Data Processing Agreement (DPA)
This Data Processing Agreement (“DPA”) supplements our Terms of Service and forms part of the contract between you (“Customer”, the data controller) and Supabrief AI (“Supabrief”, the data processor) when Customer uses Supabrief to process personal data relating to data subjects.
This DPA is binding on Customer the moment Customer accepts our Terms of Service and uses the Service. A counter-signed PDF is available on request (email support@supabrief.com).
1. Definitions
Capitalised terms have the meanings given in the GDPR or, where applicable, the DPDP Act. “Customer Personal Data” means the personal data Customer submits to Supabrief or that Supabrief processes on Customer's behalf in the course of providing the Service.
2. Subject matter and duration (Art 28(3))
- Subject matter: Provision of the Supabrief AI brief-generation service.
- Duration: For the term of Customer's subscription, plus a 30-day post-termination period for return / deletion of data.
- Nature and purpose: Hosting, transmission, AI processing, and storage of Customer Personal Data submitted as Input or stored in connected-integration tokens.
- Type of personal data: Names, email addresses, employment-related data, free-text Input which may incidentally contain other categories.
- Categories of data subjects: Customer's employees, users, customers, prospects, and any third parties referenced in Input.
3. Customer's instructions
Supabrief processes Customer Personal Data only on documented instructions from Customer, including for transfers, unless required by Indian or EU/UK law. Customer's use of the Service in accordance with the Terms constitutes those instructions.
4. Confidentiality
Supabrief ensures that personnel authorised to process Customer Personal Data are bound by confidentiality obligations.
5. Security (Art 32)
Supabrief implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those described on our Security & Trust page:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Application-layer AES-256-GCM encryption for stored credentials.
- Row-level security on all multi-tenant database tables.
- Hashed passwords and SHA-256-hashed IP addresses.
- Access logging and least-privilege admin access.
- Regular security review and dependency patching.
6. Subprocessors (Art 28(2) and (4))
Customer authorises Supabrief to engage the subprocessors listed at /legal/subprocessors. Supabrief will:
- Give Customer at least 30 days' notice before adding or replacing a subprocessor;
- Impose contractual data-protection obligations on each subprocessor that are no less protective than this DPA;
- Remain liable to Customer for the acts and omissions of subprocessors.
If Customer reasonably objects to a new subprocessor, Customer may terminate the affected subscription on written notice within 30 days; Supabrief will refund any prepaid unused fees pro rata.
7. Data subject rights
Supabrief will assist Customer in responding to data-subject rights requests (access, rectification, erasure, restriction, portability, objection) by providing the technical means via the in-product export and deletion features and, where these are insufficient, within a reasonable time on Customer's written request.
8. Personal data breach (Art 33)
Supabrief will notify Customer without undue delay and in any event within 72 hours after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include all information reasonably available to Supabrief to enable Customer to meet its own breach-notification obligations.
9. International transfers
For transfers of Customer Personal Data originating from the EU/UK to third countries, the parties incorporate the 2021 EU Standard Contractual Clauses (Module 2: Controller–Processor) and the UK IDTA Addendum, which are deemed signed and agreed between the parties. The clauses apply on the following terms:
- The optional Clause 7 (docking) is included.
- Option 2 in Clause 9 applies (general written authorisation).
- Option 1 in Clause 17 applies; governing law is the law of the Republic of Ireland.
- Place of jurisdiction in Clause 18 is Ireland.
- Annex I (parties / data) and Annex III (subprocessors) are populated by reference to this DPA and the Subprocessors page.
- Annex II (technical measures) is populated by reference to the Security & Trust page.
10. Deletion or return at termination
Within 30 days of termination of Customer's subscription, Supabrief will delete all Customer Personal Data, except where Indian or EU/UK law requires retention (e.g., invoice records under Companies Act §128). Customer may export its data via the in-product export feature before termination.
11. Audit (Art 28(3)(h))
Customer may, on reasonable advance notice and no more than once per calendar year, request a copy of Supabrief's most recent third-party security audit (where available) and a written response to a reasonable security questionnaire. Customer-led on-site audits are limited to enterprise customers with annual contract value > USD 50,000 and require mutual NDA.
12. Liability
Each party's liability under this DPA is subject to the limitation of liability set out in the Terms of Service.
13. Order of precedence
In the event of conflict between this DPA, the Terms of Service, and the EU SCCs / UK IDTA: (1) the SCCs / IDTA prevail for EU/UK-origin transfers; (2) this DPA prevails over the Terms; (3) the Terms apply to all other matters.
14. Contact
Notices under this DPA: support@supabrief.com