Burnt Group, Corp.
Last updated: 18 November 2025
This Data Processing Agreement (“DPA”) forms part of any agreement between Burnt Group, Corp. (“Burnt”, “Processor”) and the customer (“Customer”, “Controller”) for the provision of Burnt’s software and services (“Services”). This DPA sets out the terms under which Burnt processes personal data on behalf of the Customer in accordance with the General Data Protection Regulation (“GDPR”).
By using the Services, the Customer enters into this DPA with Burnt.
1. Definitions
For the purposes of this DPA:
“Personal Data” means any information relating to an identified or identifiable natural person processed by Burnt on behalf of the Customer.
“Processing”, “Controller”, “Processor”, “Data Subject”, and “Supervisory Authority” have the meanings set out in the GDPR.
“Sub-processor” means any third party engaged by Burnt to process Personal Data on behalf of the Customer.
2. Scope of Processing
Burnt processes Personal Data solely for the purpose of providing the Services, performing analytics, supporting product functionality, enhancing security, and carrying out legitimate business operations strictly on behalf of the Customer. Burnt will not process Personal Data for any purpose other than those documented by the Customer.
Burnt will not sell Personal Data, use it for advertising, or train public or shared AI models on Customer data.
3. Roles and Responsibilities
The Customer is the Controller. Burnt is the Processor and acts only under the Customer’s documented instructions.
The Customer is responsible for ensuring the lawful basis for processing, providing transparency to data subjects, and ensuring the data submitted to the Services is accurate and permitted under applicable law.
Burnt will inform the Customer if an instruction violates GDPR.
4. Confidentiality
Burnt ensures that all personnel authorized to process Personal Data are bound by confidentiality obligations and receive appropriate data protection training.
5. Security Measures
Burnt implements appropriate technical and organizational measures to protect Personal Data, including:
Encryption in transit and at rest
Access controls and least privilege permissions
Multi-factor authentication
Continuous monitoring and logging
Network security protections
Incident detection and response procedures
Secure development and deployment practices
A description of Burnt’s Technical and Organizational Measures (TOMs) is available upon request.
6. Sub-processors
Burnt may engage Sub-processors to support the operation of the Services. Sub-processors are bound by written agreements with data protection obligations no less protective than those in this DPA.
Burnt maintains a current list of Sub-processors and will notify the Customer of additions where legally required.
The Customer may object to new Sub-processors if they pose a reasonable data protection risk.
7. International Transfers
If Burnt transfers Personal Data outside the European Economic Area, Burnt uses GDPR-approved transfer mechanisms, including:
Standard Contractual Clauses
Adequacy decisions
Technical safeguards such as encryption
Burnt conducts transfer impact assessments where required.
8. Assistance to the Controller
Burnt assists the Customer in fulfilling their GDPR obligations, including:
Responding to data subject access, correction, deletion, or portability requests
Conducting data protection impact assessments
Ensuring compliance with security and breach notification requirements
Burnt will not respond to data subjects directly unless instructed or required by law.
9. Data Breach Notification
Burnt will notify the Customer without undue delay after becoming aware of a Personal Data breach.
Notifications will include:
The nature of the breach
Categories and volume of data affected
Likely consequences
Actions taken to mitigate harm
Burnt will cooperate fully in remediation efforts.
10. Data Retention and Deletion
Upon termination of the Services, Burnt will delete or return all Personal Data, unless retention is required by law. Backups are deleted according to Burnt’s retention schedules.
Customer exports of data are available upon request at any time during the subscription.
11. Audits
Burnt will provide documentation necessary to demonstrate compliance with this DPA.
If required, Customers may carry out audits or inspections, subject to:
Reasonable notice
Non-disruption of Burnt’s operations
Confidentiality commitments
Third-party auditors must be independent and approved by Burnt.
12. Liability
The liability provisions of the underlying commercial agreement apply to this DPA. Nothing in this DPA limits either party’s liability for violations of data protection law.
13. Term
This DPA remains in effect as long as Burnt processes Personal Data on behalf of the Customer.
14. Contact
Questions about this DPA or data protection practices should be directed to: support@getburnt.ai.
