Data Processing Agreement
Effective: May 23, 2026 · For Brokerage Plan subscribers and enterprise clients
This Data Processing Agreement ("DPA") supplements the Bricks Terms of Service and applies where the Client is a brokerage, team, or enterprise organization that processes personal data of third parties (e.g., property owners, agents) through the Bricks platform. For standard Solo agent accounts, the Privacy Policy alone governs data processing.
1. Definitions
"Controller" means the Client who determines the purposes and means of processing personal data of their agents, staff, and property owners.
"Processor" means Bricks Media Inc., which processes personal data on behalf of the Controller in connection with the Bricks platform.
"Sub-Processor" means a third party engaged by Bricks to assist in processing personal data.
"Personal Data" means any information relating to an identified or identifiable natural person processed through the Bricks platform in connection with the Controller's use of the service.
"Applicable Law" means PIPEDA and any applicable provincial privacy legislation including Ontario's privacy framework.
2. Subject Matter and Nature of Processing
Bricks processes Personal Data on behalf of the Controller solely for the purpose of providing the platform services described in the Terms of Service, including: managing agent accounts, processing property bookings, dispatching photographers, delivering media, managing subscription credits, and generating billing records.
Bricks will not process Personal Data for any purpose other than those specified in the Terms of Service and this DPA without the Controller's prior written instruction, except where required by applicable law.
3. Categories of Data Subjects and Personal Data
| Data Subjects | Categories of Personal Data |
|---|---|
| Client's agents and staff | Name, email, phone, booking history, credit usage, schedule, login credentials (hashed), device identifiers |
| Property sellers / owners | Property address, shoot date and time (indirectly, through booking records) |
| Brokerage administrators | Name, email, administrative activity logs |
4. Bricks's Obligations as Processor
Bricks will:
- Process Personal Data only on documented instructions from the Controller (as set out in this DPA and the Terms of Service) or as required by applicable law.
- Ensure that Bricks personnel authorized to process Personal Data are subject to confidentiality obligations.
- Implement appropriate technical and organizational security measures as described in Section 6.
- Not engage a new Sub-Processor without providing the Controller advance notice and the opportunity to object.
- Assist the Controller in responding to requests from data subjects exercising their rights under Applicable Law, to the extent technically feasible.
- Notify the Controller of any Personal Data breach affecting the Controller's data without undue delay and in any event within 72 hours of becoming aware.
- Upon termination of the service, delete or return all Personal Data as instructed by the Controller within 90 days, except where retention is required by applicable law.
5. Controller's Obligations
The Controller warrants that it has a lawful basis for processing Personal Data entered into the Bricks platform and that it has obtained all necessary consents from its agents, staff, and relevant third parties for the processing described in this DPA.
6. Security Measures
Bricks implements the following security measures to protect Personal Data:
- Encryption in transit (TLS 1.2 or higher) for all data transmission.
- Encrypted at-rest storage via Supabase and Cloudflare R2.
- Role-based access control limiting data access to personnel with a legitimate business need.
- Authentication controls including bcrypt-hashed passwords and JWT-based session management.
- Periodic security reviews and vulnerability assessments.
- Audit logging for all administrative actions affecting account data.
7. Sub-Processors
The Controller hereby provides general authorization for Bricks to engage the following Sub-Processors. Bricks will keep this list current and notify the Controller of any changes:
| Sub-Processor | Role | Data Location |
|---|---|---|
| Supabase Inc. | Database, authentication, real-time infrastructure | US East (AWS) |
| Cloudflare Inc. | CDN, R2 file storage, DDoS protection | Distributed (global CDN) |
| Stripe Inc. | Payment processing, billing | United States |
| Google LLC | Maps API (geocoding), Google Sign-In, Gemini AI dispatch routing | United States |
| Resend Inc. | Transactional email delivery | United States |
| Twilio Inc. | SMS notifications | United States |
| Fotello | AI photo enhancement (property images only, no personal data) | United States |
| Autoenhance.ai | AI photo enhancement fallback (property images only, no personal data) | United Kingdom |
| BoxBrownie | Virtual staging (on-request, property images only) | Australia / International |
8. International Data Transfers
Some Sub-Processors are located outside Canada. International transfers of Personal Data are made pursuant to contractual data processing agreements consistent with PIPEDA's accountability principle, including, where applicable, standard contractual clauses or equivalent safeguards.
9. Data Breach Notification
In the event Bricks becomes aware of a confirmed breach of security safeguards involving Personal Data that creates a real risk of significant harm to affected individuals, Bricks will:
- Notify the Controller without unreasonable delay (target: within 72 hours of confirmation).
- Provide the Controller with sufficient information to meet its own notification obligations under PIPEDA's mandatory breach reporting rules.
- Cooperate with the Controller's investigation and remediation efforts.
10. Audit Rights
The Controller may, upon reasonable written notice (minimum 30 days) and no more than once per calendar year, request a summary audit report of Bricks's data processing practices relevant to this DPA. Bricks may satisfy this obligation by providing third-party audit reports, certifications, or equivalent documentation in lieu of direct on-site audits.
11. Governing Law
This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada, consistent with the Terms of Service governing law provision.
12. Contact
For DPA inquiries or to exercise Controller rights under this agreement: privacy@brxs.ca
Bricks Media Inc. · Toronto, Ontario, Canada