DPA applies where Brieflodge processes personal data contained in briefs, comments, attachments, tasks, suggestions, workspace records, invitations, or related collaboration content on behalf of Customer.
This DPA remains in effect for as long as Brieflodge processes such personal data on behalf of Customer under the Services.
3. Subject matter, nature, and purpose of the processing
Brieflodge provides collaborative workflow and brief-management services. Processing may include hosting, storing, organising, structuring, transmitting, retrieving, synchronising, securing, exporting, and deleting personal data as necessary to provide the Services.
The purpose of the processing is to enable Customer to create, manage, review, collaborate on, and administer work through the Services.
4. Categories of data subjects and personal data
Depending on how Customer uses the Services, the processing may involve:
Data subjects
- Customer's employees, contractors, and authorised users;
- Customer's clients, prospects, collaborators, vendors, and other persons whose data is included in Customer Content;
- other persons whose information Customer uploads to the Services.
Categories of personal data
- identification and contact information;
- job, company, and workspace information;
- brief and project content;
- comments, suggestions, files, and attachments;
- workflow and task information;
- technical and usage metadata related to Customer Content.
Customer is responsible for ensuring that the categories of data it submits are lawful, relevant, and proportionate for its intended use of the Services, including any special-category or sensitive data.
5. Customer instructions
Brieflodge will process personal data only on Customer's documented instructions, including instructions given through Customer's use and configuration of the Services, unless otherwise required by applicable law.
If Brieflodge believes that an instruction infringes applicable data protection law, Brieflodge may notify Customer and suspend the affected processing until the instruction is clarified or corrected.
6. Customer obligations
Customer is responsible for:
- determining whether the Services are appropriate for Customer's intended processing;
- providing any notices and obtaining any consents required under applicable law;
- ensuring the lawful basis for the submission and processing of personal data through the Services;
- responding to data subject requests and regulatory inquiries relating to Customer Content, except to the extent Brieflodge is required to assist under this DPA.
7. Confidentiality
Brieflodge will ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations and are given access only on a need-to-know basis.
8. Security measures
Brieflodge will implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
These measures include, as appropriate to the Services:
- authenticated access controls and role-based permissions;
- encrypted transmission channels and managed infrastructure security controls;
- logical segregation of customer data;
- monitoring, logging, and incident-response processes;
- deletion and cleanup routines for expired or removed data;
- vendor management and security review processes for critical providers.
9. Subprocessors
Customer authorises Brieflodge to use subprocessors that are necessary to provide the Services.
Brieflodge's current processor and infrastructure providers relevant to the Services include:
| Provider | Service category | Country | May process brief / project submission | Typical role |
|---|---|---|---|---|
| Cloudflare | Hosting, storage, and security infrastructure | πͺπΊ | Yes | Hosting, storage delivery, and security controls, including Cloudflare R2-backed file storage |
| Supabase | Backend, database, and authentication platform | πͺπΊ | Yes | Core application data and authentication. Brieflodge stores application content in Supabase within the EU. |
| Directus | Content management platform | πͺπΊ | No | Public content management |
| Resend | Transactional email delivery | πΊπΈ | Yes | Service notifications and transactional messaging that may include brief or project context selected by users |
| Stripe | Payment processing and billing | πΊπΈ | No | Subscription and invoice processing |
| PostHog | Product analytics and monitoring | πͺπΊ | No | Diagnostics and analytics where configured |
| Unsplash | Optional image-discovery integration | π¨π¦ | No | User-initiated media discovery |
Brieflodge will impose data protection obligations on subprocessors that are appropriate to the nature of the services they provide.
10. Assistance
Taking into account the nature of the processing and the information available to Brieflodge, Brieflodge will provide reasonable assistance to Customer in relation to:
- data subject requests;
- security incidents and personal data breaches;
- data protection impact assessments where required;
- consultation with supervisory authorities where required;
- compliance with Customer's obligations under applicable data protection law, to the extent that such assistance is reasonably possible and proportionate.
11. Security incidents
If Brieflodge becomes aware of a personal data breach affecting personal data processed under this DPA, Brieflodge will notify Customer without undue delay and provide available information reasonably necessary for Customer to meet its legal obligations.
12. International transfers
Where personal data processed under this DPA is transferred outside the EEA, Brieflodge will ensure that an appropriate transfer mechanism is in place, such as standard contractual clauses or another lawful safeguard.
13. Audit and information rights
Upon reasonable written request, Brieflodge will make available information reasonably necessary to demonstrate compliance with this DPA.
Where justified and proportionate, Customer may request an audit or equivalent assurance process, subject to reasonable confidentiality, security, operational limitations, and the protection of other customers' information.
14. Return and deletion
During the term of the Services, Customer may access and manage Customer Content through the product.
On termination or deletion of the relevant Services, Brieflodge will delete or return personal data in accordance with the product's functionality, this DPA, and applicable law, subject to limited retention required for legal, security, billing, backup, and evidentiary purposes.
15. Liability and order of precedence
This DPA is subject to the liability framework of the main agreement between Brieflodge and Customer unless mandatory law requires otherwise.
If there is a conflict between this DPA and the data protection terms of the main agreement, this DPA will prevail for the relevant subject matter.
16. Contact
Questions relating to this DPA may be sent to privacy@brieflodge.com.