Data Processing Addendum

Braze Data Processing Addendum in English: Here

Braze Data Processing Addendum in Japanese (データ処理補填): Here

Braze Data Processing Addendum FAQs

These FAQs are for information purposes only and do not create any contractual commitments. These FAQs do not provide legal advice. Customers should consult with their own legal counsel.

What is the scope of the DPA?

The DPA is an agreement that sets out how Braze processes personal data of its customers in the Braze platform. The DPA uses data protection terminology from specific laws, e.g., ‘Controller’ and ‘Processor’, but it covers customers globally and incorporates applicable terms required by data protection laws and regulations.

For clarity, this includes provisions necessary under the EU and UK General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), and other U.S. state privacy laws.

What are the respective roles of Braze and the customer under the DPA?

Our customers decide what personal data they send to the Braze platform. As a result, they are ‘Data Controllers’ or ‘Businesses’. Braze acts as a ‘Processor’ or ‘Service Provider’, processing such personal data on behalf of the customer.

How does Braze handle data subject requests?

Please see Braze’s Data Protection Technical Assistance page for details on features of the Braze platform that customers can use for compliance with their legal obligations.

What security measures does Braze use to keep data secure within the Braze platform?

Braze takes data privacy and security seriously. Braze is ISO 27001 certified and annually completes a SOC 2, Type 2 audit. These are performed by independent, third-party auditors. In addition, Braze annually undergoes a third-party penetration test. We are compliant with these internationally recognized standards and codes of practice to ensure that our security standards are up-to-date and in line with leading best practices.

For details on our technical and organizational measures, please see our Security, Privacy and Architecture Datasheet.

Does Braze use sub-processors?

Yes. As part of providing the Braze services to its customers, Braze engages third parties who have access to and process customer personal data. A list of our sub-processors may be found at www.braze.com/subprocessors. Braze provides information on the services provided by and the location of our sub-processors.

How does Braze enable transfers of personal data from the EU to countries that are not deemed to have adequate data privacy protections in place?

The Braze DPA incorporates the 2021 EU Standard Contractual Clauses, Module 2 “Controller to Processor” (“2021 SCCs”) to validate transfers of personal data from the EU to countries outside the EU without an adequacy finding. Please see here for a copy of the 2021 SCCs.

How does Braze enable data transfers of personal data from the UK to countries that are not deemed to have adequate data privacy protections in place?

The UK’s Information Commissioner has published a UK Addendum to the 2021 SCCs that validates transfers of personal data from the UK to countries without an adequacy finding by the UK. Braze relies on the UK Addendum for relevant transfers from the UK. Please see here for a copy of the UK Addendum.

Has Braze conducted a transfer impact assessment for international transfers of personal data from the EU and the UK?

Yes. Braze can provide a Transfer Impact Assessment (“TIA”) to any customers who require this as part of their own onward transfers assessment. Please reach out to privacy@braze.com for a copy of Braze’s TIA.

Can my organization use its own DPA?

No, we cannot use a customer’s template DPA. The Braze DPA is tailored to the multi-tenant Braze Services and covers the procedures that we have in place to process customer personal data in compliance with laws. The Braze DPA was drafted in alignment with Braze’s main subscription agreement (“MSA”) and other Braze documentation.

How can my organization execute the Braze DPA?

The Braze DPA is automatically incorporated into your agreement with Braze via a link in the MSA. By signing the MSA, a customer is also agreeing to the DPA.

However, if you prefer to have a signed copy of the Braze DPA, you are welcome to download and execute a copy of the DPA. Please follow the instructions below.

Signing instructions

If you do not already have a DPA in place with Braze, you can sign the DPA above, as follows:

Download the Braze DPA, add your company’s full legal name and signatory details as indicated, and sign and return it by email to privacy@braze.com. Upon receipt by Braze of the validly completed DPA, dated and signed by you, the DPA will become legally binding.

What if my organization already has a DPA in place with Braze, but it was signed prior to September 2021 and does not reflect more recent privacy law updates?

Braze also offers the European Amendment 2022 to customers that have an older DPA that does not incorporate the 2021 SCCs or the UK Addendum, and the CCPA 2022 Amendment for customers that have an older DPA that does not incorporate the CCPA 2022 Amendment terms.

Please work with your legal team to determine which document you may require, then download the applicable document, add your company’s full legal name and signatory details as indicated, and sign and return it by email to privacy@braze.com. Upon receipt by Braze of the validly completed Amendment, dated and signed by you, the Amendment will become legally binding.