← Back to Home

Data Processing Agreement Enterprise

Version 1.0 | Effective: July 15, 2026

About This Agreement

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement or Terms of Service between Marketing Studios ("Processor", "we", "us") and the Customer ("Controller", "you") for the provision of ContractDiff services. This DPA applies to all processing of Personal Data by us on your behalf.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined by applicable Data Protection Laws.
  • "Data Protection Laws" means GDPR (EU), CCPA (California), PIPEDA (Canada), Privacy Act 1988 (Australia), IT Act 2000 (India), and any other applicable privacy legislation.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Security Incident" means any unauthorized access, acquisition, use, or disclosure of Personal Data.

2. Scope and Roles

2.1 Relationship of Parties

For the purposes of this DPA:

  • You are the Data Controller who determines the purposes and means of processing Personal Data
  • We are the Data Processor who processes Personal Data on your behalf according to your documented instructions

2.2 Data Processing Purpose

We process Personal Data solely to provide the ContractDiff services, including:

  • Contract document analysis and comparison
  • User authentication and account management
  • Customer support and communication
  • Service improvement and analytics (anonymized)
  • Compliance with legal obligations

3. Data Processing Instructions

3.1 Documented Instructions

We will process Personal Data only on your documented instructions, including:

  • Instructions in this DPA
  • Instructions in the Master Services Agreement
  • Instructions through the ContractDiff platform settings
  • Written instructions from authorized administrators

3.2 Legal Obligations

If we are required by law to process Personal Data beyond your instructions, we will notify you before such processing (unless prohibited by law) and limit processing to that required by law.

4. Security Measures

4.1 Technical and Organizational Measures

We implement and maintain appropriate technical and organizational security measures, including:

Category Measures
Encryption TLS 1.3 in transit, AES-256 at rest, encrypted backups
Access Control Role-based access, MFA/2FA, SSO/SAML support, session management
Network Security Cloudflare WAF, DDoS protection, firewall rules, intrusion detection
Data Isolation Tenant isolation, logical data separation, access logging
Monitoring 24/7 infrastructure monitoring, security alerts, audit logs
Business Continuity Regular backups, disaster recovery, redundant infrastructure

4.2 Personnel Security

  • All personnel with access to Personal Data are bound by confidentiality agreements
  • Background checks for employees with data access
  • Regular security awareness training
  • Principle of least privilege access

5. Sub-processors

5.1 Authorized Sub-processors

You authorize us to engage the following sub-processors:

Sub-processor Purpose Location
Supabase Inc. Database, authentication, storage USA (AWS regions)
Cloudflare Inc. CDN, security, hosting Global (edge locations)
Razorpay Software Pvt. Ltd. Payment processing India
Amazon Web Services Cloud infrastructure (via Supabase) USA/EU/Asia-Pacific

5.2 New Sub-processors

We will provide at least 30 days' prior notice before engaging new sub-processors. You may object to new sub-processors by providing written notice within 14 days. If the objection cannot be resolved, you may terminate the affected services.

6. Data Subject Rights

6.1 Assistance with Requests

We will assist you in responding to Data Subject requests, including:

  • Access: Providing copies of Personal Data
  • Rectification: Correcting inaccurate data
  • Erasure: Deleting data ("right to be forgotten")
  • Restriction: Limiting processing
  • Portability: Exporting data in machine-readable format
  • Objection: Stopping certain processing activities

6.2 Response Time

We will respond to your assistance requests within 10 business days, or sooner if required by applicable law.

7. Security Incidents

7.1 Notification

We will notify you of any Security Incident without undue delay, and in any event within 48 hours of becoming aware of the incident.

7.2 Incident Details

Our notification will include:

  • Description of the incident
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Name and contact details of our Data Protection Officer
  • Likely consequences of the incident
  • Measures taken or proposed to address the incident

8. Data Retention and Deletion

8.1 During Subscription

We retain Personal Data for the duration of your subscription plus:

  • Contract documents: Deleted or anonymized within 30 days of account termination (unless you export)
  • Account data: Retained for 90 days post-termination for account recovery
  • Logs and audit trails: Retained for 1 year for compliance purposes

8.2 Upon Termination

Upon termination of services, we will:

  1. Provide data export functionality for 30 days
  2. Delete or anonymize Personal Data within 90 days
  3. Provide written certification of deletion upon request

9. International Transfers

9.1 Transfer Mechanisms

For transfers outside the EEA, UK, or other jurisdictions with data transfer restrictions, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (IDTA) where applicable
  • Adequacy decisions where available
  • Your explicit consent where other mechanisms are unavailable

9.2 Data Residency Options

Enterprise customers may request data residency in specific regions (EU, US, Asia-Pacific, India) subject to additional terms.

10. Audit Rights

10.1 Compliance Verification

We will provide you with information necessary to demonstrate compliance with this DPA, including:

  • SOC 2 Type II audit reports (annually)
  • Penetration test summaries (annually)
  • Security questionnaire responses
  • Sub-processor agreements (upon request)

10.2 On-site Audits

Enterprise customers may conduct or commission on-site audits with 30 days' notice, subject to:

  • Reasonable scope and duration limitations
  • Confidentiality requirements
  • Cost coverage by requesting party
  • Maximum one audit per year (unless required by regulators)

11. Liability and Indemnification

Our liability under this DPA is subject to the limitations in the Master Services Agreement. We will indemnify you for damages arising from our breach of this DPA or applicable Data Protection Laws, subject to the liability caps in the Agreement.

12. Term and Termination

This DPA remains in effect for the duration of our processing of Personal Data on your behalf. Upon termination, Sections 8 (Deletion), 10 (Audit), and 11 (Liability) survive.

Annex A: Personal Data Categories

Data Category Examples Retention
Account Information Name, email, company, role Duration + 90 days
Contract Documents Uploaded files for analysis Duration + 30 days
Usage Data Features used, session data Duration + 1 year (anonymized)
Technical Data IP address, browser, device 90 days
Support Communications Tickets, chat logs Duration + 2 years

Annex B: Contact Information

Data Protection Officer:

Security Team:

Download Signed DPA

Enterprise customers can request a countersigned PDF version of this DPA.

Request Signed DPA

13. Related Documents