Data Processing Agreement

1. Subject and Term

This agreement governs the processing of personal data on behalf of the controller in accordance with Art. 28 GDPR in the context of using MABTED.

The processor processes personal data exclusively on behalf of and according to documented instructions from the controller.

Processing begins with the conclusion of the usage contract (Terms of Service) and continues for the duration of use of the service.

2. Nature and Purpose

Purpose: Management of influencer collaborations, campaigns, and performance metrics

Type of data:

Contact data (name, email address, company name if applicable)
Influencer data (names, social media handles, follower counts, niches, contact information)
Brand data (company names, contact persons)
Campaign and engagement data (contracts, budgets, periods, deliverables, metrics)
Performance metrics (TKP, ROAS, engagement rates, revenue data)
Shopify account data and revenue information
Gmail account data and email threads

Categories of data subjects:

Employees of customers
Influencers whose data is managed by customers
Brand contact persons

3. Controller's Rights and Duties

The controller is responsible for the lawfulness of data processing. They may issue instructions for processing at any time, request changes, or demand deletion of data. They are obligated to fulfill data subject rights (e.g., access, deletion, rectification) independently.

4. Processor's Obligations

The processor commits to:

processing personal data exclusively on instruction from the controller
ensuring confidentiality of all employees
implementing appropriate technical and organizational measures (TOMs) to protect data
supporting data subjects in exercising their rights
immediately reporting data protection breaches
contractually obligating all sub-processors to comply with GDPR

5. Technical and Organizational Measures (TOMs)

The processor ensures data security through:

TLS encryption in transit and AES-256 at rest
role-based access system
encrypted API tokens and access keys
logging of all access
regular security updates
hosting on servers within the EU (Frankfurt/Amsterdam)

6. Sub-processors

Provider	Location	Purpose	Data categories	Transfer basis
Supabase Inc.	EU (Frankfurt) — pending controller confirmation	Hosting, database, storage, auth	All application data	Art. 28 GDPR
Vercel Inc.	EU (fra1, since 2026-05) / formerly USA	Frontend & serverless function hosting	All request/response payloads	Art. 28 GDPR; SCCs for US residual risk
Google Ireland Ltd. (Gmail / Workspace)	Ireland (EU/USA)	Gmail integration: send & read messages under individual OAuth grants	Email addresses, message bodies, attachments, display names	Art. 28 GDPR; DPF / SCCs
Google Ireland Ltd. (Google Analytics 4)	Ireland (EU/USA)	Aggregate web analytics (consent-gated; IP anonymisation enabled)	Pseudonymous client IDs, page paths, truncated IP	Art. 28 GDPR; DPF / SCCs
Microsoft Ireland Operations Ltd. (Microsoft Clarity)	Ireland (EU/USA)	Anonymised session replay & heatmaps (separate consent; input masked by default)	Mouse/click/scroll events, device metadata, truncated IP	Art. 28 GDPR; DPF / SCCs
Anthropic, PBC	USA	AI processing (Pearl assistant, negotiation extraction, screenshot analysis, writing-style analysis, draft generation)	Conversation content, selected Gmail messages, screenshot content	Art. 28 GDPR; SCCs (incorporated by reference in Anthropic Commercial Terms); DPF; Zero-Data-Retention requested; no use for model training
OpenAI, OpCo, LLC	USA	AI vision / research extraction (Storyclash imports)	Uploaded screenshots/PDFs with public profile data	Art. 28 GDPR; SCCs
Mistral AI SAS	France (EU)	AI OCR/vision for research imports (note: uploaded files are temporarily stored server-side)	Uploaded screenshots/PDFs	Art. 28 GDPR
Apify Technologies s.r.o.	Czech Republic (EU/US infra)	Profile-picture enrichment & Instagram story scraping	Publicly available profile data, scraped stories where applicable	Art. 28 GDPR; SCCs for US residual risk
Shopify Inc.	Canada	Coupon, order & seeding tracking	Influencer name, email, phone, shipping address (outbound); aggregated order data (inbound)	Art. 28 GDPR; Canada adequacy (commercial sector)
Stripe Payments Europe Ltd.	Ireland	Payment processing (where enabled)	Payment & invoice data	Art. 28 GDPR

The processor informs the controller of planned changes to sub-processors. The list is updated on material change; last revised 4 May 2026.

7. Deletion and Return of Data

After termination of the contractual relationship, personal data will be automatically deleted or anonymized after 30 days; deleted or exported earlier upon written request from the controller. Backup copies will be deleted after expiration of the legal retention period.

8. Audit Rights

The controller is entitled to verify compliance with this DPA. The processor provides information upon request about the technical and organizational measures taken and may provide evidence (e.g., penetration tests, audit reports).

9. Liability

Liability is governed by the provisions of the main contract (Terms of Service). In case of violations of data protection regulations, each party is liable within the scope of their responsibility.

10. Final Provisions

This agreement is deemed concluded from the moment of acceptance of the Terms of Service. It is part of the main contract and applies to all processing operations that occur in the context of using MABTED. German law applies. The place of jurisdiction is Hamburg, insofar as legally permissible.

Data Processing Agreement (DPA)