
Data Processing Agreement (DPA)

Last updated: April 2026 · Version 1.0-DRAFT


1. Parties

This Data Processing Agreement ("DPA" or "Agreement") is entered into between:

  • Controller: The customer ("you" or "Customer") contracting SecondBrainCore services under the applicable Service Agreement.
  • Processor: SecondBrainCore, the company providing the MCP-based knowledge management platform.

This DPA is incorporated by reference into the applicable Service Agreement between the parties. In the event of a conflict between this DPA and the Service Agreement, the terms of this DPA shall prevail with respect to the processing of personal data.

2. Subject Matter and Duration

The subject matter of this DPA is to establish the terms under which SecondBrainCore will process personal data on behalf of the Customer in providing the knowledge management platform services ("Service").

The duration of this DPA coincides with the Customer's active subscription with SecondBrainCore. The DPA remains in effect for as long as SecondBrainCore retains any Customer personal data pursuant to Section 10 (Return and Deletion).

3. Nature and Purpose of Processing

SecondBrainCore processes personal data in the following activities necessary to provide the Service:

  • Authentication and access control of authorized users;
  • Storage and retrieval of knowledge management content;
  • Delivery of contracted platform features (semantic search, MCP connectors, access controls);
  • Maintenance of audit logs for compliance and security;
  • Technical support and customer service communications;
  • Service improvement based on anonymized and aggregated usage data.

4. Types of Personal Data Processed

The following categories of personal data are processed under this DPA:

  • Identification data: display name, corporate email address, unique user identifier (provided by identity provider).
  • Usage data: IP address (anonymized), browser and device information, pages accessed, session duration, feature access patterns.
  • Purchase data: name, email, company, plan of interest, and contact information for leads and purchase intents.
  • Audit logs: records of actions performed in the Service, including access, export, and configuration changes.
  • Organizational content data: documents, notes, conversations, and other knowledge data uploaded or generated by the Customer through the Service.

5. Categories of Data Subjects

The personal data processed under this DPA belongs to the following categories of data subjects:

  • Customer's employees, contractors, and authorized representatives who use the Service;
  • Corporate leads who submit contact or plan interest forms on the SecondBrainCore website;
  • Customer administrators responsible for managing platform accounts and configurations.

6. Processor Obligations

SecondBrainCore, as data processor, commits to:

  • Process only on documented instructions: Process personal data only in accordance with the Controller's documented instructions, including those set out in this DPA and the Service Agreement, unless required otherwise by law.
  • Ensure confidentiality: Ensure that persons authorized to process personal data are subject to appropriate confidentiality obligations.
  • Implement security measures: Implement appropriate technical and organizational measures as described in Section 8 (Security Measures).
  • Subprocessors: Engage subprocessors only with prior written authorization from the Controller, as described in Section 7 (Subprocessors).
  • Assist with rights requests: Assist the Controller in fulfilling its obligations to respond to data subject rights requests under LGPD Art. 18 and GDPR Arts. 15-22.
  • Delete or return data: At the Controller's choice, delete or return all personal data upon termination of the Service Agreement, as described in Section 10 (Return and Deletion).
  • Make available information: Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA.
  • Allow audits: Allow and contribute to audits, including inspections, conducted by the Controller or an auditor designated by it, with reasonable prior notice and upon agreement on scope and costs.

7. Subprocessors

The Customer authorizes SecondBrainCore to engage the subprocessors listed on the Subprocessors Page. This list will be updated when new subprocessors are added.

SecondBrainCore will notify Business and Enterprise customers at least 30 days before adding new subprocessors. Customers may register written, reasoned objections within that period. If SecondBrainCore cannot accommodate the objection, the Customer may terminate the Service Agreement without penalty.

SecondBrainCore is liable to the Controller for the performance of data protection obligations by its subprocessors to the same extent as it would be liable if it carried out the processing directly.

8. Security Measures

SecondBrainCore implements the following technical and organizational measures to protect personal data:

  • Encryption: Encryption in transit (TLS 1.2+) for all communications and encryption at rest in Cloudflare D1 for all stored data.
  • Access controls: Role-based access control (RBAC) with SSO enforcement via Cloudflare Access Zero Trust for all administrative and platform users.
  • Audit logging: Comprehensive audit logging of all data access and modifications, retained for 7 years in accordance with regulatory requirements.
  • Incident response: Documented incident response procedures with escalation paths, including 72-hour breach notification protocol as per Section 9.
  • Network protection: Web Application Firewall (WAF) and bot protection managed by Cloudflare across all Service infrastructure.
  • Tenant isolation: Strict data isolation between tenants ensures that one customer's data is never accessible to another.

9. Data Breach Notification

In the event of a personal data breach that may result in a risk to the rights and freedoms of natural persons, SecondBrainCore will notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by the LGPD (Art. 48) and GDPR (Art. 33).

The notification will include, to the extent available: (a) the nature of the personal data breach; (b) the categories and approximate number of data subjects affected; (c) the likely consequences of the breach; (d) the measures taken or proposed to address the breach and mitigate its possible effects.

The Controller is responsible for notifying the competent supervisory authority (ANPD for Brazilian data) and affected data subjects as required by applicable law.

10. Return and Deletion

Upon termination of the Service Agreement, or upon request from the Controller, SecondBrainCore will, at the Controller's choice:

  • Return to the Controller all personal data in a structured, commonly used, machine-readable format (JSON or CSV); or
  • Securely delete all personal data from SecondBrainCore's systems and those of its subprocessors.

SecondBrainCore will confirm deletion in writing within 30 days. Audit logs that SecondBrainCore is required by law to retain will be preserved according to legal retention periods, even after termination.

11. Liability

Each party is liable to data subjects and regulatory authorities for violations of the LGPD/GDPR arising from its respective obligations under this DPA.

SecondBrainCore will indemnify the Controller for damages caused by LGPD/GDPR violations directly resulting from SecondBrainCore's failure to comply with its obligations under this DPA. Such indemnification is subject to the liability limitations set out in the Service Agreement.

The Controller will indemnify SecondBrainCore for damages caused by LGPD/GDPR violations directly resulting from the Controller's failure to comply with its obligations under this DPA or the Service Agreement.

12. Governing Law

This DPA is governed by Brazilian law, including the General Data Protection Law (Lei 13.709/2018 — LGPD), for Brazilian data subjects. For data subjects in the European Union, the GDPR (EU Regulation 2016/679) applies additionally.

Disputes arising from this DPA are subject to the jurisdiction of the courts of São Paulo, Brazil. The Autoridade Nacional de Proteção de Dados (ANPD) is the competent supervisory authority for Brazilian data subjects.

For questions about this DPA, please contact: legal@secondbraincore.com.