Data Processing Agreement

Last updated: April 2026

1. Introduction

This Data Processing Agreement ("DPA") is entered into between Mark ("Data Processor") and you, the customer ("Data Controller"), in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR") and equivalent data protection laws.

This DPA applies when you use Mark's services and process personal data of EU residents or other individuals protected under data protection laws.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data (collection, recording, organization, storage, etc.)
  • Data Controller: The natural or legal person determining purposes and means of processing
  • Data Processor: The natural or legal person processing data on behalf of the controller
  • Data Subject: The individual to whom personal data relates
  • Sub-Processor: Any natural or legal person engaged by the processor to process personal data

3. Scope

This DPA governs the processing of personal data when you use Mark's services, including:

  • Website URL and business information you submit
  • Product descriptions and marketing copy
  • Customer data you authorize for analysis
  • Email addresses or contact information for outreach
  • Social media profiles or user data you link to Mark
  • Any other personal data you submit or authorize for processing

4. Roles and Responsibilities

You as Data Controller:

You are responsible for:

  • Determining the purposes and means of processing
  • Ensuring lawful basis for processing (consent, contract, legal obligation, etc.)
  • Providing privacy notices to data subjects
  • Obtaining necessary consents from data subjects
  • Complying with data subject rights requests (access, deletion, portability)
  • Conducting Data Protection Impact Assessments (DPIA) where required
  • Reporting personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them (Article 33 GDPR)

Mark as Data Processor:

Mark is responsible for:

  • Processing personal data only on your documented instructions
  • Ensuring persons authorized to process data are bound by confidentiality
  • Implementing appropriate technical and organizational measures
  • Engaging Sub-Processors with appropriate safeguards
  • Assisting with data subject rights requests
  • Assisting with DPIAs and compliance obligations
  • Deleting or returning data after service termination
  • Documenting and demonstrating compliance with GDPR

5. Processing Instructions

You authorize Mark to process personal data as follows:

  • Purpose: Provide AI-powered marketing strategy, content generation, and analytics
  • Processing Activities: Store, analyze, generate insights, create recommendations, maintain backups
  • Data Types: Business information, contact data, website content, usage metrics
  • Recipients: Mark employees, Sub-Processors (Anthropic, Supabase, etc.)
  • Duration: For the term of service, plus the post-termination deletion window set out in Section 12
  • Data Subjects: Customers, website visitors, campaign recipients

Mark may process personal data only in accordance with these documented instructions and may not change processing purposes without prior written consent.

6. Sub-Processors

Mark uses the following Sub-Processors to process personal data:

  • Anthropic Claude (USA) - AI content and strategy generation. Data transmitted for processing. See Anthropic's privacy policy.
  • Supabase (USA) - Database storage and authentication. See Supabase's privacy policy.
  • Stripe (USA) - Payment processing. Only payment-related data transmitted. See Stripe's privacy policy.
  • AWS (USA) - Cloud infrastructure and backups. Data encrypted at rest.
  • Vercel (USA) - Application hosting and CDN. See Vercel's privacy policy.

Mark will provide 30 days' notice before engaging new Sub-Processors, giving you the right to object.

7. Data Subject Rights

Mark will assist you in fulfilling data subject rights, including:

  • Right of Access: Providing copies of personal data upon request
  • Right to Rectification: Correcting inaccurate data
  • Right to Erasure: Deleting data upon request (subject to legal retention)
  • Right to Restrict Processing: Limiting how data is used
  • Right to Data Portability: Exporting data in machine-readable format
  • Right to Object: Objecting to certain processing activities
  • Rights Related to Automated Decision-Making: Not subjecting individuals to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects

You retain responsibility for responding to data subject requests. Mark will provide reasonable assistance to fulfill these requests.

8. Security Measures

Mark implements the following technical and organizational measures to protect personal data:

  • Encryption: TLS (HTTPS) for data in transit, encryption at rest for sensitive data
  • Access Controls: Role-based access control, authentication, authorization
  • Data Minimization: Collecting only necessary data; automatic deletion after retention periods
  • Backups: Regular encrypted backups with geographic redundancy
  • Monitoring: Intrusion detection, log monitoring, security alerts
  • Incident Response: Procedures for detecting, responding to, and reporting breaches
  • Employee Training: Data protection and confidentiality training for authorized personnel
  • Vendor Management: Due diligence and contracts requiring data protection measures
  • Penetration Testing: Regular security assessments and vulnerability scanning

While these measures are designed to meet industry standards, no security system is 100% secure. Mark will use reasonable efforts to maintain confidentiality.

9. Data Breach Notification

If Mark discovers a personal data breach, Mark will:

  • Notify you without undue delay after becoming aware of the breach, typically within 48 hours
  • Provide information about the nature, scope, and consequences of the breach
  • Describe measures taken or proposed to mitigate impact
  • Provide contact information for further details

You retain responsibility for notifying data subjects and regulatory authorities within required timeframes.

10. Data Transfer Mechanisms

Personal data of EU residents may be transferred to the United States and other countries. Mark relies on the following lawful mechanisms:

  • Standard Contractual Clauses (SCCs): The European Commission's approved clauses for transfers to third countries, incorporated by reference (see Appendix A)
  • Your Consent: By accepting this DPA you consent to the transfers it describes; this supplements, and does not replace, the mechanisms above
  • Other Mechanisms: Where applicable, adequacy decisions or other lawful transfer mechanisms

Mark will monitor developments regarding international data transfer law and adjust transfer mechanisms as required.

11. Assistance with Compliance Obligations

Mark will assist you with:

  • Data Protection Impact Assessments (DPIAs)
  • Prior consultation with authorities where required
  • Responding to supervisory authority requests
  • Demonstrating compliance with GDPR requirements
  • Privacy by design and default implementation

Mark may charge for assistance that requires significant additional effort beyond the scope of the service.

12. Data Retention and Deletion

Upon termination or at your request, Mark will:

  • Delete or return all personal data within 60 days
  • Delete existing copies unless law requires retention
  • Confirm deletion in writing

You remain responsible for instructing Mark regarding deletion. Archived backups may be retained for disaster recovery but will be deleted after retention periods.

13. Audit and Inspection Rights

You have the right to:

  • Audit Mark's processing activities upon reasonable notice
  • Request evidence of compliance with security measures
  • Request copies of Sub-Processor agreements
  • Contact Mark to discuss compliance matters

Mark will not unreasonably withhold information but may charge for audits conducted more than once per year.

14. Limitation of Liability

Mark's total liability under this DPA is limited to:

  • For data breaches or security failures: Actual damages proven
  • For other breaches: Annual subscription fees paid
  • Exclusions: Indirect, consequential, or punitive damages

You remain liable for your own data controller obligations and any fines imposed by authorities.

15. Governing Law and Jurisdiction

This DPA is governed by the laws of the United States. For EU disputes, the laws of Ireland may apply in accordance with the GDPR. Disputes will be resolved through negotiation or, if necessary, litigation.

16. Changes to This DPA

Mark may update this DPA as necessary to maintain GDPR compliance or reflect changes in processing. Material changes will be communicated with at least 30 days' notice, giving you the right to terminate the agreement.

17. Contact for Data Protection Questions

For inquiries regarding this DPA and data protection:

Appendix A: Standard Contractual Clauses

Mark incorporates the EU Standard Contractual Clauses (as approved by the European Commission) for transfers of personal data from the EU to the United States. These clauses provide additional protections and are available upon request.

For a copy of the Standard Contractual Clauses, contact: legal@mark.app