
DATA PROCESSING AGREEMENT

The UK GDPR Article 28 terms that apply when we process personal data on your behalf. Forms part of our main Terms of Service.

Last updated: 27 May 2026

When this applies

This Data Processing Agreement (“DPA”) applies whenever Brambla (“Processor”, “us”) processes personal data on behalf of a client (“Controller”, “you”) under UK GDPR Article 28. Typical examples:

  • We host your website and receive form submissions from your customers on your behalf.
  • We run a marketing campaign using a customer list you've provided.
  • We import a CRM export or analytics database into a system we maintain for you.
  • We provide reporting that includes identifiable data about your customers.

This DPA does not apply to data you submit to us as a Brambla customer yourself (e.g. when you fill in our enquiry form). That's governed by our Privacy Policy, where we're the controller of your data.

1. Definitions

  • Personal Data, Data Subject, Processing — have the meanings given in UK GDPR.
  • Controller / Processor — UK GDPR roles. You are the Controller of your customers' data. Brambla is the Processor.
  • Sub-processor — a third party engaged by Brambla to process Personal Data on the Controller's behalf (e.g. our hosting provider).
  • Services — the work Brambla provides to you as set out in our Terms of Service and your Quote.

2. Scope of processing

  • Subject matter: the provision of the Services described in your Quote.
  • Duration: for as long as we provide the Services to you, plus any post-termination period required to return or delete the data (typically up to 30 days, see section 9).
  • Nature and purpose: processing Personal Data to enable the Services — typically hosting form submissions, sending emails on your behalf, providing analytics, or running campaigns.
  • Categories of Personal Data: typically names, email addresses, phone numbers, IP addresses, and message content submitted to your forms. The exact categories depend on the Service and are listed in your Quote where unusual.
  • Categories of Data Subjects: typically your customers, prospects and website visitors.

3. Our obligations as Processor

We will:

  • Process only on your documented instructions. This DPA, the Terms of Service and your Quote together constitute those instructions. We'll tell you if we believe an instruction breaches UK GDPR.
  • Confidentiality. Ensure that anyone we authorise to process Personal Data is bound by a duty of confidentiality.
  • Security. Implement appropriate technical and organisational measures to protect Personal Data — see section 5.
  • Sub-processors. Use only the sub-processors we've disclosed to you, under written contracts that impose materially the same obligations as this DPA — see section 6.
  • Assistance with rights requests. Help you respond to Data Subject Access Requests (DSARs) and other rights requests, where the data is held in a system we control.
  • Breach notification. Notify you without undue delay (within 48 hours of becoming aware) of any personal data breach affecting your data.
  • Return or delete data. On termination, return or delete Personal Data per section 9.
  • Audit cooperation. Make available the information needed to demonstrate compliance, and allow for reasonable audits (with 30 days' notice and at your cost) on request.

4. Your obligations as Controller

  • Ensure you have a lawful basis (UK GDPR Article 6) for processing the Personal Data you ask us to process on your behalf.
  • Provide Data Subjects with appropriate privacy notices in line with Articles 13–14 — including mentioning Brambla as a processor where appropriate.
  • Don't instruct us to do anything that would breach UK GDPR, the Data Protection Act 2018 or other applicable data-protection law.
  • Respond to Data Subject rights requests yourself — we'll assist, but the Controller is responsible for the response.

5. Security measures

We implement and maintain the following measures, proportionate to the risk:

  • Encryption in transit (TLS 1.2+) for all data flowing to and from our systems.
  • Encryption at rest on managed databases (Supabase Postgres).
  • Access control — role-based access, allowlist-gated admin tools, multi-factor authentication on staff accounts.
  • Row-Level Security (RLS) on the Postgres database, denying access by default and granting per-table per-role policies.
  • HMAC-signed session tokens for portal authentication; constant-time comparison to prevent timing attacks.
  • Anti-scraping middleware — Cloudflare Turnstile challenge for suspicious traffic, rate limiting on public endpoints.
  • Backups — daily automated backups on managed infrastructure, retained per provider defaults.
  • Dependency hygiene — regular vulnerability scanning, patches applied to CRITICAL/HIGH severity issues promptly.
  • Audit trails — admin actions logged where reasonably feasible.
  • No service-role credentials in production application code — least privilege by design.
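
The HMAC-signed session token with constant-time comparison listed above, as an added illustration only (not Brambla's portal code): the token format, the constructed signing key and the claim names are assumptions made for this example.

```python
"""Illustrative HMAC-signed portal session token (example, not Brambla's code).

Shows the two properties named in section 5: the token is bound to a
server-side secret via HMAC-SHA256, and the signature is checked with a
constant-time comparison so a forged token cannot be refined byte by byte
from response timing. Format, key and claim names are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key for this example only; a deployment would load it from a
# secrets manager rather than application code (see the last bullet above).
SECRET_KEY = b"example-portal-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Return '<payload>.<signature>' for user_id, valid for ttl_seconds."""
    issued = int(time.time() if now is None else now)
    claims = {"sub": user_id, "exp": issued + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the signature is valid and unexpired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        presented = _unb64(sig_b64)
    except (ValueError, TypeError):
        return None  # malformed token: wrong shape or bad base64
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # compare_digest takes time independent of where the two values differ.
    if not hmac.compare_digest(expected, presented):
        return None
    claims = json.loads(payload)  # payload is authentic at this point
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        return None  # expired
    return claims.get("sub")
```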

We don't publish detailed control inventories or formal certifications (e.g. SOC 2). For engagements requiring formal certification, we'll discuss whether a particular sub-processor (e.g. Supabase, Vercel) meets that bar, and what additional measures we can provide.

6. Sub-processors

We use the following sub-processors to deliver our services. By signing up, you authorise these:

Sub-processor                 Purpose                                              Region
Supabase                      Managed Postgres database hosting                    EU (Ireland)
Vercel                        Application hosting + edge network                   Global edge, primary region: US
Cloudflare                    DNS, bot-protection challenge (Turnstile)            Global edge
Microsoft 365                 Transactional email delivery (Graph API)             UK / EU
Stripe Payments Europe Ltd    Subscription billing and payment processing          EU (Ireland)
Anthropic                     AI tooling for internal workflow (see note below)    US (with Standard Contractual Clauses)

A note on AI sub-processors. We use Anthropic's Claude in our internal workflow for code generation, content research and design iteration. We do not feed Controller-supplied Personal Data into Anthropic's API for automated decision-making about Data Subjects. If we ever needed to (e.g. for an AI-powered feature on your site), we'd update this list with 30 days' notice and you could object.

Changes to sub-processors. If we add or replace a sub-processor, we'll notify you by email at least 30 days before the change takes effect. You may object on reasonable grounds; if we can't resolve the objection, you may terminate the affected Service without penalty.

7. International transfers

Where Personal Data leaves the UK or EEA (notably for Vercel hosting, Anthropic AI tooling, or Cloudflare's global edge), the transfer is protected by the UK Addendum to the EU Standard Contractual Clauses, or equivalent UK-approved transfer mechanism. We rely on the adequacy decisions and SCC arrangements maintained by each sub-processor.

8. Personal data breach

If we become aware of a personal data breach affecting Personal Data we process on your behalf, we will:

  • Notify you without undue delay, and in any event within 48 hours of becoming aware.
  • Provide a clear description of the breach: what happened, what data was affected, when, and what we're doing about it.
  • Assist you with any notification you need to make to the ICO or affected Data Subjects.
  • Document the breach and provide records on reasonable request.

9. Return or deletion of data on termination

When our Services to you end:

  • You can request a copy of all Personal Data we hold on your behalf. We'll provide it in a structured, commonly used format (CSV or JSON) within 14 days of the request.
  • Once we've provided the export — or 30 days after termination if no export is requested — we'll delete the Personal Data from our active systems.
  • Backups may retain a copy for up to 90 days for disaster recovery purposes, after which they're overwritten in line with our retention policy.
  • Exceptions: where we're required by law to retain certain records (e.g. invoicing data for accounting purposes), we'll keep only what's legally required, for the required period, and continue to protect it under this DPA.

10. Audits

You may request an audit of our processing activities under this DPA, on 30 days' written notice, no more than once per year (or more frequently if a breach has occurred or a regulator requires it). Audits will be conducted during business hours, will not unreasonably disrupt our operations, and are at the Controller's cost. We'll cooperate in good faith and provide reasonable assistance and information.

11. Liability

Our liability under this DPA is subject to the liability limits in our Terms of Service, section 11. Nothing in this DPA limits a Data Subject's rights to claim compensation directly against either party under UK GDPR.

12. Changes to this DPA

We may update this DPA to reflect changes in our processing operations, our sub-processors, or applicable law. We'll notify you of material changes by email at least 30 days before they take effect. Non-material changes (typos, clarifications) take effect on publication.

13. Order of precedence

If there's a conflict between this DPA and any other document, the order of precedence is: (1) this DPA, (2) the Terms of Service, (3) the Quote.

14. Contact

For data-protection enquiries, breach notifications, or to request a signed copy of this DPA on letterhead, contact us at hello@brambla.co.uk with “DPA” in the subject line.

SDB Digital Ltd (Company No. 12889730), trading as Brambla. Registered office: Northlew, Devon, EX20 3BN. ICO data protection register reference available on request.

