Data Processing Agreement

Effective date: February 17, 2026

Operator: APEX LAB SOLUTIONS LLC

This Data Processing Agreement ("DPA") forms part of the Terms & Conditions ("Agreement") between APEX LAB SOLUTIONS LLC ("Processor", "we", "us") and the entity agreeing to these terms ("Controller", "you") for the provision of the MB Suite platform.

1. Definitions

  • "Controller" means the entity that determines the purposes and means of the processing of Personal Data.
  • "Processor" means the entity that processes Personal Data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject").
  • "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "Supervisory Authority" means an independent public authority established by a Member State pursuant to the GDPR, or any equivalent authority under applicable data protection legislation.
  • "Sub-processor" means any third-party processor engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Technical and Organizational Measures" means the security measures described in Annex I of this DPA, implemented to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

2. Scope and Duration

2.1 Subject Matter

This DPA governs the processing of Personal Data by the Processor in connection with the provision of the MB Suite platform as described in the Agreement.

2.2 Duration

This DPA shall remain in effect for the duration of the Agreement and until all Personal Data has been deleted or returned in accordance with Section 9.

2.3 Nature and Purpose of Processing

The Processor processes Personal Data to provide the MB Suite platform, including: hosting and storage of organization data, transmission and display of dashboard and reporting data, analysis of campaign performance metrics, AI-powered conversational assistants and content generation, email marketing campaign delivery and automation, and integration with third-party advertising and analytics platforms.

2.4 Categories of Data Subjects

  • Platform users (employees and contractors of the Controller)
  • Clients' contacts managed within the platform
  • Email marketing recipients
  • End users of client portals

2.5 Types of Personal Data

  • Account data (name, email address, phone number, billing information)
  • Contact data (name, email, phone, job title, organizational associations)
  • Campaign and marketing data (email content, send history, engagement metrics)
  • Integration data (OAuth tokens, platform performance metrics)
  • AI conversation data (queries, responses, context data)
  • Media files (images, documents uploaded to the platform)
  • Audit log data (user actions, timestamps, IP addresses)

3. Processor Obligations

The Processor shall:

  1. Process only on documented instructions: Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries or international organizations, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing.
  2. Confidentiality: Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Security measures: Implement and maintain the Technical and Organizational Measures described in Annex I of this DPA.
  4. Sub-processors: Not engage another processor without prior specific or general written authorization of the Controller, as described in Section 4.
  5. Data subject rights: Assist the Controller, taking into account the nature of the processing, by appropriate technical and organizational measures, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights.
  6. Assistance with obligations: Assist the Controller in ensuring compliance with security, breach notification, data protection impact assessments, and prior consultation obligations, taking into account the nature of processing and the information available to the Processor.
  7. Deletion or return: At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, as described in Section 9.
  8. Audits: Make available to the Controller all information necessary to demonstrate compliance with these obligations and allow for and contribute to audits, as described in Section 8.

4. Sub-processors

4.1 Authorized Sub-processors

The Controller hereby provides general authorization for the Processor to engage the following sub-processors:

Sub-processor | Purpose | Location
Google Cloud Platform (Firebase) | Database, authentication, file storage | United States
Google Cloud Secret Manager | Secure credential storage for OAuth tokens | United States
Vercel | Application hosting and edge network | United States
Stripe | Payment processing and subscription management | United States
Resend | Transactional and marketing email delivery | United States
Google Gemini (Vertex AI) | AI-powered conversational assistants and content generation | United States
OpenAI | AI-powered conversational assistants and content generation | United States
Anthropic | AI-powered conversational assistants and content generation | United States
Sentry | Error tracking and performance monitoring | United States

4.2 Notification of Changes

The Processor shall notify the Controller at least 30 days in advance of any intended changes to the list of sub-processors, including the addition or replacement of sub-processors. The Controller may subscribe to sub-processor change notifications by contacting privacy@mb-suite.com.

4.3 Right to Object

The Controller may object to the appointment or replacement of a sub-processor by providing written notice within 14 days of receiving notification. If the Controller objects, the Processor shall make reasonable efforts to provide an alternative solution. If no alternative is available, either party may terminate the affected portion of the Agreement.

4.4 Sub-processor Obligations

The Processor shall impose data protection obligations no less protective than those set out in this DPA on any sub-processor it engages. The Processor remains fully liable to the Controller for the performance of the sub-processor's obligations.

5. Data Breach Notification

5.1 Notification to Controller

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. The notification shall include:

  • The nature of the Personal Data breach, including the categories and approximate number of Data Subjects and records concerned
  • The name and contact details of the Processor's data protection point of contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

5.2 Notification to Supervisory Authority

Where required by GDPR Article 33, the Controller is responsible for notifying the competent supervisory authority without undue delay and, where feasible, within 72 hours. The Processor shall assist the Controller in fulfilling this obligation by providing all necessary information.

5.3 Cooperation

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any Personal Data breach.

6. International Transfers

6.1 Standard Contractual Clauses

To the extent that the processing of Personal Data involves the transfer of Personal Data from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, the parties agree to comply with the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914):

  • Module 2 (Controller to Processor): Applies where the Controller transfers Personal Data to the Processor for processing on behalf of the Controller.
  • Module 3 (Processor to Processor): Applies where the Processor transfers Personal Data to a sub-processor for further processing on behalf of the Controller.

6.2 Data Privacy Framework

Where sub-processors are certified under the EU-US Data Privacy Framework, UK Extension, or Swiss-US Data Privacy Framework, such certification provides an additional safeguard for transfers to the United States. Current certifications are noted in the sub-processor list in Section 4.

6.3 Supplementary Measures

In addition to the legal safeguards above, the Processor implements technical supplementary measures including: AES-256 encryption at rest, TLS 1.3 encryption in transit, role-based access controls, pseudonymization where technically feasible, and comprehensive audit logging.

7. AI-Specific Processing

7.1 Sub-processing by AI Providers

When the Controller's users utilize AI features within MB Suite, Personal Data may be transmitted to one of the authorized AI sub-processors (Google Gemini, OpenAI, or Anthropic) as selected by the Controller's agent configuration. This transmission constitutes sub-processing governed by this DPA and the respective AI provider's data processing agreement.

7.2 No Training Commitment

All AI providers engaged by the Processor are contractually prohibited from using the Controller's Personal Data to train, improve, or develop their AI models. Data is processed exclusively to generate responses to user queries and is not retained by AI providers beyond the duration necessary to complete the request.

7.3 Data Transmitted to AI Providers

The categories of data transmitted to AI providers include: organization metadata (name, category, industry), task and project information, social media post content, media plan summaries, contact names (email addresses are excluded from context summaries), knowledge document content, and conversation history. The specific data categories transmitted depend on the data sources enabled for each AI agent by the Controller.

7.4 Controller Controls

The Controller retains control over AI data processing through: selection of AI provider per agent, configuration of data sources accessible to each agent, upload and removal of knowledge documents, and the requirement for explicit user confirmation before AI-proposed actions modify any data.

8. Audit Rights

8.1 Right to Audit

The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. The Controller shall provide reasonable prior written notice (at least 30 days) and shall conduct audits during normal business hours without unreasonably disrupting the Processor's operations.

8.2 Alternative Audit Mechanisms

The Controller agrees that the Processor may satisfy audit requirements by providing: (a) SOC 2 Type II audit reports, (b) ISO 27001 certification, or (c) other equivalent third-party audit certifications, in lieu of on-site inspections, where such reports adequately address the Controller's compliance concerns.

8.3 Cost of Audits

The Controller shall bear the costs of any audit it conducts. The Processor shall provide reasonable assistance at no additional charge.

9. Data Return and Deletion

9.1 Export Window

Upon termination of the Agreement, the Controller has a 30-day period to export its data through the platform's export features. This is consistent with the data handling provisions in the Terms & Conditions (Section 11).

9.2 Deletion

After the 30-day export period, the Processor shall permanently delete all Personal Data from active systems, unless applicable law requires further storage. Backup copies may persist in encrypted form for up to 90 days as part of disaster recovery procedures, after which they are automatically purged.

9.3 Certification

Upon request, the Processor shall provide written certification that all Personal Data has been deleted in accordance with this Section.

10. Technical and Organizational Measures (Annex I)

The Processor implements the following technical and organizational measures to ensure a level of security appropriate to the risk of processing:

10.1 Encryption

  • At rest: AES-256 encryption for all data stored in Firebase/Firestore, Firebase Storage, and GCP Secret Manager
  • In transit: TLS 1.3 for all data transmitted between clients, servers, and third-party services

10.2 Access Controls

  • Authentication: Firebase Auth with secure session cookies (httpOnly, 5-day expiry)
  • Authorization: Role-based access control (RBAC) with four levels: owner, admin, member, viewer
  • Multi-tenancy isolation: Organization-scoped data access enforced at the application layer

10.3 Audit Logging

Comprehensive audit logging via Firebase Realtime Database captures user actions, data modifications, authentication events, and administrative operations with timestamps and user identification.

10.4 Secret Management

OAuth tokens and sensitive credentials are stored exclusively in GCP Secret Manager, isolated from the application database. Tokens are encrypted at rest and access is logged.

10.5 Incident Response

Documented incident response procedures include: detection and classification of security incidents, containment and eradication measures, 72-hour notification to affected Controllers, post-incident review and remediation.

10.6 Data Minimization

  • AI context: Token budget limits (8K tokens) for AI context windows to minimize data exposure
  • Configurable data sources: Organization administrators control which data categories are accessible to each AI agent
  • Contact data: Email addresses are excluded from AI context summaries

10.7 Availability and Resilience

  • Hosting: Vercel edge network with global CDN distribution
  • Database: Firebase multi-region replication
  • Backups: Automated backups with encrypted disaster recovery copies retained for up to 90 days

11. General Provisions

11.1 Precedence

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

11.2 Amendments

This DPA may be amended by the Processor to reflect changes in applicable data protection law. Material changes will be notified to the Controller at least 30 days in advance.

11.3 Governing Law

This DPA shall be governed by the laws of the State of Delaware, USA, without regard to conflict of laws principles. For Controllers located in the EEA, the mandatory provisions of the GDPR shall apply in addition.

12. Contact

APEX LAB SOLUTIONS LLC

8 THE GREEN STE A, DOVER, DELAWARE, UNITED STATES

General inquiries: support@mb-suite.com

Privacy & data protection: privacy@mb-suite.com