
Data Processing Agreement

GDPR Article 28 compliant agreement between Marketor (processor) and you (controller). Last updated: April 2026.

Last updated: April 5, 2026  ·  Effective for all active subscriptions from: April 5, 2026

How this DPA works: By using Marketor to store personal data about your contacts, you act as the data controller. Marketor acts as the data processor. This Data Processing Agreement (DPA) is incorporated by reference into the Marketor Terms of Service and is binding on both parties from the moment you begin using the service.

Contents

  1. Parties and definitions
  2. Subject matter and duration
  3. Data subjects and categories of data
  4. Processor obligations
  5. Controller obligations
  6. Sub-processors
  7. Security measures
  8. Personal data breaches
  9. Data subject rights
  10. International data transfers
  11. Deletion and return of data
  12. Audits and compliance

1. Parties and definitions

Processor: Mangleis Group Ab Oy (Business ID: 3152831-8), operating the Marketor platform at marketor.fi, Finland. ("Marketor" or "Processor")

Controller: The legal entity or individual who has agreed to the Marketor Terms of Service and is using the platform to store personal data. ("Client" or "Controller")

Applicable law: Regulation (EU) 2016/679 (GDPR), the Finnish Data Protection Act (1050/2018), and any other applicable EU or national data protection legislation.

2. Subject matter and duration

Marketor processes personal data on behalf of the Controller for the purpose of providing the Marketor CRM platform and related services as described in the Terms of Service.

This DPA is effective for the duration of the Controller's active subscription and terminates automatically when the subscription ends. The obligations regarding deletion and confidentiality survive termination.

3. Data subjects and categories of data

Data subjects

The personal data processed relates to individuals in the Controller's professional network — contacts, clients, partners, investors, and other business relationships stored by the Controller in their Marketor workspace.

Categories of personal data

The Controller may store the following categories of data in the platform. Processing is limited to what the Controller chooses to enter:

  • Identification data: full name, job title, organisation name
  • Contact data: email address, phone number, LinkedIn profile URL, website
  • Professional context: relationship notes, interaction history, activity logs, next actions
  • Categorisation data: cluster assignments, priority ratings, pipeline stage

The Controller must not store special categories of personal data (as defined in GDPR Article 9) in the Marketor platform.

Nature of processing

Collection, storage, retrieval, display, update, organisation, export, and deletion — all performed on instruction from the Controller through the platform interface.

4. Processor obligations

Marketor agrees to:

  • Process personal data only on documented instructions from the Controller — which are the Controller's actions within the platform interface — except where required by applicable law
  • Ensure all staff with access to Controller data are bound by appropriate confidentiality obligations
  • Implement appropriate technical and organisational security measures as described in Section 7
  • Not engage sub-processors without informing the Controller and providing an opportunity to object
  • Assist the Controller in responding to data subject rights requests, to the extent technically feasible
  • Assist the Controller with security obligations, breach notifications, data protection impact assessments, and prior consultations under GDPR Articles 32–36
  • Delete or return all personal data upon termination of the agreement, as described in Section 11
  • Make available all information necessary to demonstrate compliance with this DPA
  • Notify the Controller if, in Marketor's opinion, an instruction violates applicable data protection law

5. Controller obligations

The Controller agrees to:

  • Ensure it has a lawful basis for processing each data subject's personal data before entering it into the platform
  • Provide any required privacy notices to data subjects regarding the processing carried out in Marketor
  • Not store special categories of personal data in the platform
  • Ensure the accuracy of personal data entered into the platform
  • Comply with applicable data protection law in all use of the platform

6. Sub-processors

Marketor uses the following sub-processors to deliver the service. The Controller provides general authorisation for these sub-processors. Marketor will notify the Controller of any intended changes to sub-processors with at least 14 days' advance notice:

Supabase Inc. — Database and authentication
Location: USA (data stored in EU — Frankfurt, Germany)
Purpose: Storing all workspace data, contacts, activity logs, and user authentication
Safeguard: Standard Contractual Clauses (SCCs)

Netlify Inc. — Website and application hosting
Location: USA (CDN with EU edge nodes)
Purpose: Serving the Marketor web application
Safeguard: Standard Contractual Clauses (SCCs)

Resend Inc. — Transactional email delivery
Location: USA
Purpose: Sending password reset and service notification emails
Safeguard: Standard Contractual Clauses (SCCs)

Anthropic Inc. — AI processing for AI-powered features
Location: USA
Purpose: Generating AI suggestions when Controller uses AI features
Safeguard: Standard Contractual Clauses (SCCs). Data is not retained by Anthropic beyond the duration of the API request.

The Controller may object to a new sub-processor within 14 days of notification. If a reasonable objection cannot be resolved, the Controller may terminate the subscription with a full refund of any prepaid fees for the unused period.

7. Security measures

Marketor implements the following technical and organisational measures in accordance with GDPR Article 32:

Technical measures

  • All data transmission encrypted in transit using TLS 1.2 or higher
  • All data encrypted at rest in Supabase using AES-256
  • Row Level Security (RLS) enforced at the database level — users can only access data from their own workspace
  • Password hashing using bcrypt via Supabase Auth
  • HTTPS enforced on all platform endpoints
  • Security headers applied via Netlify (_headers configuration)

Organisational measures

  • Access to production systems limited to authorised personnel only
  • Principle of least privilege applied to all system access
  • Regular review of access rights
  • Sub-processor agreements require equivalent security standards

8. Personal data breaches

In the event of a personal data breach affecting Controller data, Marketor will:

  • Notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach
  • Provide all information available about the nature of the breach, the categories and approximate number of data subjects affected, the categories and approximate number of records affected, and the likely consequences
  • Describe the measures taken or proposed to address the breach

The Controller remains responsible for notifying the relevant supervisory authority (Tietosuojavaltuutettu in Finland) and data subjects where required under GDPR Articles 33 and 34.

9. Data subject rights

When a data subject exercises their rights under GDPR directly with Marketor, Marketor will forward the request to the Controller within 5 business days. The Controller is responsible for responding to data subject rights requests.

Marketor will provide technical assistance to support the Controller in responding to rights requests — for example, by providing data exports, supporting rectification, or carrying out deletion on instruction from the Controller.

Data subjects whose data is stored by the Controller in Marketor should direct their rights requests to the Controller, not to Marketor.

10. International data transfers

Contact data entered by the Controller is stored in Supabase's EU region (Frankfurt, Germany) and does not leave the EU under normal operation. Transfers to sub-processors in the USA (listed in Section 6) are covered by Standard Contractual Clauses (SCCs) as the appropriate safeguard under GDPR Article 46.

11. Deletion and return of data

Upon termination of the subscription:

  • The Controller may export all contact data in CSV format via the platform at any time before or within 30 days of termination
  • Marketor will permanently delete all Controller data within 30 days of subscription termination, except where retention is required by applicable law
  • Marketor will confirm deletion in writing upon request
  • Backup copies are deleted within the backup retention cycle (maximum 30 days after the primary deletion)

12. Audits and compliance

Marketor will make available all information reasonably necessary to demonstrate compliance with this DPA. This includes providing responses to compliance questionnaires within a reasonable timeframe.

The Controller may request an audit of Marketor's data processing activities with at least 30 days advance written notice. Audits are conducted at the Controller's cost and must not unreasonably disrupt Marketor's operations. Marketor may satisfy audit requirements by providing a third-party audit report where available.

Questions about this DPA

For any questions about this Data Processing Agreement, contact us at support@marketor.fi. To request a signed copy of this DPA for your records, email us and we will provide one within 5 business days.

© 2026 Marketor · Mangleis Group Ab Oy