Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between RendereelStudio LLC ("Processor," "we," "us") and the Tenant ("Controller," "you," "your") using the Brevvo platform ("Service") at brevvo.ai.

This DPA is entered into to ensure compliance with applicable data protection legislation, including the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and other applicable privacy laws.

1. Definitions

"Controller" (Data Controller)

The Tenant who determines the purposes and means of processing personal data through the Service. In the context of Brevvo, each Tenant is the Controller of the personal data they input, upload, or generate within their Tenant environment.

"Processor" (Data Processor)

RendereelStudio LLC, operating as Brevvo, which processes personal data on behalf of the Controller pursuant to this DPA and the Terms of Service.

"Sub-Processor"

A third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.

"Personal Data"

Any information relating to an identified or identifiable natural person ("Data Subject"), as defined in GDPR Article 4(1).

"Processing"

Any operation or set of operations performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Data Subject"

An identified or identifiable natural person whose personal data is processed. In the Brevvo context, this includes the Tenant's customers, employees, staff members, and other individuals whose data is processed through the Service.

"Supervisory Authority"

An independent public authority responsible for monitoring the application of data protection laws, as defined in GDPR Article 4(21).

"Data Subject Access Request (DSAR)"

A request from a Data Subject exercising their rights under applicable data protection law (e.g., access, rectification, erasure, portability).

"Tenant Data"

All personal data and business data uploaded, created, or generated by the Controller within their isolated Tenant environment on the Service.

"Security Incident" / "Data Breach"

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

2. Scope of Processing

2.1 Purpose of Processing

The Processor shall process personal data only for the following purposes:

• Providing and operating the Brevvo platform and its features as described in the Terms of Service.
• Executing AI agent operations on behalf of the Controller, including data analysis, recommendations, automated workflows, and content generation.
• Managing Tenant business operations including customer relationship management, scheduling, invoicing, payroll, accounting, tax preparation, marketing, and communications.
• Maintaining the security, performance, and availability of the Service.
• Providing technical support to the Controller.

2.2 Duration of Processing

Processing shall continue for the duration of the Controller's use of the Service and for such additional period as required by applicable law or as set forth in Section 12 (Term and Termination).

2.3 Nature of Processing

Processing includes automated operations performed by AI-powered agents and machine-learning models, including but not limited to: data analysis, pattern recognition, natural language processing, content generation, financial calculations, scheduling optimization, and predictive analytics.

3. Data Categories Processed

The following categories of personal data may be processed depending on the Controller's use of the Service:

Category	Examples	Data Subjects
Identity Data	Names, email addresses, phone numbers, physical addresses, profile photos	Customers, employees, contacts
Financial Data	Invoice amounts, payment records, bank account details (via Plaid integration), revenue figures, expense data, tax documents	Customers, business owners, employees
Employment Data	Job titles, schedules, performance records, compensation, W-4/I-9 forms, direct deposit information, benefits elections, PTO balances	Employees, contractors
Transaction Data	Purchase history, appointment records, service details, booking information, refund records	Customers
Communication Data	Email addresses, phone numbers, communication preferences, message content (emails, SMS), marketing consent records	Customers, leads, contacts
Technical Data	IP addresses, browser type, device information, session identifiers, usage logs	All Service users
Health Data (if applicable)	Medical history, allergies, health conditions (only when Controller operates in a health-related industry and inputs such data)	Customers/patients

4. Obligations of the Processor

The Processor shall:

1. Process on Instructions Only. Process personal data only on documented instructions from the Controller, including with respect to transfers of personal data to a third country, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.
2. Confidentiality. Ensure that all personnel authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. Security. Implement and maintain appropriate technical and organizational measures as described in Section 6 to ensure a level of security appropriate to the risk of processing.
4. Sub-Processor Management. Not engage another processor without prior specific or general written authorization of the Controller, subject to Section 7.
5. Assist with Data Subject Rights. Assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Controller's obligations to respond to Data Subject requests (Section 9).
6. Assist with Compliance. Assist the Controller in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of processing and the information available to the Processor.
7. Data Deletion. At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data.
8. Audit Support. Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as described in Section 11.
9. No Independent Use. Not process Tenant Data for any purpose independent of the Controller's instructions, including but not limited to marketing, profiling, or machine-learning model training using Tenant Data.

5. Obligations of the Controller

The Controller shall:

1. Lawful Basis. Ensure that a valid legal basis exists for all processing of personal data instructed to the Processor, including obtaining any necessary consents from Data Subjects.
2. Data Accuracy. Ensure the accuracy and completeness of personal data provided to the Processor.
3. Privacy Notices. Provide appropriate privacy notices to Data Subjects informing them of the processing, including the involvement of the Processor.
4. Compliance. Comply with all applicable data protection laws in connection with the use of the Service and the instructions given to the Processor.
5. Special Category Data. Obtain explicit consent or ensure another valid legal basis under Article 9(2) GDPR before inputting any special category data into the Service.
6. Notification. Promptly notify the Processor of any Data Subject requests received directly that relate to the Processor's processing activities.

6. Security Measures

The Processor implements and maintains the following technical and organizational measures to protect personal data:

6.1 Encryption

• At Rest: AES-256-GCM encryption via AWS Key Management Service (KMS) for all stored data, including database contents, file storage, and backups.
• In Transit: TLS 1.2+ encryption for all data transmissions between clients, APIs, and internal services.

6.2 Access Controls

• Authentication: AWS Cognito-based authentication with support for multi-factor authentication (MFA).
• Authorization: Role-based access control (RBAC) ensuring users can only access data appropriate to their role within a Tenant.
• Tenant Isolation: PostgreSQL Row-Level Security (RLS) policies enforce strict data isolation between Tenants at the database level, preventing any cross-Tenant data access.
• Least Privilege: Internal systems and personnel operate under the principle of least privilege.

6.3 Audit Logging

• Comprehensive audit trails for all data access, modifications, and deletions.
• Immutable logs stored securely with retention periods compliant with applicable regulations.
• Automated alerting for anomalous access patterns.

6.4 Network Security

• AWS Web Application Firewall (WAF) protecting against OWASP Top 10 vulnerabilities.
• DDoS protection via AWS Shield.
• Virtual Private Cloud (VPC) isolation for backend services.
• Security groups and network ACLs restricting traffic to only required ports and protocols.

6.5 Incident Response

• Documented incident response plan with defined roles, severity classifications, and escalation procedures.
• Regular incident response drills and post-incident reviews.
• 24/7 monitoring and automated alerting for potential security events.

6.6 Business Continuity

• Automated database backups with point-in-time recovery.
• Multi-availability-zone deployment for high availability.
• Disaster recovery procedures documented and tested.

7. Sub-Processors

7.1 Current Sub-Processors

The Controller hereby grants general authorization for the Processor to engage the following Sub-Processor:

Sub-Processor	Purpose	Location	Certifications
Amazon Web Services, Inc.	Cloud infrastructure — compute, storage, database, networking, security, AI/ML inference, email delivery, authentication	United States (us-west-2, Oregon)	SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, FedRAMP, PCI DSS Level 1, HIPAA eligible

No other third parties have access to or process Tenant Data. We do not use third-party analytics services, advertising networks, or data brokers.

7.2 New Sub-Processors

The Processor shall notify the Controller at least 30 days in advance before engaging any new Sub-Processor. The notification shall include the identity of the Sub-Processor, the nature of the processing, and the location of processing. The Controller may object to the new Sub-Processor within 14 days of notification. If the Controller objects and the parties cannot resolve the objection, the Controller may terminate the affected Service by providing written notice.

7.3 Sub-Processor Obligations

The Processor shall impose on each Sub-Processor, by way of contract, data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of the Sub-Processor's obligations.

8. International Data Transfers

8.1 Processing Location

All Tenant Data is processed and stored within the United States, specifically in the AWS us-west-2 (Oregon) region. No Tenant Data is routinely transferred outside the United States.

8.2 Transfer Mechanisms

For Controllers located in the EU/EEA/UK, the transfer of personal data to the United States is conducted pursuant to:

• Standard Contractual Clauses (SCCs) — as adopted by the European Commission (Decision 2021/914), incorporated into this DPA by reference.
• UK International Data Transfer Agreement (IDTA) — for transfers subject to UK GDPR, as applicable.
• Supplementary Measures — including encryption, access controls, and Tenant isolation as described in Section 6, to ensure an adequate level of protection.

8.3 Government Access Requests

The Processor shall promptly notify the Controller of any request or order from a government authority for access to Tenant Data, unless prohibited by law. The Processor shall challenge any such request that the Processor reasonably believes to be unlawful or excessive.

9. Data Subject Rights

9.1 Assistance with DSARs

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject Access Requests (DSARs) and other rights requests, including:

• Right of Access (Article 15) — Providing the Controller with tools to export all personal data held about a specific Data Subject within the Tenant environment.
• Right to Rectification (Article 16) — Enabling the Controller to correct or update personal data through the Service interface.
• Right to Erasure (Article 17) — Providing the Controller with the ability to delete specific Data Subject records, with confirmation of deletion from active systems and queuing for backup purge.
• Right to Data Portability (Article 20) — Enabling export of personal data in structured, commonly used, machine-readable formats (JSON, CSV).
• Right to Restriction (Article 18) — Supporting the Controller's ability to flag and restrict processing of specific records.
• Right to Object (Article 21) — Supporting the Controller's ability to opt specific Data Subjects out of automated processing, including AI agent operations.

9.2 Direct Requests

If the Processor receives a DSAR directly from a Data Subject, the Processor shall promptly redirect the request to the relevant Controller, unless otherwise instructed or required by law. The Processor shall not independently respond to DSARs without the Controller's authorization.

9.3 Response Timelines

The Processor shall provide reasonable assistance to enable the Controller to respond to DSARs within the timeframes required by applicable law (30 days under GDPR, 45 days under CCPA).

10. Breach Notification

10.1 Notification to Controller

The Processor shall notify the Controller without undue delay and in any event within 24 hours of becoming aware of a Security Incident that affects Tenant Data. The notification shall include:

• A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and personal data records affected.
• The name and contact details of the Processor's data protection contact.
• A description of the likely consequences of the Security Incident.
• A description of the measures taken or proposed to be taken to address the Security Incident, including measures to mitigate its possible adverse effects.

10.2 Notification to Supervisory Authorities

The Controller is responsible for notifying the relevant supervisory authority within 72 hours of becoming aware of a breach (per GDPR Article 33). The Processor shall provide all information and cooperation necessary to enable the Controller to fulfill this obligation.

10.3 Notification to Data Subjects

Where required by GDPR Article 34 or other applicable law, the Controller is responsible for notifying affected Data Subjects. The Processor shall assist the Controller in identifying affected Data Subjects and preparing notifications.

10.4 Remediation

The Processor shall take immediate steps to contain and remediate any Security Incident, including:

• Isolating affected systems to prevent further unauthorized access.
• Conducting a thorough investigation to determine the root cause and full scope of the incident.
• Implementing corrective measures to prevent recurrence.
• Providing the Controller with a written incident report upon completion of the investigation.

11. Audit Rights

11.1 Right to Audit

The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

11.2 Audit Process

• Written Request: The Controller shall provide at least 30 days' written notice of an audit request.
• Scope: Audits shall be limited to the Processor's processing of the Controller's personal data and compliance with this DPA.
• Frequency: Audits may be conducted no more than once per calendar year, unless a Security Incident has occurred or a supervisory authority requires additional audits.
• Confidentiality: Auditors must agree to reasonable confidentiality obligations.
• Cooperation: The Processor shall reasonably cooperate with audit requests, including providing access to relevant documentation, systems logs, and personnel.

11.3 Compliance Evidence

As an alternative to on-site audits, the Processor may provide the Controller with:

• Summaries of independent third-party audit reports or certifications (e.g., SOC 2 Type II) covering the Processor's security controls.
• Completed security questionnaires or compliance documentation.
• Evidence of AWS infrastructure compliance certifications.
• Results of penetration testing or vulnerability assessments (in summary form).

12. Term and Termination

12.1 Term

This DPA shall remain in effect for the duration of the Controller's use of the Service and for as long as the Processor retains any personal data processed on behalf of the Controller.

12.2 Effect of Termination

Upon termination of the Service agreement:

1. Data Export. The Processor shall make available to the Controller all Tenant Data in a structured, commonly used, machine-readable format (JSON or CSV) for a period of 30 days following termination.
2. Data Deletion. After the 30-day export window, or upon the Controller's earlier written request, the Processor shall permanently delete all Tenant Data from its production systems using industry-standard secure deletion methods.
3. Backup Purge. Encrypted backups containing Tenant Data shall be purged within 90 days of the deletion of production data, in accordance with the backup retention cycle.
4. Certification. Upon the Controller's request, the Processor shall provide written certification that all Tenant Data has been deleted in accordance with this Section.

12.3 Legal Retention

Notwithstanding the above, the Processor may retain personal data to the extent required by applicable law (e.g., tax records, legal holds). Such retained data shall continue to be protected in accordance with this DPA and shall be deleted when the legal retention requirement expires. The Processor shall inform the Controller of any such retention requirements.

12.4 Survival

Sections 6 (Security Measures), 10 (Breach Notification), 11 (Audit Rights), and 12 (Term and Termination) shall survive termination of this DPA.

13. Contact Information

For questions regarding this Data Processing Agreement, data protection matters, or to submit audit requests, please contact:

RendereelStudio LLC
Data Protection Contact
Email: dpa@brevvo.ai
Privacy Inquiries: privacy@brevvo.ai
Website: https://brevvo.ai