Brightbrief

Data Processing Agreement

Last updated: 2026-04-25

Pre-launch notice. This DPA is a placeholder. The structure follows GDPR Art. 28 requirements but the language has not been reviewed by counsel. Replace before opening public signups.

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Customer", acting as data controller) and Avack Media ("Brightbrief", acting as data processor) governing the processing of personal data on your behalf when you use Brightbrief.

1. Subject matter and duration

Brightbrief processes personal data on your instructions for the purpose of generating and delivering AI-written competitor and market briefings. Processing continues for the term of the underlying Terms.

2. Categories of personal data

  • Recipient email addresses you nominate.
  • Business-profile content you enter (company name, markets, competitors, ICP, tracked topics).
  • Briefing content (which may incidentally include third-party personal data quoted from public sources).

3. Data subjects

  • Your authorised users and recipients.
  • Persons named in publicly available material that the Brightbrief service incidentally processes when generating briefings about competitors, market activity, regulatory news, etc.

4. Sub-processors

You authorise Brightbrief to engage sub-processors as listed in the Privacy Policy (currently: Supabase, Anthropic, Resend, Paddle, Railway, Vercel). We will give you 30 days' email notice of any replacement; if you object, your remedy is to cancel the subscription without penalty before the change takes effect.

5. Security measures (Art. 32)

  • Encryption in transit (TLS 1.2+) for all customer-facing endpoints.
  • Encryption at rest provided by Supabase (Postgres) and our other sub-processors.
  • Row-level security policies isolating tenant data in our database.
  • Service-role keys (which can read across tenants) restricted to server-only environments and never exposed to client bundles or browsers.
  • Least-privilege API keys to sub-processors with scope restricted to the minimum required.
  • Trial-eligibility records stored only as peppered SHA-256 hashes; plaintext email addresses are not duplicated to that table.

6. Breach notification

We will notify you without undue delay (and within 72 hours where feasible) of any personal-data breach affecting your data, including a description of the breach, categories and approximate numbers of data subjects affected, likely consequences, and measures taken or proposed.

7. Data subject requests

We will assist you, taking into account the nature of processing, in responding to data-subject requests. Most requests can be handled by you directly via your dashboard (recipients, briefings); for trial-grant records or other internal data, contact arthur@vanacker.io.

8. Return or deletion at end of service

On termination of the service, you may export your business profile and briefings via the dashboard for 30 days. After 30 days, we will delete your tenant data, subject to retention obligations described in the Privacy Policy (notably the 24-month trial-eligibility retention).

9. Audit

On reasonable written request and no more than once per 12 months, we will provide a written summary of our security controls or, where available, an attestation report from one of our sub-processors.

10. International transfers

Where personal data is transferred outside the EEA (e.g. Anthropic, Resend), we rely on the EU Standard Contractual Clauses (SCCs) and, for US sub-processors, the EU-US Data Privacy Framework where applicable.

11. Acceptance

By creating a paid account, you accept this DPA. If your organisation requires a counter-signed copy, email arthur@vanacker.io and we will arrange one.