Data Processing Addendum (DPA)

Last Updated: June 6, 2025

This Data Processing Addendum (“DPA”) supplements the Terms & Conditions and reflects the parties’ agreement with respect to the Processing of Personal Data in accordance with data-protection laws including the GDPR, CCPA, and any applicable local regulations.

1  Definitions

Capitalised terms not defined here have the meaning given in the Terms & Conditions. “Controller,” “Processor,” “Data Subject,” “Personal Data,” and “Processing” carry the definitions set forth in GDPR Art. 4.

2  Roles of the Parties

For the purposes of this DPA you (the customer) act as Data Controller and The Branding Bull acts as Data Processor when Processing Personal Data on your behalf.

3  Processor Obligations

• Process Personal Data only on documented instructions from the Controller.
• Ensure that persons authorised to process the data are bound by confidentiality.
• Implement appropriate technical and organisational measures to protect the data.
• Assist the Controller in fulfilling data-subject requests and compliance duties.
• Maintain records of Processing activities as required by law.

4  Sub-processors

Controller authorises the use of sub-processors listed in our Sub-processor Registry. We will inform you of intended changes and give you the opportunity to object. Each sub-processor will be bound by data-protection obligations no less protective than those in this DPA.

5  International Transfers

Where Personal Data is transferred outside the EEA, UK, or other jurisdictions requiring adequacy, Processor will ensure such transfers comply with Standard Contractual Clauses or other approved transfer mechanisms.

6  Security Incidents

Processor will notify Controller without undue delay after becoming aware of any Personal-Data Breach and will provide reasonable assistance to remediate and meet breach-notification obligations.

7  Data Retention & Deletion

Upon termination of the Services, Processor will delete or return all Personal Data, unless retention is required by law.

8  Audits

Processor will make available information necessary to demonstrate compliance and allow for audits or inspections conducted by Controller or an independent auditor, subject to reasonable notice and confidentiality undertakings.

9  Liability

The liability of each party under this DPA is subject to the limitations set forth in the main agreement, except as prohibited by data-protection law.

10  Contact

If you have questions about this DPA, contact us at: