Data Processing Agreement
Last updated April 24, 2026
This DPA applies automatically to every Markifact customer and is incorporated into our Terms & Conditions by reference. By using Markifact, you accept it — no signature, email, or request is required. Counter-signed copies are issued only as part of custom or enterprise plan contracts.
This Data Processing Agreement ("DPA") forms part of the Markifact Terms & Conditions (the "Agreement") between OPTIMIZATION UP L.L.C-FZ ("Markifact", "we", "us") and the customer identified in the applicable account or order ("Customer", "you").
This DPA reflects the parties' agreement on the processing of Personal Data in connection with the General Data Protection Regulation (Regulation (EU) 2016/679 — "GDPR" / "DSGVO"), the United Kingdom General Data Protection Regulation ("UK GDPR"), the Swiss Federal Act on Data Protection ("Swiss FADP"), the California Consumer Privacy Act as amended ("CCPA"), and other applicable data protection laws (together, "Applicable Data Protection Laws").
Auto-Incorporation — No Signature Required
This DPA is automatically incorporated into and forms part of the Agreement for every Markifact customer. By creating an account and accepting the Terms & Conditions, you accept this DPA. No separate signature, request, email, or counter-signed copy is required to make this DPA effective — for any plan.
This page is your DPA. You may print it, save it as a PDF, or attach the URL to your vendor record; it forms part of the Terms & Conditions for all Markifact customers. Counter-signed copies are issued only to customers on a custom or enterprise plan as part of their negotiated contract — they are not available on standard self-serve plans.
In the event of any conflict between this DPA and the Agreement, this DPA prevails to the extent of such conflict in relation to the processing of Personal Data.
1. Definitions
Capitalized terms not defined here have the meaning given in the Agreement or in Applicable Data Protection Laws.
- "Customer Personal Data" means any Personal Data that Markifact processes on behalf of Customer in connection with the Service.
- "Personal Data", "Controller", "Processor", "Data Subject", "processing", and "Personal Data Breach" have the meanings given in the GDPR.
- "Service" means the Markifact platform and related services made available to Customer.
- "Subprocessor" means any third party engaged by Markifact to process Customer Personal Data.
- "SCCs" means the Standard Contractual Clauses approved by European Commission Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller to Processor), as amended or replaced from time to time.
- "UK Addendum" means the International Data Transfer Addendum to the EU SCCs (version B1.0) issued by the UK Information Commissioner's Office.
2. Roles of the Parties
For the purposes of this DPA:
- Customer is the Controller (or, where applicable, Processor on behalf of a third-party Controller) of Customer Personal Data.
- Markifact is the Processor (or sub-processor) acting on Customer's documented instructions.
Each party shall comply with its obligations under Applicable Data Protection Laws.
3. Scope and Purpose of Processing
Markifact will process Customer Personal Data only:
- to provide, maintain, secure, and improve the Service in accordance with the Agreement;
- to comply with Customer's documented instructions (including instructions submitted through the Service's configuration, such as workflows, integrations, and AI features that Customer chooses to enable); and
- as required by applicable law, in which case Markifact will (where legally permitted) inform Customer of that requirement before processing.
The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects are described in Annex 1.
4. Customer Responsibilities
Customer:
- is responsible for the accuracy, quality, and legality of Customer Personal Data and for the lawful basis on which Customer (or its end users) collected and made it available to Markifact;
- must ensure it has all necessary rights, permissions, and consents to authorise Markifact's processing of Customer Personal Data, including the connection of third-party platforms (Google, Meta, TikTok, LinkedIn, Microsoft, Shopify, HubSpot, etc.) and the configuration of any AI features;
- must not include in Customer Personal Data any "special categories" of data (Article 9 GDPR) or sensitive personal information except where strictly necessary and lawful — Markifact does not intentionally process such data; and
- is responsible for using available Service controls to manage retention, deletion, and disconnection of integrations.
5. Confidentiality
Markifact ensures that any personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory) and have received appropriate training on their data protection responsibilities.
6. Security Measures
Markifact implements and maintains appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, such data. These measures are described in Annex 2 and include:
- encryption of data in transit (TLS) and at rest;
- encryption of OAuth integration tokens (access and refresh tokens) at rest;
- access controls based on the principle of least privilege;
- secure cloud infrastructure hosted in the European Union (Google Cloud Platform and Vercel for application hosting, and Neon on AWS EU regions for the production database);
- logging and monitoring of access to production systems; and
- documented incident response procedures.
Customer acknowledges that the security measures are subject to technical progress and may be updated by Markifact from time to time, provided that any updates do not materially decrease the overall level of protection.
7. Subprocessors
Customer generally authorises Markifact to engage Subprocessors to process Customer Personal Data, subject to the requirements of this Section 7.
7.1. Current Subprocessors. Markifact's current list of Subprocessors is published on the Trust Center and is incorporated into this DPA as Annex 3.
7.2. Notice of changes. Markifact will publish updates to its Subprocessor list at least 30 days before any new Subprocessor begins processing Customer Personal Data. The "Last updated" date on the Trust Center serves as notice of changes; Customer is responsible for periodically reviewing it.
7.3. Right to object. Within 30 days of an update, Customer may object on reasonable data-protection grounds by emailing contact@markifact.com. The parties will work in good faith to resolve the objection. If no resolution can be reached, Customer may terminate the affected portion of the Service for convenience.
7.4. Subprocessor obligations. Markifact imposes data-protection obligations on each Subprocessor that are no less protective than those in this DPA, and remains fully liable to Customer for the acts and omissions of its Subprocessors.
8. International Data Transfers
8.1. Primary location. Markifact stores and processes Customer Personal Data in the European Union. Application hosting runs on Google Cloud Platform and Vercel in EU regions, and the production PostgreSQL database is hosted on Neon in AWS EU regions.
8.2. Restricted transfers. To the extent that providing the Service involves a transfer of Customer Personal Data to a country that is not the subject of an adequacy decision under Applicable Data Protection Laws, the parties agree that the SCCs (Module Two: Controller to Processor) are incorporated into this DPA by reference and form an integral part of it. The Annexes to the SCCs are populated by Annex 1 and Annex 2 of this DPA.
8.3. EU SCCs — Clause options. For the purposes of the SCCs:
- in Clause 7 (docking clause): the optional docking clause does not apply;
- in Clause 9(a): Option 2 (general written authorisation) applies, with the notice period set out in Section 7.2;
- in Clause 11(a): the optional independent dispute-resolution body language does not apply;
- in Clause 17: the SCCs are governed by the laws of Ireland;
- in Clause 18(b): any dispute arising from the SCCs shall be resolved before the courts of Ireland.
8.4. UK transfers. For transfers subject to the UK GDPR, the UK Addendum is incorporated by reference. Tables 1–3 are completed using the information in Annex 1 and Annex 2; in Table 4, the "importer" may end the Addendum.
8.5. Swiss transfers. For transfers subject to the Swiss FADP, the SCCs apply with the following modifications: (i) references to "Regulation (EU) 2016/679" are interpreted as references to the Swiss FADP; (ii) references to "EU", "Union", "Member State" and "EU Member State" are read as "Switzerland"; (iii) references to the "competent supervisory authority" mean the Swiss Federal Data Protection and Information Commissioner; and (iv) the SCCs are governed by Swiss law and disputes are resolved before the competent Swiss courts in respect of Customer Personal Data subject to the Swiss FADP.
9. Assistance with Data Subject Rights
Taking into account the nature of the processing, Markifact provides reasonable assistance — through appropriate technical and organisational measures and the self-service controls available in the Service — to enable Customer to fulfil its obligations to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws (access, rectification, erasure, restriction, portability, objection).
If Markifact receives a request directly from a Data Subject relating to Customer Personal Data, Markifact will (unless legally prohibited) promptly inform the Data Subject to direct the request to Customer and notify Customer of the request.
10. Assistance with DPIAs and Consultations
Markifact provides Customer with reasonable assistance, taking into account the nature of the processing and the information available to Markifact, with any data protection impact assessments and prior consultations with supervisory authorities required under Articles 35–36 GDPR.
11. Personal Data Breach Notification
Markifact will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent then known:
- a description of the nature of the Personal Data Breach (including categories and approximate number of Data Subjects and records affected);
- the likely consequences;
- the measures taken or proposed to address it and mitigate its possible adverse effects; and
- a contact point at Markifact for further information.
This notification is intended to assist Customer in meeting its own notification obligations (including under Article 33 GDPR) and is not, by itself, an acknowledgement of fault or liability by Markifact.
12. Deletion and Return of Customer Personal Data
12.1. During the term. Customer may delete or export Customer Personal Data at any time using the self-service controls available in the Service.
12.2. On termination. Following termination or expiry of the Agreement, Customer has 30 days to export Customer Personal Data. After this period, Markifact will delete or anonymise Customer Personal Data within a reasonable timeframe (typically within 30 days), except to the extent retention is required for legal, tax, security, or fraud-prevention purposes (for example, billing records, security logs, anonymised aggregated usage data).
12.3. Backups. Customer Personal Data residing in routine backups is overwritten in the ordinary course of Markifact's backup retention cycle.
13. CCPA — Service Provider Status
To the extent Markifact processes Personal Data subject to the CCPA on behalf of Customer, Markifact acts as a "Service Provider" and:
- shall not "sell" or "share" the Personal Data, as those terms are defined under the CCPA;
- shall not retain, use, or disclose the Personal Data outside the direct business relationship with Customer or for any purpose other than the specific purpose of providing the Service;
- shall not combine the Personal Data with personal information received from or on behalf of any other person, except as permitted by the CCPA; and
- certifies that it understands and will comply with these restrictions.
The transfer of Personal Data from Customer to Markifact under the Agreement is not a "sale" or "share" within the meaning of the CCPA.
14. Audits
Markifact makes available to Customer the information necessary to demonstrate compliance with this DPA and Article 28 GDPR through:
- the documentation, summaries, and information published on the Trust Center;
- this DPA, the Privacy Policy, Terms & Conditions, and the Subprocessor list in Annex 3; and
- for customers on custom or enterprise agreements, responding to reasonable written security questionnaires (no more than once per year, except where required by Applicable Data Protection Laws or following a Personal Data Breach), and on request providing summaries of independent third-party assessments where available.
Customer acknowledges that Markifact is a small organisation and that the foregoing satisfies the audit obligations under Article 28(3)(h) GDPR. Where Applicable Data Protection Laws require an on-site audit, the parties will agree in advance on scope, timing, confidentiality, and reasonable cost reimbursement.
15. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. The parties agree that any reference in the SCCs to a party's "liability" applies as between Markifact and Customer subject to those limitations.
16. Governing Law
Except where (a) the SCCs require otherwise (in which case Section 8.3 applies) or (b) Applicable Data Protection Laws require a specific governing law, this DPA is governed by the laws of the United Arab Emirates, specifically the regulations applicable to the Meydan Free Zone, Dubai, and the parties submit to the exclusive jurisdiction of the courts of Dubai, UAE, in line with the Agreement.
17. Term
This DPA takes effect on the earlier of (a) Customer's acceptance of the Agreement, or (b) Markifact's first processing of Customer Personal Data, and continues until all Customer Personal Data has been deleted in accordance with Section 12.
Annex 1 — Description of Processing
A. List of Parties
- Data Exporter (Controller): the Customer identified in the Markifact account.
- Data Importer (Processor): OPTIMIZATION UP L.L.C-FZ, Meydan Free Zone, Dubai, UAE. Contact: contact@markifact.com.
B. Subject Matter and Duration
Provision of the Markifact marketing automation platform for the duration of the Agreement.
C. Nature and Purpose of Processing
To operate the Service, including: account management; running workflows configured by Customer; connecting and authenticating third-party integrations; running AI features that Customer chooses to enable; logging, security, fraud prevention, support; and any other purpose described in the Agreement or this DPA.
D. Categories of Data Subjects
- Customer's authorised users of the Service (employees, contractors).
- Individuals whose Personal Data appears within the data Customer connects, processes, or generates through the Service (for example, end users of Customer's connected ad accounts, CRM contacts, leads, recipients of marketing messages).
E. Categories of Personal Data
- Account data: name, email address, profile photo URL, authentication identifiers.
- Billing data: company name, billing address, invoice records (payment card details are handled directly by Stripe).
- Integration data: OAuth tokens (encrypted at rest) and the data made accessible through Customer-authorised scopes (for example, advertising performance, analytics, CRM records, social engagement).
- Workflow data: inputs, outputs, and execution logs of workflows configured by Customer.
- AI data: prompts and responses for AI steps that Customer enables.
- Usage and log data: IP address, browser/device information, timestamps, page references, security and audit logs.
F. Special Categories of Personal Data
Markifact does not intentionally process special categories of data. Customer must not submit special categories or sensitive personal data except where strictly necessary and lawful.
G. Frequency of Processing
Continuous, for the duration of the Agreement.
H. Retention
- Workflow execution history / logs: retained for 1–30 days depending on Customer's plan.
- AI agent conversation history: retained until Customer deletes it.
- Account and billing data: retained for the duration of the Agreement and as required by tax/accounting law thereafter.
- Security and fraud-prevention logs: retained as long as necessary to protect the Service.
- Integration data: minimised; processed primarily in real time and not stored except where required for features Customer configures.
I. Competent Supervisory Authority
Where the EU GDPR applies: the supervisory authority of the EEA Member State in which Customer is established (or, if Customer is not established in the EEA, where Customer's representative is established or where Customer's Data Subjects are predominantly located).
Annex 2 — Technical and Organisational Measures (TOMs)
Markifact implements the following measures, which may be updated from time to time provided the overall level of protection is not materially decreased.
Encryption
- TLS 1.2+ for data in transit between Customer and the Service.
- Encryption at rest for databases hosted on managed cloud infrastructure.
- OAuth access and refresh tokens stored in encrypted form.
Access control
- Role-based access for Markifact personnel based on least privilege.
- Strong authentication for administrative access to production systems.
- Access to production systems limited to a small number of authorised personnel.
- Access reviews performed periodically.
Hosting and infrastructure
- Data stored and processed in the European Union: Google Cloud Platform and Vercel for application hosting (EU regions), and Neon on AWS EU regions for the production database.
- Production database (Neon) hosted in an EU region.
- Physical security of data centres delegated to underlying cloud providers, who maintain industry-recognised certifications (e.g., ISO 27001, SOC 2) for their infrastructure.
Network and application security
- Production environments segregated from development and testing.
- HTTPS enforced for all customer-facing endpoints.
- Secrets and credentials managed via dedicated secret-management systems.
Logging and monitoring
- Audit logs for production access and security-relevant events.
- Application logs to support troubleshooting and security investigations.
Vulnerability and patch management
- Dependency monitoring and timely patching of known vulnerabilities.
- Use of supported, maintained runtime and infrastructure components.
Backup and disaster recovery
- Routine backups maintained for disaster-recovery purposes (not for individual data-recovery requests).
- Recovery procedures documented and tested.
Personnel
- Confidentiality obligations binding on all personnel.
- Security and privacy awareness training.
Incident response
- Documented incident-response process covering triage, containment, investigation, remediation, communication, and post-incident review.
- Personal Data Breach notifications in line with Section 11 of this DPA.
Sub-processor management
- Written agreements imposing data-protection terms substantially equivalent to this DPA.
- Public list of sub-processors maintained on the Trust Center.
Annex 3 — List of Subprocessors
The current list of approved sub-processors is published at /trust-center#subprocessors and is incorporated into this DPA by reference.
Hosting region: all Markifact application servers and the production database are configured in the European Union.
As of the last update of this DPA, the sub-processors are:
| Subprocessor | Purpose | Data Involved |
|---|---|---|
| Google LLC | Cloud hosting & infrastructure (Google Cloud Platform, EU region) | Account data, encrypted tokens, logs, service data needed to run workflows |
| Vercel, Inc. | Web application hosting and edge delivery (EU region) | Website/app delivery data, request logs |
| Neon, LLC | Managed PostgreSQL database (AWS EU region) | Account data, workflow data, encrypted integration tokens, service metadata |
| Amazon Web Services, Inc. | Transactional & notification email delivery (SES, EU region) | Email address, email delivery metadata |
| Stripe, Inc. | Payment processing and billing | Billing details, invoices (payment-card data is handled directly by Stripe) |
| OpenAI, LLC | AI services for user-enabled AI features (no training on customer data) | Only the prompt/data sent for the specific AI request the customer triggers |
| Anthropic, PBC | AI services for user-enabled AI features (no training on customer data) | Only the prompt/data sent for the specific AI request the customer triggers |
| Google LLC (Gemini) | AI services for user-enabled AI features (no training on customer data) | Only the prompt/data sent for the specific AI request the customer triggers |
For Markifact-managed AI sub-processors, we use the provider controls intended to prevent training on submitted data. Any retention is governed by the provider's API terms and Markifact's configuration with that provider.
Website cookie and analytics providers used on the public marketing website (markifact.com) are disclosed in the Cookies section of the Privacy Policy and are not Sub-processors of Customer Personal Data.
Contact
Questions about this DPA: contact@markifact.com.
For full details, see our Privacy Policy, Terms & Conditions, and Trust Center.