Data Processing Agreement

    Last updated: April 21, 2026

    1. Introduction

    This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller" or "you") and RealBlock AI Inc., operating as Brand Kit OS ("Processor," "we," or "us"), for the provision of services as described in our Terms of Service. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to the extent that we process personal data on your behalf.

    2. Definitions

    • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject").
    • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, erasure, or destruction.
    • "Controller" means the entity that determines the purposes and means of the processing of Personal Data.
    • "Processor" means the entity that processes Personal Data on behalf of the Controller.
    • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
    • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

    3. Scope and Purpose of Processing

    The Processor shall process Personal Data solely for the purpose of providing the Brand Kit OS service to the Controller, as described in the Terms of Service and as further instructed by the Controller.

    3.1 Categories of Data Subjects

    • Controller's employees and authorized users
    • Controller's team members and collaborators
    • Individuals whose data is included in brand kit content (e.g., target audience personas)

    3.2 Types of Personal Data

    • Account information: name, email address, profile data
    • Brand kit content: brand assets, text content, uploaded files
    • Usage data: interaction logs, feature usage, session information
    • Authentication data: hashed API keys, OAuth tokens (never stored in plaintext)

    3.3 Duration of Processing

    Processing shall continue for the duration of the service agreement between the Controller and the Processor, plus any retention period required by applicable law.

    4. Obligations of the Processor

    The Processor shall:

    • Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
    • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
    • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
      • Encryption of data in transit (TLS/HTTPS) and at rest
      • SHA-256 hashing of authentication tokens
      • Role-based access controls and user data isolation
      • Rate limiting and request audit logging
      • Regular security assessments and monitoring
    • Not engage another processor without prior specific or general written authorization of the Controller.
    • Assist the Controller in ensuring compliance with obligations related to the security of processing, notification of data breaches, data protection impact assessments, and prior consultations.
    • At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires storage.
    • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA.

    5. Sub-processors

    The Controller provides general authorization for the Processor to engage Sub-processors. The following Sub-processors are currently engaged:

    Sub-processor    | Purpose                                                        | Location
    -----------------|----------------------------------------------------------------|--------------
    Supabase Inc.    | Database hosting, authentication, edge functions, file storage | United States
    Stripe Inc.      | Payment processing and subscription management                 | United States
    Anthropic PBC    | AI processing via MCP server integration                       | United States
    Google LLC       | OAuth authentication, analytics                                | United States

    The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes. All Sub-processors are bound by data processing obligations no less protective than those set out in this DPA.

    6. Data Subject Rights

    The Processor shall assist the Controller in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under GDPR, including:

    • Right of access (Article 15) — Data Subjects may request a copy of their Personal Data.
    • Right to rectification (Article 16) — Data Subjects may request correction of inaccurate data.
    • Right to erasure (Article 17) — Data Subjects may request deletion of their Personal Data.
    • Right to restriction of processing (Article 18) — Data Subjects may request limited processing.
    • Right to data portability (Article 20) — Data Subjects may request their data in a portable format.
    • Right to object (Article 21) — Data Subjects may object to certain types of processing.

    The Processor shall respond to Data Subject requests within 30 days. Requests can be submitted to support@brandkitos.com.

    7. Data Breach Notification

    In the event of a Data Breach, the Processor shall:

    • Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.
    • Provide the Controller with sufficient information to allow the Controller to meet its obligations to report the breach to the relevant supervisory authority and/or affected Data Subjects.
    • Include in the notification:
      • The nature of the Personal Data breach, including the categories and approximate number of Data Subjects and records concerned
      • The likely consequences of the breach
      • The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
    • Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each Data Breach.

    8. International Data Transfers

    Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). Where such transfers occur, the Processor shall ensure appropriate safeguards are in place, including:

    • EU-approved Standard Contractual Clauses (SCCs) as adopted by the European Commission.
    • Reliance on adequacy decisions issued by the European Commission for the recipient country.
    • The EU-U.S. Data Privacy Framework, where applicable.

    The Processor shall ensure that all Sub-processors involved in international transfers provide equivalent levels of data protection.

    9. Data Retention and Deletion

    Upon termination of the service agreement:

    • The Processor shall, at the Controller's choice, delete or return all Personal Data within 30 days of receiving written instructions.
    • The Processor shall delete existing copies of Personal Data unless applicable law requires continued storage.
    • The Processor shall provide written confirmation of deletion upon request.

    During the term of the agreement, the Controller may export their data at any time using the platform's built-in export functionality or via the MCP server API.

    10. Audit Rights

    The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Audits shall be conducted with reasonable prior notice (at least 30 days), during normal business hours, and shall not unreasonably disrupt the Processor's operations.

    11. Liability and Indemnification

    Each party shall be liable for damages caused by processing that infringes the GDPR or this DPA. The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside or contrary to lawful instructions of the Controller. Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service.

    12. Term and Termination

    This DPA shall take effect upon the Controller's acceptance (including via account registration) and shall remain in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller. The obligations imposed on the Processor regarding data deletion and confidentiality shall survive the termination of this DPA.

    13. Governing Law

    This DPA shall be governed by and construed in accordance with the laws applicable to the Terms of Service, except where GDPR or other applicable data protection laws require otherwise. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction specified in the Terms of Service.

    14. Contact Us

    For questions about this Data Processing Agreement or to exercise your rights, please contact us at support@brandkitos.com.
