Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the BringBucket Terms of Service between BringBucket, Inc. ("BringBucket") and the individual or legal entity accessing the Service ("Customer"), and governs the processing of personal data in connection with the BringBucket file management service.

For the purposes of applicable data protection law, including the EU General Data Protection Regulation (GDPR) and the UK GDPR where applicable:

• Customer is the Data Controller — the entity that determines the purposes and means of processing personal data.
• BringBucket is the Data Processor — the entity that processes personal data on behalf of, and under the instructions of, the Controller.

This DPA supplements the Terms of Service and Privacy Policy. In the event of any conflict between this DPA and those documents with respect to data processing, this DPA shall prevail.

BringBucket processes personal data only as necessary to provide the Service. The details of processing are as follows:

• Categories of data subjects — Registered users of the Customer's BringBucket workspace.
• Types of personal data processed — Account identifiers (name, email address), usage logs (feature interactions, timestamps, IP addresses), and encrypted storage credentials (cloud access keys and secrets, stored exclusively in encrypted form).
• Purpose of processing — Providing and operating the BringBucket file management interface, including authentication, workspace management, storage operations, billing, and customer support.
• Duration of processing — For the term of the Customer's active service agreement with BringBucket, plus any post- termination retention period required by applicable law or as described in the Privacy Policy (maximum 90 days following account deletion).

BringBucket agrees to the following obligations as Data Processor:

• Process personal data only on the Customer's documented instructions, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by applicable law.
• Ensure that all persons authorized to process the personal data have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
• Implement and maintain appropriate technical and organizational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
• Assist the Customer, to the extent reasonably practicable, in fulfilling the Customer's obligation to respond to requests from data subjects exercising their rights under applicable data protection law.
• Notify the Customer without undue delay upon becoming aware of a personal data breach affecting data processed under this DPA.
• Make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations in this DPA, and allow for audits and inspections.
• At the choice of the Customer, delete or return all personal data to the Customer after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage.

The Customer provides general authorization for BringBucket to engage sub-processors in connection with the Service. BringBucket will inform the Customer of any intended changes concerning the addition or replacement of sub-processors, giving the Customer opportunity to object. Current authorized sub-processors:

All current BringBucket sub-processors are based in the United States. Transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to these sub-processors are made pursuant to the Standard Contractual Clauses (SCCs) approved by the European Commission, or the equivalent mechanism applicable under UK data protection law.

BringBucket will not transfer personal data to any new sub-processor in a third country without ensuring an adequate data transfer mechanism is in place, and will update this DPA accordingly.

BringBucket maintains the following technical and organizational measures to protect personal data:

• Encryption at rest — All storage credentials and sensitive personal data are encrypted using AES-256-GCM. Encryption keys are stored separately from encrypted data.
• Encryption in transit — All data transmitted between clients and BringBucket servers, and between BringBucket and sub-processors, is protected using TLS 1.2 or higher.
• Access controls — Access to production systems is restricted to authorized personnel, requires multi-factor authentication, and follows the principle of least privilege.
• Security reviews — BringBucket conducts regular internal security reviews and vulnerability assessments.
• Logging and monitoring — Production systems are subject to continuous monitoring. Access logs are retained for 30 days.

This DPA is incorporated by reference into the BringBucket Terms of Service and applies automatically to all customers. If your organization requires a separately countersigned DPA for enterprise procurement, vendor management, or compliance purposes, please contact us:

legal@bringbucket.com

We will work with you to provide a countersigned copy in a format suitable for your procurement or compliance requirements. Typical turnaround for standard DPA requests is 3–5 business days.