Data Processing Agreement

Data Processing Agreement for DataMCP

Data Processing Agreement (DPA)

Last updated: January 1, 2024

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between DataMCP (“Processor”) and you (“Controller”) regarding the processing of personal data.

1. Definitions

  • Controller: The entity that determines the purposes and means of processing personal data
  • Processor: DataMCP, which processes personal data on behalf of the Controller
  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data
  • Data Subject: The individual whose personal data is being processed

2. Scope and Application

This DPA applies when:

  • You use DataMCP services in a business context
  • Personal data is processed as part of our service delivery
  • You act as a Controller under applicable data protection laws
  • GDPR, CCPA, or similar regulations apply

3. Data Processing Details

Categories of Data Subjects

  • Your employees and team members
  • End users of your applications
  • Database administrators and developers

Categories of Personal Data

  • Contact information (names, email addresses)
  • Account credentials and authentication data
  • Usage data and service interactions
  • Database metadata (excluding actual data content)

Processing Purposes

  • Providing database schema extraction services
  • User authentication and access control
  • Service monitoring and optimization
  • Customer support and communication
  • Billing and payment processing

4. Processor Obligations

DataMCP commits to:

  • Process personal data only as instructed by you
  • Implement appropriate technical and organizational measures
  • Ensure confidentiality of personal data
  • Assist with data subject rights requests
  • Notify you of any data breaches
  • Delete or return data upon termination

5. Technical and Organizational Measures

Security Measures

  • AES-256-GCM encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Multi-factor authentication for admin access
  • Regular security audits and penetration testing
  • SOC 2 Type II compliance (in progress)

Access Controls

  • Role-based access permissions
  • Principle of least privilege
  • Regular access reviews
  • Secure authentication mechanisms

Data Minimization

  • Collect only necessary personal data
  • Automated data retention policies
  • Regular data purging procedures
  • Privacy-by-design architecture

6. Sub-processors

We may engage sub-processors to assist in service delivery:

Current Sub-processors

  • Clerk: Authentication services
  • Vercel: Hosting and infrastructure
  • Stripe/Paddle: Payment processing
  • Resend: Email delivery services

Sub-processor Requirements

  • Equivalent data protection obligations
  • Written agreements with security requirements
  • Regular compliance monitoring
  • Right to audit and inspect

7. Data Subject Rights

We will assist you in responding to:

  • Access requests
  • Rectification requests
  • Erasure requests
  • Portability requests
  • Objection to processing
  • Restriction of processing

8. Data Transfers

International Transfers

  • Data may be processed in the United States
  • Adequate safeguards implemented
  • Standard Contractual Clauses where applicable
  • Regular adequacy decision monitoring

Transfer Mechanisms

  • EU-US Data Privacy Framework participation (pending)
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules where applicable

9. Data Breach Notification

In case of a personal data breach:

  • Notification to you within 72 hours of discovery
  • Detailed incident report provided
  • Assistance with regulatory notifications
  • Remediation measures implemented

10. Audits and Compliance

Audit Rights

  • Annual compliance reports provided
  • Right to conduct audits (with reasonable notice)
  • Third-party audit reports available
  • Compliance documentation maintained

Compliance Monitoring

  • Regular internal audits
  • External security assessments
  • Continuous monitoring systems
  • Incident response procedures

11. Data Retention and Deletion

Retention Periods

  • Account data: Duration of service agreement
  • Usage logs: 12 months maximum
  • Backup data: 90 days maximum
  • Billing records: As required by law

Deletion Procedures

  • Secure deletion within 30 days of termination
  • Certification of deletion provided
  • Backup data included in deletion
  • Recovery impossible after deletion

12. Liability and Indemnification

  • Liability limited to direct damages
  • Indemnification for processor breaches
  • Insurance coverage maintained
  • Limitation of liability applies

13. Term and Termination

This DPA:

  • Remains in effect during service provision
  • Survives termination for data deletion obligations
  • May be updated with 30 days' notice
  • Terminates upon complete data deletion

14. Governing Law

This DPA is governed by:

  • Laws of the jurisdiction specified in Terms of Service
  • Applicable data protection regulations
  • International data transfer requirements

Contact Information

For DPA-related matters:

  • Email: dpo@datamcp.com
  • Subject: “Data Processing Agreement”
  • Address: [To be added]

Data Protection Officer: [To be appointed]