Skip to main content
Draft pending counsel review. This Data Processing Addendum is a working draft and has not yet been finalised by counsel. Customers requiring an executed DPA today should contact legal@brandatlas.pro for a signed version.
Effective from: (pending) Last updated: 27 May 2026 This Data Processing Addendum (“DPA”) supplements the Terms of Service between MadeBy_ (“Processor,” “we”) and the customer (“Controller,” “you”), and forms part of the agreement between us in respect of personal data processed in connection with the Service.

1. Definitions

Terms used in this DPA have the meanings given in the EU General Data Protection Regulation (GDPR) and equivalent legislation, including the UK GDPR, the Data Protection Act 2018, and the UAE Personal Data Protection Law (PDPL).

2. Roles

You are the Controller of personal data uploaded to the Service. We are the Processor, acting on your documented instructions. Where we determine the purposes and means of processing independently (for example, for our own service security and operations), we act as Controller for those limited purposes.

3. Scope of processing

We process personal data only:
  • As necessary to provide the Service.
  • On your documented instructions, including those given through your use of the Service.
  • As required by applicable law (in which case we will inform you unless prohibited).
The categories of data, data subjects, and processing activities are described in Schedule 1.

4. Confidentiality

We ensure that personnel authorised to process personal data are subject to confidentiality obligations.

5. Security

We implement appropriate technical and organisational measures, described in Security Overview. The measures address risks of accidental or unlawful destruction, loss, alteration, disclosure, or access.

6. Sub-processors

You authorise us to engage sub-processors. Current sub-processors are listed at Sub-processors. We will:
  • Impose written contractual obligations on each sub-processor at least as protective as this DPA.
  • Notify you at least 30 days before adding or replacing a sub-processor.
  • Remain liable to you for the acts and omissions of our sub-processors.
You may object to a new sub-processor within the 30-day notice period. If we cannot accommodate your objection, you may terminate the affected portion of the Service.

7. Data subject rights

We will assist you in fulfilling data subject requests where you cannot do so through the Service yourself. Reasonable assistance is included; large or repeated requests may incur reasonable costs.

8. Personal data breach

We will notify you without undue delay (within 72 hours where reasonably practicable) of becoming aware of a personal data breach affecting your data. The notification will include the information required by applicable law. See Breach Notification.

9. Data Protection Impact Assessment

We will assist you, taking into account the nature of processing and the information available to us, in carrying out Data Protection Impact Assessments and prior consultations with supervisory authorities where required.

10. Audits

You may, at your expense and with reasonable notice, audit our compliance with this DPA no more than once per year. We may satisfy audit requests by providing audit reports from independent assessors. Detailed audit clauses are in Schedule 2.

11. International transfers

Where personal data is transferred outside the EEA, UK, or relevant jurisdiction, the transfer is governed by:
  • EU Standard Contractual Clauses (Module 2: Controller to Processor) for transfers from the EEA.
  • UK International Data Transfer Addendum (IDTA) for transfers from the UK.
  • UAE-approved transfer mechanisms for transfers from the UAE under PDPL.
The applicable clauses are incorporated as Schedule 3.

12. Return and deletion

On termination of the Service, we delete or return all personal data within 30 days, unless retention is required by law. Backups are deleted in line with the retention schedule.

13. Liability

Liability under this DPA is subject to the limits in the Terms of Service.

14. Order of precedence

In case of conflict between this DPA and the Terms of Service, this DPA prevails for matters concerning personal data processing.

15. Governing law

This DPA is governed by the laws of the United Arab Emirates, with the qualification that nothing in this DPA limits rights of data subjects under their applicable data protection law.

Schedule 1 — Description of processing

  • Subject matter: Provision of the Brand Atlas service.
  • Duration: For the term of the subscription, plus the deletion/retention period thereafter.
  • Nature and purpose: Hosting, processing, and delivery of Customer Content; account administration; security; analytics.
  • Categories of data subjects: Brand owners; team members; guests; visitors.
  • Categories of personal data: Identification (name, email); authentication (hashed credentials); usage (pages, sessions); billing (where provided).
  • Special category data: None ordinarily processed.

Schedule 2 — Audit terms

(To be completed by counsel.)

Schedule 3 — Transfer mechanisms

(SCCs, IDTA, and PDPL-approved clauses to be incorporated by counsel.)

Signing

Customers requiring an executed copy of this DPA should write to legal@brandatlas.pro. A signed PDF is provided.

What changed

  • 27 May 2026: Initial draft published for counsel review.