Brand Data Processing Agreement
1. Parties and Scope
This Brand Data Processing Agreement ("Brand DPA") forms part of the Marketplace Terms and applies between SocialGryd Limited ("SocialGryd") and any Brand that uses the Marketplace. Where this Brand DPA conflicts with the Marketplace Terms on data-protection matters, this Brand DPA prevails.
2. Roles of the Parties
In relation to personal data processed through the Marketplace:
- SocialGryd is the controller for (a) operating the Marketplace platform, (b) authenticating users, (c) providing discovery and matching services, (d) internal security, fraud prevention, and integrity, and (e) compliance with SocialGryd's legal obligations.
- The Brand is an independent controller for any personal data it collects, retains, or uses after a Creator accepts a campaign invitation, including the Creator's name, contact details, messages, campaign deliverables, performance metrics, invoicing data, and any personal data of third parties depicted in the Creator's content.
- SocialGryd and the Brand may be joint controllers in narrow circumstances where we jointly determine the purposes and means of processing (for example, a co-branded campaign reporting flow). In those cases, we will enter into a separate Joint Controller Arrangement under GDPR Article 26.
3. Brand Obligations
The Brand undertakes to:
- Have a lawful basis under GDPR Article 6 (and, where relevant, Article 9) for each purpose for which it processes Creator data
- Provide the Creator with transparent information about the Brand's processing, in its own privacy notice, compliant with GDPR Articles 13 and 14
- Process Creator data only for purposes connected to the specific campaign or pre-contractual negotiations
- Not combine Creator data with other datasets to enrich profiles, resell, or build marketing lists outside the specific campaign, except with the Creator's separate consent
- Respect the Creator's rights to access, rectification, erasure, restriction, portability, and objection, and respond directly to any Creator rights request within the statutory period (GDPR Article 12: one month, extendable by two months)
- Implement appropriate technical and organisational measures to protect Creator data (Article 32), proportionate to the risk of processing
- Keep records of processing activities (Article 30) where the Brand is subject to that obligation
- Notify SocialGryd without undue delay (and in any event within 48 hours of awareness) of any personal data breach that affects Creator data sourced from the Marketplace
- Appoint a contact point for Creator data-protection queries, and, where the GDPR requires, a Data Protection Officer
- Where the Brand is outside the EEA or UK, either ensure an adequacy decision applies or implement Standard Contractual Clauses / UK IDTA with the Creator for international transfers
- Include flowdown data-protection terms in any sub-processor agreement the Brand enters into in connection with a Marketplace campaign
- Comply with all other applicable laws, including sector-specific rules and advertising-law disclosure requirements
4. Retention and Deletion
The Brand must:
- Delete or anonymise Creator personal data when it is no longer necessary for the purpose for which it was collected, and in any event no later than 24 months after the campaign ends (or the period required by applicable tax/audit law, whichever is longer)
- Delete or return (at the Creator's choice) the Creator's personal data on receipt of a valid erasure request from the Creator, subject to statutory exceptions
- Not retain campaign messages, contracts, or deliverables beyond what is necessary to evidence performance
5. Security Measures
The Brand must implement at least the following measures:
- Role-based access control and least privilege for staff handling Creator data
- Encryption in transit (TLS 1.2+) and encryption at rest for databases, backups, and file storage
- Multi-factor authentication for administrative and privileged accounts
- Regular vulnerability management, dependency patching, and logging
- Written information-security policy, employee training, and confidentiality obligations
- Incident-response plan with clear escalation to SocialGryd under Section 3
6. Sub-processors
If the Brand engages sub-processors (agencies, CRM vendors, analytics providers) to process Creator data sourced from the Marketplace, the Brand must: (a) enter into a written data-processing agreement with each sub-processor on terms no less protective than this Brand DPA; (b) remain fully liable to the Creator and SocialGryd for the sub-processor's acts and omissions; (c) notify the Creator where required by the Creator's own privacy notice; and (d) ensure lawful international transfers where the sub-processor is outside the EEA/UK.
7. Prohibited Uses
The Brand must not:
- Sell, license, or otherwise disclose Creator data to third parties (other than permitted sub-processors for the campaign)
- Use Creator data to train generative AI models or feed it into automated enrichment services without the Creator's separate consent
- Scrape additional data about the Creator from the SocialGryd Platform beyond what is available via authorised Marketplace workflows
- Use Creator data for cross-context behavioural advertising
- Re-identify Creator data that SocialGryd has de-identified
8. Audits and Cooperation
On reasonable written request, the Brand will provide SocialGryd with:
- Copies of the Brand's privacy notice relevant to Marketplace processing
- Summary information on its technical and organisational measures
- Copies of any sub-processor DPAs (redacted as needed)
SocialGryd may, no more than once per year (except following a notifiable breach) and on 30 days' notice, audit the Brand's compliance with this Brand DPA, either directly or through an independent third-party auditor acting under confidentiality. SocialGryd will bear the cost unless the audit reveals material non-compliance.
9. Liability
The Brand indemnifies SocialGryd against any regulatory fines, third-party claims (including Creator claims), and reasonable legal costs arising from the Brand's breach of this Brand DPA or applicable data-protection law, subject to the limits in the Marketplace Terms and the Main Terms, and subject to mandatory consumer protections.
10. International Transfers
Where Creator data is transferred from the EEA or UK to a jurisdiction not covered by an adequacy decision, the Brand and the Creator are the relevant parties to the Standard Contractual Clauses / UK IDTA. SocialGryd will, on request, provide its own transfer documentation for data flowing through the SocialGryd Marketplace platform.
11. Term, Termination, and Survival
This Brand DPA takes effect on Brand registration and continues for as long as the Brand processes Creator data sourced from the Marketplace. Obligations that by their nature survive termination (confidentiality, deletion, breach notification, liability, audit) survive for the applicable statutory periods.
12. Changes
We may update this Brand DPA to reflect legal or operational changes. Material changes take effect after 30 days' notice under the P2B Regulation and the Marketplace Terms.
13. Contact
Brand DPA queries: privacy@socialgryd.com / dpo@socialgryd.com.
SocialGryd Limited, Narva mnt 5, Kesklinna linnaosa, Tallinn, Harju maakond 10117, Estonia.