
Data Processing Addendum

The data-protection promises that supplement our Terms of Service whenever margininfo processes personal data on your behalf.

Draft, pending counsel review. Last updated: May 14, 2026

On this page

  1. Scope and definitions
  2. Roles of the parties
  3. Details of processing
  4. Sub-processing
  5. Sub-processor changes
  6. Security measures
  7. Audit rights
  8. International transfers
  9. Data-subject requests and breach notification
  10. Return or deletion of data

Scope and definitions

This Data Processing Addendum ("DPA") supplements the Terms of Service between Margininfo, Inc. ("margininfo") and the customer entity that operates the workspace ("Customer"). It applies whenever margininfo processes personal data on Customer's behalf in the course of providing the Service.

Capitalised terms not defined here have the meaning given in the GDPR, UK GDPR, CCPA, or other applicable data protection law. "Customer Personal Data" means personal data processed by margininfo on Customer's behalf via the Service.

Roles of the parties

For Customer Personal Data, Customer is the Controller and margininfo is the Processor. Where margininfo acts as a Sub-Processor on behalf of Customer's own controllers, the same obligations flow down by reference.

Each party will comply with applicable data protection laws in respect of its role. margininfo will process Customer Personal Data only on documented instructions from Customer, including those documented in the Terms, the product configuration, and any subsequent written instruction.

Details of processing

Subject matter and duration

Subject matter: the provision of the Service. Duration: for the term of the Terms and any post-termination retention required to enable Customer to export data.

Nature and purpose

Hosting, transmission, computation, retrieval, and analytical processing required to deliver investigations, true-profit computation, and optimization workflows to Customer's workspace.

Categories of data subjects

Customer's authorised users; Customer's end customers whose order/refund records are present in the connected systems; and individuals identified in Customer-provided contact records.

Categories of personal data

Account identifiers; transactional records (orders, refunds, shipping events); contact details; usage telemetry; and any other personal data Customer chooses to send via Connected Services.

Sub-processing

Customer authorises margininfo to engage sub-processors to assist in providing the Service. A current list, including each sub-processor's purpose, region, and certifications, is maintained at /subprocessors and is incorporated into this DPA by reference.

margininfo imposes data protection obligations on each sub-processor that are no less protective than those in this DPA, and remains liable for each sub-processor's compliance.

Sub-processor changes

margininfo will give Customer at least 30 days' advance notice (via email to the workspace's Billing Admin and via an update to /subprocessors) before any new sub-processor begins processing Customer Personal Data.

If Customer has a reasonable, documented objection on data protection grounds, the parties will work in good faith to resolve it. If we cannot, Customer may terminate the affected Service and receive a pro-rated refund for the unused, prepaid portion.

Security measures

margininfo implements the technical and organisational measures described in Annex II to this DPA, including: TLS 1.2+ in transit and AES-256 at rest; per-workspace secret isolation; least-privilege internal access governed by SSO + MFA; quarterly access reviews; vulnerability scanning and annual third-party penetration testing; an incident response programme with 72-hour notification to Customer of any confirmed breach affecting Customer Personal Data; and the controls audited under our SOC 2 programme.

The detailed Annex II is maintained in the Security Trust Center and available under NDA in PDF form.

Audit rights

Customer may, no more than once per twelve-month period, request access to margininfo's most recent SOC 2 report and a written response to a reasonable security questionnaire. Where applicable law requires an on-site audit, the parties will agree on scope, timing, and confidentiality protections in advance; audits will be conducted under reasonable rules of engagement, during business hours, and at Customer's cost.

For regulated customers (e.g. those subject to specific financial-services oversight), margininfo will reasonably cooperate with audits required by Customer's regulator.

International transfers

Where Customer Personal Data originating in the EEA, UK, or Switzerland is transferred to a country without an adequacy decision, the parties will rely on the EU Standard Contractual Clauses (Module 2 or 3, as applicable) and, for UK data, the UK International Data Transfer Addendum. These clauses are incorporated by reference and will be executed on request.

Data-subject requests and breach notification

margininfo will assist Customer in responding to data-subject requests (access, deletion, correction, portability) using the workspace's admin tools. Where assistance beyond those tools is required, margininfo will provide reasonable cooperation at no additional cost.

margininfo will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information sufficient for Customer to meet its own notification obligations.

Return or deletion of data

On termination of the Service, Customer may export its data for 30 days. Thereafter margininfo will delete Customer Personal Data from active systems within 30 days and from encrypted backups within an additional 60 days, except where retention is required by law.

This DPA is a working draft and is being finalised by counsel. Once executed under counsel's letterhead, the executed copy supersedes this published version.
