This Data Processing Agreement ("DPA") forms part of the Terms of Service between Marketra Labs LLC ("Processor," "we," "us") and the client ("Controller," "you") and governs the processing of personal data in connection with the services we provide. This DPA is designed to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant privacy regulations.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection law. "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction. "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates. "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
We process Personal Data solely for the purpose of providing the digital marketing services agreed upon in your service agreement. This may include processing data related to: website analytics and visitor behavior; customer contact information for outreach campaigns; email addresses for marketing automation; search engine performance data; social media audience data; and customer review and reputation data. The types of data subjects may include: your website visitors, your customers or prospects, your employees whose information appears on marketing materials, and third-party contacts for outreach purposes.
As the Controller, you are responsible for: (a) ensuring that you have a lawful basis for processing Personal Data and for sharing it with us; (b) providing any required notices to Data Subjects about the processing of their data; (c) obtaining any necessary consents from Data Subjects where required by law; (d) ensuring that your instructions to us regarding data processing comply with applicable data protection laws; (e) promptly notifying us of any changes to applicable data protection laws that may affect our processing activities.
As the Processor, we commit to: (a) processing Personal Data only on your documented instructions, unless required to do so by applicable law; (b) ensuring that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality; (c) implementing appropriate technical and organizational security measures to protect Personal Data; (d) not engaging any Sub-processor without your prior written consent; (e) assisting you in responding to requests from Data Subjects to exercise their rights under applicable data protection law; (f) assisting you in ensuring compliance with your obligations regarding data security, breach notification, data protection impact assessments, and prior consultations with supervisory authorities; (g) at your choice, deleting or returning all Personal Data after the end of the provision of services, unless applicable law requires further storage.
We implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include but are not limited to: encryption of data in transit using TLS/SSL protocols; access controls limiting data access to authorized personnel only; regular security assessments and updates; secure password policies and multi-factor authentication for critical systems; regular backups with encrypted storage; staff training on data protection and security practices; and secure disposal of data when no longer needed.
We may engage the following categories of Sub-processors to assist in delivering our services: cloud hosting and infrastructure providers; analytics and reporting platforms; email and marketing automation tools; SEO and marketing software providers; content delivery networks; and customer relationship management systems. A current list of Sub-processors will be provided upon request. We will notify you before adding or replacing any Sub-processor, giving you the opportunity to object to such changes. We ensure that all Sub-processors are bound by data protection obligations no less protective than those set out in this DPA.
If Personal Data is transferred outside of the European Economic Area (EEA), United Kingdom, or any other jurisdiction with data transfer restrictions, we will ensure that appropriate safeguards are in place, such as: Standard Contractual Clauses (SCCs) approved by the European Commission; adequacy decisions by relevant authorities; or other legally recognized transfer mechanisms. Our primary data processing occurs within the United States. For EU/EEA-based clients, we rely on Standard Contractual Clauses and implement supplementary measures as necessary.
In the event of a Personal Data breach, we will: (a) notify you without undue delay, and in any event within 72 hours of becoming aware of the breach; (b) provide you with sufficient information to allow you to meet any obligations to report the breach to supervisory authorities or Data Subjects; (c) cooperate with you and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach; (d) document the breach, including the facts relating to it, its effects, and the remedial action taken. Notification will include, to the extent available: the nature of the breach, including the categories and approximate number of Data Subjects and records affected; the likely consequences of the breach; and the measures taken or proposed to address the breach.
We will assist you in fulfilling your obligations to respond to Data Subject requests to exercise their rights under applicable data protection law, including the right to: access their Personal Data; rectify inaccurate Personal Data; erase their Personal Data ("right to be forgotten"); restrict processing of their Personal Data; request data portability; object to processing; and not be subject to automated decision-making. We will promptly notify you if we receive any request directly from a Data Subject and will not respond to such requests without your prior authorization, unless required by law.
We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected and to comply with our legal obligations. Upon termination of our service agreement, we will, at your election: return all Personal Data to you in a commonly used, machine-readable format; or securely delete all Personal Data in our possession within 30 days. We may retain copies of Personal Data to the extent required by applicable law, provided that such data remains subject to the confidentiality and security obligations of this DPA.
We will make available to you all information necessary to demonstrate compliance with our obligations under this DPA. Upon reasonable notice, and no more than once per calendar year, we will allow for and contribute to audits, including inspections, conducted by you or an independent auditor mandated by you. Such audits will be conducted during normal business hours, with reasonable advance notice, and subject to appropriate confidentiality obligations.
To the extent that the California Consumer Privacy Act (CCPA) applies, we certify that we: (a) will not sell Personal Data received from you; (b) will not retain, use, or disclose Personal Data for any purpose other than the specific purpose of performing the services specified in your service agreement; (c) will not retain, use, or disclose Personal Data outside of the direct business relationship between us; (d) will comply with all applicable sections of the CCPA and provide the same level of privacy protection as required by the CCPA.
Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law to the extent that such limitation is not permitted by applicable law.
This DPA takes effect on the date you begin using our services and remains in effect until all Personal Data has been deleted or returned in accordance with this DPA. The obligations of confidentiality and data protection survive the termination of this DPA.
For questions about this DPA or to exercise any rights described herein, contact:
Marketra Labs LLC
Data Protection Contact
30 N Gould St Ste R, Sheridan, WY 82801
[email protected]