• Why Brieflodge
  • Templates
  • Changelog
  • Pricing
Start for freeSign In
Data Processing Agreement

The contractual terms that apply when Brieflodge processes personal data on behalf of customers.

Data Processing Agreement

Version 1.1 - 9 March 2026

This Data Processing Agreement (DPA) forms part of the agreement between Brieflodge and the customer using the Services (Customer) where Brieflodge processes personal data on behalf of the Customer in connection with the Services.

Quick summary

  • Customer controls the purposes for which workspace content and other customer-submitted personal data are processed.
  • Brieflodge acts as a processor or subprocessor for that data, depending on the relationship.
  • Brieflodge uses a limited number of subprocessors to operate infrastructure, email, payments, analytics, and realtime collaboration.
  • Brieflodge applies technical and organisational measures designed to protect customer data and will notify Customer without undue delay if it becomes aware of a qualifying personal data breach.
  • Transfers outside the EEA are covered by appropriate safeguards where required.

1. Parties and roles

This DPA is entered into between:

  • Customer, acting as controller or processor, as applicable; and
  • Brieflodge, acting as processor or subprocessor, as applicable.

For the purposes of this DPA, Brieflodge's contact details are:

Brieflodge
Paris, France
Email: privacy@brieflodge.com

2. Scope and duration

This DPA applies where Brieflodge processes personal data contained in briefs, comments, attachments, tasks, suggestions, workspace records, invitations, or related collaboration content on behalf of Customer.

This DPA remains in effect for as long as Brieflodge processes such personal data on behalf of Customer under the Services.

3. Subject matter, nature, and purpose of the processing

Brieflodge provides collaborative workflow and brief-management services. Processing may include hosting, storing, organising, structuring, transmitting, retrieving, synchronising, securing, exporting, and deleting personal data as necessary to provide the Services.

The purpose of the processing is to enable Customer to create, manage, review, collaborate on, and administer work through the Services.

4. Categories of data subjects and personal data

Depending on how Customer uses the Services, the processing may involve:

Data subjects

  • Customer's employees, contractors, and authorised users;
  • Customer's clients, prospects, collaborators, vendors, and other persons whose data is included in Customer Content;
  • other persons whose information Customer uploads to the Services.

Categories of personal data

  • identification and contact information;
  • job, company, and workspace information;
  • brief and project content;
  • comments, suggestions, files, and attachments;
  • workflow and task information;
  • technical and usage metadata related to Customer Content.

Customer is responsible for ensuring that the categories of data it submits are lawful, relevant, and proportionate for its intended use of the Services, including any special-category or sensitive data.

5. Customer instructions

Brieflodge will process personal data only on Customer's documented instructions, including instructions given through Customer's use and configuration of the Services, unless otherwise required by applicable law.

If Brieflodge believes that an instruction infringes applicable data protection law, Brieflodge may notify Customer and suspend the affected processing until the instruction is clarified or corrected.

6. Customer obligations

Customer is responsible for:

  • determining whether the Services are appropriate for Customer's intended processing;
  • providing any notices and obtaining any consents required under applicable law;
  • ensuring the lawful basis for the submission and processing of personal data through the Services;
  • responding to data subject requests and regulatory inquiries relating to Customer Content, except to the extent Brieflodge is required to assist under this DPA.

7. Confidentiality

Brieflodge will ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations and are given access only on a need-to-know basis.

8. Security measures

Brieflodge will implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

These measures include, as appropriate to the Services:

  • authenticated access controls and role-based permissions;
  • encrypted transmission channels and managed infrastructure security controls;
  • logical segregation of customer data;
  • monitoring, logging, and incident-response processes;
  • deletion and cleanup routines for expired or removed data;
  • vendor management and security review processes for critical providers.

9. Subprocessors

Customer authorises Brieflodge to use subprocessors that are necessary to provide the Services.

Brieflodge's current processor and infrastructure providers relevant to the Services include:

Provider Service category Country May process brief / project submission Typical role
Cloudflare Hosting, storage, and security infrastructure πŸ‡ͺπŸ‡Ί Yes Hosting, storage delivery, and security controls, including Cloudflare R2-backed file storage
Supabase Backend, database, and authentication platform πŸ‡ͺπŸ‡Ί Yes Core application data and authentication. Brieflodge stores application content in Supabase within the EU.
Directus Content management platform πŸ‡ͺπŸ‡Ί No Public content management
Resend Transactional email delivery πŸ‡ΊπŸ‡Έ Yes Service notifications and transactional messaging that may include brief or project context selected by users
Stripe Payment processing and billing πŸ‡ΊπŸ‡Έ No Subscription and invoice processing
PostHog Product analytics and monitoring πŸ‡ͺπŸ‡Ί No Diagnostics and analytics where configured
Unsplash Optional image-discovery integration πŸ‡¨πŸ‡¦ No User-initiated media discovery

Brieflodge will impose data protection obligations on subprocessors that are appropriate to the nature of the services they provide.

10. Assistance

Taking into account the nature of the processing and the information available to Brieflodge, Brieflodge will provide reasonable assistance to Customer in relation to:

  • data subject requests;
  • security incidents and personal data breaches;
  • data protection impact assessments where required;
  • consultation with supervisory authorities where required;
  • compliance with Customer's obligations under applicable data protection law, to the extent that such assistance is reasonably possible and proportionate.

11. Security incidents

If Brieflodge becomes aware of a personal data breach affecting personal data processed under this DPA, Brieflodge will notify Customer without undue delay and provide available information reasonably necessary for Customer to meet its legal obligations.

12. International transfers

Where personal data processed under this DPA is transferred outside the EEA, Brieflodge will ensure that an appropriate transfer mechanism is in place, such as standard contractual clauses or another lawful safeguard.

13. Audit and information rights

Upon reasonable written request, Brieflodge will make available information reasonably necessary to demonstrate compliance with this DPA.

Where justified and proportionate, Customer may request an audit or equivalent assurance process, subject to reasonable confidentiality, security, operational limitations, and the protection of other customers' information.

14. Return and deletion

During the term of the Services, Customer may access and manage Customer Content through the product.

On termination or deletion of the relevant Services, Brieflodge will delete or return personal data in accordance with the product's functionality, this DPA, and applicable law, subject to limited retention required for legal, security, billing, backup, and evidentiary purposes.

15. Liability and order of precedence

This DPA is subject to the liability framework of the main agreement between Brieflodge and Customer unless mandatory law requires otherwise.

If there is a conflict between this DPA and the data protection terms of the main agreement, this DPA will prevail for the relevant subject matter.

16. Contact

Questions relating to this DPA may be sent to privacy@brieflodge.com.

Made and hosted in the EU πŸ‡ͺπŸ‡Ί

Β© 2026 Brieflodge

About
  • Blog
  • Contact
Product
  • Templates
  • Cost of scope creep
  • Changelog
  • Pricing
Resources
  • Terms of Service
  • Privacy Policy
  • Data Processing Agreement
  • GDPR
  • Cookie Policy