Data Processing Addendum (DPA)
1. Background and Purpose
This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement (“MSA”) or Proposal between MATES Unipessoal LDA (“Processor”) and the Client (“Controller”).
The purpose of this DPA is to ensure that the Processor complies with applicable data protection laws when processing Personal Data on behalf of the Controller. In the event of a conflict between this DPA and the MSA, this DPA shall prevail regarding data protection matters.
2. Definitions
- “GDPR”: The General Data Protection Regulation (EU) 2016/679.
- “Applicable Law”: The GDPR and the Portuguese Data Protection Law (Lei n.º 58/2019), as amended.
- “Sub-processor”: Any third party engaged by the Processor to assist in fulfilling its obligations with respect to providing the Services.
3. General Obligations of the Processor
The Processor agrees to:
- Instructions: Process Personal Data only on the documented instructions of the Controller (including the MSA), unless required otherwise by EU or Member State law.
- Confidentiality: Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR.
- Sub-processors: Not engage another processor without the prior specific or general written authorization of the Controller. The current approved list is set out in Annex 3.
- Data Subject Rights: Assist the Controller, insofar as this is possible, in fulfilling the Controller’s obligation to respond to requests for exercising the data subject’s rights (e.g., access, rectification, erasure).
- Breach Notification: Notify the Controller without undue delay (and in no case later than 36 hours) after becoming aware of a Personal Data Breach.
- Deletion: At the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to processing, unless EU or Member State law requires storage of the Personal Data.
- Audits: Make available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
4. International Transfers
The Processor shall not transfer Personal Data to a country outside the European Economic Area (EEA) unless:
- The country has an “Adequacy Decision” from the European Commission; or
- The transfer is protected by Standard Contractual Clauses (SCCs).
5. Liability
The Processor’s liability under this DPA is subject to the exclusions and limitations of liability set out in the MSA.
ANNEX 1: DETAILS OF PROCESSING
1. Subject Matter and Duration
The subject matter is the creation of digital marketing assets and the management of Email Service Provider (ESP) accounts. The duration corresponds to the term of the MSA.
2. Nature and Purpose
The nature of processing involves accessing client ESPs (e.g., Klaviyo), downloading asset guidelines, and utilizing customer segments to schedule campaigns. The purpose is to execute the digital marketing services defined in the Scope of Work.
3. Categories of Data Subjects
- The Controller’s subscribers/customers.
- The Controller’s employees (contact details for project management).
4. Types of Personal Data
- Contact Data: Name, email address, phone number.
- Behavioral Data: Purchase history, email engagement (opens/clicks), website activity (if accessed via ESP).
- Technical Data: IP addresses, device types.
- Special Categories: N/A (The Processor does not knowingly process sensitive health, biometric, or political data).
ANNEX 2: SECURITY MEASURES
The Processor implements the following security measures:
- Access Control: Strict “Least Privilege” access policy; mandatory Two-Factor Authentication (2FA) on all accounts (Google Workspace, Figma, Client ESPs).
- Device Security: All work is performed on encrypted devices with automatic locking and up-to-date anti-malware protection.
- Walled Garden: Client data is logically separated. No data is stored on local machines longer than necessary for active production; final assets are stored in secure cloud environments (Google Drive).
- No External Storage: The Processor does not export email lists (CSVs) to local unencrypted drives. All segmentation work is performed directly within the Client’s secured ESP environment.
ANNEX 3: AUTHORIZED SUB-PROCESSORS
The Controller authorizes the engagement of the following sub-processors:
| Sub-Processor | Purpose | Location |
| --- | --- | --- |
| Google Workspace | Email, File Storage, Docs | Ireland (EU) |
| Figma | Design & Prototyping | USA (SCCs apply) |
| Slack | Internal Communication | USA (SCCs apply) |
| OpenAI | AI Copy/Code Assistance | USA (SCCs apply) |