Data Processing Agreement

Version: 6.0  ·  Effective Date: June 15, 2026  ·  Last Updated: June 15, 2026

PURPOSE AND SCOPE

Purpose

This Data Processing Agreement (“DPA”) forms part of and is incorporated into the brainCloud Terms of Service, any applicable Order Forms, and other agreements governing Customer’s access to and use of the Services (collectively, the “Agreement”).

This DPA governs the Processing of Personal Data by bitHeads Inc., operating as brainCloud (“brainCloud”), on behalf of Customer in connection with the Services.

The purpose of this DPA is to establish the parties’ respective rights and obligations regarding the Processing of Personal Data and to support compliance with applicable Data Protection Laws.

Applicability

This DPA applies solely to Personal Data processed by brainCloud on behalf of Customer where brainCloud acts as a Processor, service provider, or equivalent role under applicable Data Protection Laws.

This DPA does not apply to Personal Data processed by brainCloud as a Controller, including information processed in connection with:

  • website operations;
  • marketing and business development activities;
  • customer account administration;
  • billing and payment processing;
  • event registrations;
  • customer support interactions;
  • security monitoring relating to brainCloud’s own business operations; or
  • other activities for which brainCloud independently determines the purposes and means of Processing.

Such Processing is governed by the brainCloud Privacy Policy.

Relationship to Other Documents

This DPA shall be read together with:

  • the brainCloud Terms of Service;
  • the brainCloud Privacy Policy;
  • the brainCloud Service Level Agreement;
  • the brainCloud Subprocessor List;
  • applicable Order Forms; and
  • other documents incorporated into the Agreement.

Each document serves a distinct purpose and shall be interpreted consistently where reasonably possible.

Order of Precedence

In the event of any conflict relating specifically to the Processing of Personal Data, the following order of precedence shall apply:

  1. applicable Order Form or written amendment;
  2. this DPA;
  3. applicable Service Level Agreement;
  4. Terms of Service;
  5. Privacy Policy; and
  6. remaining incorporated policies.

For avoidance of doubt, this DPA controls solely with respect to Personal Data Processing obligations.

Compliance Objective

The parties intend that this DPA support compliance with applicable privacy and data protection laws, including where applicable:

  • Regulation (EU) 2016/679 (“GDPR”);
  • the United Kingdom GDPR;
  • Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”);
  • Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (Law 25);
  • applicable United States federal and state privacy laws; and
  • other applicable privacy and data protection laws.

Scope of Services

This DPA applies solely to the publicly hosted brainCloud Backend-as-a-Service platform and related services made available under the Agreement.

Customer-hosted deployments, private licensed deployments, dedicated environments, professional services engagements, consulting services, and other arrangements may be governed by separate agreements.

DEFINITIONS

For purposes of this DPA:

“AI Inputs” means prompts, instructions, content, files, data, messages, requests, queries, and other materials submitted to AI Services.

“AI Outputs” means responses, recommendations, analyses, summaries, classifications, generated content, code, and other outputs produced through AI Services.

“Controller” includes controller, business, or equivalent role under applicable Data Protection Laws.

“Customer Personal Data” means Personal Data contained within Customer Data or End User Data processed by brainCloud on behalf of Customer.

“Data Protection Laws” means all applicable privacy, data protection, information governance, consumer privacy, and related laws applicable to Processing activities governed by this DPA.

“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

“End User” means an individual who accesses, uses, or interacts with a Customer Application.

“End User Data” means information relating to End Users processed through the Services on behalf of Customer.

“Personal Data” means personal information, personal data, or similar information relating to an identified or identifiable individual as defined by applicable Data Protection Laws.

“Processor” includes processor, service provider, contractor, or equivalent role under applicable Data Protection Laws.

“Restricted Transfer” means a transfer of Personal Data that is subject to restrictions under applicable Data Protection Laws.

“Security Incident” means unauthorized access to, acquisition of, disclosure of, alteration of, destruction of, loss of, or inability to access Personal Data.

Security Incidents do not include unsuccessful attempts or activities that do not materially compromise the security, confidentiality, integrity, or availability of Personal Data, including routine scans, probes, denial-of-service attempts, firewall blocks, or similar events.

“Services” means the publicly hosted brainCloud Backend-as-a-Service platform, APIs, SDKs, administrative tools, AI Services, infrastructure, and related functionality governed by the Agreement.

“Subprocessor” means a third party engaged by brainCloud to process Personal Data on behalf of brainCloud in connection with providing the Services.

“Supervisory Authority” means any governmental, regulatory, privacy, data protection, consumer protection, or similar authority having jurisdiction over Processing activities governed by this DPA.

ROLES OF THE PARTIES

Customer as Controller

Customer acts as Controller with respect to Customer Personal Data processed through the Services.

Customer is solely responsible for:

  • determining the purposes of Processing;
  • determining the lawful basis for Processing;
  • establishing retention requirements;
  • providing required notices;
  • obtaining required consents and permissions;
  • responding to Data Subject requests; and
  • complying with applicable Data Protection Laws.

brainCloud as Processor

brainCloud acts as Processor solely with respect to Customer Personal Data processed on behalf of Customer through the Services.

brainCloud shall Process Customer Personal Data only:

  • on documented instructions from Customer;
  • as necessary to provide the Services;
  • as required by applicable law; or
  • as otherwise permitted under this DPA.

If brainCloud reasonably believes that a Customer instruction violates applicable Data Protection Laws, brainCloud may suspend execution of the instruction and notify Customer.

brainCloud shall inform Customer if, in its opinion, an instruction infringes applicable Data Protection Laws.

brainCloud as Independent Controller

Nothing in this DPA limits brainCloud’s role as Controller with respect to Personal Data processed for:

  • account administration;
  • billing and payment processing;
  • customer support;
  • marketing activities;
  • fraud prevention;
  • security monitoring of brainCloud systems;
  • legal compliance; and
  • business operations.

Such Processing is governed by the Privacy Policy and applicable laws.

Customer Responsibility for Customer Applications

Customer remains solely responsible for:

  • Customer Applications;
  • application functionality;
  • privacy notices;
  • consent mechanisms;
  • age-gating controls;
  • content moderation practices;
  • legal compliance; and
  • relationships with End Users.

brainCloud does not determine how Customer Applications collect, use, disclose, or otherwise process Personal Data.

No Joint Controller Relationship

Except where expressly agreed in writing, the parties do not intend to create a joint controller relationship under applicable Data Protection Laws.

PROCESSING INSTRUCTIONS

Authorized Processing

Customer instructs brainCloud to Process Customer Personal Data as reasonably necessary to:

  • provide the Services;
  • host Customer Applications;
  • authenticate users;
  • process Customer Data;
  • process End User Data;
  • operate platform functionality;
  • provide technical support;
  • maintain platform security;
  • prevent fraud and abuse;
  • perform monitoring activities;
  • conduct backup and recovery operations;
  • provide AI Services;
  • perform troubleshooting;
  • maintain operational continuity; and
  • fulfill obligations under the Agreement.

Customer Instructions

Customer’s documented instructions consist of:

  • this DPA;
  • the Agreement;
  • Customer administrative settings;
  • Customer configuration choices;
  • Customer API requests;
  • Customer support requests; and
  • other written instructions mutually agreed by the parties.

Lawful Instructions

Customer shall not instruct brainCloud to Process Personal Data in violation of applicable law.

If brainCloud reasonably believes that a Customer instruction violates Data Protection Laws, brainCloud may suspend execution of the instruction and notify Customer.

Processing Required by Law

Where brainCloud is required by applicable law to Process Customer Personal Data other than as instructed by Customer, brainCloud shall inform Customer before such Processing unless prohibited by law.

Processing Details

The subject matter, duration, categories of Data Subjects, categories of Personal Data, and purposes of Processing are described in Schedule 1 to this DPA.

Limited Processing Rights

brainCloud shall not sell Customer Personal Data and shall not Process Customer Personal Data for purposes unrelated to providing the Services except as expressly permitted by this DPA or required by applicable law.

AI PROCESSING

AI Services

brainCloud may make artificial intelligence, machine learning, large language model, generative AI, recommendation, classification, automation, and other AI-powered functionality (“AI Services”) available as part of the Services.

AI Services may be provided directly by brainCloud or through approved third-party AI providers acting on behalf of brainCloud.

AI Inputs

Customer may submit AI Inputs to AI Services in connection with Customer’s use of the Services.

Customer remains solely responsible for:

  • the content of AI Inputs;
  • determining whether AI Inputs contain Personal Data;
  • establishing lawful bases for Processing;
  • providing required notices; and
  • obtaining any required permissions or consents.

AI Outputs

AI Services may generate AI Outputs based upon AI Inputs.

AI Outputs may be stored, displayed, transmitted, processed, logged, or otherwise handled as necessary to provide the Services.

Customer remains solely responsible for reviewing, validating, and determining the appropriateness of AI Outputs before relying upon them.

AI Processing Instructions

Where AI Services are enabled by Customer, Customer instructs brainCloud to Process Customer Personal Data contained within AI Inputs and AI Outputs solely as necessary to:

  • provide AI Services;
  • generate requested responses;
  • maintain functionality;
  • maintain security;
  • prevent abuse and fraud;
  • troubleshoot issues;
  • provide support; and
  • comply with applicable legal obligations.

No AI Model Training Using Customer Data

brainCloud shall not use:

  • Customer Personal Data;
  • Customer Data;
  • End User Data;
  • AI Inputs; or
  • AI Outputs

to train artificial intelligence or machine learning models.

This restriction applies to AI Services operated by brainCloud and to AI-related Processing performed on behalf of Customer.

Third-Party AI Providers

brainCloud may engage approved third-party AI providers as Subprocessors.

Where supported by the applicable provider, brainCloud shall configure such services to prohibit the use of Customer Personal Data, AI Inputs, and AI Outputs for model training purposes.

brainCloud shall not knowingly direct any approved AI provider to use Customer Personal Data, AI Inputs, or AI Outputs for model training unless expressly instructed by Customer.

AI Service Limitations

Customer acknowledges that AI Services are probabilistic technologies and may generate inaccurate, incomplete, misleading, outdated, biased, offensive, or unexpected outputs.

Nothing in this DPA shall be interpreted as creating any guarantee regarding the accuracy, reliability, legality, or suitability of AI Outputs.

AI Providers as Subprocessors

To the extent an AI provider Processes Customer Personal Data, such provider shall be considered a Subprocessor and shall be subject to Section 12 (Subprocessors) of this DPA.

CONFIDENTIALITY

Confidentiality Obligations

brainCloud shall ensure that persons authorized to Process Customer Personal Data are subject to appropriate confidentiality obligations.

Such obligations may arise through:

  • employment agreements;
  • contractor agreements;
  • professional obligations;
  • confidentiality agreements; or
  • statutory duties of confidentiality.

Access Restrictions

brainCloud shall limit access to Customer Personal Data to personnel, contractors, Subprocessors, and service providers who have a legitimate business need to access such information in connection with providing the Services.

Training and Awareness

brainCloud may maintain privacy, security, and confidentiality training programs appropriate to the nature of the Services and Customer Personal Data Processed.

Continuing Obligations

Confidentiality obligations applicable to individuals authorized to Process Customer Personal Data shall survive termination of employment, contractor relationships, or other authorized access arrangements.

Disclosure Required by Law

Nothing in this DPA prevents brainCloud from disclosing Customer Personal Data where required by applicable law, court order, governmental authority, or regulatory obligation.

Where legally permitted, brainCloud shall use commercially reasonable efforts to notify Customer prior to such disclosure.

SECURITY MEASURES

Security Program

brainCloud shall maintain administrative, technical, and organizational safeguards designed to protect Customer Personal Data against unauthorized access, disclosure, alteration, destruction, loss, misuse, or other unauthorized Processing.

Security Measures

brainCloud shall implement security measures appropriate to the nature of the Processing, taking into account:

  • available technology;
  • implementation costs;
  • the nature of the Services;
  • the sensitivity of Customer Personal Data;
  • risks to individuals; and
  • applicable legal requirements.

Security Schedule

The security measures maintained by brainCloud are described in Schedule 2 to this DPA.

brainCloud may modify security measures from time to time provided that such modifications do not materially reduce the overall level of protection provided to Customer Personal Data.

Access Controls

brainCloud shall maintain controls designed to restrict access to Customer Personal Data to authorized personnel and authorized service providers.

Encryption

brainCloud may utilize encryption technologies designed to protect Customer Personal Data during transmission and, where appropriate, during storage.

The specific encryption methods utilized may vary depending on operational requirements, deployment models, and technological developments.

Monitoring and Logging

brainCloud may maintain monitoring, logging, auditing, and diagnostic systems designed to:

  • identify threats;
  • investigate incidents;
  • maintain platform integrity;
  • prevent abuse; and
  • support operational requirements.

Security Testing

brainCloud may conduct vulnerability assessments, penetration testing, security reviews, audits, and other security evaluation activities designed to assess and improve the security of the Services.

Customer Responsibilities

Customer remains responsible for:

  • securing Customer Applications;
  • managing permissions;
  • protecting credentials;
  • configuring security settings appropriately;
  • securing customer-controlled environments; and
  • implementing customer-specific compliance requirements.

SECURITY INCIDENTS

Incident Response Program

brainCloud shall maintain procedures designed to identify, investigate, respond to, mitigate, remediate, and document Security Incidents.

Notification of Security Incidents

Upon becoming aware of a Security Incident affecting Customer Personal Data, brainCloud shall notify Customer without undue delay and in accordance with applicable legal and contractual requirements.

Contents of Notification

To the extent reasonably available, notifications may include:

  • a description of the Security Incident;
  • the categories of Customer Personal Data affected;
  • the categories of Data Subjects affected;
  • the likely consequences of the Security Incident;
  • mitigation measures undertaken; and
  • contact information for further inquiries.

brainCloud may provide information in phases as additional information becomes available.

Cooperation

brainCloud shall provide reasonable cooperation and assistance to Customer regarding investigation, mitigation, remediation, and legally required notifications arising from a Security Incident.

No Admission of Liability

Notification of a Security Incident does not constitute an admission of fault, liability, wrongdoing, breach of contract, or violation of law.

Customer Responsibilities

Customer remains responsible for determining whether notifications to:

  • Data Subjects;
  • customers;
  • governmental authorities;
  • regulators; or
  • other third parties

are required under applicable law.

Incident Records

brainCloud may maintain records relating to Security Incidents for legal, operational, compliance, security, and business continuity purposes.

Security Reporting

Customer shall promptly report suspected vulnerabilities, unauthorized access, security weaknesses, or other security concerns affecting the Services upon discovery.

Nothing in this DPA shall restrict disclosures made in accordance with applicable law or an authorized vulnerability disclosure program published by brainCloud.

Preservation of Evidence

Following a Security Incident materially affecting Customer Personal Data, brainCloud may preserve logs, records, forensic artifacts, and other relevant information for a reasonable period to support investigation, remediation, legal compliance, and defense of claims.

DATA SUBJECT REQUESTS

Assistance with Data Subject Requests

Taking into account the nature of the Processing and the information available to brainCloud, brainCloud shall provide reasonable assistance to Customer in responding to requests from Data Subjects exercising rights under applicable Data Protection Laws.

Such rights may include:

  • access rights;
  • correction rights;
  • deletion rights;
  • portability rights;
  • restriction rights;
  • objection rights;
  • withdrawal of consent rights; and
  • other rights recognized under applicable Data Protection Laws.

Customer Responsibility

Customer remains solely responsible for:

  • responding to Data Subject requests;
  • determining whether requests should be fulfilled;
  • verifying the identity of requesting individuals;
  • determining applicable legal requirements; and
  • complying with applicable response deadlines.

Nothing in this DPA transfers Customer’s obligations as Controller to brainCloud.

Requests Received by brainCloud

If brainCloud receives a request directly from a Data Subject relating to Customer Personal Data for which Customer acts as Controller, brainCloud may:

  • refer the request to Customer;
  • notify Customer of the request; or
  • take such other action as required by applicable law.

Unless required by applicable law, brainCloud shall not independently respond to such requests without Customer authorization.

Information and Tools

Where reasonably available, brainCloud may provide:

  • administrative functionality;
  • APIs;
  • export tools;
  • deletion mechanisms;
  • access controls; and
  • other capabilities

designed to assist Customer in responding to Data Subject requests.

Assistance Limitations

brainCloud shall not be required to:

  • collect information not otherwise maintained;
  • retain information solely for potential requests;
  • re-identify anonymized or de-identified information; or
  • modify Services solely to facilitate Customer compliance obligations.

Cost Recovery

Where Customer requests assistance beyond that reasonably required by applicable law or beyond standard functionality provided through the Services, brainCloud may charge reasonable fees for such assistance.

Authorized Representatives

Where permitted by applicable law, Customer remains responsible for validating the authority of agents, representatives, guardians, or other third parties submitting requests on behalf of Data Subjects.

DATA PROTECTION IMPACT ASSESSMENTS AND REGULATORY COOPERATION

Assistance with DPIAs

Taking into account the nature of the Processing and information available to brainCloud, brainCloud shall provide reasonable assistance to Customer in connection with Data Protection Impact Assessments (“DPIAs”) where required by applicable Data Protection Laws.

Scope of Assistance

Such assistance may include:

  • providing information regarding Processing activities;
  • providing information regarding security measures;
  • describing applicable technical and organizational safeguards;
  • providing information regarding Subprocessors;
  • providing available compliance documentation; and
  • providing other information reasonably available to brainCloud.

Regulatory Cooperation

brainCloud shall provide reasonable cooperation with Customer in connection with lawful inquiries, investigations, audits, inspections, or requests from Supervisory Authorities relating to Customer Personal Data Processed under this DPA.

Direct Regulatory Requests

Where brainCloud receives a legally binding request from a Supervisory Authority relating specifically to Customer Personal Data, brainCloud shall notify Customer without undue delay unless prohibited by law.

No Legal Representation

brainCloud is not responsible for representing Customer before any Supervisory Authority, court, tribunal, governmental authority, or regulatory body.

Cost Recovery

Where assistance requested by Customer exceeds assistance reasonably required by applicable law, brainCloud may recover reasonable costs associated with providing such assistance.

No Legal Advice

brainCloud does not provide legal advice.

Customer remains responsible for obtaining its own legal, privacy, regulatory, and compliance advice regarding Customer’s obligations under applicable Data Protection Laws.

Scope Limitation

brainCloud shall not be required to disclose trade secrets, source code, proprietary algorithms, confidential security information, information relating to other customers, or information that would materially increase security risks when providing assistance under this Section.

AUDIT RIGHTS

Audit Information

brainCloud shall make available information reasonably necessary to demonstrate compliance with this DPA.

Such information may include:

  • security documentation;
  • compliance documentation;
  • policy information;
  • questionnaire responses;
  • certifications;
  • audit summaries;
  • penetration testing summaries; and
  • similar materials reasonably available to brainCloud.

Audit Hierarchy

The parties agree that compliance verification shall proceed in the following order:

  • documentation review;
  • security questionnaires;
  • review of audit reports or summaries;
  • remote assessment activities; and
  • on-site audits only where reasonably necessary.

Customer shall use lower-impact verification methods before requesting more intrusive audit activities.

Audit Frequency

Customer may conduct or request an audit no more than once during any twelve (12) month period unless:

  • required by applicable law;
  • following a confirmed Security Incident materially affecting Customer Personal Data; or
  • otherwise agreed by the parties.

Notice Requirements

Customer shall provide at least thirty (30) days’ prior written notice before conducting an audit.

Business Operations Protection

Audits must:

  • occur during normal business hours;
  • avoid unreasonable disruption;
  • avoid access to information relating to other customers;
  • avoid disclosure of confidential information unrelated to Customer;
  • comply with reasonable security requirements established by brainCloud; and
  • be limited to matters directly relevant to compliance with this DPA.

Independent Auditors

Any third-party auditor engaged by Customer must:

  • be subject to confidentiality obligations;
  • not be a competitor of brainCloud;
  • possess appropriate qualifications relevant to the audit; and
  • comply with brainCloud’s reasonable security requirements.

Audit Costs

Customer shall bear its own audit costs.

Customer shall also reimburse brainCloud for reasonable costs incurred in supporting audits except where a material breach of this DPA is identified.

No Source Code or Infrastructure Access

Nothing in this DPA requires brainCloud to disclose:

  • source code;
  • trade secrets;
  • proprietary algorithms;
  • security monitoring systems;
  • vulnerability information;
  • penetration testing details; or
  • infrastructure information

where such disclosure would materially increase security risks or compromise brainCloud’s confidential information.

No Unlimited Audit Rights

Nothing in this DPA grants Customer unrestricted, continuous, unlimited, or real-time audit rights.

SUBPROCESSORS

Authorization

Customer hereby grants brainCloud general authorization to engage Subprocessors in connection with providing the Services.

Subprocessor Obligations

brainCloud shall impose contractual obligations on Subprocessors that are designed to provide protections for Customer Personal Data substantially similar to those required under this DPA.

Responsibility for Subprocessors

brainCloud shall remain responsible for the performance of its obligations under this DPA to the extent required by applicable Data Protection Laws.

Subprocessor List

The Subprocessor List may identify:

  • Subprocessor name;
  • service description;
  • processing activities;
  • processing locations; and
  • applicable transfer mechanisms.

Changes to Subprocessors

brainCloud may add, replace, or remove Subprocessors from time to time.

Where required by applicable law or applicable agreements, brainCloud shall provide notice of material Subprocessor changes.

Objections

Where required by applicable law, Customer may object to the appointment of a new Subprocessor on reasonable data protection grounds.

Any objection must:

  • be submitted in writing;
  • identify the specific grounds for objection; and
  • be submitted within thirty (30) days of notice.

Resolution Process

Upon receipt of a valid objection, the parties shall work in good faith to identify a commercially reasonable resolution.

Potential resolutions may include:

  • alternative configurations;
  • alternative service arrangements;
  • additional safeguards; or
  • alternative Subprocessors where reasonably available.

Customer Remedy

If the parties cannot resolve an objection through reasonable efforts, Customer’s sole remedy shall be to discontinue use of the affected Service and terminate the affected portion of the Services in accordance with the Agreement.

Categories of Subprocessors

Subprocessors may include:

  • cloud infrastructure providers;
  • hosting providers;
  • communications providers;
  • payment processors;
  • support providers;
  • analytics providers;
  • security providers;
  • AI providers; and
  • other operational service providers.

Emergency Replacements

brainCloud may immediately replace a Subprocessor where reasonably necessary to:

  • maintain security;
  • prevent service disruption;
  • comply with legal obligations; or
  • address operational emergencies.

brainCloud shall provide notice of such changes where reasonably practicable.

INTERNATIONAL TRANSFERS

International Processing

Customer acknowledges that brainCloud, its Affiliates, and its Subprocessors may Process Customer Personal Data in multiple jurisdictions in connection with providing the Services.

Such jurisdictions may include Canada, the United States, member states of the European Union, the United Kingdom, and other jurisdictions in which brainCloud or its approved Subprocessors operate.

Customer acknowledges that the provision of cloud-based services may require cross-border Processing activities, including storage, transmission, support, security monitoring, backup, disaster recovery, and operational support activities.

Restricted Transfers

Where Customer Personal Data is subject to transfer restrictions under applicable Data Protection Laws, brainCloud shall implement appropriate safeguards designed to support lawful transfers.

Such safeguards shall be appropriate to the nature of the Processing, the applicable legal requirements, and the transfer mechanism relied upon.

Transfer Mechanisms

Where required by applicable Data Protection Laws, brainCloud may rely upon one or more of the following transfer mechanisms:

  • Standard Contractual Clauses approved by the European Commission;
  • the United Kingdom International Data Transfer Addendum;
  • adequacy decisions issued by competent authorities;
  • contractual safeguards;
  • technical safeguards;
  • organizational safeguards; and
  • other legally recognized transfer mechanisms.

The specific mechanism utilized may vary depending upon applicable law, the location of the parties, the nature of the Processing, and operational requirements.

Customer Hosting Selections

Where the Services permit Customer to select hosting regions, deployment locations, or processing locations, Customer remains responsible for determining whether such selections satisfy Customer’s legal, contractual, regulatory, and compliance obligations.

brainCloud does not provide legal advice regarding jurisdictional requirements, residency obligations, localization requirements, or transfer restrictions applicable to Customer.

Government Requests

Where legally permitted, brainCloud shall use commercially reasonable efforts to notify Customer of governmental requests seeking access to Customer Personal Data before disclosure.

Where notification is prohibited by law, brainCloud shall comply with applicable legal restrictions and may disclose Customer Personal Data only to the extent legally required.

Transfer Assessments

Where required by applicable Data Protection Laws, brainCloud may conduct or support reasonable transfer impact assessments relating to Restricted Transfers.

Such assessments may consider:

  • the nature of the Personal Data;
  • the jurisdictions involved;
  • applicable legal protections;
  • technical safeguards;
  • organizational safeguards; and
  • risks associated with the transfer.

International Subprocessors

Customer acknowledges that approved Subprocessors may participate in Restricted Transfers and may Process Customer Personal Data in jurisdictions different from those selected by Customer.

Such Processing shall remain subject to the safeguards described in this DPA.

Future Transfer Mechanisms

The parties acknowledge that applicable transfer mechanisms may evolve over time.

Where an existing transfer mechanism becomes unavailable, invalid, or legally insufficient, the parties shall cooperate in good faith to implement an alternative legally recognized transfer mechanism reasonably necessary to support continued Processing activities.

No Data Residency Commitment

Except where expressly agreed in writing, nothing in this DPA shall be interpreted as creating a commitment that Customer Personal Data will remain exclusively within any particular jurisdiction, region, country, or geographic area.

DELETION AND RETURN OF DATA

Return or Deletion Following Termination

Upon termination or expiration of the Agreement, brainCloud shall, at Customer’s election and subject to the terms of the Agreement:

  • return Customer Personal Data;
  • provide mechanisms allowing Customer to export Customer Personal Data; or
  • delete Customer Personal Data.

Such actions shall occur within a commercially reasonable period following termination, subject to applicable retention obligations and operational requirements.

Customer Responsibilities

Customer is responsible for exporting, retrieving, or otherwise obtaining Customer Personal Data before termination of the Services.

brainCloud is not responsible for Customer’s failure to retrieve Customer Personal Data during any applicable transition, retention, or export period.

Active System Deletion

Where deletion is requested, brainCloud shall delete Customer Personal Data from active production systems within a commercially reasonable period, subject to:

  • legal obligations;
  • security requirements;
  • operational requirements;
  • disaster recovery requirements; and
  • technical limitations.

Retention Following Termination

brainCloud may retain Customer Personal Data where reasonably necessary to:

  • comply with legal obligations;
  • preserve evidence;
  • respond to legal claims;
  • satisfy regulatory obligations;
  • maintain security records;
  • maintain backup systems;
  • satisfy legitimate operational requirements; or
  • enforce contractual rights.

Backup and Recovery Systems

Customer Personal Data may continue to exist within:

  • backup systems;
  • archival systems;
  • disaster recovery environments;
  • restoration media;
  • system logs; and
  • security monitoring systems

for reasonable periods following deletion from active systems.

brainCloud shall continue to protect such information in accordance with applicable obligations until such information is deleted, overwritten, or otherwise removed through ordinary operational processes.

De-Identified Information

Nothing in this DPA prevents brainCloud from retaining aggregated, anonymized, statistical, or de-identified information that no longer constitutes Personal Data under applicable Data Protection Laws.

Such information may be used for:

  • analytics;
  • service improvement;
  • operational reporting;
  • security analysis; and
  • business operations.

Legal Holds

Where Customer Personal Data is subject to:

  • a legal hold;
  • preservation obligation;
  • court order;
  • regulatory requirement; or
  • similar legal restriction,

brainCloud may retain such information until the applicable obligation no longer applies.

Continued Protection

Any Customer Personal Data retained pursuant to this Section shall remain subject to the confidentiality, security, and access control obligations applicable under this DPA until such information is deleted.

Certification of Deletion

Except where expressly required by applicable law or separately agreed in writing, brainCloud shall not be required to provide certificates of deletion, destruction attestations, or similar documentation.

Survival

The provisions of this Section shall survive termination or expiration of this DPA for so long as brainCloud retains Customer Personal Data pursuant to applicable legal, operational, security, or regulatory obligations.

LIABILITY

Application of Liability Provisions

The liability provisions contained in the Agreement apply to this DPA and all claims arising out of or relating to this DPA.

The parties acknowledge that this DPA forms part of the Agreement and does not constitute a separate agreement for liability purposes.

Aggregate Liability

Except as otherwise expressly provided in the Agreement, the aggregate liability of each party arising out of or relating to this DPA shall be subject to the limitations, exclusions, disclaimers, and liability caps contained in the Agreement.

All liabilities arising under this DPA shall be aggregated with liabilities arising under the Agreement for purposes of calculating applicable liability limitations.

No Expanded Liability

Nothing in this DPA shall be interpreted as:

  • expanding liability;
  • increasing liability caps;
  • creating separate liability caps;
  • eliminating exclusions of liability; or
  • modifying liability limitations

established under the Agreement unless expressly agreed in writing by the parties.

For clarity, this DPA does not create an independent or additional liability regime separate from the Agreement.

Regulatory Penalties

Each party shall remain responsible for fines, penalties, sanctions, damages, liabilities, and regulatory consequences arising from its own acts, omissions, or violations of applicable Data Protection Laws.

Neither party shall be responsible for penalties arising solely from the other party’s violations of applicable law.

Allocation of Responsibility

Where liability arises from the acts or omissions of both parties, responsibility shall be allocated between the parties according to:

  • applicable law;
  • relative fault;
  • respective responsibilities under this DPA; and
  • each party’s contribution to the underlying event.

No Special Privacy Damages

Except to the extent expressly required by applicable law, neither party shall be liable to the other for indirect, incidental, consequential, special, exemplary, punitive, or similar damages arising from this DPA.

Mitigation

Each party shall use commercially reasonable efforts to mitigate damages arising from Security Incidents, privacy events, regulatory actions, or other matters governed by this DPA.

Exclusive Framework

The liability framework contained in the Agreement and this DPA constitutes the exclusive allocation of risk between the parties with respect to Processing activities governed by this DPA.

GENERAL PROVISIONS

Governing Law

This DPA is governed by the governing law provisions specified in the Agreement.

Jurisdiction

The jurisdiction and venue provisions contained in the Agreement shall apply to disputes arising under this DPA.

Severability

If any provision of this DPA is determined to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect.

The parties shall replace any invalid provision with a valid provision that most closely reflects the original intent of the parties.

Amendments

brainCloud may update this DPA from time to time to reflect:

  • changes in law;
  • changes in regulatory guidance;
  • changes in technology;
  • changes in operational requirements;
  • changes in the Services; or
  • other legitimate business needs.

Material changes shall be communicated in accordance with the Agreement.

Assignment

This DPA shall bind and benefit the parties and their respective permitted successors and assigns.

No assignment shall relieve either party of obligations arising prior to the effective date of assignment.

Entire Agreement

This DPA, together with the Agreement and incorporated documents, constitutes the entire agreement between the parties regarding Processing activities governed by this DPA.

No Third-Party Beneficiaries

Except as expressly required by applicable law, this DPA does not create rights for any third party.

Waiver

No failure or delay by either party in exercising any right under this DPA shall constitute a waiver of that right.

Any waiver must be in writing and signed by the party granting the waiver.

Interpretation

Headings are included for convenience only and shall not affect interpretation.

References to laws include amendments, replacements, and successor legislation unless the context requires otherwise.

The words “including,” “includes,” and similar terms shall be interpreted to mean “including without limitation.”

Electronic Execution

Where execution is required, this DPA may be executed electronically and electronic signatures shall be deemed equivalent to original signatures to the fullest extent permitted by applicable law.

Counterparts

Where execution is required, this DPA may be executed in one or more counterparts, each of which shall be deemed an original and all of which together constitute a single instrument.

Survival

Provisions relating to:

  • confidentiality;
  • security obligations;
  • liability;
  • audit rights;
  • legal holds;
  • deletion obligations;
  • regulatory cooperation; and
  • other provisions intended by their nature to survive

shall survive termination or expiration of this DPA.

TERM

Effective Date

This DPA becomes effective upon the earliest of:

  • Customer’s acceptance of the Agreement;
  • Customer’s first access to or use of the Services;
  • execution of an Order Form incorporating this DPA; or
  • any other written agreement incorporating this DPA.

Duration

This DPA shall remain in effect for so long as brainCloud Processes Customer Personal Data on behalf of Customer.

Automatic Incorporation

This DPA is automatically incorporated into the Agreement and does not require separate execution unless expressly required by applicable law or agreed by the parties.

Termination

Termination or expiration of the Agreement automatically terminates this DPA except to the extent that provisions survive pursuant to this DPA or applicable law.

Continued Processing

Where brainCloud continues to Process Customer Personal Data following termination solely for purposes permitted under this DPA, such Processing shall remain subject to the applicable provisions of this DPA until deletion or destruction occurs.

Replacement Agreements

Where the parties enter into a replacement DPA, the replacement DPA shall supersede this DPA as of its effective date except with respect to matters arising before such replacement.

Regulatory Changes

The parties acknowledge that privacy and data protection laws may evolve over time.

The parties shall cooperate in good faith to implement modifications reasonably necessary to maintain compliance with applicable Data Protection Laws.

SCHEDULE 1

DETAILS OF PROCESSING

This Schedule forms part of the Data Processing Agreement and describes the Processing activities conducted by brainCloud on behalf of Customer.

Subject Matter of Processing

The subject matter of Processing is the provision of the brainCloud Backend-as-a-Service platform and related Services, including:

  • authentication services;
  • account management services;
  • player management services;
  • cloud data storage;
  • game services;
  • social services;
  • analytics services;
  • commerce services;
  • communications services;
  • multiplayer services;
  • matchmaking services;
  • AI Services;
  • customer support services; and
  • related operational functionality.

Nature of Processing

Processing activities may include:

  • collection;
  • storage;
  • organization;
  • structuring;
  • transmission;
  • retrieval;
  • consultation;
  • use;
  • analysis;
  • modification;
  • disclosure by transmission;
  • backup;
  • restoration;
  • deletion; and
  • destruction.

Processing may be performed through automated and manual means.

Purpose of Processing

Customer Personal Data may be Processed for purposes including:

Service Delivery

  • providing the Services;
  • hosting Customer Applications;
  • authenticating users;
  • maintaining application functionality;
  • delivering requested features.

Operational Support

  • customer support;
  • troubleshooting;
  • diagnostics;
  • monitoring;
  • service administration.

Security

  • fraud prevention;
  • abuse prevention;
  • security monitoring;
  • vulnerability detection;
  • incident response.

Business Continuity

  • backup operations;
  • restoration operations;
  • disaster recovery;
  • operational continuity.

AI Services

Where enabled by Customer:

  • processing AI Inputs;
  • generating AI Outputs;
  • supporting AI-powered functionality.

Duration of Processing

Customer Personal Data may be Processed:

  • for the duration of the Agreement;
  • during any applicable transition period;
  • during any applicable retention period;
  • for backup and recovery purposes; and
  • for additional periods required by law or permitted under the DPA.

Categories of Data Subjects

Data Subjects may include:

Customer Personnel

  • employees;
  • contractors;
  • administrators;
  • support personnel;
  • business representatives.

Authorized Users

Individuals authorized by Customer to access or administer the Services.

End Users

Players, users, customers, community members, and other individuals who interact with Customer Applications.

Support Contacts

Individuals involved in support, billing, compliance, or administrative activities.

Other Individuals

Any other individuals whose information Customer elects to Process through the Services.

Categories of Personal Data

Depending upon Customer’s implementation, Customer Personal Data may include:

Identity Information

  • names;
  • usernames;
  • aliases;
  • account identifiers;
  • player identifiers.

Contact Information

  • email addresses;
  • support contact information;
  • communications information.

Authentication Information

  • authentication identifiers;
  • login credentials;
  • account access information.

Technical Information

  • IP addresses;
  • device identifiers;
  • browser information;
  • operating system information;
  • application identifiers.

Gameplay Information

  • scores;
  • achievements;
  • progression information;
  • statistics;
  • matchmaking information;
  • leaderboard information.

Commerce Information

  • purchase history;
  • transaction identifiers;
  • virtual economy information.

Communications Information

  • chat messages;
  • support messages;
  • community interactions.

Analytics Information

  • event data;
  • usage data;
  • behavioral information;
  • performance metrics.

AI Information

  • AI Inputs;
  • AI Outputs.

Customer-Defined Information

  • Any other information submitted, stored, transmitted, or otherwise Processed by Customer through the Services.

Special Categories of Data

brainCloud does not intentionally require or request the Processing of special categories of Personal Data.

If Customer elects to Process such information through the Services, Customer remains solely responsible for:

  • determining legality;
  • obtaining required permissions;
  • providing notices; and
  • complying with applicable law.

Cross-Border Processing

Customer acknowledges that Customer Personal Data may be Processed in multiple jurisdictions as described in the DPA.

SCHEDULE 2

SECURITY MEASURES

brainCloud maintains administrative, technical, and organizational safeguards designed to protect Customer Personal Data.

The specific controls implemented may evolve over time provided that the overall level of protection is not materially reduced.

Administrative Measures

brainCloud may maintain:

Policies and Procedures

  • security policies;
  • privacy policies;
  • acceptable use policies;
  • incident response procedures;
  • change management procedures.

Personnel Controls

  • confidentiality obligations;
  • access approval processes;
  • role-based responsibilities;
  • personnel onboarding procedures;
  • personnel offboarding procedures.

Training

  • privacy awareness training;
  • security awareness training;
  • operational security training.

Vendor Management

  • Subprocessor review procedures;
  • contractual security requirements;
  • risk assessments where appropriate.

Technical Measures

Access Controls

brainCloud may implement:

  • authentication controls;
  • authorization controls;
  • role-based access controls;
  • least-privilege principles;
  • multi-factor authentication controls for administrative access where appropriate;
  • administrative access restrictions.

Encryption

brainCloud may utilize encryption technologies designed to protect Customer Personal Data:

  • during transmission using industry-standard encryption protocols;
  • at rest where supported by the underlying infrastructure and deployment model.

Network Security

brainCloud may maintain:

  • firewalls;
  • network segmentation;
  • traffic monitoring;
  • intrusion detection technologies;
  • protective network controls.

Logging and Monitoring

brainCloud may maintain:

  • system logging;
  • security logging;
  • monitoring systems;
  • alerting systems;
  • audit trails where appropriate.

Vulnerability Management

brainCloud may maintain processes relating to:

  • vulnerability identification;
  • patch management;
  • remediation activities;
  • security testing.

Backup and Recovery

brainCloud may maintain:

  • backup systems;
  • restoration procedures;
  • disaster recovery mechanisms;
  • business continuity capabilities.

Organizational Measures

Security Governance

brainCloud may maintain governance processes designed to oversee:

  • security operations;
  • privacy operations;
  • risk management activities;
  • incident response activities.

Incident Response

brainCloud may maintain procedures designed to:

  • identify incidents;
  • investigate incidents;
  • contain incidents;
  • remediate incidents;
  • document incidents.

Business Continuity

brainCloud may maintain plans and procedures designed to support:

  • operational continuity;
  • disaster recovery;
  • service restoration.

Evaluation and Improvement

brainCloud may periodically evaluate, review, test, modify, improve, or replace security measures in response to:

  • emerging threats;
  • technological developments;
  • operational requirements;
  • legal requirements;
  • industry practices.

SCHEDULE 3

SUBPROCESSOR LIST

brainCloud maintains its current Subprocessor List through the brainCloud Trust Center at https://getbraincloud.com/subprocessors/.

The Subprocessor List may identify:

  • Subprocessor name;
  • service description;
  • processing activities;
  • processing locations;
  • transfer mechanisms;
  • categories of data processed.

The online Subprocessor List, as updated from time to time, governs for purposes of the DPA.

SCHEDULE 4

INTERNATIONAL TRANSFER MECHANISMS

Where required by applicable Data Protection Laws:

  • Standard Contractual Clauses may apply to Restricted Transfers;
  • the UK International Data Transfer Addendum may apply to applicable UK transfers;
  • adequacy decisions may be relied upon where available;
  • other legally recognized transfer mechanisms may be utilized where permitted by applicable law.

The parties shall cooperate in good faith to implement replacement transfer mechanisms where existing mechanisms become unavailable, invalid, or legally insufficient.
