Start free trial
FeaturesPricingCompareDocs Start free trial — no card Start free as a Collector
Legal

Data Processing Addendum

Last updated: June 6, 2026

This Data Processing Addendum (“DPA”) supplements the Brick Pulse Terms of Service (the “Agreement”) between Brick Pulse, LLC (“Brick Pulse,” “Processor”) and the customer agreeing to it (“Customer,” “Controller”). It applies where Brick Pulse processes Personal Data on Customer's behalf in connection with the Service and where data protection laws such as the GDPR or UK GDPR apply. If there is a conflict between this DPA and the Agreement on data protection, this DPA controls. To put this DPA in place for your account, contact [email protected].

1. Definitions

“Data Protection Laws” means all laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, and applicable U.S. state privacy laws. “Personal Data,” “processing,” “controller,” “processor,” “data subject,” and “personal data breach” have the meanings given in the GDPR. “Sub-processor” means a third party engaged by Brick Pulse to process Personal Data.

2. Roles and Scope

For Personal Data that Brick Pulse processes on Customer's behalf to provide the Service (such as the inventory, listing, order, and related marketplace data Customer syncs, and any buyer information contained in it), Customer is the Controller and Brick Pulse is the Processor. For Brick Pulse's own account, billing, and usage data, Brick Pulse is an independent controller as described in its Privacy Policy. The details of the processing are set out in Schedule 1.

3. Customer Instructions

Brick Pulse will process Personal Data only on Customer's documented instructions — including as set out in the Agreement and this DPA, and as needed to provide and secure the Service — unless required by law (in which case Brick Pulse will inform Customer unless legally prohibited). Customer is responsible for ensuring that its instructions and its use of the Service comply with Data Protection Laws and that it has a lawful basis for the processing.

4. Confidentiality

Brick Pulse will ensure that people authorized to process the Personal Data are bound by appropriate confidentiality obligations.

5. Security

Brick Pulse will implement appropriate technical and organizational measures to protect Personal Data, as described in Schedule 2, taking into account the state of the art, the costs of implementation, and the nature, scope, and purposes of processing.

6. Sub-processors

Customer provides general authorization for Brick Pulse to engage the Sub-processors listed in Schedule 3 (and at brickpulse.app/subprocessors). Brick Pulse will impose data protection obligations on each Sub-processor that are no less protective than this DPA and remains responsible for their performance. Brick Pulse will give Customer notice of any intended addition or replacement of a Sub-processor (for example, by updating the Sub-processors page or by email), and Customer may object on reasonable data protection grounds within 14 days, after which the parties will work in good faith to address the concern.

7. Data Subject Requests

Taking into account the nature of the processing, Brick Pulse will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights. If Brick Pulse receives such a request directly, it will, where permitted, refer the data subject to Customer.

8. Assistance

Brick Pulse will provide reasonable assistance to Customer with data protection impact assessments, prior consultations with supervisory authorities, and the security and breach obligations under Data Protection Laws, taking into account the information available to Brick Pulse.

9. Personal Data Breach

Brick Pulse will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer's Personal Data and will provide information reasonably available to it to help Customer meet its own notification obligations.

10. Deletion or Return

On termination of the Service, Brick Pulse will delete or, if requested, return Customer's Personal Data within the timeframe described in its Privacy Policy (generally within 30 days), except where retention is required by law.

11. Audits

Brick Pulse will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor it mandates, subject to reasonable confidentiality and security limits and on reasonable prior notice. Providing relevant documentation will normally satisfy this obligation.

12. International Transfers

Where Brick Pulse processes Personal Data subject to the GDPR or UK GDPR in a country without an adequacy decision, the parties agree that the European Commission's Standard Contractual Clauses (and, for UK data, the UK International Data Transfer Addendum) are incorporated into this DPA and apply, with the module and elections set out in Schedule 4.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

Schedule 1 — Details of Processing

  • Subject matter: Provision of the Brick Pulse inventory-management and synchronization Service.
  • Duration: For as long as Customer uses the Service, plus any retention period in the Privacy Policy.
  • Nature and purpose: Hosting, storing, reading, writing, and synchronizing inventory and related data across connected marketplaces.
  • Types of Personal Data: Identifiers and contact details contained in marketplace order and listing data (for example, buyer names, addresses, and order details), and Customer's account contact data.
  • Categories of data subjects: Customer's buyers and customers, and Customer's authorized users.

Schedule 2 — Technical and Organizational Measures

  • Encryption of sensitive data in transit (TLS) and of marketplace credentials at rest (for example, AES-256-GCM).
  • Access controls and least-privilege access to production systems.
  • Network and application security controls provided through Cloudflare.
  • Logging and monitoring for security and troubleshooting.
  • Secure software-development and secrets-management practices.
  • Periodic review of security measures.

Schedule 3 — Authorized Sub-processors

As listed at brickpulse.app/subprocessors (currently Cloudflare, Stripe, Resend, Rebrickable, and Brickognize), each engaged for the purpose stated there.

Schedule 4 — Standard Contractual Clauses Elections

  • Module: Module Two (Controller-to-Processor) applies, with Brick Pulse as “data importer” and Customer as “data exporter.”
  • Clause 7 (docking clause): applies.
  • Clause 9 (sub-processors): Option 2 (general written authorization), with the notice period in Section 6 of this DPA.
  • Clause 11 (redress): the optional independent dispute-resolution language does not apply.
  • Clause 17 (governing law): the law of Ireland.
  • Clause 18 (choice of forum): the courts of Ireland, without prejudice to data subjects' rights.
  • UK transfers: the UK Addendum applies, treating the SCCs as the “Approved EU SCCs.”

Contact

[email protected]