Data processing agreement

1. Introduction

This Data Processing Agreement (“DPA”) supplements and forms part of the Terms and Conditions (“Agreement”) between Brahmin Solutions Inc., a Delaware corporation (“Brahmin Solutions,” “we,” “us,” or “Processor”), and the entity agreeing to these terms (“Customer,” “you,” or “Controller”).

This DPA applies when Brahmin Solutions processes personal data on behalf of the Customer as a data processor under the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), or other applicable data protection laws.

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of personal data.

2. Definitions

• Controller – the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processor – the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller.
• Data Subject – an identified or identifiable natural person whose personal data is processed.
• Personal Data – any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.
• Processing – any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.
• Sub-processor – any third party engaged by the Processor to process personal data on behalf of the Controller.
• Supervisory Authority – an independent public authority established by an EU or EEA member state pursuant to the GDPR, or the UK Information Commissioner's Office under the UK GDPR.
• GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the General Data Protection Regulation.
• UK GDPR – the GDPR as retained in United Kingdom law by virtue of section 3 of the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018.
• Standard Contractual Clauses (SCCs) – the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission, currently Commission Implementing Decision (EU) 2021/914.

3. Scope and roles

The Customer acts as the Controller of personal data, and Brahmin Solutions acts as the Processor with respect to personal data processed through the Service.

Processing by Brahmin Solutions is limited to what is necessary to provide the cloud-based MRP and inventory management Service as described in the Agreement. Brahmin Solutions shall not process personal data for any purpose other than as instructed by the Customer or as required by applicable law.

4. Data processing details

Categories of data subjects:

• Customer's employees and authorized users
• Customer's customers and end consumers
• Customer's suppliers and vendors
• Customer's business contacts

Types of personal data:

• Names and contact information (email addresses, phone numbers, mailing addresses)
• Order information and transaction records
• Shipping and billing addresses
• Account credentials (usernames, hashed passwords)
• Any other personal data the Customer inputs into the Service

Purpose of processing: Providing the MRP and inventory management Service, including order management, inventory tracking, production planning, purchasing, and related functionality as described in the Agreement.

Duration of processing: For the term of the subscription agreement, plus any retention period specified in the Agreement or required by applicable law.

5. Processor obligations

Brahmin Solutions shall:

• Follow instructions: Process personal data only on documented instructions from the Controller, unless required to do so by applicable law. In such a case, Brahmin Solutions shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification.
• Confidentiality: Ensure that all persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as further described in Section 8 of this DPA.
• Data subject rights: Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising data subject rights under applicable data protection laws.
• Data protection impact assessments: Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities, when required under applicable data protection laws.
• Deletion or return: At the Controller's choice, delete or return all personal data to the Controller upon termination of the Agreement, and delete existing copies unless applicable law requires retention of the personal data.
• Demonstrating compliance: Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and applicable data protection laws.

6. Sub-processors

The Customer provides general written authorization for Brahmin Solutions to engage sub-processors to process personal data on behalf of the Controller, subject to the conditions in this section.

Notification: Brahmin Solutions shall notify the Customer of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, providing the Customer with an opportunity to object.

Objection right: The Customer may object to a new sub-processor within 14 days of receiving notification. If the Customer raises a reasonable objection, the parties shall discuss the concern in good faith. If the parties cannot resolve the objection, the Customer may terminate the affected portion of the Service without penalty.

Current sub-processors: Brahmin Solutions currently engages the following sub-processors:

• Amazon Web Services (AWS) – cloud hosting and infrastructure
• Vercel – website hosting and content delivery
• HubSpot – forms, demo booking, visitor tracking, email marketing, and customer relationship management
• Intercom – customer messaging, live chat, and support
• PostHog – product analytics and user behavior tracking
• Sanity – content management system
• Stripe – payment processing and billing
• Google Workspace – business email and productivity tools
• Hotjar – heatmaps, session recordings, and user experience analytics
• Google (Google Analytics) – website analytics

Brahmin Solutions maintains a current list of sub-processors and will update this page when sub-processors change. The notification and objection procedures described above apply to all sub-processor changes.

Sub-processor liability: Brahmin Solutions shall remain fully liable to the Controller for the performance of each sub-processor's obligations. Brahmin Solutions shall impose data protection obligations on sub-processors that are no less protective than those set out in this DPA.

7. International data transfers

Personal data may be transferred to and processed in the United States and other countries where Brahmin Solutions and its sub-processors maintain facilities.

EU transfers: For transfers of personal data from the European Economic Area (EEA) to countries not deemed to provide an adequate level of data protection, transfers shall be governed by the EU Standard Contractual Clauses (SCCs) as adopted by the European Commission under Commission Implementing Decision (EU) 2021/914.

UK transfers: For transfers of personal data from the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner's Office) shall apply.

Supplementary measures: Brahmin Solutions implements supplementary technical and organizational measures as needed to ensure an adequate level of protection for personal data transferred internationally, taking into account the circumstances of the transfer and the laws of the destination country.

8. Security measures

Brahmin Solutions implements and maintains appropriate technical and organizational security measures to protect personal data, including but not limited to:

• Encryption: Data is encrypted in transit using TLS (Transport Layer Security) and at rest using industry-standard encryption algorithms.
• Access controls: Role-based access controls and multi-factor authentication to restrict access to personal data to authorized personnel only.
• Security assessments: Regular security assessments, vulnerability scanning, and penetration testing to identify and address potential security risks.
• Incident response: Documented incident response procedures to detect, respond to, and recover from security incidents.
• Employee training: Regular security awareness training for all employees with access to personal data.
• Business continuity: Regular data backups and disaster recovery procedures to ensure availability and resilience of processing systems.

9. Data breach notification

Brahmin Solutions shall notify the Controller without undue delay, and where feasible within 72 hours, after becoming aware of a personal data breach affecting personal data processed under this DPA.

Notification content: The notification shall include, to the extent available:

• A description of the nature of the personal data breach, including the categories and approximate number of data subjects and personal data records concerned
• The name and contact details of the point of contact where more information can be obtained
• A description of the likely consequences of the breach
• A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects

Brahmin Solutions shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each personal data breach.

10. Audits

Brahmin Solutions shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and applicable data protection laws.

The Controller may conduct audits or inspections of Brahmin Solutions' data processing activities, subject to the following conditions:

• The Controller shall provide at least 30 days' prior written notice of any audit
• Audits shall be limited to once per calendar year, unless required by a supervisory authority or following a personal data breach
• Audits shall be conducted during normal business hours and shall not unreasonably disrupt Brahmin Solutions' operations
• The Controller shall bear the costs of any audit, unless the audit reveals material non-compliance by Brahmin Solutions
• All information obtained during an audit shall be treated as confidential

Brahmin Solutions may satisfy audit requests by providing relevant third-party audit reports or certifications, where available.

11. Liability

Each party's liability under this DPA is subject to the exclusions and limitations of liability set forth in the Agreement. In no event shall either party's aggregate liability arising out of or related to this DPA exceed the limitations set forth in the Agreement.

12. Term

This DPA shall remain in effect for the duration of the Agreement. It shall automatically terminate upon termination or expiration of the Agreement, subject to Brahmin Solutions' obligations regarding deletion or return of personal data as described in Section 5.

13. Contact

For DPA-related inquiries, data protection questions, or to request a copy of the current sub-processor list, please contact us at:

privacy@brahmin-solutions.com

For general support inquiries: support@brahmin-solutions.com

Brahmin Solutions Inc.
Incorporated in Delaware, USA