Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between BrandPulse ("Processor") and you, the customer ("Controller"), in accordance with Article 28 of UK GDPR.

By accepting our Terms of Service you also enter into this DPA. If you require a signed copy for procurement purposes, email [email protected].

1. Definitions

"Controller" means the BrandPulse customer who determines the purposes and means of processing.
"Processor" means BrandPulse, acting on the Controller's instructions.
"Personal Data", "Processing", "Data Subject", "Sub-processor" have the meanings given in UK GDPR.
"Services" means the BrandPulse AI search visibility tracking platform.

2. Subject matter and nature of processing

BrandPulse processes personal data on the Controller's behalf solely to provide the Services. The processing activities are:

Storing brand, competitor, and prompt data submitted by the Controller.
Querying third-party AI platforms with the Controller's prompts and storing responses.
Aggregating visibility and sentiment metrics.
Providing the Controller with access to that data via the BrandPulse interface.

3. Data subjects and categories of data

The personal data processed may relate to any individuals whose names, brands, or other identifiable information the Controller includes in their tracking configuration. Categories of data may include:

Brand and company names.
Competitor names (which may coincide with personal names of sole traders).
Any free-text in prompts submitted by the Controller that references individuals.

The Controller is responsible for ensuring it has a lawful basis for any personal data submitted to BrandPulse.

4. Processor obligations

BrandPulse shall:

Process personal data only on documented instructions from the Controller (i.e. through normal use of the Services).
Ensure that persons authorised to process the data are bound by confidentiality obligations.
Implement appropriate technical and organisational security measures (see Section 7).
Assist the Controller with its obligations to respond to data subject rights requests.
Assist the Controller with security, breach notification, impact assessments, and prior consultation obligations.
Delete or return all personal data on termination of the Services, at the Controller's choice, unless retention is required by law.
Provide all information necessary to demonstrate compliance with Article 28 of UK GDPR, and cooperate with audits.

5. Sub-processors

The Controller provides general authorisation for BrandPulse to engage the sub-processors listed in our Privacy Policy. BrandPulse will:

Give the Controller at least 14 days' notice before adding or replacing a sub-processor.
Impose equivalent data protection obligations on each sub-processor.
Remain liable to the Controller for the acts of its sub-processors.

6. International transfers

Our sub-processors are located in the USA. Transfers are covered by UK International Data Transfer Agreements (IDTAs) based on the ICO's international transfer mechanism. Details are provided in our Privacy Policy. If the Controller requires specific transfer documentation, contact [email protected].

7. Security measures

BrandPulse implements the following technical and organisational measures:

Encryption in transit (TLS 1.2+) and at rest via Supabase.
Row-level security (RLS) enforced in the database so each customer accesses only their own data.
CSRF token protection on all mutating requests.
Rate limiting on authentication and data-creation endpoints.
Access control: production database credentials available only to automated systems; no individual developer has standing access.
Error monitoring and alerting via Sentry.
A published Security Policy and vulnerability disclosure programme.

8. Data breach notification

BrandPulse will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of a personal data breach affecting the Controller's data. Notification will be sent to the email address associated with the Controller's account and will include the information required by Article 33(3) of UK GDPR to the extent then available.

9. Data subject rights

BrandPulse provides tools for the Controller to export and delete personal data (see "Download my data" and "Delete account" in account settings). BrandPulse will also assist the Controller with any data subject rights request that cannot be fulfilled via self-service tools within 5 business days of a written request.

10. Duration and termination

This DPA is co-extensive with the main Terms of Service. On termination of the Services, BrandPulse will delete or anonymise all personal data processed under this DPA within 30 days, unless a longer retention period is required by law (e.g. financial records).

11. Governing law

This DPA is governed by the laws of England and Wales. Any disputes arising from it are subject to the exclusive jurisdiction of the courts of England and Wales.

Effective date: 16 April 2026. Last reviewed: 16 April 2026.