Data Processing Agreement (DPA)

1. Purpose and Scope

This Data Processing Agreement ("DPA") governs the processing of personal data by MarketForge (the "Processor") on behalf of Sellers (the "Controller") in connection with the provision of Platform services.

This DPA applies to customer personal data, transaction data, and communications processed through the Platform.

2. Roles and Responsibilities

You (the Seller) are the Data Controller

• You determine purposes and means of processing customer data
• You are responsible for ensuring lawful processing
• You must obtain necessary consents from customers
• You must provide a privacy policy to your customers

We (MarketForge) are the Data Processor

• We process data only on your documented instructions
• We implement appropriate security measures
• We assist with data subject rights requests
• We notify you of data breaches

3. Types of Personal Data Processed

• Customer names and contact information
• Billing and shipping addresses
• Payment information (via third-party processors)
• Purchase history and transaction records
• IP addresses and device information
• Communications between Sellers and Customers

4. Security Measures

MarketForge implements appropriate technical and organizational measures:

Technical Measures

• Encryption of data in transit (TLS/SSL) and at rest
• Multi-tenant data segregation
• Secure authentication and access controls
• Regular security updates and patches
• Intrusion detection and prevention systems

Organizational Measures

• Security policies and procedures
• Employee training on data protection
• Background checks for personnel
• Incident response procedures
• Regular security audits

5. Sub-Processors

All sub-processors are bound by data processing agreements and provide equivalent security guarantees. We will notify you of new sub-processors with 30 days to object.

6. International Data Transfers

When data is transferred outside the EEA or your jurisdiction, we ensure adequate safeguards through:

• Standard Contractual Clauses (SCCs) approved by EU Commission
• Adequacy decisions (where applicable)
• Compliance with local data residency requirements

7. Data Subject Rights

MarketForge will assist you in fulfilling data subject rights requests:

• Right to Access: Providing access to personal data
• Right to Rectification: Correcting inaccurate data
• Right to Erasure: Deleting data ("right to be forgotten")
• Right to Restriction: Limiting processing
• Right to Portability: Machine-readable data format
• Right to Object: Objecting to processing

We will respond to assistance requests within 10 business days.

8. Data Breach Notification

In the event of a personal data breach:

• We will notify you without undue delay and within 72 hours
• We will provide available information about the breach
• We will cooperate in your breach investigation
• We will take immediate steps to remediate

9. Audit Rights

You have the right to audit our compliance upon reasonable notice (at least 30 days), during normal business hours, no more than once per year. We may satisfy audit requirements through relevant certifications (ISO 27001, SOC 2) or third-party audit reports.

10. Data Deletion and Return

At the end of our agreement:

• We will delete or return all personal data (your choice)
• Deletion completed within 30 days of termination
• Certification of deletion provided upon request
• Exception: Data required by law (7-year retention for financial/tax records)

11. Your Obligations as Controller

As the Data Controller, you must:

• Ensure lawful processing of customer data
• Obtain necessary consents from customers
• Provide a privacy policy to your customers
• Respond to data subject requests
• Report data breaches to authorities (where required)

12. Contact Information

Data Protection Officer: dpo@marketforge.app

Legal/DPA Inquiries: legal@marketforge.app