Data Processing Agreement

Standard DPA for Brogilvy customers under GDPR Art. 28. Effective May 28, 2026. Terms. Privacy.

1. Parties

Processor: Valued BV / Markomatic, Belgium (“Brogilvy”).
Controller:The legal entity that signed up for Brogilvy and accepted the Terms of Service (“Customer”).

2. Subject matter & duration

This DPA governs Brogilvy's processing of personal data on behalf of Customer in connection with the Brogilvy service. Duration: for as long as Customer's Brogilvy subscription is active, plus the retention periods set out in our Privacy Policy.

3. Nature & purpose of processing

Brogilvy processes Customer's prompts, brand context, conversation history, and the AI-generated outputs derived from them, in order to: (a) generate the content Customer asks for, (b) store and display it back to Customer, (c) bill Customer based on usage, (d) operate, secure, and improve the service.

4. Categories of data + data subjects

Data subjects:Customer's authorized users (typically employees / contractors), and any individuals named in Customer's prompts or brand context.

Data categories: identification data (email, name), workspace content (prompts, conversations, artifacts, inventory items, brand context fields), and usage metadata (timestamps, token counts, cost cents).

Customer is responsible for not submitting special-category data (Art. 9 GDPR — health, race, religion, biometric, etc.) into Brogilvy. Brogilvy is not designed for such data and may not have the safeguards your jurisdiction requires.

5. Obligations of the processor (Art. 28(3))

Brogilvy will:

• (a) Process only on documented instructions. Customer's instructions are the Terms of Service + this DPA + reasonable in-app actions.
• (b) Confidentiality. Anyone with access (employees, contractors, sub-processors) is bound by written confidentiality.
• (c) Security. Technical + organizational measures as set out in our Privacy Policy §7 (TLS, encryption-at-rest, RLS, Clerk OIDC, env-var secret management, sub-processor due diligence).
• (d) Sub-processors. The current list is in our Privacy Policy §4. We'll give 30 days' notice before adding a new sub-processor; you can object and terminate if you can't accept the new processor.
• (e) Assistance with data-subject rights. We help Customer respond to access / rectification / erasure / portability requests (typically by giving the requestor read access to their own workspace).
• (f) Breach notification. We notify Customer within 72 hours of becoming aware of a personal data breach affecting Customer's data.
• (g) DPIAs + audits. We help with Customer's DPIAs and submit to reasonable annual audits (1× per year, agreed in writing).
• (h) Deletion / return on termination. On account deletion, all Customer data is removed from production within 30 days, backups within 90.
• (i) Demonstrate compliance. We share security documentation on request.

6. International transfers

Brogilvy stores Customer's primary data in the EU (Supabase eu-central-1). The AI processing itself happens on Anthropic infrastructure in the US, as do several other sub-processors (see Privacy §4).

All US transfers rely on EU-approved Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework (DPF). Where a sub-processor is DPF-certified, we rely on that; where not, we have SCCs in place.

7. Sub-processor list

See the table in our Privacy Policy §4. We notify by email at least 30 days before adding a new sub-processor. If you object, you can terminate your subscription for cause.

8. Liability

Each party is liable for damages caused by its non-compliance with GDPR. The liability cap in our Terms of Service §9 (12-month fees) applies, except where Belgian / EU law mandates otherwise.

9. Governing law

Belgian law. Disputes go to the courts of Ghent, Belgium.

10. Conflicts

If anything in this DPA conflicts with the Terms of Service, this DPA wins for data-processing matters. For everything else (billing, IP, acceptable use), the Terms win.

Last updated May 28, 2026. Need a signed copy? kasper@valued.be.