Data Processing Agreement
Effective Date: March 5, 2026
Last updated: June 1, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between CloudBriz Technologies Ltd. (“Processor,” “CloudBriz,” “we,” “us,” or “our”) and the entity subscribing to the Mediabriz service (“Controller,” “Customer,” or “you”) for the provision of the Mediabriz service (“Service”).
This DPA sets out the terms that apply to the processing of personal data by CloudBriz on behalf of the Customer in connection with the Service, in compliance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- “Processing” means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
- “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
- “Sub-processor” means any third party engaged by CloudBriz to process Personal Data on behalf of the Customer.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Roles and Scope
2.1 Roles
- The Customer is the Data Controller and determines the purposes and means of processing Personal Data.
- CloudBriz is the Data Processor and processes Personal Data solely on behalf of the Customer in accordance with this DPA and the Customer’s documented instructions.
2.2 Scope of Processing
CloudBriz processes Personal Data only on documented instructions from the Customer, as reflected in the Customer’s use of the Service, and solely as necessary to provide the Service. CloudBriz does not independently determine the purposes of processing beyond what is necessary to provide the Service.
Such processing may include:
- Media file handling and display within digital conversations
- User-driven features such as annotations, comments, and follow-ups
- Security-related processing such as malware scanning (if enabled)
- Generation of previews and derived media assets
- Usage tracking for billing and service operation purposes
- Provision of aggregate, organization-level usage analytics and scan-result reporting to the Customer’s authorized administrators (the Mediabriz Insights dashboard)
3. Categories of Data Subjects
Personal Data processed under this DPA may relate to the following categories of data subjects:
- Customer’s authorized users (agents and administrators) who access the Service through Genesys Cloud
- Conversation participants whose metadata appears in conversations processed by the Service
4. Types of Personal Data Processed
4.1 Data We Store
| Data Category | Specific Data Elements | Purpose |
|---|---|---|
| Organization identifiers | Genesys Cloud organization ID, organization name, data region | Service configuration and data routing |
| User identifiers | Genesys Cloud user ID | Annotation attribution, access control |
| Conversation metadata | Conversation ID, channel type (messaging/email), timestamps | Service functionality, billing dedup |
| Media file metadata | Media ID, file name, file type, file size, scan result, scan timestamp | Media display, scanning, billing |
| Annotation data | User-created comments, highlights, follow-up item references | User-created content storage |
| Authentication tokens | Hashed representation of access token (plaintext tokens are not stored) | Token validation caching |
| Billing records | Aggregated organizational daily usage counts per organization (conversation count, scan count, file type counts) - no personal data or individual user identifiers | Metered billing |
4.2 Data We Do NOT Store
| Data Category | Details |
|---|---|
| Message content | Text of messages and emails is not stored by CloudBriz. Message content may be retrieved via Genesys Cloud APIs for display purposes but is not persisted or analyzed. Content remains in Genesys Cloud. |
| Media file content | Media files and documents may be processed transiently as required to provide Service functionality, including preview generation, security scanning, and rendering. Temporary copies may be stored for a limited period and are automatically deleted in accordance with defined retention policies. |
| Passwords or credentials | User authentication is handled by Genesys Cloud OAuth. CloudBriz does not receive or store user passwords. |
| Direct contact information | Names, email addresses, phone numbers, and other contact information are not collected or stored beyond what is embedded in Genesys Cloud user IDs. |
5. Data Storage Locations
5.1 Regional Architecture
CloudBriz operates regionally distributed infrastructure. The Customer’s data region is selected during initial configuration, and data is stored and processed within the selected region, subject to applicable data transfer safeguards.
CloudBriz stores and processes Customer data within the region selected by the Customer. Certain limited operational data that does not contain personal data may be processed in other regions for service operation and billing purposes.
5.2 EU Data Residency
For EU organizations, CloudBriz is designed to store and process operational Personal Data within the EU. This includes conversation records, scan results, annotations, tokens, thumbnails, and temporary scan files.
Certain data that does not contain Personal Data (such as aggregate billing counters) may be stored outside the EU for centralized reporting purposes.
Certain Service features may involve processing by third-party services that operate globally. See Section 15 for applicable transfer safeguards.
The principal example of such third-party processing is the rendering of Office file previews (Word, Excel, PowerPoint), which is performed by Microsoft’s Office Online viewer (view.officeapps.live.com). When a user opens an Office file preview, Microsoft’s servers fetch the file from CloudBriz’s regional media CDN and render it on Microsoft’s global infrastructure; this rendering step is outside CloudBriz’s regional control and applies to both US and EU data-region organizations. Customers requiring strict regional containment for all preview operations may opt out of this processing by blocking outbound traffic to view.officeapps.live.com at the network or proxy level. In that case, Office file preview will be unavailable, but all other Service functionality (image and video preview, downloads, annotations, scanning) will continue to operate normally within the Customer’s selected data region.
6. Data Retention and Deletion
6.1 Retention Principles
CloudBriz retains Personal Data only for as long as necessary to provide the Service and fulfill its contractual and legal obligations.
Personal Data is deleted or anonymized when no longer required, in accordance with automated retention policies and applicable law.
Temporary and processing-related data is retained only for short durations necessary to support the functionality of the Service.
The following categories describe the general nature of data retention:
- Operational data (such as conversation records, scan results, and user annotations) is retained for a limited period and automatically deleted thereafter.
- Temporary processing data (such as document previews, media thumbnails, and scan files) is retained for short durations and automatically removed.
- Billing data consists of aggregate organizational usage counts that do not contain Personal Data and may be retained for reporting and compliance purposes.
A detailed data retention schedule is available upon request by contacting CloudBriz.
6.2 Deletion Upon Termination
Upon termination of the Customer’s subscription, operational data will be deleted in accordance with CloudBriz’s retention policies. Data subject to automated retention will continue to be removed as applicable.
The Customer may request earlier deletion of their organization’s data by contacting CloudBriz. CloudBriz will process such requests within a reasonable timeframe.
7. Confidentiality
CloudBriz ensures that persons authorized to process Personal Data on behalf of the Customer have committed to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is restricted to personnel who require it to perform their role in providing the Service.
8. Processor Obligations
8.1 Instructions
CloudBriz shall process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law. If CloudBriz is required by law to process Personal Data other than on the Customer’s instructions, CloudBriz will inform the Customer of such legal requirement before processing, unless prohibited by law from doing so.
8.2 Notification of Instruction Violations
If, in CloudBriz’s reasonable opinion, an instruction from the Customer infringes applicable data protection laws, CloudBriz will notify the Customer and may suspend the relevant processing until the instruction is clarified or modified.
8.3 Records of Processing Activities
CloudBriz maintains a record of processing activities carried out on behalf of the Customer, in accordance with Article 30(2) of the GDPR, containing:
- The name and contact details of the Processor
- The categories of processing carried out on behalf of the Customer
- Where applicable, transfers of Personal Data to third countries and the documentation of suitable safeguards
- A general description of technical and organizational security measures
9. Third-Party Services and Sub-processors
9.1 Authorized Third-Party Services and Sub-processors
CloudBriz relies on the following third-party services and sub-processors in connection with the Service:
| Service Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting services supporting application processing, storage, networking, and security | Customer data processed as part of providing the Service | us-east-1 and/or eu-west-1 (per Customer’s region) |
| Genesys Cloud (Required Platform) | Core platform integration required for the operation of the Service, including authentication, conversation data access, and media retrieval | Authentication tokens and data accessed via the Customer’s Genesys Cloud environment | Customer’s Genesys Cloud region |
| Microsoft Corporation | Document preview rendering services for Office file formats | Document files processed for preview functionality | Microsoft’s global infrastructure |
The Customer acknowledges that Mediabriz is designed to operate in conjunction with Genesys Cloud, which is a required platform dependency of the Service. CloudBriz does not control the operation of Genesys Cloud, does not determine the purposes or means of processing performed independently by Genesys Cloud, and is not responsible for Genesys Cloud’s own data processing activities.
Note on the Microsoft Office Online viewer. The Microsoft sub-processor listed above is engaged only when a user opens an in-app preview for an Office file format (Word, Excel, PowerPoint). The file is rendered in Microsoft’s Office Online viewer at view.officeapps.live.com and processed on Microsoft’s global infrastructure, which is outside CloudBriz’s regional control — this applies to both US and EU data-region organizations. Customers requiring strict regional containment for all preview operations may disable Office file preview by blocking outbound traffic to view.officeapps.live.com at the network or proxy level. In that case, Office file preview will be unavailable, but all other Service functionality (image and video preview, downloads, annotations, scanning) will continue to operate normally. CloudBriz does not determine the purposes or means of any processing performed independently by Microsoft and is not responsible for Microsoft’s own data processing activities beyond the configuration of how Office files are submitted to the Office Online viewer.
9.2 Sub-processor Obligations
Each sub-processor is contractually bound to:
- Process Personal Data only as necessary to perform their services
- Implement appropriate technical and organizational security measures
- Comply with applicable data protection laws
9.3 Changes to Sub-processors
CloudBriz may update its list of sub-processors from time to time. CloudBriz will provide notice of any new sub-processor by updating the list on its website or through other reasonable means.
The Customer may object to a new sub-processor on reasonable data protection grounds by notifying CloudBriz within 30 days of such notice.
This objection right does not apply to sub-processors that are essential to the operation of the Service, including Genesys Cloud.
In the event of a valid objection that cannot be reasonably resolved, CloudBriz may, at its discretion, (i) provide a commercially reasonable alternative, or (ii) allow the Customer to discontinue use of the affected functionality. Such objection shall not entitle the Customer to terminate the Agreement as a whole.
10. Security Measures
CloudBriz implements the following technical and organizational measures to protect Personal Data. For a comprehensive description of our security architecture, see our Security Overview.
10.1 Encryption
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2 or higher for data transmission |
| Encryption at rest | Industry-standard encryption applied to databases and storage systems |
| Secrets management | Sensitive credentials and configuration are encrypted using managed key services |
| Token protection | Hashed representations of access tokens are cached; plaintext tokens are not stored |
10.2 Access Controls
| Measure | Implementation |
|---|---|
| Authentication | Token-based authentication on service endpoints |
| Authorization | Organization-level data isolation with user identity derived from validated tokens |
| Administrative access | Authenticated administrative and service access controls |
| Administrative analytics | Access to the Mediabriz Insights analytics dashboard is restricted to users to whom the Customer has granted the corresponding Genesys Cloud permission; organization-level data isolation applies |
| Infrastructure protection | Network and application-layer protections designed to mitigate common attack patterns |
| Data protection | Production data stores are protected against unauthorized or accidental deletion |
| Backup | Appropriate backup and recovery controls are maintained for relevant production systems |
10.3 Organizational Measures
- Access to production infrastructure is restricted to authorized CloudBriz personnel
- Administrative access is authenticated and logged
- Security configurations are managed using controlled and auditable deployment processes
11. Data Breach Notification
11.1 Notification Timeline
In the event of a Data Breach affecting the Customer’s Personal Data, CloudBriz will notify the Customer without undue delay after becoming aware of the breach.
Such notification may be provided via email, through the Service interface, or other reasonable means.
11.2 Notification Content
The notification will include, to the extent reasonably available:
- A description of the nature of the Data Breach, including the categories and approximate number of data subjects and records affected
- The name and contact details of CloudBriz’s point of contact for further information
- A description of the likely consequences of the Data Breach
- A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects
11.3 Security Incidents
A security incident that does not result in unauthorized access to, or accidental or unlawful destruction, loss, alteration, or disclosure of Personal Data shall not be considered a Data Breach under this DPA. CloudBriz may, at its discretion, inform the Customer of significant security incidents that do not constitute a Data Breach.
11.4 Cooperation
CloudBriz will provide reasonable cooperation to the Customer in connection with the investigation and remediation of a Data Breach, taking into account the nature of the processing and the information available to CloudBriz.
To the extent permitted by applicable law, such assistance shall be provided at the Customer’s reasonable expense where it requires significant additional effort beyond CloudBriz’s standard obligations.
12. Data Subject Rights
12.1 Assistance
CloudBriz will provide reasonable assistance to the Customer in fulfilling its obligations to respond to Data Subject requests, taking into account the nature of the processing and the information available to CloudBriz.
Where CloudBriz receives a Data Subject request directly, it will promptly forward the request to the Customer.
12.2 Scope
Given the nature of the Service, most Personal Data processed is limited to identifiers and metadata. The Customer retains primary control over Data Subject rights through their Genesys Cloud administration.
13. Data Protection Impact Assessments
CloudBriz will provide reasonable assistance to the Customer in connection with data protection impact assessments and prior consultations with supervisory authorities where required by applicable data protection law, taking into account the nature of the processing and the information available to CloudBriz.
To the extent permitted by applicable law, such assistance shall be provided at the Customer’s reasonable expense where it requires significant additional effort beyond CloudBriz’s standard obligations.
14. Audit Rights
14.1 Customer Audits
The Customer may request information reasonably necessary to demonstrate CloudBriz’s compliance with this DPA.
CloudBriz will satisfy such requests by providing documentation, certifications, or summaries of its security and data protection practices.
Only where such information is not sufficient, the Customer may request an audit, subject to the following conditions:
- The audit must be based on reasonable written notice of at least 30 days
- Audits may be conducted no more than once per year, unless required by a supervisory authority
- Audits must be conducted during normal business hours and in a manner that does not unreasonably interfere with CloudBriz’s business operations
- Audits must be limited in scope to information relevant to this DPA
- The auditor must be independent, subject to CloudBriz’s approval, and bound by confidentiality obligations
- CloudBriz may object to an auditor on reasonable grounds
- Audits shall be conducted at the Customer’s expense, including reimbursement of CloudBriz’s reasonable costs and internal resources required to support the audit
14.2 Compliance Evidence
CloudBriz will make available, upon reasonable request, information necessary to demonstrate compliance with this DPA, including:
- Documentation of security measures and certifications, where available
- Information regarding sub-processors
- Results of third-party security assessments, where available
CloudBriz may reasonably limit the scope and frequency of such disclosures to prevent undue burden or risk to the security of its systems.
15. International Data Transfers
15.1 Data Processing Locations
CloudBriz is designed to process and store Customer Personal Data in the region selected by the Customer.
Certain Service features may involve processing by third-party services that operate globally. Where such processing involves transfers of Personal Data outside the Customer’s region, CloudBriz is designed to ensure that appropriate safeguards are in place in accordance with applicable data protection laws.
15.2 Transfer Safeguards
Where Personal Data is transferred to countries outside the European Economic Area, CloudBriz maintains appropriate safeguards, which may include:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions of the European Commission
- Other legally recognized transfer mechanisms under applicable data protection law
16. GDPR Compliance (Article 28)
This DPA is entered into in accordance with Article 28 of the GDPR. CloudBriz shall:
- Process Personal Data only on documented instructions from the Customer
- Ensure that persons authorized to process Personal Data have committed to confidentiality
- Implement appropriate technical and organizational security measures
- Assist the Customer in ensuring compliance with Articles 32–36 of the GDPR
- Delete Personal Data in accordance with this DPA and applicable law, and, where applicable and technically feasible, may provide return of Personal Data upon written request and subject to the parties’ agreement
- Make available information necessary to demonstrate compliance with Article 28
17. Term and Termination
This DPA shall remain in effect for the duration of the Customer’s Mediabriz subscription. Obligations relating to data protection, confidentiality, and data deletion survive termination of this DPA.
18. Limitation of Liability
CloudBriz’s total liability under this DPA shall be subject to the limitations set forth in the Terms of Use and EULA. Nothing in this DPA excludes or limits liability to the extent that such exclusion or limitation is not permitted under applicable data protection law.
19. Conflict
In the event of any conflict between this DPA and the Terms of Use, EULA, or any other agreement between the parties, the provisions of this DPA shall prevail with respect to data protection matters.
20. Contact
For questions about this DPA or to exercise any rights under it, please contact us.
CloudBriz Technologies Ltd.