Data Processing Agreement

How BrieXO processes personal data on your behalf as your processor under UK data protection law.

Last updated: 10 July 2026

1. Parties and incorporation

This Data Processing Agreement (the "DPA") forms part of, and is incorporated into, the Terms of Service (the "Terms") between SFICA Limited (trading as BrieXO), a company registered in England and Wales (company number 15552143, registered office 52 Windsor Court, 3 Pennyroyal Drive, West Drayton, UB7 9GX) ("BrieXO", "we"), and the organisation that registers for or uses the BrieXO platform (the "Customer", "you").

It applies where, in the course of providing the platform, BrieXO processes personal data on the Customer's behalf. In relation to that personal data, the Customer is the controller and BrieXO is the processor. Where the Customer is itself acting as a processor for a third-party controller, BrieXO acts as a sub-processor and this DPA applies accordingly.

You accept this DPA on a click-through basis when you accept the Terms at registration or by first using the platform, whichever happens earlier. No separate signature is required, and this DPA is binding on the parties without one. Where this DPA conflicts with the Terms in relation to the processing of personal data, this DPA prevails.

In this DPA, "UK GDPR", "personal data", "processing", "data subject", "controller", "processor", "personal data breach", and "supervisory authority" have the meanings given to them in the UK GDPR and the Data Protection Act 2018. "Data protection law" means the UK GDPR and, where applicable, the EU GDPR (Regulation (EU) 2016/679), together with all other laws applicable to the processing of personal data under this DPA.

2. Details of the processing (Annex 1)

The subject matter, duration, nature, and purpose of the processing, the types of personal data, and the categories of data subjects are set out in this clause, which constitutes Annex 1 to this DPA.

  • Subject matter. BrieXO's provision of the BrieXO platform to the Customer under the Terms, and the related support and technical services.
  • Duration. The processing continues for the duration of the Customer's subscription term, and thereafter for the limited period necessary to return or delete Customer Data in accordance with clause 9.
  • Nature and purpose. Hosting, storage, organisation, retrieval, display, and transmission of Customer Data; supporting collaboration, workflow, and notification functions; generating reports and exports; and, where the Customer enables them, AI-assisted analysis and generation features. Processing is carried out solely to provide, maintain, secure, and support the platform for the Customer.
  • Categories of data subject. The Customer's employees, workers, contractors, and other personnel; and the Customer's supply-chain and project contacts, including personnel of the Customer's sub-contractors, suppliers, clients, and other project participants.
  • Categories of personal data. Identity and contact data (such as names, job roles, email addresses, and telephone numbers); competence, qualification, and training records; project and task participation records; documents, images, and evidence uploaded to the platform (which may contain personal data); and support and communications data. The Customer controls what personal data it and its users upload, and must not upload special category or criminal-offence data except where the platform is expressly designed to receive it and the Customer has a lawful basis to do so.

3. Processor obligations

BrieXO will process personal data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law that applies to BrieXO; in that case, BrieXO will (unless the law prohibits it) inform the Customer of that legal requirement before processing. The Terms, this DPA, and the Customer's use and configuration of the platform (including the settings, permissions, and features the Customer selects) together constitute the Customer's documented instructions. If BrieXO considers that an instruction infringes data protection law, it will inform the Customer.

BrieXO will ensure that persons authorised to process the personal data are subject to an appropriate duty of confidentiality, whether contractual or statutory, and are bound not to process the personal data except on instructions from BrieXO consistent with this DPA.

Taking into account the nature of the processing and the information available to it, BrieXO will assist the Customer, by appropriate technical and organisational measures and insofar as is possible, in fulfilling the Customer's obligations to respond to requests from data subjects exercising their rights under Chapter III of the UK GDPR. Where BrieXO receives a request from a data subject relating to the Customer's personal data, it will not respond directly (except to confirm that the request has been forwarded), and will forward the request to the Customer without undue delay and in any event within 5 business days of receipt.

Taking into account the nature of the processing and the information available to it, BrieXO will assist the Customer in ensuring compliance with the Customer's obligations under Articles 32 to 36 of the UK GDPR, namely security of processing (Article 32), notification of a personal data breach to the supervisory authority (Article 33) and to affected data subjects (Article 34), data protection impact assessments (Article 35), and prior consultation with the supervisory authority (Article 36).

BrieXO will make available to the Customer all information necessary to demonstrate compliance with the obligations of a processor under Article 28 of the UK GDPR, and will allow for and contribute to audits as set out in clause 8.

4. Security (Annex 2)

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risks to individuals, BrieXO implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. A summary of the measures in place is set out in this clause, which constitutes Annex 2 to this DPA. BrieXO may update these measures from time to time provided that the updated measures do not materially reduce the overall level of security.

  • Hosting location. Customer Data is hosted on infrastructure located in the European Union (Germany).
  • Encryption in transit. Data transmitted between users and the platform is protected using Transport Layer Security (TLS).
  • Encryption at rest. Customer Data stored by the platform is encrypted at rest.
  • Access control. Access to Customer Data is governed by role-based, tenant-scoped access controls, so that users can access only the data belonging to their own organisation and only to the extent permitted by their assigned role.
  • Audit logging. The platform records audit logs of relevant security and administrative events.
  • Backups. Customer Data is backed up to support recovery and business continuity.
  • Environment separation. Staging and production environments are maintained separately.
  • Vulnerability management. BrieXO carries out vulnerability management to identify and remediate security issues in the platform and its supporting infrastructure.

BrieXO does not currently hold ISO 27001, SOC 2, or any other security certification, and this DPA makes no such certification claim. The measures described above reflect the controls actually deployed for the platform.

5. Sub-processors

The Customer gives BrieXO general written authorisation to engage sub-processors to process personal data in connection with the platform. BrieXO maintains an up-to-date list of its current sub-processors, together with the processing each performs, at /legal/subprocessors.

Where BrieXO engages a sub-processor to carry out specific processing activities on the Customer's behalf, it will impose on that sub-processor, by contract, data protection obligations that are substantially the same as those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. BrieXO remains fully liable to the Customer for the performance of each sub-processor's obligations.

BrieXO will give the Customer at least 30 days' advance notice of the addition or replacement of any sub-processor, by updating the list at /legal/subprocessors and by email to the Customer's registered contact. If the Customer reasonably objects to a new sub-processor on data protection grounds within that notice period, the parties will discuss the objection in good faith; if it cannot be resolved, the Customer's sole remedy is to terminate the affected features or, where the sub-processor is essential to the platform, the affected subscription.

6. International transfers

Personal data processed under this DPA is processed primarily within the United Kingdom and the European Economic Area. BrieXO will not transfer personal data to a country outside the United Kingdom or the EEA that does not benefit from an adequacy decision unless it has put in place an appropriate transfer mechanism required by data protection law.

Where such a transfer is necessary, it will be made on the basis of the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, and, where the EU GDPR applies, the EU Standard Contractual Clauses, together with any supplementary measures required to ensure an adequate level of protection. The relevant transfer mechanism is incorporated into this DPA by reference in respect of any such transfer.

7. Personal data breach notification

BrieXO will notify the Customer without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting the Customer's personal data.

The notification will, to the extent known to BrieXO and taking into account the information available to it, describe the nature of the personal data breach (including, where possible, the categories and approximate number of data subjects and personal data records concerned), the likely consequences of the breach, and the measures taken or proposed to address it and mitigate its possible adverse effects. Where BrieXO cannot provide all of this information at once, it may provide it in phases without undue further delay. BrieXO will co-operate with the Customer and take reasonable steps to assist the Customer in investigating, mitigating, and remediating the breach.

8. Audit

BrieXO will make available to the Customer the information necessary to demonstrate compliance with its obligations under Article 28 of the UK GDPR and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.

The Customer may exercise this audit right no more than once in any 12-month period (except where required by a supervisory authority or following a personal data breach), on at least 30 days' written notice. In the first instance, an audit right is satisfied by BrieXO providing relevant documentation, policies, and any available reports. An on-site inspection may be carried out only where such documentation and reports are insufficient to demonstrate compliance, must be conducted during normal business hours in a manner that does not disrupt BrieXO's operations, is subject to appropriate confidentiality obligations, and must not provide access to the personal data or confidential information of any other customer. The Customer bears its own costs and BrieXO's reasonable costs of any on-site inspection.

9. Return and deletion of personal data

Following termination or expiry of the Terms, the Customer may export its Customer Data (including personal data) during a 30-day period beginning on the date of termination or expiry, which is consistent with section 9 of the Terms of Service. Export is available via the platform's export features or, on written request, as a copy provided in a commonly used, machine-readable format.

After the end of that 30-day export window, BrieXO will delete the personal data it processes on the Customer's behalf from its active production systems within 60 days, and will ensure that the personal data is removed from routine backups within a further 90 days through the ordinary backup rotation cycle. Until backups are overwritten in the ordinary course, any personal data retained in them remains subject to the security measures in clause 4 and is not actively processed.

BrieXO is not required to delete personal data to the extent that, and for so long as, it is required to retain a copy by law that applies to it. Where any such retention applies, BrieXO will retain the personal data only for the period and purpose required by that law, will continue to protect it in accordance with clause 4, and will delete it once the retention requirement no longer applies.

10. Liability and governing law

Each party's liability arising out of or in connection with this DPA is subject to, and counts towards, the limitations and exclusions of liability set out in the Terms of Service, section 11. Nothing in this DPA excludes or limits either party's liability to the extent it cannot be excluded or limited under data protection law or other applicable law.

This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter are governed by the law of England and Wales, and the courts of England and Wales have exclusive jurisdiction, in each case as set out in the Terms of Service.

Entity: SFICA Limited (trading as BrieXO)

Registered: England and Wales — company number 15552143

Registered office: 52 Windsor Court, 3 Pennyroyal Drive, West Drayton, UB7 9GX

ICO: Registered with the Information Commissioner's Office

Privacy enquiries: privacy@sfica.co.uk

Support: support@briexo.com