Data Processing Addendum (DPA)

Last revised 2025-01-08

This Data Processing Addendum (“DPA”) forms a part of the Terms between BrainFreeze and You to the extent You are a legal entity or operating a business. If You are a natural person, this DPA does not apply. If applicable, this DPA is incorporated into the Terms by reference and describes the Parties’ obligations regarding the Processing of Personal Information. You enter into this DPA on behalf of Yourself and, to the extent required under Applicable Data Protection Laws, in the name of and on behalf of Your Authorized Affiliates, if and to the extent that BrainFreeze Processes Personal Information for such Authorized Affiliates that qualify as a Controller. BrainFreeze is acting as a Service Provider and Processor. All capitalized terms not defined shall have the meanings provided in the Terms. In the event of a conflict between the terms of the Terms and the DPA, this DPA shall prevail.

1. Definitions.

“Affiliates” means any legal entity controlling, controlled by or under common control with a party to this DPA, for so long as such Control relationship exists.

“Authorized Affiliates” means Your Affiliates that, if agreed upon by BrainFreeze, are authorized to utilize the Services as Accounts pursuant to the Terms.

“Applicable Data Protection Law(s)” means any applicable law, ordinance, statute, regulation, or other binding restriction to which the Personal Information is subject, including but not limited to CCPA, GDPR, UK GDPR, Data Protection Act 2018 and Non-EU Data Protection Laws, and all amendments thereof.

“Control” means the ownership of more than 50% of the applicable entity or the ability in fact to direct the management decisions of such entity.

“Your Personal Information” means Personal Information belonging to You or Your Accounts that is processed by BrainFreeze in the course of providing the Services under the Terms.

“Data Controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Information.

“Data Subject” has the meaning assigned to the term “data subject” or “consumer” under Applicable Data Protection Laws and shall include identified or identifiable natural persons to whom the Personal Information relates.

“GDPR” means the EU General Data Protection Regulation 2016/679.

“Non-EU Data Protection Laws” means US state comprehensive privacy laws, including but not limited to the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any implementing regulations or guidance provided by the California Attorney General (“CCPA”) and Canada’s Personal Information Protection and Electronic Documents Act, S.C., 2000, ch. 5 (“PIPEDA”) and any provincial legislation deemed substantially similar to PIPEDA pursuant to the procedures set forth within PIPEDA, and all amendments to the CCPA, PIPEDA and similar legislation, as they may be enacted, from time to time.

“Personal Information” means any data provided by You or Your Authorized Affiliates to BrainFreeze that identifies or, alone or in combination with any other data, could reasonably be used to identify, locate, or contact a natural person or household, or any other information that is considered “personally identifiable information,” “personal information,” “personal data,” or other similar terms under Applicable Data Protection Laws, but does not include data or information that is publicly available within the meaning of such section or that has been de-identified within the meaning of Applicable Data Protection Laws.

“Process” or “Processing” means any operation or set of operations that are performed upon Personal Information, whether or not by automatic means, such as collection, accessing, processing, use, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, transmittal, alignment or combination, blocking, erasure, destruction or otherwise used as set out in the Applicable Data Protection Laws.

“Security Incident” means any situation in which BrainFreeze confirms that Personal Information under its direct control has been accessed, acquired, disclosed, altered, lost, destroyed, or used by unauthorized persons in an unauthorized manner having a material impact on You or Your Affiliates or on Data Subject rights.

“Sell,” “selling,” “sale,” or “sold” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Data Subject’s Personal Information to a third party for monetary or other valuable consideration.

“Share”, “sharing”, or “shared” means the provision of Personal Information to support targeted advertising across unaffiliated websites based on online behavioral profiling.

“Service Provider” means an entity that processes information on behalf of You and to which You disclose a Data Subject’s Personal Information for a business purpose pursuant to a written contract.

“Sub-Processor(s)” means any third-party service provider of BrainFreeze and to whom BrainFreeze provides or makes available Personal Information for Processing to be carried out on behalf of You or Your Authorized Affiliates. For clarity, Sub-processors do not include Third-Party Services with whom You or Your Authorized Affiliates direct BrainFreeze to interact or disclose Personal Information. BrainFreeze may disclose Personal Information to such Third-Party Services, and BrainFreeze shall have no responsibility for the use of any Personal Information by any such third parties.

2. Service Provider Relationship; Restrictions and Use of Personal Information.

You appoint BrainFreeze as a Service Provider of Personal Information and are disclosing Personal Information to BrainFreeze in that capacity exclusively for the execution of Services detailed in the Terms. You and Your Authorized Affiliates agree that BrainFreeze may use Personal Information for purposes of performing its obligations under the Terms and as otherwise contemplated in the Terms. BrainFreeze agrees: (i) anyone handling Personal Information will be subject to a duty of confidentiality; (ii) it will promptly notify You upon determining BrainFreeze can no longer meet its obligations under relevant Applicable Data Protection Laws or this DPA; (iii) it will not retain, use, or disclose Personal Information for any purpose not permitted by the Terms or Applicable Data Protection Laws; (iv) it will not Sell or Share Personal Information; (v) it will not combine or update Personal Information received in connection with performing Services under the Terms and this DPA with Personal Information BrainFreeze receives from another source; and (vi) it will not attempt to or actually re-identify any aggregated, de-identified, or anonymized Your Data.

3. Your Obligations.

You and Your Authorized Affiliates warrant that they: (i) will comply with obligations under Applicable Data Protection Laws, including applicable obligations as a Data Controller; (ii) have provided all notices and obtained all consents and rights necessary under Applicable Data Protection Laws for BrainFreeze to Process Personal Information and provide the Services; (iii) will ensure that there is at all times a sufficient legal basis for BrainFreeze’s Processing as permitted under this DPA; and (iv) will limit the provisioning of Personal Information to BrainFreeze only to the amount and kinds of data adequate, relevant, and necessary for performing the Services. Without limiting any payment obligations under the Terms, You shall immediately notify BrainFreeze and cease use of the Services in the event any required authorization or legal basis for Processing is revoked or terminated, or, for notification purposes only, promptly notify BrainFreeze if it discovers any unauthorized access to Your Data.

4. Privacy Inquiries and Requests.

You are responsible for handling any Privacy Inquiry and Privacy Request (as defined below) from Data Subjects with respect to their Personal Information Processed by BrainFreeze. BrainFreeze agrees to assist You and provide You the information and assistance required under Applicable Data Protection Laws to enable You to respond to: (i) questions or complaints received from Data Subjects regarding Personal Information (“Privacy Inquiry”); and (ii) requests from Data Subjects exercising their rights in Personal Information granted to them under Applicable Data Protection Laws (“Privacy Request”). BrainFreeze will respond within a reasonable time which permits You to respond to the Privacy Inquiry or Privacy Request in accordance with the timelines set forth in Applicable Data Protection Laws. If BrainFreeze is directly contacted with a Privacy Inquiry or Privacy Request, BrainFreeze will promptly forward such inquiry to You. You shall inform BrainFreeze of any Data Subject request made pursuant to Applicable Data Protection Laws with which BrainFreeze is required to comply and will provide all reasonable information necessary for BrainFreeze to comply with the request. Privacy-related requests may be submitted to [email protected]. If You are a parent or legal guardian of a child 12 years or younger, You have the right to review, confirm, and erase such child’s personal information BrainFreeze collects when providing the Services.

5. Data Protection Impact Assessment.

Taking into account the Services provided and the information available to BrainFreeze, BrainFreeze shall cooperate with You, at Your expense, to enable You to conduct data protection impact assessment(s) required for You to comply with Applicable Data Protection Laws.

6. Security.

BrainFreeze has implemented and shall maintain reasonable and appropriate technical and organizational measures designed to protect Personal Information from a Security Incident and to protect the rights of the relevant Data Subjects as defined in Applicable Data Protection Laws. Such security measures are further detailed in the attached Annex II.

7. Security Incident.

Upon becoming aware of a Security Incident, BrainFreeze will inform You without undue delay and provide timely information to enable You to timely fulfill Your reporting obligations required under Applicable Data Protection Laws. If the Security Incident was caused by BrainFreeze, BrainFreeze shall further take reasonable measures to remedy or mitigate the effects of the Security Incident and will keep You reasonably informed of such measures.

8. Audits.

Upon Your written request, and subject to the confidentiality obligations set forth in the Terms, BrainFreeze shall make available to You or, subject to BrainFreeze’s approval, Your independent, third-party auditor (provided You remain responsible for an approved auditor’s compliance with the confidentiality obligations in the Terms) information regarding BrainFreeze’s compliance with the obligations set forth in this DPA in the form of, at BrainFreeze’s option, (i) answering a security questionnaire, or, as available, (ii) providing any available third-party certifications and audits. BrainFreeze shall respond within a reasonable timeframe to Your request for documentation that verifies that it no longer retains or uses Personal Information that has been subject to a valid deletion request by You.

9. Deletion or Return of Data.

Upon termination or expiry of the Terms, BrainFreeze may delete Your Data pursuant to the Terms, or, subject to You paying applicable fees, return Your Data to You, unless retention is required by law. You acknowledge that BrainFreeze is not a system of record and, accordingly, You will maintain Your own copies of Your essential business records.

10. Sub-processor(s).

You hereby provide general authorization to BrainFreeze to engage third party Sub-processors to Process any Personal Information, with the current list of Sub-processors shown in the attached Annex III (“Sub-Processor Table”). BrainFreeze will impose data protection terms on any Sub-processor it appoints designed to protect the Personal Information with substantially the same standard provided for by this DPA. BrainFreeze may make changes to its Sub-Processors in its sole discretion, provided: (i) it shall inform You of any intended changes concerning its Sub-Processors; and (ii) You may object in writing to BrainFreeze’s appointment of a new Sub-Processor within thirty (30) days of such appointment so long as the objection is based on reasonable data privacy or security concerns. BrainFreeze will not use a new Sub-Processor until such thirty (30) days have passed (except in the event of an emergency). If You submit an objection to a new Sub-Processor, the Parties will work together to find an agreed upon solution. If no solution is agreed upon within the thirty (30) day period, You may terminate the Terms.

11. International Transfers.

If BrainFreeze Processes, accesses, or stores Personal Information in a third country (as defined in the GDPR and UK GDPR), then the Parties agree that, and only to the extent applicable, the Standard Contractual Clauses for the transfer of Personal Information to data processors established in third countries set out in the Commission Decision of 5 February 2010 (C(2010) 593), as amended by EU Commission Implementing Decision 2021/914 of 4 June 2021, and as may be further amended from time to time (“SCCs”) shall be deemed agreed and incorporated herein by reference, and if applicable, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0, in force March 21, 2022 (“UK Addendum”), applies to the relevant exports from the United Kingdom (with Tables 1-3 being interpreted in accordance with the SCCs Controller to Processor (Module 2); Table 2 being the “version of the Approved EU SCCs which this Addendum is appended to” option is selected; and Table 4 having the Importer and Exporter selected) shall also apply. If one or both of the foregoing are not applicable or Applicable Data Protection Laws require a different approach, the Parties agree that they will work together in good faith to ensure the protection of the Personal Information being transferred meets applicable requirements. To the extent that BrainFreeze and You are relying on a specific statutory mechanism to normalize international data transfers, and that mechanism is subsequently revoked or held in a court of competent jurisdiction to be invalid, BrainFreeze will, in good faith, pursue a suitable alternate mechanism that can lawfully support the transfer.

12. Data Localization Restrictions.

Notwithstanding anything to the contrary in the Terms (including this DPA), You shall not use or access the Services in a manner that would require Your Data or Personal Information to be hosted in or localized to a specific country pursuant to such country’s Applicable Data Protection Laws.

13. Artificial Intelligence Governance.

The Parties acknowledge laws and regulations relating to artificial intelligence use and provisioning are often being proposed, implemented, and changed (“AI Regulations”). If AI Regulations cause this DPA to be invalid, the Parties agree to work together in good faith to amend this DPA so that it is compliant with AI Regulations. If AI Regulations cause BrainFreeze to be unable to provide the Services, either Party may terminate the Terms provided such a termination will not relieve either Party’s obligations or liabilities incurred up to the date of the termination.

14. Miscellaneous.

You may request BrainFreeze to accept additional data privacy terms necessary to address Applicable Data Protection Laws. If BrainFreeze does not agree to such additional data privacy terms, BrainFreeze may terminate the DPA without penalty on thirty (30) days’ written notice. Except as amended by this DPA, all terms and conditions of the Terms shall remain in full force and effect. Nothing in this DPA or the Terms relieves You of Your own direct responsibilities and liabilities under Applicable Data Protection Laws.

Annex I: Description of Transfers

Categories of data subjects whose personal data is transferred

Data exporter may submit Personal Information into the BrainFreeze Service, the extent of which is determined and controlled solely by the data exporter, and which may include, but is not limited to Personal Information relating to the following categories of data subjects:

Data exporter’s employees, contractors, representatives, agents, and other individuals whom data exporter allows and is permitted to use the BrainFreeze Service, as well as Personal Information relating to the data exporter’s partners, Accounts, vendors, and other categories as otherwise contemplated by the Terms.

Categories of personal data transferred

Data exporter may submit Personal Information to the Services, the extent of which is determined and controlled solely by data exporter, and which may include, but is not limited to the following Personal Information:

First and last name, contact information such as address, telephone number, and email address, IP address, user identifier, and other categories as otherwise contemplated by the Terms. Data exporter is prohibited from inputting any Personal Information of a child that is 15 years old or younger.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Sensitive Personal Information is not contemplated in the Terms.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous basis until termination or expiration of the Terms.

Nature of the processing

The performance of the Services pursuant to the Terms.

Purpose(s) of the data transfer and further processing

The performance of the Services pursuant to the Terms.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For the duration of the Terms until it is deleted in accordance with the Terms.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As stated above, and as may be further detailed in the Sub-Processor Table made available and updated by BrainFreeze from time to time.

ANNEX II: Security Measures

TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

BrainFreeze’s information security program, as established through its internal controls and procedures, is designed to ensure: (i) Your Data BrainFreeze processes is protected against accidental, unlawful, or unauthorized loss, access, or disclosure; (ii) reasonably foreseeable risks relating to security and unauthorized access are identified and protected against; and (iii) security risks are minimized by implementing, maintaining, and regularly assessing such controls.

Access Controls

BrainFreeze uses access control management: (i) governing the security of BrainFreeze’s information, networks, applications, and systems aimed to prevent unauthorized access to such items; and (ii) relating to BrainFreeze’s networks, applications, and systems to ensure only authorized users access appropriate information based on their role and to prevent unauthorized access to the same.

Encryption and Key Management

All encryptions for data and relating to key management shall be end-to-end and be performed in accordance with industry standards, including NIST SP 800-57. The below represents BrainFreeze’s encryption methods for at-rest and in-transit data.

  • At-Rest: AES 256-bit symmetric encryption
  • In-Transit: TLS 1.2 (minimum)

Asset Management

BrainFreeze appropriately identifies and classifies its assets to ensure their security and integrity. Protection levels are established pursuant to the corresponding asset’s importance and exposure to sensitive information, and are designed to prohibit unauthorized disclosures, loss, damage, or destruction of information in relation to the asset.

Contingency Planning

BrainFreeze has ensured that redundancy controls to eliminate single points of failure and minimize the impact of possible physical and environmental risks are instituted. It also may use Business Continuity and Disaster Recovery Plans to help ensure the Services’ continuity.

Security Incident Response

BrainFreeze minimizes a security incident’s impact, including as it relates to the availability and confidentiality of the Services through its security processes. These processes help BrainFreeze to efficiently respond, mitigate, handle, and communicate issues relating to a security incident.

Risk Management

  • Internal – BrainFreeze manages potential risks, including conducting risk assessments and corresponding mitigation efforts regarding loss, unavailability, damage, or unauthorized access to BrainFreeze’s information, networks, or controls when necessary.
  • External (Including System Governance) – BrainFreeze vets its vendors to establish appropriate security measures, including contract reviews to ensure appropriate controls and systems are in place and conducting due diligence to effectively on-board and off-board BrainFreeze vendors. Once a vendor is on-boarded, BrainFreeze has instituted policies relating to the monitoring, developing, and supporting of the on-boarded systems and solutions.

Security Controls

  • Network – BrainFreeze protects its network generally, including protecting the transferring of information, network security, segregated networks, and network services as information is processed and transferred.
  • Operational – BrainFreeze ensures the secure management of its information technology systems relating to system integrity, protecting against the exploitation of technical vulnerabilities, malware, and data loss, and standardizing backups, logging, installations, and change management.
  • Physical – BrainFreeze protects against physical and environmental threats by identifying security and access controls regarding personnel, visitors, equipment, secure/controlled areas, threat detection, destruction of data, and documentation and organization management to prohibit unauthorized access and the loss or damage to BrainFreeze’s systems, data, and operations.
  • Personnel – BrainFreeze ensures its hiring standards and procedures include appropriate vetting of prospective personnel or contractors, background check requirements, and the use of appropriate confidentiality and employment or contractor-related terms. BrainFreeze ensures on-going security and data privacy training is given to personnel or contractors’ personnel (where applicable) to protect BrainFreeze’s systems, networks, and controls during the entire employment or contractor lifecycle.

Annex III: Sub-Processor Table

  • Sub-Processor: Airia LLC
  • Services Provided: Web and mobile application services
  • Location*: USA
  • Contact Information: Airia LLC. Headquarters: 233 1st Street, Miami Beach, FL 33139. Mailing address: PO Box 190778, Miami Beach, FL, 33119. Email: [email protected]