Plain-language summary.
If you are a buyer above 50 full-time employees, or if you process brief data outside the European Union, we sign a Data Processing Agreement before any brief is accepted. The template is downloadable above and includes the European Commission's Standard Contractual Clauses.
When the DPA applies
A signed DPA is required in two cases. First, any buyer organisation above 50 full-time employees, regardless of geography. Second, any buyer whose internal handling of the brief involves transferring the brief data outside the European Economic Area, even if the buyer itself is EU-based.
What the DPA covers
The DPA covers the categories of personal data processed (work email, name, brief content), the duration of processing (up to 24 months after brief submission), the rights and obligations of the controller and processor, the list of approved subprocessors, the security measures we implement, and the procedure for handling personal data breaches.
How to execute
Download the template above, complete the buyer details on the cover sheet, sign electronically, and email the executed copy to legal@xpertdirect.io. We countersign and return within two business days. No brief is accepted under the conditions above until the DPA is countersigned.
Standard Contractual Clauses
For any transfer of personal data from the EEA to a third country, the DPA incorporates the European Commission's Standard Contractual Clauses (Decision 2021/914), Module Two (controller to processor), without modification.