Brandstudioz
Legal · Data processing addendum · Last updated April 2026

Data processing addendum

§ 01

Scope

This DPA forms part of the membership terms between Brandstudioz BV and the member organisation. It governs the processing of personal data on behalf of members in connection with use of the members' area.

§ 02

Roles

Members are the data controller for the personal data they introduce into the members' area (team contacts, brief content, attached files). Brandstudioz BV is the data processor for that data.

§ 03

Sub-processors

  • Hetzner Cloud (DE) — primary infrastructure, EU region.
  • Cloudflare (EU) — DNS, CDN, Turnstile bot mitigation.
  • Postmark (EU) — transactional email.
  • Plausible (EU) — privacy-respecting analytics.
  • Tigris EU — encrypted object storage for delivery files.

§ 04

Security measures

  • AES-256 at rest, TLS 1.3 in transit.
  • Single-tenant database per member organisation, isolated by row-level security.
  • Quarterly third-party penetration tests; annual SOC 2 Type II readiness assessment.
  • Bcrypt-hashed invitation codes, single-use, IP-bound sessions.
  • Backups encrypted with rotating keys, restored monthly as part of disaster-recovery drills.

§ 05

Sub-processor changes

Members will be notified at least thirty days before any new sub-processor is engaged, with a right to object.

§ 06

Audit

Members may request an annual audit summary, including the latest penetration test report. Direct on-site audits are scheduled by appointment.

§ 07

Breach notification

Brandstudioz BV will notify affected members within 48 hours of confirming a personal-data breach, with a written incident summary inside ten business days.

§ 08

Contact

[email protected]