What is a Data Processing Agreement or “DPA”? A Data Processing Agreement or “DPA” is a contract between a data controller and a data processor that describes the roles and responsibilities of the parties when personal data is processed. A DPA must satisfy a number of requirements in order to be compliant with data privacy laws, including the EU General Data Protection Regulation (“GDPR”).

Does Branch make a DPA available to its Customers? Yes, Branch offers a DPA to its Customers here. The DPA is an agreement that sets out the legal framework under which Branch Processes Customer Data and Personal Data. The DPA covers all of Branch’s services. The DPA is an addendum or exhibit to the Main Services Agreement (“MSA”) between Branch and its Customer.

Is Branch certified under the EU-U.S. Data Privacy Framework? Branch has certified its participation in the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework. You can learn more about our certification here.

What frameworks or mechanisms for safe international data transfer does Branch provide for in its DPA? Branch utilizes Standard Contractual Clauses (legal contracts entered into between parties involved with transferring Personal Data outside of the UK or Europe) incorporated into its DPA to enhance facilitation of the safe international transfer of Personal Data

Who do the SCC’s apply to?  The SCC’s will apply to the legal entity that executes the DPA and enters into the SCCs as a data exporter, as well as any Affiliates of the Customer established in the UK (for UK SCCs) or within the European Economic Area or Switzerland (for EU SCCs).

Which Module of the SCCs will apply to a Customer’s relationship with Branch? Since the Customer acts as Controller and Branch acts as the Customer’s Processor with respect to Personal Data subject to the EU SCCs, Module 2 (Controller to Processor) applies.

Which services by Branch are covered by the SCCs? The SCCs apply to all services provided by Branch under its Main Services Agreement.

Which party is the data exporter and data importer for purposes of the SCCs? As described in the Appendix to the DPA (Annex 1 to the EU Standard Contractual Clauses), the data exporter is the Customer and authorized affiliates of Customer, as described in the agreement, and the data importer is Branch Metrics, Inc.

What happens if the terms of the DPA contradict, or conflict with, those of the UK or EU SCCs? To the extent that the terms of the DPA directly contradict the UK SCCs, the UK SCCs will control. To the extent that the terms of the DPA directly contradict the EU SCCs, the EU SCCs will control.

Why does the Branch DPA contain additional application terms for the SCCs? The “Application” sections point to specific clauses in the UK and EU SCCs and clarify their application to the SCCs in order for completion of the DPA.

Why aren’t the SCC’s included with the DPA? Due to their length, Branch has incorporated the SCCs by reference to the DPA. The SCCs are available here.

Does Branch use Sub-processors? Branch engages service providers, sub-processors and affiliates to assist with our data processing activities on behalf of our business users and to support Branch in delivering its Services. Visit https://legal.branch.io/saas/subprocessor-list/ for more information about each sub processor including location of data processing centers and the services provided by each. Customers may object to the use of a new subprocessor by using the process outlined on the sub-processor page.

How does Branch keep customer data secure? Branch maintains a comprehensive and multi-layered security program using a variety of technical and organizational controls to safeguard customer data. At Branch security is a top priority as demonstrated by internal policies, secure infrastructure and industry certification . Our Information Security & Privacy Standard details the expansive security measures that we employ to protect customer data. More information about our security certifications is available here.

Where can I find more information? Branch respects the privacy of everyone that engages with our platform, and we are committed to being transparent about our privacy practices and policies. Visit Branch’s Legal Center for more information.