Briefton Legal · Briefton OY

Data Processing Agreement

Last updated 25 May 2026.

This is a first-version policy for our beta. It reflects how Briefton works today and common SaaS practice, but it is not legal advice and should be reviewed by qualified counsel before general availability.

This Data Processing Agreement ("DPA") forms part of the agreement between a business customer ("Customer", "Controller") and Briefton OY ("Briefton", "Processor") when Customer uses Briefton to process personal data on Customer's behalf — typically CRM records synced from HubSpot, meeting content submitted to Scribe, and WhatsApp delivery metadata for Customer's sales team. Charter and enterprise customers may execute this DPA by reference to the Terms of Service; contact us for a countersigned copy.

1. Definitions

Terms used here have the meanings in applicable data protection law (including GDPR where relevant).

"Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Sub-processor" are used as defined in GDPR Article 4 unless context requires otherwise.

"Customer Instructions" means documented configuration in the Briefton product, written email instructions, and the documented features of the service (HubSpot sync, brief delivery, CRM write-back, Scribe transcription).

2. Roles and scope

Customer is the Controller for CRM data, contact records, and meeting content belonging to Customer's business.

Briefton is the Processor for that data and processes it only to provide the service, maintain security, and comply with law.

Briefton is an independent Controller for account, authentication, billing, product analytics, and operational logs as described in the Privacy Policy.

3. Processing instructions

Briefton will process Personal Data only on documented Instructions from Customer, unless required by EU or Member State law — in which case Briefton will inform Customer unless prohibited.

Customer is responsible for ensuring Instructions comply with applicable law and that it has a lawful basis to share data with Briefton and connected Sub-processors (HubSpot, Twilio, OpenAI, hosting providers).

4. Confidentiality and personnel

Briefton ensures that persons authorized to process Personal Data are bound by confidentiality obligations.

Access to production data is limited to personnel who need it for support, security, or engineering, and is logged where technically feasible.

5. Security measures

Briefton implements appropriate technical and organizational measures, including encryption in transit, encrypted storage for sensitive tokens and phone numbers, row-level security separating rep-private coaching from manager views, and regular dependency patching.

Details are summarized at briefton.com/security. Customer may request a security questionnaire or review call for Charter deployments.

6. Sub-processors

Customer authorizes Briefton to engage Sub-processors needed to operate the service. Current categories include:

  • Cloud hosting and workflow runtime (Vercel)
  • Database and authentication (Supabase)
  • CRM integration (HubSpot — Customer's own tenant)
  • WhatsApp delivery (Twilio)
  • Speech and language models (OpenAI via Briefton's LLM layer)
  • Email delivery (transactional provider)
  • Optional error monitoring (Sentry, when enabled)
  • Optional distributed rate limiting (Upstash, when enabled)

7. Data subject requests

Briefton will assist Customer, taking into account the nature of processing, in responding to Data Subject requests to exercise rights under applicable law.

Where a Data Subject contacts Briefton directly about CRM data, Briefton will redirect them to Customer when appropriate.

Reps may use in-product export and delete tools for their own account data as described in the Privacy Policy.

8. Personal data breach

Briefton will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Personal Data, and will provide information reasonably available to assist Customer in meeting its breach-notification obligations.

9. Return and deletion

Upon termination of the service, Briefton will delete or return Customer Personal Data within a reasonable period, except where retention is required by law or for backup cycles (typically up to 30 days).

Aggregated, anonymized metrics may be retained.

10. Audits and information

Briefton will make available information necessary to demonstrate compliance with this DPA and allow for audits mandated by applicable law, subject to reasonable notice, confidentiality, and frequency limits.

Questions and DPA execution requests: hello@briefton.com.
