Brewale — Data Processing Agreement

Last updated: June 18, 2026
Effective date: June 18, 2026

This Data Processing Agreement ("DPA") forms part of the Brewale Terms of Service between Ankerstjerne Labs ("Brewale", "Processor"), CVR 46507266, Paradisæblevej 54, 4. TH, 2500 Valby, Denmark, and the business Customer that accepts the Terms ("Customer", "Controller").

This DPA applies where Brewale processes personal data on Customer's behalf in connection with the Service. It is entered into to comply with Article 28 of Regulation (EU) 2016/679 ("GDPR"). By accepting the Terms of Service as a business Customer, Customer accepts this DPA.

Defined terms used but not defined here have the meaning given in the GDPR or in the Terms of Service.


1. Subject matter and details of processing

The subject matter, nature, purpose, duration, types of personal data, and categories of data subjects of the processing are set out in Annex 1.

Brewale processes personal data on Customer's behalf as a Processor, and Customer is the Controller of such data. Brewale processes personal data only on documented instructions from Customer, including those given by Customer's configuration and use of the Service, and as set out in this DPA, unless required to do so by EU or Member State law; in that case Brewale will inform Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

If Brewale considers that an instruction from Customer infringes data protection law, Brewale will inform Customer without undue delay.


2. Customer obligations

Customer warrants that:

  • it has all necessary legal bases for the processing of personal data it submits to or generates within the Service, including special-category data where applicable;
  • it has provided required notices to data subjects;
  • its instructions to Brewale comply with applicable data-protection law; and
  • it will not submit special-category personal data (GDPR Art. 9) into Customer Content unless it has implemented appropriate safeguards.

3. Confidentiality

Brewale ensures that personnel authorized to process personal data are bound by appropriate confidentiality obligations and process personal data only as needed to perform their duties.


4. Security measures

Brewale implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as further described in Annex 2, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.


5. Subprocessors

Customer gives a general authorization to Brewale to engage subprocessors. The current list of subprocessors is published at /subprocessors.

Brewale will impose data-protection terms on each subprocessor that are equivalent in substance to those in this DPA.

Notice of changes. Brewale will give Customer at least 30 days' advance notice (by email and by updating the subprocessor list) before adding or replacing a subprocessor that processes Customer personal data.

Objection. Customer may object to a new subprocessor on reasonable data-protection grounds within the notice period. If the parties cannot resolve the objection, Customer may terminate the affected part of the Service and receive a pro-rata refund of any prepaid unused fees for that part.

Brewale remains liable for the acts and omissions of its subprocessors as for its own.


6. Data subject rights

Taking into account the nature of the processing, Brewale will assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfil Customer's obligations to respond to requests for exercising data subject rights under GDPR Chapter III. Where a data subject makes a request directly to Brewale concerning Customer's data, Brewale will, where it can identify Customer, forward the request to Customer without undue delay and will not respond except on Customer's instructions or as required by law.


7. Personal data breach

Brewale will notify Customer without undue delay, and in any event in sufficient time to enable Customer to meet its own notification obligations under GDPR Articles 33–34, after becoming aware of a personal data breach affecting Customer personal data. The notice will include, to the extent then known, the nature of the breach, the categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.

Brewale will provide reasonable assistance to Customer in fulfilling Customer's own breach-notification obligations under GDPR Articles 33–34.


8. Data protection impact assessments

Taking into account the nature of the processing and the information available to Brewale, Brewale will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities under GDPR Articles 35–36.


9. Return or deletion on termination

On termination of the Service or this DPA, Customer may export Customer Content via tools provided in the Service or, where such tools are unavailable, on written request to privacy@brewale.dev, for 30 days after termination. After that period, Brewale will delete Customer personal data from active systems. Personal data in routine backups is deleted on the normal backup-rotation schedule, within 90 days.

Brewale may retain personal data to the extent and for the duration required by EU or Member State law (in particular DK bogføringsloven § 12 for billing records). Retained data remains subject to the protections in this DPA.


10. Audits

Brewale will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and the GDPR. Customer's audit rights under GDPR Article 28(3)(h) are satisfied by:

  • Brewale's response to Customer's reasonable written questions concerning Brewale's processing;
  • provision of Brewale's then-current security overview, subprocessor list, and breach history (high-level, no other-Customer confidential information);
  • where Brewale obtains third-party security certifications or attestations in future (e.g. SOC 2, ISO 27001), provision of the relevant report on request.

Audits will be conducted no more than once per twelve months, with at least 30 days' written notice, except where required by law or following a confirmed personal-data breach.


11. International transfers

All processing under this DPA takes place within the European Union / European Economic Area. Brewale will not transfer Customer personal data outside the EU/EEA without first ensuring an adequate transfer mechanism is in place (such as an adequacy decision or the EU Standard Contractual Clauses, Module 3 where applicable for processor-to-subprocessor transfers).

If Brewale proposes to engage a subprocessor located outside the EU/EEA, the notice under Section 5 will include the proposed transfer mechanism, and Customer's objection right applies.

Where Customer connects an Integration located outside the EU/EEA (for example a GitHub repository, with GitHub located in the United States), the resulting transfer of Customer personal data to that Integration is made on Customer's documented instruction — namely its configuration of the Service to connect that Integration.


12. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits liability that cannot be limited under applicable mandatory law, including under GDPR Article 82.


13. Term

This DPA applies for the duration of the Terms of Service and, with respect to the obligations of Section 9 (return or deletion), survives termination until those obligations have been fully performed.


14. Conflict and governing law

In the event of any conflict between this DPA and the Terms of Service in relation to the processing of personal data, this DPA prevails. This DPA is governed by Danish law and disputes are subject to the venue clause of the Terms of Service.


Annex 1 — Details of processing

Subject matter: processing of personal data necessary to provide the Brewale Service to Customer.

Duration: the term of the Terms of Service plus any retention period permitted under Section 9.

Nature and purpose: hosting, storing, transmitting, caching, backing up, and displaying personal data so that Customer can author and version coding skills and conventions and serve them to AI Agents and Integrations Customer authorizes. This includes writing and publishing Customer Content to, and reading it from, repositories or services the Customer connects (for example a GitHub repository).

Types of personal data:

  • account identity data of Customer's users (name, email, password hash, role)
  • organization membership and access-control data
  • Customer Content authored by Customer's users that may contain personal data
  • Integration credentials and Integration data fetched on Customer's authorization
  • GitHub integration metadata (repository identifiers, installation ID, connecting user, commit author and SHA)
  • billing and subscription identifiers (Polar customer ID, subscription status, seat count)
  • authentication security data (two-factor authentication secret and backup codes, stored encrypted)
  • communications between Customer's users and Brewale
  • technical and security log data (IP address, user agent, request metadata, authentication events)
  • Service usage metadata (organization, user, and content identifiers, timestamps)

Categories of data subjects:

  • Customer's authorized users (administrators, members of Customer's organization)
  • third parties whose personal data appears in Customer Content or in Integration data, to the extent Customer chooses to include such data

Annex 2 — Technical and organizational measures

Brewale implements measures including:

Access control. Access to production systems is restricted to authorized personnel using strong authentication and the principle of least privilege.

Encryption.

  • Customer data is stored in databases located within the European Union and encrypted at the storage layer by Brewale's hosting provider.
  • Sensitive credentials, including OAuth tokens for connected Integrations, are additionally encrypted at the application layer using AES-256-GCM before being written.
  • Account passwords are stored as one-way scrypt hashes; OAuth refresh tokens issued by Brewale are stored hashed.
  • Production traffic is served over TLS.

Network security. Production runs on hosting providers within the EU (Hetzner, Scaleway) with industry-standard infrastructure security.

Authentication and authorization. Multi-tenant access is enforced by organization-scoped routing and per-resource authorization. API access is gated by hashed bearer tokens.

Logging and monitoring. Authentication events and Service usage are logged for security and operational purposes, with retention as set out in the Privacy Policy.

Backup and recovery. Routine backups are taken and retained for up to 90 days.

Personnel. Personnel authorized to access personal data are bound by confidentiality obligations.

Incident response. Brewale maintains processes to detect, contain, and respond to security incidents, including the breach-notification procedure in Section 7.

Subprocessor diligence. Subprocessors are selected based on the security and data-protection assurances they provide, and are bound by data-protection terms equivalent to those in this DPA.

These measures may be updated from time to time, provided the overall level of security is not reduced.


Annex 3 — Subprocessors

The current list of subprocessors and independent third parties is maintained at /subprocessors and forms part of this DPA.