Data Processing Agreement
Last Updated: 24 June 2025
This Data Processing Agreement ("DPA") is entered into by and between the customer organisation ("Controller" or "you") and Marketingmary Ltd. ("Processor" or "we"), and is incorporated into and governed by the Marketingmary Terms of Service ("Terms").
This DPA is effective as of the date the Controller accepted the Terms.
INTRODUCTION
This DPA reflects the parties’ agreement with regard to the Processing of Personal Data in accordance with the requirements of Data Protection Laws. It sets out the Controller's instructions for the Processing of its Personal Data and the rights and obligations of both parties.
1. DEFINITIONS
1.1. In this DPA, the following terms shall have the meanings set out below:
a) "Data Protection Laws" means all applicable data protection and privacy legislation, including the UK GDPR, the EU GDPR (General Data Protection Regulation 2016/679), and any other applicable national laws.
b) "Controller," "Processor," "Data Subject," "Personal Data," "Personal Data Breach," and "Processing" shall have the same meaning as in the GDPR.
c) "UK GDPR" has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
d) "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as approved by European Commission Implementing Decision (EU) 2021/914.
e) "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner.
1.2. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Terms.
2. PROCESSING OF PERSONAL DATA
2.1. Roles of the Parties. The parties acknowledge and agree that for the purposes of the Data Protection Laws, the Controller is the Controller and the Processor is the Processor of the Personal Data.
2.2. Processor's Obligations. The Processor shall only Process Personal Data on behalf of and in accordance with the Controller's documented instructions for the following purposes: (i) Processing in accordance with the Terms and this DPA; and (ii) Processing to comply with other reasonable instructions provided by the Controller where such instructions are consistent with the Terms. The Processor shall not Process Personal Data for any other purpose unless required to do so by law.
2.3. Details of the Processing. The details of the Processing of Personal Data are described in Annex I.
3. SECURITY & CONFIDENTIALITY
3.1. Technical and Organisational Measures. The Processor shall implement and maintain appropriate technical and organisational measures to protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures are detailed in Annex II.
3.2. Data Isolation. The Processor shall maintain complete logical separation of each Controller's data through its multi-tenant architecture, including implementing row-level security on all database operations and organisation-scoped API access to prevent any cross-organisation data access.
3.3. Confidentiality. The Processor shall ensure that any person it authorises to Process the Personal Data (including its staff, agents, and subcontractors) shall be subject to a strict duty of confidentiality.
4. SUB-PROCESSING
4.1. Authorised Sub-processors. The Controller provides a general written authorisation for the Processor to engage sub-processors to Process Personal Data on the Controller's behalf. The Processor shall maintain a list of its current sub-processors, as set out in Annex III.
4.2. Sub-processor Obligations. The Processor shall enter into a written agreement with each sub-processor containing data protection obligations no less protective than those in this DPA. The Processor shall remain fully liable to the Controller for the performance of the sub-processor's data protection obligations.
4.3. Changes to Sub-processors. The Processor shall provide the Controller with at least thirty (30) days' prior written notice of any intended changes concerning the addition or replacement of sub-processors. The Controller may object to such changes on reasonable grounds relating to data protection.
5. INTERNATIONAL TRANSFERS
5.1. Transfer Mechanisms. The Processor shall not transfer Personal Data outside the UK or the European Economic Area (EEA) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Data Protection Laws.
5.2. Transfers to the United States. For transfers of Personal Data to sub-processors located in the United States, the Processor shall rely on such sub-processors' certification under the EU-U.S. Data Privacy Framework and, where applicable, the UK Extension to that framework (the "Data Bridge"), as a valid transfer mechanism.
5.3. Other Transfers. Where transfers are not covered by an adequacy decision (such as the Data Privacy Framework), the parties agree that such transfers shall be governed by the Standard Contractual Clauses, which shall be deemed incorporated into this DPA. For transfers subject to the EU GDPR, the SCCs (Module Two) will apply. For transfers subject to the UK GDPR, the SCCs as amended by the UK Addendum will apply.
6. DATA SUBJECT RIGHTS & ASSISTANCE
6.1. Assistance. The Processor shall, taking into account the nature of the Processing, provide the Controller with reasonable assistance to enable the Controller to respond to requests from Data Subjects seeking to exercise their rights under Data Protection Laws.
6.2. Controller's Responsibility. The Controller shall be responsible for responding to Data Subject requests. The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject.
7. PERSONAL DATA BREACH
7.1. Notification. Upon becoming aware of a Personal Data Breach affecting the Controller's Personal Data, the Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours.
7.2. Details. The notification shall include: (a) a description of the nature of the Personal Data Breach; (b) the categories and approximate number of Data Subjects and Personal Data records concerned; (c) the name and contact details of the Processor's data protection officer or other contact point; and (d) a description of the likely consequences and measures taken or proposed to be taken to address the breach.
8. DELETION AND RETURN OF DATA
8.1. Deletion. Upon termination of the Terms, the Processor shall, at the Controller's election, either delete or return all Personal Data to the Controller. The Processor shall delete existing copies unless applicable law requires storage of the Personal Data. Data will be soft-deleted immediately upon request, permanently deleted after thirty (30) days, and the Processor shall provide certification of deletion upon request.
9. AUDIT RIGHTS
9.1. Audit Information. The Processor shall make available to the Controller all information necessary to demonstrate compliance with its obligations under this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
9.2. Third-Party Reports. To satisfy this requirement, the Processor will provide, upon request, copies of its then-current third-party audit reports (e.g., SOC 2 Type II, ISO 27001), where available. Specific audits by the Controller shall be subject to sixty (60) days' prior notice and shall be conducted during normal business hours so as not to unreasonably interfere with the Processor's business activities.
ANNEX I: DETAILS OF THE PROCESSING
- Subject Matter and Duration of the Processing: The subject matter is the provision of the Marketingmary Service as described in the Terms. The duration of the Processing is the term of the Controller's subscription to the Service.
- Nature and Purpose of the Processing: The Processor will Process Personal Data for the purposes of providing, maintaining, and improving the Service, enabling the Controller to manage marketing activities, create AI-generated content, and analyse business data.
- Categories of Data Subjects: The Controller's Authorised Users, and the Controller's own customers, leads, prospective customers, and website visitors, as determined by the Controller's use of the Service.
- Categories of Personal Data: The Personal Data Processed includes:
  - Contact & Account Information: Name, email address, phone number, company name, job title/role.
  - Business & User Content: Any data uploaded or provided by the Controller, including business data and user-generated marketing content.
  - Service Usage Data: IP address, device/browser information, usage patterns, features used, performance metrics, and audit logs.
  - Platform Configuration Data: Organisation-specific settings and integration configurations.
- Special Categories of Data (if applicable): No special categories of data are intentionally Processed.
ANNEX II: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
The Processor shall implement and maintain the following measures:
- Data Isolation & Access Controls
  - Multi-Tenant Architecture: Complete logical data isolation guaranteed through a multi-tenant architecture with row-level security (RLS) on all database tables.
  - Access Control: Role-Based Access Control (RBAC) with predefined roles (e.g., Admin, Editor, Viewer) to restrict access to data and functionalities within an Organisation. API access is scoped by organisation.
  - Audit Logging: Comprehensive logging of all access and significant actions taken within the Service.
- Infrastructure & Encryption
  - Encryption at Rest: All Personal Data stored at rest is encrypted using industry-standard algorithms (e.g., AES-256).
  - Encryption in Transit: All Personal Data transmitted over public networks is encrypted using strong protocols (e.g., TLS 1.3).
- Compliance & Testing
  - Compliance Frameworks: The Service is designed to be GDPR compliant. The Processor plans to undergo regular third-party audits for SOC 2 Type II and ISO 27001 certifications.
  - Penetration Testing: The Processor conducts regular penetration testing to identify and remediate vulnerabilities.
- Operational Security
  - Session Management: Secure session management controls, including session timeouts, are implemented to prevent unauthorised access.
  - Security Updates: The Processor maintains a process for regularly applying security updates to its infrastructure and software.
  - DDoS Protection: Measures are in place to protect against Distributed Denial of Service (DDoS) attacks.
ANNEX III: LIST OF SUB-PROCESSORS
The Controller authorises the Processor to use the following sub-processors. For transfers to the USA, the Processor relies on the EU-U.S. Data Privacy Framework and the UK Extension thereto.
Sub-processor | Purpose | Country
Supabase Inc. | Cloud Infrastructure & Database | USA
Amazon Web Services EMEA SARL | Cloud Hosting | EU (Germany)
OpenAI, L.L.C. | AI Processing Services | USA
Anthropic, PBC | AI Processing Services | USA
Google LLC | AI Processing Services | USA
[Future MCP Partners] | Integration Services | As notified