Effective date: April 9, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between automrktr and the subscribing business entity ("Customer"). By using the Service, Customer agrees to the terms of this DPA. No separate signature is required — acceptance of the Terms of Service incorporates this DPA.
In this DPA, the following terms have the meanings given below. Capitalised terms not defined here have the meanings given in the Terms of Service.
This DPA applies where and to the extent that automrktr processes Customer Personal Data as a Processor on behalf of Customer in connection with the Service.
Customer is the Controller of Customer Personal Data. automrktr is the Processor. Each party shall comply with its obligations as Controller and Processor respectively under applicable data protection law.
This DPA does not apply to Personal Data for which automrktr is independently a Controller (e.g. account registration data, billing data, and platform usage data of Customer's users), which is governed by automrktr's Privacy Policy.
automrktr's provision of the Service to Customer, including AI content generation, social media scheduling and publishing, ad management, analytics, and conversion tracking.
For the duration of Customer's subscription, and for up to 30 days thereafter pending deletion, as described in Section 9 of this DPA.
automrktr shall process Customer Personal Data only on Customer's documented instructions, as set out in this DPA and the Terms of Service, unless required to do so by applicable law, in which case automrktr shall notify Customer before such processing unless prohibited from doing so by law.
automrktr shall ensure that personnel authorised to process Customer Personal Data are subject to appropriate confidentiality obligations and have received adequate data protection training. Access to Customer Personal Data is limited to personnel who require it to perform the Service.
automrktr shall promptly notify Customer if, in automrktr's reasonable opinion, an instruction from Customer infringes applicable data protection law. automrktr shall not be required to perform any instruction that it reasonably believes would cause either party to violate applicable law.
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, automrktr implements and maintains appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, including:
automrktr may update security measures over time provided the overall level of protection is not materially reduced.
Customer provides general authorisation for automrktr to engage Sub-processors, subject to the requirements of this section. automrktr shall impose data protection obligations on all Sub-processors equivalent to those set out in this DPA, by written contract. automrktr remains liable to Customer for the acts and omissions of its Sub-processors to the same extent as if automrktr had performed the processing directly.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | USA |
| Stripe | Payment processing | USA |
| Cloudinary | Media storage and delivery | USA |
| Resend | Transactional email | USA |
| Upstash | Job queuing and scheduling | USA |
| Sentry | Error monitoring | USA |
| Anthropic | AI content generation | USA |
| Replicate | AI image generation | USA |
| Cloudflare | CDN, edge compute, DNS | USA / Global |
automrktr will provide at least 14 days' prior written notice (by email or in-platform notice) before adding or replacing a Sub-processor. Customer may object to a new Sub-processor on reasonable data protection grounds by emailing privacy@automrktr.io within 14 days of notice. If the parties cannot resolve the objection, Customer may terminate the affected portion of the Service without penalty by providing written notice within 30 days of automrktr's notice.
automrktr shall, taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures in fulfilling Customer's obligation to respond to requests from Data Subjects exercising their rights under applicable data protection law (including rights of access, rectification, erasure, restriction, portability, and objection).
If automrktr receives a request directly from a Data Subject relating to Customer Personal Data, automrktr will promptly forward the request to Customer and will not respond to the Data Subject directly except to confirm that the request has been forwarded, unless required by applicable law. Customer is responsible for responding to Data Subject requests within applicable legal timeframes.
automrktr shall notify Customer without undue delay, and in any event within 72 hours of becoming aware of a confirmed Security Incident affecting Customer Personal Data. The notification will include, to the extent then known:
Where not all information is available within 72 hours, automrktr will provide available information and supplement it as further details become known. Notification under this section does not constitute an admission of fault or liability by automrktr.
Customer is solely responsible for determining whether the Security Incident requires notification to Data Subjects or Supervisory Authorities and for making any such notifications. automrktr will reasonably cooperate with Customer in preparing any required notifications.
Upon expiry or termination of the Terms of Service, automrktr shall, at Customer's election made within 30 days of termination:
If Customer does not make an election within 30 days, automrktr will delete all Customer Personal Data. automrktr may retain Customer Personal Data for longer periods where required by applicable law, in which case automrktr will continue to protect it in accordance with this DPA.
automrktr shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and shall, upon Customer's written request (no more than once per 12-month period, unless there is a reasonable basis to suspect a Security Incident), allow for and contribute to audits conducted by Customer or an independent auditor appointed by Customer and approved by automrktr (such approval not to be unreasonably withheld).
Customer shall provide at least 30 days' prior written notice of any audit, conduct audits during normal business hours, minimise disruption to automrktr's operations, and bear all costs of the audit. Any third-party auditor must sign a confidentiality agreement acceptable to automrktr before commencing the audit.
In lieu of an on-site audit, automrktr may satisfy this obligation by providing Customer with up-to-date third-party audit reports, certifications, or summaries of its security controls (e.g. SOC 2 reports), where available.
automrktr is based in the United States. To the extent that automrktr processes Customer Personal Data originating from the EEA, UK, or Switzerland in the United States or another country not recognised as providing adequate data protection, such transfers are made pursuant to the following transfer mechanisms:
Where automrktr relies on SCCs or the IDTA for transfers to Sub-processors, it will ensure equivalent protections apply to onward transfers. Copies of the applicable transfer documentation are available upon written request to privacy@automrktr.io.
Customer represents, warrants, and agrees that:
Where Customer is required under applicable data protection law (including GDPR Article 35) to conduct a Data Protection Impact Assessment ("DPIA") in connection with processing activities that involve Customer Personal Data processed by automrktr, automrktr shall provide reasonable assistance to Customer in conducting such DPIA, taking into account the nature of the processing and the information available to automrktr. Such assistance may include providing information about automrktr's processing operations, security measures, Sub-processors, and this DPA.
Customer is solely responsible for determining when a DPIA is required, conducting the DPIA, and any prior consultation with a Supervisory Authority that may be necessary under GDPR Article 36. automrktr's assistance under this section does not constitute legal advice and does not guarantee regulatory compliance.
automrktr shall maintain records of all categories of processing activities carried out on behalf of Customer as required by GDPR Article 30(2), including:
automrktr will make such records available to Customer or a Supervisory Authority upon written request, to the extent required by applicable law. Customer is separately responsible for maintaining its own records of processing activities as Controller under GDPR Article 30(1).
Each party's liability to the other under or in connection with this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits either party's liability for its own acts or omissions that constitute a breach of this DPA, to the extent such limitation is not permitted by applicable data protection law.
Where a Data Subject brings a claim against automrktr for damage caused by Customer's processing, Customer shall indemnify automrktr for any such liability to the extent automrktr is held liable for Customer's acts or omissions as Controller.
This DPA takes effect on the date Customer accepts the Terms of Service and remains in force for the duration of the Terms of Service. Termination of the Terms of Service automatically terminates this DPA, subject to Section 9 (Deletion and Return of Data) and any obligations that by their nature survive termination.
This DPA is governed by the same law as the Terms of Service (the laws of the State of Utah, United States), except that where mandatory provisions of GDPR or other applicable data protection law apply, those provisions shall prevail to the extent of any conflict.
In the event of any conflict or inconsistency between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA shall prevail. In all other respects, the Terms of Service shall prevail.
Questions about this DPA or data protection matters? Contact our privacy team at privacy@automrktr.io.