BROKLY — DATA PROCESSING ADDENDUM (DPA)
Last Updated: July 6, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service or other agreement between Brokly Inc., a Delaware corporation ("Brokly" or "Processor"), and the customer identified in the applicable Order or account ("Customer" or "Controller") governing Customer's use of the Brokly platform (the "Agreement"). This DPA applies to the extent Brokly processes Personal Data on Customer's behalf in providing the Service.
In case of conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA prevails.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that Brokly processes on Customer's behalf in connection with the Service — principally Lead Data: personal information of Customer's prospects and clients (names, phone numbers, conversation content, preferences, budgets, appointment details) and, in Enterprise accounts, data of Customer's authorized agents processed under Customer's instructions.
- "Data Protection Laws" means all laws applicable to the processing of Personal Data under this DPA, which may include, depending on Customer's market: Colombia's Law 1581 of 2012 and Decree 1377 of 2013; Brazil's LGPD (Law 13,709/2018); Mexico's LFPDPPP; applicable U.S. state privacy laws (e.g., California CCPA/CPRA); Canada's PIPEDA; and any other applicable data protection or privacy legislation.
- "Processing," "Controller," "Processor," "Data Subject," "Personal Data Breach" and similar terms have the meanings given by applicable Data Protection Laws (including local equivalents such as "responsable," "encargado," and "titular").
- "Subprocessor" means a third party engaged by Brokly to process Personal Data on Customer's behalf.
2. Roles and Scope
2.1 Roles. For Personal Data covered by this DPA, Customer is the Controller (or a processor acting on behalf of a third-party controller, in which case Customer warrants it has the necessary authority) and Brokly is the Processor. The subject matter, duration, nature and purpose of processing, categories of Personal Data, and categories of Data Subjects are described in Annex 1.
2.2 Customer account data excluded. Personal data for which Brokly is the controller (Customer's own account, billing, and usage data) is governed by Brokly's Privacy Policy, not this DPA.
2.3 Customer responsibilities. Customer is responsible for (a) the accuracy, quality, and lawfulness of Personal Data and the means by which it was obtained; (b) providing all legally required notices to, and obtaining all required consents and authorizations from, Data Subjects (including its Leads) for the processing described in Annex 1, including processing through automated/AI-assisted conversations; (c) issuing lawful processing instructions; and (d) complying with any registration or documentation obligations applicable to it as Controller (e.g., database registration with Colombia's RNBD where applicable).
3. Processing Instructions
3.1 Brokly will process Personal Data only (a) to provide, maintain, secure, and support the Service in accordance with the Agreement; (b) as documented in this DPA and its Annexes; and (c) per Customer's other documented lawful instructions, including instructions given through the Service's configuration tools. The Agreement, this DPA, and Customer's use of the Service's features constitute Customer's complete instructions.
3.2 Brokly will inform Customer if, in its opinion, an instruction infringes applicable Data Protection Laws, and may suspend execution of that instruction until it is clarified.
3.3 No sale. Brokly will not sell Personal Data, retain, use, or disclose it outside the direct business relationship with Customer or for any purpose other than providing the Service (except as permitted for de-identified data under Section 9 and as required by law). Where the CCPA/CPRA applies, Brokly acts as a "service provider" and certifies that it understands and will comply with these restrictions.
4. Confidentiality
Brokly ensures that personnel authorized to process Personal Data are bound by confidentiality obligations (contractual or statutory) and access Personal Data only on a need-to-know basis for the purposes of the Agreement.
5. Security
5.1 Brokly implements and maintains appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Annex 2. These measures take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
5.2 Brokly may update the measures in Annex 2 from time to time, provided the updates do not materially reduce the overall level of protection.
5.3 Customer is responsible for securing its own credentials, devices, user access management, and configuration choices.
6. Subprocessors
6.1 General authorization. Customer authorizes Brokly to engage Subprocessors to provide the Service. Brokly's current Subprocessors are listed in Annex 3 (including AWS, PlanetScale, Cloudflare, Stripe, Kapso/Meta, OpenAI, and Google).
6.2 Requirements. Brokly will (a) impose on each Subprocessor data protection obligations materially no less protective than those in this DPA, to the extent applicable to the services provided; and (b) remain liable to Customer for the performance of its Subprocessors' obligations.
6.3 Changes. Brokly will give Customer notice (e.g., by email or by updating the Subprocessor page with a notification mechanism) at least 15 days before authorizing a new Subprocessor to process Personal Data. Customer may object on reasonable data-protection grounds within that period; the parties will work in good faith to resolve the objection (e.g., alternative configuration), and if no resolution is reasonably available, Customer may terminate the affected subscription and receive a pro-rata refund of prepaid unused fees as its exclusive remedy.
7. Assistance to Customer
7.1 Data Subject requests. Taking into account the nature of the processing, Brokly will assist Customer, through the Service's functionality (export, correction, deletion tools) and, where necessary, reasonable additional assistance, in fulfilling Customer's obligations to respond to Data Subject requests (access, correction, deletion, objection, portability, and local equivalents such as "consultas y reclamos"). If a Data Subject contacts Brokly directly regarding data processed under this DPA, Brokly will, where the Data Subject identifies the Customer, forward the request to Customer without undue delay and will not respond on the merits except as instructed by Customer or required by law.
7.2 Compliance assistance. Taking into account the nature of the processing and the information available to it, Brokly will provide reasonable assistance with Customer's obligations regarding security, breach notification, and data protection impact assessments, where required by applicable Data Protection Laws.
8. Personal Data Breach
Brokly will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA, and in any event within the timeframe required by applicable law. The notification will describe, to the extent known: the nature of the breach, the categories and approximate number of Data Subjects and records affected, likely consequences, measures taken or proposed, and a contact point. Brokly will take reasonable steps to contain and remediate the breach. Brokly's notification is not an acknowledgment of fault or liability. Customer is responsible for any notifications to authorities or Data Subjects required of it as Controller.
9. De-identified Data; Service Improvement
Customer acknowledges and instructs that Brokly may create de-identified and/or aggregated data from Personal Data — such as interaction patterns, conversation structures, qualification flows, and outcome metrics — and use it to improve Brokly's models, prompts, and Service, provided that (a) such data does not identify, and cannot reasonably be used to identify, Customer or any Data Subject; (b) Brokly maintains and does not attempt to reverse the de-identification; and (c) sensitive personal information is excluded from improvement datasets. De-identified data is not Personal Data under this DPA.
10. International Transfers
Customer acknowledges that Personal Data will be processed in the United States and in other countries where Brokly's Subprocessors operate. Brokly will (a) transfer Personal Data only to Subprocessors bound by contractual protections consistent with Section 6.2; and (b) where applicable Data Protection Laws require a specific transfer mechanism or additional safeguards for international transfers, cooperate with Customer to implement them (including executing standard contractual clauses or local equivalents where required). Customer, as Controller, is responsible for confirming that the transfer is permissible under its local law and obtaining any required authorizations from Data Subjects or authorities.
11. Audits and Information
11.1 Upon Customer's written request (no more than once per 12-month period, absent a Personal Data Breach or evidence of material non-compliance), Brokly will make available information reasonably necessary to demonstrate compliance with this DPA, which may include security documentation, certifications, or third-party audit summaries where available.
11.2 If the information provided is insufficient and applicable Data Protection Laws grant Customer an audit right, Customer (or an independent auditor bound by confidentiality, not a Brokly competitor) may conduct an audit at Customer's expense, during business hours, with at least 30 days' notice, in a manner that does not disrupt Brokly's operations or compromise other customers' data.
12. Return and Deletion
Upon termination or expiration of the Agreement, or upon Customer's deletion of specific Personal Data or of its account, Brokly will delete the Personal Data from its production databases within 15 business days, except (a) data Brokly must retain under applicable law (retained only as long as required and then deleted), and (b) residual copies in encrypted backups, deleted in the ordinary backup rotation cycle and not restored to production except for disaster recovery. During the active term (including any post-cancellation access period), Customer may export its Personal Data using the Service's tools or by request. Upon Customer's written request, Brokly will confirm deletion in writing.
13. Enterprise Accounts
In Enterprise accounts, the Controller is the contracting entity (agency, firm, or developer), and Personal Data processed under the account — including data relating to the entity's individual agents acting as Users — is processed under the entity's instructions. The entity is responsible for its internal authorizations, role management, and lawful basis for processing its agents' and Leads' data.
14. Liability; Term; General
14.1 Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement, which apply in the aggregate across the Agreement and this DPA, except to the extent applicable Data Protection Laws prohibit such limitation.
14.2 This DPA takes effect upon acceptance of the Agreement (or execution of this DPA, if signed separately) and remains in force as long as Brokly processes Personal Data on Customer's behalf.
14.3 If any provision of this DPA is invalid under applicable Data Protection Laws, the parties will replace it with a valid provision that most closely reflects its intent; the remainder stays in effect. This DPA is governed by the law governing the Agreement, except where applicable Data Protection Laws mandatorily provide otherwise.
ANNEX 1 — DETAILS OF PROCESSING
Subject matter: Provision of the Brokly platform: an AI-powered operations service for real estate professionals that responds to, qualifies, and schedules the Customer's leads via WhatsApp and manages the Customer's pipeline, inventory, and calendar.
Duration: The term of the Agreement plus the deletion period in Section 12.
Nature and purpose of processing: Receipt, storage, analysis, and generation of conversational messages; lead qualification and scoring; property matching against Customer's inventory; appointment scheduling and reminders; CRM/pipeline record creation and updates; reporting to Customer; security and support.
Categories of Data Subjects:
- Customer's prospects, leads, and clients ("Leads");
- Customer's authorized users/agents (Enterprise accounts);
- Other individuals whose data Customer submits through the Service (e.g., property owners or tenants referenced in listings or conversations).
Categories of Personal Data:
- Identification and contact data: name, phone number, WhatsApp identifiers, email where provided;
- Conversation content and metadata (timestamps, channel);
- Commercial preference data: property interests, budget, desired zones, intended use, household composition as voluntarily stated by the Lead;
- Appointment and visit data: dates, times, locations, attendance status;
- Pipeline/CRM data: stage, notes, qualification scores;
- Owner/tenant data included in listings or transaction records, as submitted by Customer.
Sensitive data: Not intended to be processed. Customer must not submit or solicit sensitive categories of data (health, biometrics, racial or ethnic origin, religious or political beliefs, etc.) or data of minors as Leads. Incidental sensitive data volunteered by a Data Subject in free-text messages will be stored as part of the conversation but is excluded from Service-improvement datasets per Section 9.
ANNEX 2 — TECHNICAL AND ORGANIZATIONAL MEASURES
- Encryption: Personal Data encrypted in transit (TLS) between clients, the platform, and Subprocessors; encryption at rest on managed infrastructure (AWS/PlanetScale).
- Access control: Role-based access; access to production data limited to authorized personnel on a need-to-know basis; authentication requirements for personnel access; logging of administrative access.
- Network and infrastructure security: Managed cloud infrastructure (AWS, Cloudflare) with network protections, DDoS mitigation, and environment segregation between production and non-production.
- Application security: Secure development practices; dependency and vulnerability management; tenant isolation so each Customer accesses only its own data.
- Subprocessor management: Contractual data protection requirements; restriction on AI model providers using Personal Data for their own training; exclusion of sensitive personal information from data sent for improvement purposes.
- Backups and resilience: Encrypted backups with defined rotation; disaster-recovery procedures.
- Incident response: Procedures for detecting, escalating, containing, and notifying Personal Data Breaches (Section 8).
- Data minimization and retention: Collection limited to what the Service requires; deletion per Section 12; de-identification/aggregation before use for Service improvement.
- Personnel: Confidentiality commitments; security awareness expectations for staff with data access.
ANNEX 3 — AUTHORIZED SUBPROCESSORS (as of July 6, 2026)
| Subprocessor | Purpose | Location of processing |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting and storage | United States [/other regions used] |
| PlanetScale | Managed database | United States [/other regions used] |
| Cloudflare | Network, CDN, security infrastructure | Global (edge network) |
| Stripe | Payment processing (Customer billing data) | United States |
| Kapso | WhatsApp Business Solution Provider (message transmission) | [Location] |
| Meta Platforms (WhatsApp Business Platform) | Message delivery infrastructure | United States / global |
| OpenAI | AI model inference for conversational responses | United States |
| AI model inference for conversational responses | United States / global | |
| [Open-source model hosting provider(s)] | AI model inference | [Location] |
The current list is maintained at [URL]. Brokly will provide notice of changes per Section 6.3.