Data Processing Agreement

Version 1.0 — March 29, 2026

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

  • Data Controller: The customer ("you") who subscribes to changebrief.
  • Data Processor: Kristian Wigander, operating as changebrief, based in Sweden ("we", "us").

This DPA supplements and forms part of the changebrief Terms of Service.

2. Scope & purpose of processing

We process personal data solely to provide the changebrief web monitoring service. This includes:

  • Storing your account data (email, name, profile image from OAuth).
  • Taking screenshots of URLs you specify and analyzing them with AI.
  • Sending notifications and reports to your email address.
  • Maintaining change history and audit trails.

3. Categories of data subjects & personal data

Data subjects                       Personal data categories
Customer users                      Email, name, profile image, IP address (logs), usage data
Third parties (on monitored pages)  Any personal data visible on monitored web pages (incidental, not targeted)

4. Sub-processors

Sub-processor   Purpose              Location
Turso           Database hosting     EU (Ireland)
Vercel          Application hosting  EU-first (global edge)
OpenAI          AI image analysis    US (API, zero retention)
Resend          Email delivery       US
Polar / Stripe  Payment processing   EU / US

We will notify you before adding new sub-processors and give you 30 days to object.

5. Security measures

  • Encryption in transit: TLS 1.3 for all communications.
  • Encryption at rest: AES-256 for stored data.
  • Authentication: OAuth 2.0, no password storage.
  • Access control: Production access limited to service operator.
  • Monitoring: Automated uptime monitoring and error alerting.

6. Data subject rights

We will assist you in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) within the timeframes required by GDPR. Contact kristian@changebrief.io to initiate.

7. Data breach notification

In the event of a personal data breach, we will notify you without undue delay and no later than 48 hours after becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken.

8. Data retention & deletion

We retain data for the duration of the service agreement. Upon termination, all customer data is permanently deleted within 30 days. You may request earlier deletion at any time.

9. International transfers

Primary data storage is within the EU (Ireland). Where sub-processors operate outside the EU (OpenAI, Resend), transfers are governed by Standard Contractual Clauses (SCCs) or equivalent safeguards maintained by those providers.

10. Audit rights

You have the right to audit our compliance with this DPA. Audits may be conducted through written questionnaires or, upon reasonable notice, through on-site or remote inspection. We will cooperate with and provide access to relevant documentation.

11. Governing law

This DPA is governed by the laws of Sweden and subject to the jurisdiction of Swedish courts.

Signatures

Data Processor

Kristian Wigander
changebrief
kristian@changebrief.io

Signature & date

Data Controller

Company name

Signature & date
