About This Agreement
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement or Terms of Service between Marketing Studios ("Processor", "we", "us") and the Customer ("Controller", "you") for the provision of ContractDiff services. This DPA applies to all processing of Personal Data by us on your behalf.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person as defined by applicable Data Protection Laws.
- "Data Protection Laws" means GDPR (EU), CCPA (California), PIPEDA (Canada), Privacy Act 1988 (Australia), IT Act 2000 (India), and any other applicable privacy legislation.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
- "Data Subject" means the individual to whom Personal Data relates.
- "Security Incident" means any unauthorized access, acquisition, use, or disclosure of Personal Data.
2. Scope and Roles
2.1 Relationship of Parties
For the purposes of this DPA:
- You are the Data Controller who determines the purposes and means of processing Personal Data
- We are the Data Processor who processes Personal Data on your behalf according to your documented instructions
2.2 Data Processing Purpose
We process Personal Data solely to provide the ContractDiff services, including:
- Contract document analysis and comparison
- User authentication and account management
- Customer support and communication
- Service improvement and analytics (anonymized)
- Compliance with legal obligations
3. Data Processing Instructions
3.1 Documented Instructions
We will process Personal Data only on your documented instructions, including:
- Instructions in this DPA
- Instructions in the Master Services Agreement
- Instructions through the ContractDiff platform settings
- Written instructions from authorized administrators
3.2 Legal Obligations
If we are required by law to process Personal Data beyond your instructions, we will notify you before such processing (unless prohibited by law) and limit processing to that required by law.
4. Security Measures
4.1 Technical and Organizational Measures
We implement and maintain appropriate technical and organizational security measures, including:
| Category | Measures |
|---|---|
| Encryption | TLS 1.3 in transit, AES-256 at rest, encrypted backups |
| Access Control | Role-based access, MFA/2FA, SSO/SAML support, session management |
| Network Security | Cloudflare WAF, DDoS protection, firewall rules, intrusion detection |
| Data Isolation | Tenant isolation, logical data separation, access logging |
| Monitoring | 24/7 infrastructure monitoring, security alerts, audit logs |
| Business Continuity | Regular backups, disaster recovery, redundant infrastructure |
4.2 Personnel Security
- All personnel with access to Personal Data are bound by confidentiality agreements
- Background checks for employees with data access
- Regular security awareness training
- Principle of least privilege access
5. Sub-processors
5.1 Authorized Sub-processors
You authorize us to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, storage | USA (AWS regions) |
| Cloudflare Inc. | CDN, security, hosting | Global (edge locations) |
| Razorpay Software Pvt. Ltd. | Payment processing | India |
| Amazon Web Services | Cloud infrastructure (via Supabase) | USA/EU/Asia-Pacific |
5.2 New Sub-processors
We will provide at least 30 days' prior notice before engaging new sub-processors. You may object to new sub-processors by providing written notice within 14 days. If the objection cannot be resolved, you may terminate the affected services.
6. Data Subject Rights
6.1 Assistance with Requests
We will assist you in responding to Data Subject requests, including:
- Access: Providing copies of Personal Data
- Rectification: Correcting inaccurate data
- Erasure: Deleting data ("right to be forgotten")
- Restriction: Limiting processing
- Portability: Exporting data in machine-readable format
- Objection: Stopping certain processing activities
6.2 Response Time
We will respond to your assistance requests within 10 business days, or sooner if required by applicable law.
7. Security Incidents
7.1 Notification
We will notify you of any Security Incident without undue delay, and in any event within 48 hours of becoming aware of the incident.
7.2 Incident Details
Our notification will include:
- Description of the incident
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records affected
- Name and contact details of our Data Protection Officer
- Likely consequences of the incident
- Measures taken or proposed to address the incident
8. Data Retention and Deletion
8.1 During Subscription
We retain Personal Data for the duration of your subscription plus:
- Contract documents: Deleted or anonymized within 30 days of account termination (unless you export)
- Account data: Retained for 90 days post-termination for account recovery
- Logs and audit trails: Retained for 1 year for compliance purposes
8.2 Upon Termination
Upon termination of services, we will:
- Provide data export functionality for 30 days
- Delete or anonymize Personal Data within 90 days
- Provide written certification of deletion upon request
9. International Transfers
9.1 Transfer Mechanisms
For transfers outside the EEA, UK, or other jurisdictions with data transfer restrictions, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement (IDTA) where applicable
- Adequacy decisions where available
- Your explicit consent where other mechanisms are unavailable
9.2 Data Residency Options
Enterprise customers may request data residency in specific regions (EU, US, Asia-Pacific, India) subject to additional terms.
10. Audit Rights
10.1 Compliance Verification
We will provide you with information necessary to demonstrate compliance with this DPA, including:
- SOC 2 Type II audit reports (annually)
- Penetration test summaries (annually)
- Security questionnaire responses
- Sub-processor agreements (upon request)
10.2 On-site Audits
Enterprise customers may conduct or commission on-site audits with 30 days' notice, subject to:
- Reasonable scope and duration limitations
- Confidentiality requirements
- Cost coverage by requesting party
- Maximum one audit per year (unless required by regulators)
11. Liability and Indemnification
Our liability under this DPA is subject to the limitations in the Master Services Agreement. We will indemnify you for damages arising from our breach of this DPA or applicable Data Protection Laws, subject to the liability caps in the Agreement.
12. Term and Termination
This DPA remains in effect for the duration of our processing of Personal Data on your behalf. Upon termination, Sections 8 (Deletion), 10 (Audit), and 11 (Liability) survive.
Annex A: Personal Data Categories
| Data Category | Examples | Retention |
|---|---|---|
| Account Information | Name, email, company, role | Duration + 90 days |
| Contract Documents | Uploaded files for analysis | Duration + 30 days |
| Usage Data | Features used, session data | Duration + 1 year (anonymized) |
| Technical Data | IP address, browser, device | 90 days |
| Support Communications | Tickets, chat logs | Duration + 2 years |
Annex B: Contact Information
Data Protection Officer:
- Email: dpo@marketingstudios.in
- Address: Marketing Studios, Data Protection Officer, India
Security Team:
- Email: security@marketingstudios.in
- Incident Hotline: Available to Enterprise customers
Download Signed DPA
Enterprise customers can request a countersigned PDF version of this DPA.
Request Signed DPA