Data Processing Agreement (DPA)

Brick River Lab SAS — Blind Valet
Effective Date: 2026-05-04

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between Brick River Lab SAS ("Brick River Lab," "Processor") and the Subscriber ("Controller"). It governs the processing of Personal Data that the Controller, or anyone acting on the Controller's behalf, enters into the Blind Valet service (the "Service") about Data Subjects other than the Controller themselves (e.g., players, club members, league participants).

This DPA reflects the requirements of Article 28 of Regulation (EU) 2016/679 (the "GDPR") and the French Data Protection Act (Loi Informatique et Libertés).

1. Definitions

Terms used but not defined here have the meaning given in the GDPR. In particular: "Personal Data," "Processing," "Controller," "Processor," "Sub-processor," "Data Subject," "Personal Data Breach," and "Supervisory Authority."

"Controller Personal Data" means Personal Data that the Controller, or its end users acting under the Controller's account, enters into the Service about Data Subjects, and that the Processor processes on the Controller's behalf.

2. Subject Matter and Duration

Subject matter. The Processor's processing of Controller Personal Data, on the Controller's behalf, for the purpose of providing the Service.

Duration. This DPA applies for as long as the Processor processes Controller Personal Data, beginning on the Effective Date and ending when the Controller's account is closed and Controller Personal Data has been deleted or returned in accordance with §10.

3. Nature and Purpose of Processing

The Processor processes Controller Personal Data for the purpose of providing the Service to the Controller, including:

  • storing and retrieving tournament, club, league, and player information;
  • enabling tournament management functions (clock, blinds, seating, payouts, rankings);
  • displaying Personal Data to authorised users (the Controller, club staff, invited tournament directors);
  • generating exports and reports as requested by the Controller;
  • maintaining the security, availability, and integrity of the Service.

The Processor does not use Controller Personal Data for its own purposes, including marketing, profiling, or the training of artificial-intelligence models.

4. Categories of Data Subjects and Personal Data

Categories of Data Subjects:

  • Players, club members, and league participants registered by the Controller in the Service.

Categories of Personal Data:

  • Names (first, last, nickname);
  • Contact details where provided (email, phone — optional);
  • Player rankings, statistics, and tournament history;
  • Club and league memberships;
  • Photos or avatars where provided;
  • Any other Personal Data the Controller chooses to enter.

The Processor does not require the Controller to provide special categories of Personal Data (Article 9 GDPR), and the Service is not designed to handle such data.

5. Controller's Obligations

The Controller represents and warrants that:

(a) it has a valid lawful basis under Article 6 of the GDPR (and, where applicable, Article 9) for the Processing it instructs the Processor to perform;

(b) it has provided all required information to Data Subjects under Articles 13 and 14 of the GDPR, and has obtained any consents required by applicable law;

(c) its instructions to the Processor comply with applicable law;

(d) it is responsible for the accuracy, quality, and legality of Controller Personal Data and for honouring Data Subject rights requests directed to it as Controller.

6. Processor's Obligations

The Processor shall:

6.1 Documented instructions. Process Controller Personal Data only on the documented instructions of the Controller, including with regard to international transfers, unless required to do otherwise by EU or Member State law (in which case the Processor shall notify the Controller before processing, unless the law prohibits such notice on important grounds of public interest).

The Controller's instructions are set out in this DPA, the Terms and Conditions, and the configurations the Controller selects within the Service. The Controller may issue further reasonable instructions in writing.

6.2 Confidentiality. Ensure that personnel authorised to process Controller Personal Data are bound by confidentiality obligations.

6.3 Security. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. The measures currently in place are described in Annex 2.

6.4 Sub-processors. Engage sub-processors only in accordance with §8.

6.5 Assistance with Data Subject rights. Taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR.

The Service provides the Controller with self-service tools (export, edit, delete) sufficient to handle most Data Subject requests directly. For requests requiring Processor involvement, the Processor will respond to the Controller's reasonable assistance request without undue delay.

6.6 Assistance with Articles 32–36. Assist the Controller in ensuring compliance with security obligations, breach-notification obligations, data-protection impact assessments, and prior consultation with Supervisory Authorities, taking into account the nature of Processing and the information available to the Processor.

6.7 Personal Data Breach notification. Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Controller Personal Data. The notification will include, to the extent known: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed.

6.8 Records. Maintain records of Processing activities carried out on behalf of the Controller, in accordance with Article 30(2) of the GDPR.

6.9 Audit and information. Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable confidentiality and notice requirements. In practice, the Processor will satisfy this obligation by providing existing security documentation, sub-processor information, and written responses to reasonable questionnaires. On-site audits are limited to once per twelve-month period absent a Personal Data Breach or regulatory request, are scheduled with at least thirty (30) days' notice, and are at the Controller's expense.

7. International Data Transfers

Controller Personal Data is primarily processed in the United States (Google Cloud us-central1 region), where the Realtime Database and Cloud Functions that power the Service are hosted. Where the Processor or its sub-processors transfer Controller Personal Data outside the European Economic Area, the Processor relies on one or more of the following safeguards:

(a) an adequacy decision of the European Commission (including the EU–U.S. Data Privacy Framework where the recipient is certified);

(b) Standard Contractual Clauses approved by the European Commission (the "EU SCCs," Module Two: Controller-to-Processor or Module Three: Processor-to-Sub-processor, as applicable), incorporated into agreements between the Processor and its sub-processors;

(c) supplementary technical and organisational measures where appropriate (encryption, pseudonymisation, access restrictions).

By entering into this DPA, the Controller is deemed to have entered into the EU SCCs with the Processor (and authorises the Processor to enter into back-to-back SCCs with sub-processors on the Controller's behalf), where necessary to legitimise the transfers contemplated by the Service.

8. Sub-processors

General authorisation. The Controller authorises the Processor to engage sub-processors to assist in providing the Service. The current list of sub-processors is set out in Annex 3.

Notice of changes. The Processor will notify the Controller of any intended addition or replacement of a sub-processor at least thirty (30) days in advance, by email or by updating Annex 3 with notice on the Service.

Right to object. The Controller may object to a new sub-processor on reasonable, GDPR-related grounds within thirty (30) days of notice. If the parties cannot resolve the objection, the Controller may terminate the affected portion of the Service for the unexpired term of any prepaid subscription, with a pro-rata refund.

Sub-processor obligations. The Processor remains liable to the Controller for the acts and omissions of its sub-processors as if they were its own. Each sub-processor is bound by a written agreement imposing data-protection obligations no less protective than this DPA.

9. Personal Data Breaches

In addition to §6.7, the Processor will:

  • cooperate with the Controller and take reasonable steps to mitigate the effects of a Personal Data Breach;
  • provide the Controller with information necessary to enable the Controller to comply with its own notification obligations to Supervisory Authorities and Data Subjects under Articles 33 and 34 of the GDPR;
  • not make any public statement or notification about a Personal Data Breach affecting Controller Personal Data without the Controller's prior consent, except where required by law.

10. Return or Deletion of Data

On termination of the Controller's subscription, and at the Controller's choice, the Processor will:

(a) return all Controller Personal Data to the Controller (the Controller may export data at any time using self-service tools); and/or

(b) delete all Controller Personal Data,

in accordance with the retention provisions of the Terms and Conditions (a minimum of three (3) years for restoration purposes, after which the Processor may delete or anonymise Controller Personal Data at its discretion, subject to legal retention obligations such as billing records).

The Controller may request earlier deletion at any time, subject to the Processor's legal retention obligations.

11. Liability

The liability of each party under this DPA is subject to the limitations set out in the Terms and Conditions, except where mandatory law provides otherwise.

12. Term and Termination

This DPA enters into force on the Effective Date and remains in effect for as long as the Processor processes Controller Personal Data. Termination of the Terms and Conditions automatically terminates this DPA, subject to obligations that survive (return/deletion of data, confidentiality, audit cooperation for the period covered).

13. Governing Law and Jurisdiction

This DPA is governed by the laws of France. Disputes are subject to the jurisdiction provisions set out in the Terms and Conditions.

14. Order of Precedence

In the event of a conflict between this DPA and the Terms and Conditions, this DPA prevails with respect to the processing of Controller Personal Data. In the event of a conflict between this DPA and the EU SCCs, the EU SCCs prevail.

15. Contact

For any question or request relating to this DPA:

Brick River Lab SAS
14 Avenue des Tourterelles, 44100 Nantes, France
Email: support@blindvalet.com


Annex 1 — Description of Processing

Item | Description
Subject matter | Processing of Controller Personal Data to provide the Blind Valet service
Duration | Term of the Controller's subscription, plus retention period per §10
Nature of processing | Hosting, storage, retrieval, display, organisation, modification, transmission, deletion, export
Purpose | Providing tournament and club management functions to the Controller
Categories of Data Subjects | Players, club members, league participants entered by the Controller
Categories of Personal Data | Name, optional contact details, rankings, statistics, photos, club/league associations
Special categories | None expected; the Service is not designed to handle special-category data

Annex 2 — Technical and Organisational Measures

The Processor maintains the following measures, in accordance with Article 32 of the GDPR:

Encryption

  • TLS 1.2 or higher for data in transit (HTTPS).
  • Encryption at rest provided by underlying infrastructure (Google Cloud / Firebase).

Access controls

  • Role-based access for Brick River Lab personnel; access limited to those with a need-to-know.
  • Strong authentication for administrative access.
  • Customer-side authentication via email/password (hashed) or SSO (Google, Apple).

Network and infrastructure security

  • Hosted on Google Cloud / Firebase, which maintain physical security, redundancy, and certifications (ISO 27001, SOC 2) at the infrastructure level.
  • Web Application Firewall and DDoS protection at the platform level.

Software development and change management

  • Source-controlled codebase with reviewed changes.
  • Separate development and production environments.
  • Dependency monitoring for known vulnerabilities.

Incident response

  • Procedure for detection, assessment, containment, and notification of Personal Data Breaches within the timeframes required by §6.7.
  • Application error monitoring (Sentry) for proactive detection of failures.

Data minimisation and retention

  • Service collects only data the Controller chooses to enter; no compulsory collection of sensitive data.
  • Retention as set out in the Terms and Conditions.

Backups and resilience

  • Automated backups of database state managed by Google Cloud / Firebase.
  • Documented recovery procedures.

Personnel

  • Access to Controller Personal Data is limited to authorised personnel under written confidentiality obligations, on a need-to-know basis.

These measures are reviewed periodically and may be updated, provided the level of protection is not reduced.


Annex 3 — List of Sub-processors

The following sub-processors are engaged by the Processor as of the Effective Date:

Sub-processor | Service | Location of Processing | Transfer Mechanism
Stripe Payments Europe Ltd | Payment processing, subscription billing | Ireland (EU) / United States | Intra-EU (Ireland); EU SCCs and DPF for US transfers
Google LLC / Google Cloud / Firebase | Hosting, authentication, Realtime Database, file storage, Cloud Functions | United States (Google Cloud us-central1) | EU SCCs; EU–U.S. Data Privacy Framework
Sentry (Functional Software Inc.) | Application error monitoring | United States | EU SCCs
Mailgun Technologies Inc. | Transactional email delivery | EU / United States | EU SCCs; EU–U.S. Data Privacy Framework
Anthropic PBC | LLM services for content translation (system phrases only — no Controller Personal Data) | United States | EU SCCs
OpenAI, L.L.C. | LLM services for content translation (system phrases only — no Controller Personal Data) | United States | EU SCCs
Netlify Inc. | Hosting and CDN for the marketing site, the application, and the admin interface | United States | EU SCCs

The Controller will be notified of changes to this list as set out in §8.