Data Processing Agreement

Last updated: 23 May 2026 — Business customers only

This Data Processing Agreement (“DPA”) supplements the Brush Terms of Service for Business-tier customers who act as data controllers and instruct Brush to process personal data on their behalf. It incorporates the UK International Data Transfer Agreement (IDTA) and EU Standard Contractual Clauses (SCCs) where required.

1. Definitions

  • “Controller” — the Business customer who determines the purposes and means of processing personal data.
  • “Processor” — Brush Ltd, which processes personal data on behalf of the Controller.
  • “Data Subject” — any identified or identifiable natural person whose personal data is processed.
  • “Processing” — any operation performed on personal data, including storage, AI analysis, and export.

2. Subject Matter

Brush processes personal data (including images of individuals) uploaded by the Controller through the Brush API and web platform, for the purpose of providing AI-powered photo and video editing services.

3. Processor Obligations

  • Process personal data only on documented instructions from the Controller.
  • Ensure persons authorised to process data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures (Article 32, UK/EU GDPR).
  • Assist the Controller with data subject requests within 5 business days.
  • Delete or return all personal data after the provision of services, at the Controller's election.
  • Make available all information necessary to demonstrate compliance.

4. Sub-processors

Brush uses the following categories of sub-processors to deliver the Service. We maintain a full sub-processor list at troth.shop/legal/sub-processors and will notify Controllers of material changes with 30 days' notice.

  • Cloud infrastructure (Cloudflare — EU/UK data centres)
  • Payment processing (Stripe)
  • Transactional email (Resend)
  • AI model providers (Stability AI, Replicate, Fal — with DPAs in place)

5. International Transfers

Where personal data is transferred to sub-processors outside the UK or EEA, Brush relies on UK IDTAs or EU SCCs. Copies are available on request at privacy@troth.shop.

6. Security Measures

Brush implements: TLS 1.2+ for data in transit; AES-256 encryption for data at rest; role-based access controls; automated vulnerability scanning; incident response procedures with notification within 72 hours of becoming aware of a breach.

7. Data Retention

Business-tier customers may configure custom retention periods via the API. Default: indefinite storage while the account is active. On account termination, data is deleted within 90 days unless the Controller instructs otherwise.

8. Audit Rights

Controllers may request a copy of Brush's most recent third-party security audit report under NDA. On-site audits are available by arrangement with 30 days' notice.

9. Execution

This DPA is incorporated by reference into the Brush Terms of Service and takes effect upon a Business-tier subscription. No wet signature is required for standard DPA terms. Custom DPA amendments are available by written agreement — contact legal@troth.shop.
