Data Processing Agreement

Last updated: May 9, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Marketing Campaign System, Inc. (“Processor”) and the customer identified in the relevant subscription (“Controller”) and applies to the processing of Personal Data by Processor on Controller’s behalf in connection with the Service. Capitalized terms not defined here have the meaning set out in the Terms.

For Personal Data subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss FADP, or substantively equivalent laws, the parties agree as follows.

1. Subject Matter, Duration, Nature, and Purpose

  • Subject matter: Processing of Personal Data necessary to provide the Service.
  • Duration: The term of the subscription, plus any post-termination deletion period set out in Section 9.
  • Nature and purpose: Hosting, generating, transmitting, analyzing, and optimizing advertising campaigns and supporting features at Controller’s instruction.
  • Categories of Personal Data: account identifiers; usage and device data; campaign and creative content; aggregated audience signals; ad-account billing metadata.
  • Categories of Data Subjects: Controller’s personnel; recipients of Controller’s advertising; visitors and customers of Controller’s properties whose data is uploaded for audience or attribution purposes.

2. Roles

Controller is the controller of Personal Data processed under this DPA; Processor is a processor acting on Controller’s documented instructions. Where Processor processes certain data as a controller (e.g., billing data, fraud signals, aggregated service analytics), it does so under Processor’s Privacy Policy.

3. Controller’s Instructions

Controller’s use of the Service constitutes Controller’s instructions to Processor for the processing of Personal Data. Processor will process Personal Data only in accordance with such instructions, except where required by law (in which case it will notify Controller unless prohibited by law).

4. Confidentiality

Processor ensures personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.

5. Security

Processor implements appropriate technical and organizational measures to protect Personal Data, including the safeguards described in Annex A. Processor reviews these measures regularly and may update them, provided protection is not materially weakened.

6. Sub-processors

Controller provides general written authorization for Processor to engage sub-processors, listed at marketingcampaignsystem.com/subprocessors. Processor will give at least 30 days’ prior notice of changes to that list (via that page or email). Controller may object on reasonable data-protection grounds within 14 days; if the parties cannot resolve the objection, Controller may terminate the affected portion of the Service for convenience.

7. International Transfers

Where Processor transfers Personal Data of EEA, UK, or Swiss data subjects to a country not subject to an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module 2 / Module 3 as applicable, Commission Decision 2021/914), the UK International Data Transfer Addendum, and the Swiss adaptations, as applicable. Where Controller acts as a processor for an underlying controller, the parties incorporate Module 3.

8. Data Subject Rights and Cooperation

Processor provides functionality enabling Controller to fulfill data-subject rights requests (access, rectification, erasure, restriction, portability). Processor will promptly forward to Controller any data-subject request it receives directly. Processor will, on reasonable request and at Controller’s cost, assist with Data Protection Impact Assessments and supervisory-authority consultations.

9. Deletion and Return

Within 30 days of termination of the subscription, Processor will delete Personal Data from active production systems. Backups containing Personal Data are deleted in accordance with Processor’s rolling backup retention schedule (no longer than 90 days). On request before deletion, Processor will export Personal Data in a structured, commonly used format.

10. Personal Data Breach

Processor will notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting Controller’s data, with the information required for Controller to meet its notification obligations. Notice is not an admission of fault or liability.

11. Audits

Processor will make available information necessary to demonstrate compliance with this DPA, including the most recent third-party audit reports (e.g., SOC 2 Type II when available). On reasonable advance written notice, no more than once per twelve months, and subject to mutually agreed scope and confidentiality, Controller may conduct audits through an independent auditor at Controller’s expense.

12. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms.

13. Order of Precedence

In case of conflict between this DPA and the Terms with respect to processing of Personal Data, this DPA controls. The Standard Contractual Clauses, where incorporated, prevail over this DPA in case of conflict.

Annex A — Technical and Organizational Measures

  • TLS 1.2+ for all data in transit; HSTS on all public domains.
  • AES-256-GCM encryption at rest for OAuth tokens and other secret material; KMS-managed keys.
  • Role-based access control with least privilege; SSO and MFA required for staff.
  • Centralized audit logging of access to production data; tamper-evident retention.
  • Network segmentation; private subnets for data stores; bastion access only.
  • Vulnerability scanning; dependency monitoring; patch SLAs by severity.
  • Annual penetration testing once revenue and contractual commitments justify it.
  • Background checks for staff with production access, where lawful.
  • Documented incident response plan with rehearsed playbooks.
  • Secure SDLC; code review; isolated environments per tenant for high-risk operations.
  • Quarterly access reviews; off-boarding within 24 hours.

Annex B — Sub-processors

See marketingcampaignsystem.com/subprocessors for the current list of authorized sub-processors and their processing locations.

Execution

This DPA is incorporated into the Terms and accepted by the same person and on the same date as the Terms. To request a counter-signed PDF copy for your records, email legal@marketingcampaignsystem.com.


Working draft · Reviewed by counsel before any production deployment.