Data Processing Agreement (DPA)

in accordance with Art. 28 of the General Data Protection Regulation (GDPR)

between

the Customer, as defined in the Main Agreement,
(hereinafter “Controller”)

– and –

Brink FlexCo, Messingstraße 32, 5323 Ebenau, Austria,
(hereinafter “Processor”)

(collectively “Parties”)

Preamble

This Data Processing Agreement (DPA) sets out the data protection obligations of the Parties arising from the provision of the SaaS service “Brink” pursuant to the Main Agreement concluded between the Parties (consisting of the order and the Terms of Service, hereinafter “Main Agreement”). In performing the services, the Processor processes personal data on behalf of the Controller.

This DPA is not signed separately. As set out in Section 12.3 of the Processor's ToS, this DPA forms an integral and binding part of the Main Agreement upon its conclusion. It enters into force upon conclusion of the Main Agreement and fully supersedes any prior data processing agreements between the Parties.

Subject Matter, Duration, and Specification of the Data Processing

1. Subject matter: The subject matter of the data processing is the performance of the services agreed upon in the Main Agreement, in particular the provision of the SaaS service “Brink” for the AI-powered creation, management, and sharing of brand guides. This includes the processing of personal data that the Controller or its users enter into, upload to, or create within the Service (hereinafter “User Content”).
2. Duration: The duration of this data processing corresponds to the term of the Main Agreement.
3. Specification: The nature and purpose of the processing, the categories of data subjects, and the types of personal data processed are described in detail in Appendix 1 of this DPA.

Obligations of the Processor

The Processor is obligated to:

1. Processing under instruction: Process personal data only on documented instructions from the Controller, as set out in this DPA and the Main Agreement, unless required to do so by Union or Member State law to which the Processor is subject. The Processor shall inform the Controller without undue delay if it considers that an instruction infringes the GDPR or other data protection provisions.
2. Confidentiality: Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. Data security: Take all measures required pursuant to Art. 32 GDPR to ensure the security of the processing. These measures include, in particular, the technical and organizational measures (TOMs) described in Appendix 2 of this DPA.
4. Notification of personal data breaches: If the Processor becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed for the Controller, it shall notify the Controller without undue delay. This initial notification will contain the information available at the time of the report. The Processor will provide further details as they become known in the course of the internal investigation.
5. Assistance to the controller: Assist the Controller, where possible, by appropriate technical and organizational measures, in fulfilling the Controller's obligation to respond to requests for exercising the data subject's rights. Furthermore, taking into account the nature of the processing and the information available to it, the Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR.
6. Return and deletion of data: After the completion of the provision of processing services, delete all personal data in accordance with the provisions of the Main Agreement (§ 9.4 of the ToS), unless Union or Member State law requires storage of the personal data.
7. Information and audit rights: Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA. Upon the Controller's written request, the Processor shall allow for and contribute to audits, by providing suitable evidence (e.g., current attestations, reports, or certifications from independent third parties). An on-site inspection shall only be required if there is a justified, factual reason that cannot be resolved by the evidence provided.

Obligations of the Controller

1. The Controller is solely responsible for assessing the lawfulness of the collection, processing, and use of the personal data, as well as for safeguarding the rights of data subjects.
2. The Controller is responsible for informing potential data subjects about the processing of their data in accordance with applicable data protection laws (in particular, Art. 13 and 14 GDPR).

Sub-processing

1. The Controller grants the Processor general written authorization to engage other processors (hereinafter “sub-processors”).
2. A list of the sub-processors engaged by the Processor and approved by the Controller, current at the time of the conclusion of the agreement, can be found in Appendix 3.
3. If the Processor intends to replace a sub-processor or engage a new one, it will publish this change in Appendix 3 at least 14 days prior to the planned engagement and inform the Controller in an appropriate manner (e.g., through a notice in the customer account or via email).
4. The Controller has the right to object to the change in writing within 14 days of publication for an important, data protection-related reason. If no timely objection is made, consent to the change is deemed to have been given.
5. The Processor shall conclude a contract with each sub-processor that imposes on the sub-processor substantially the same data protection obligations as set out in this DPA.

Rights of Data Subjects

1. If a data subject asserts their rights directly against the Processor, the Processor shall forward the request to the Controller without undue delay.
2. Responding to the request is the sole responsibility of the Controller. The Processor shall assist the Controller in this regard within the bounds of what is technically possible and reasonable.

International Data Transfers

1. For the sub-processors listed in Appendix 3 that are located in a third country (in particular the USA), the Processor ensures compliance with European data protection standards primarily by concluding the Standard Contractual Clauses (SCCs) approved by the EU Commission.
2. Upon request, the Processor will provide the Controller with the information required for the Controller to conduct its own risk assessment of the third-country transfer.

Liability and Final Provisions

1. Liability: The liability of the Parties shall be governed by the provisions of the Main Agreement, in particular by Section 10 of the ToS. The liability provisions of Art. 82 GDPR remain unaffected.
2. Amendments: Brink is entitled to amend this DPA in accordance with the procedure described in Section 13 of the ToS. This applies in particular if amendments become necessary due to changes in the legal situation, new case law, or technical advancements.
3. Applicable law and jurisdiction: This DPA is governed exclusively by Austrian law. The exclusive place of jurisdiction is the court having subject-matter jurisdiction for Brink's registered office.
4. Text form: Amendments and supplements to this DPA must be in text form (e.g., email) to be effective. This also applies to any waiver of this formal requirement. No oral side agreements have been made.
5. Contractual language: The contractual language is German.