Data Processing Agreement
DATA PROCESSING AGREEMENT (DPA)
Effective Date: November 1, 2025
Version: 1.0
PARTIES
Data Controller:
- The Client who uses the Margyn Platform service
- The Client's details are recorded in the Terms of Service (ToS)
Data Processor:
- Company Name: Interactic Media Korlátolt Felelősségű Társaság (Limited Liability Company)
- Registered Office: 1143 Budapest, Eleonóra u. 8. 4/3, Hungary
- Company Registration Number: 01-09-388500
- Tax Number: 10580242-2-42
- EU Tax Number: HU10580242
- Represented by: Máté Schubert, Managing Director
- Email: mate@interacticmedia.com
- Website: https://margyn.io
PREAMBLE
This Data Processing Agreement (hereinafter: "DPA") has been established pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: "GDPR").
This DPA forms an inseparable part of the Margyn Platform Terms of Service (ToS) and must be interpreted together with it.
1. DEFINITIONS
The terms used in this DPA have the same meanings as defined in Article 4 of the GDPR:
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means
- Data Controller: The natural or legal person who determines the purposes and means of the processing of personal data
- Data Processor: The natural or legal person who processes personal data on behalf of the Data Controller
- Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed
- Data Subject: The natural person identified or identifiable by the personal data (the Client's end users, buyers)
2. SUBJECT AND DURATION OF PROCESSING
2.1. Subject of Processing
The Data Processor processes data on behalf of the Data Controller for the following purposes:
- E-commerce business analytics and reporting
- Campaign management and advertising optimization
- Product cost management and profitability calculation
- Order and customer analytics
- Inventory tracking and inventory optimization
- User access management (Role-Based Access Control)
2.2. Duration of Processing
The duration of processing:
- During the term of the agreement (ToS)
- Plus 30 days following termination of the agreement (for data deletion or return)
2.3. Nature of Processing
- Data collection (via API integrations)
- Data storage (in encrypted databases)
- Data organization and structuring
- Data analysis and aggregation
- Data querying and display
- Data deletion or anonymization
3. CATEGORIES OF DATA SUBJECTS
3.1. Scope of Data Subjects
The Data Controller's end users whose personal data is processed during use of the Platform:
- E-commerce buyers (name, address, email, phone number)
- Webshop visitors (session data, IP address)
- The Client's employees (name, email, role)
3.2. Estimated Number of Data Subjects
Depends on the Client's business size:
- Small business: 100–10,000 data subjects/month
- Medium business: 10,000–100,000 data subjects/month
- Enterprise: 100,000+ data subjects/month
4. CATEGORIES OF DATA PROCESSED
4.1. Order Data
- Buyer name
- Billing and shipping address
- Email address
- Phone number
- Order amount, currency
- Order date and status
- Product name, quantity
4.2. Product and Inventory Data
- Product SKU, name, category
- Product costs
- Inventory levels
- Supplier information (if provided)
4.3. Campaign Management Data
- Advertising campaign identifiers
- Cost data (Meta Ads, Google Ads)
- Conversion data
- UTM parameters
4.4. User Analytics
- Session identifiers (session ID)
- IP addresses (hashed, anonymized)
- Browser and device information
- Usage statistics (PostHog, optional)
4.5. Account Management Data
- Client employee names, email addresses
- Roles (admin, editor, viewer)
- Login timestamps (audit log)
Special categories of personal data under GDPR Article 9 (health, biometric, genetic, racial/ethnic origin, etc.) are NOT processed.
5. OBLIGATIONS OF THE DATA PROCESSOR
5.1. Following Instructions (GDPR Article 28(3)(a))
The Data Processor shall process personal data only on documented instructions from the Data Controller, unless processing is required by Union or Member State law.
Sources of instructions:
- This DPA
- The provisions of the ToS
- Settings configured by the Data Controller through the Platform user interface
- The Data Controller's written (email) instructions
If the Data Processor believes that an instruction infringes the GDPR or other data protection legislation, it shall immediately notify the Data Controller.
5.2. Confidentiality (GDPR Article 28(3)(b))
The Data Processor ensures that persons authorized to process the personal data:
- Have committed to confidentiality obligations
- Have received appropriate training on data protection
- Access personal data only to the extent necessary for their duties
5.3. Data Security (GDPR Article 28(3)(c) and GDPR Article 32)
The Data Processor implements the following technical and organizational measures:
Technical Measures:
- TLS 1.3 encryption for all data transmission (HTTPS)
- AES-256 encryption at database level (at-rest encryption)
- Bcrypt password hashing (cost factor 12)
- Multi-Factor Authentication (MFA) support
- Automatic daily backups with geo-redundancy
- Firewall and DDoS protection
- Vulnerability scanning
Organizational Measures:
- Role-Based Access Control (RBAC)
- Audit logs for all data access
- Incident response protocol
- Data protection training for employees
- Regular review of access rights
Infrastructure Security:
- Supabase (AWS Frankfurt): SOC 2 Type II, ISO 27001
- Vercel (AWS Frankfurt): SOC 2, GDPR compliant
- Stripe (Dublin, IE): PCI-DSS Level 1
5.4. Sub-processors (GDPR Article 28(3)(d) and Article 28(2))
The Data Processor may engage further data processors (sub-processors) based on the Data Controller's general prior written authorization.
Current sub-processors (per ToS Section 9.8):
| Sub-processor | Service | Headquarters | Data Storage Location | Compliance |
|---|---|---|---|---|
| Supabase Inc. | Database, Auth, Storage | USA | Frankfurt, DE | SOC 2 Type II, DPA |
| Vercel Inc. | Web hosting | USA | Frankfurt, DE | SOC 2, GDPR, DPA |
| Stripe Payments Europe Ltd. | Payment processing | Dublin, IE | Dublin, IE | PCI-DSS, ISO 27001 |
| Google LLC | AI/OCR (optional) | USA | USA | SCC, EU-US DPF |
| PostHog Inc. | Analytics (optional) | USA | EU Instance | SOC 2, GDPR, DPA |
Engagement of new sub-processors:
- The Data Processor shall notify the Data Controller at least 30 days in advance
- The Data Controller may object to the new sub-processor
- In case of objection, the Data Controller may terminate the agreement
The Data Processor ensures that every sub-processor provides at least the same level of data protection guarantees as this DPA.
5.5. Data Subject Rights (GDPR Article 28(3)(e))
The Data Processor shall assist the Data Controller in fulfilling data subject rights:
- Right of access (GDPR Article 15): Data export in CSV/JSON format
- Right to rectification (GDPR Article 16): Data modification through the Platform
- Right to erasure (GDPR Article 17): Account and data deletion within 30 days
- Right to data portability (GDPR Article 20): In structured, machine-readable format
- Right to object (GDPR Article 21): Disabling optional features
Response time: The Data Processor shall respond to the Data Controller's requests within 5 business days.
5.6. Compliance Support (GDPR Article 28(3)(f))
The Data Processor shall assist the Data Controller in fulfilling the following:
- GDPR Article 32 — Data security
- GDPR Article 33 — Notification of data breaches
- GDPR Article 34 — Notification of data subjects in case of breach
- GDPR Article 35 — Data Protection Impact Assessment (DPIA)
- GDPR Article 36 — Prior consultation with the supervisory authority
5.7. Data Deletion or Return (GDPR Article 28(3)(g))
Following termination of the agreement, the Data Processor shall, at the Data Controller's choice:
Option A — Data Deletion (default):
- Permanently delete all personal data within 30 days
- Issue a written certificate of deletion
Option B — Data Return:
- Deliver data in structured format (CSV, JSON) within 30 days
- Delete from own systems after delivery
Exceptions (not subject to deletion):
- Billing data (must be retained for 8 years — Hungarian Accounting Act)
- Audit logs (based on legal obligation)
- Anonymized, statistical data (does not constitute personal data)
5.8. Audit and Inspection (GDPR Article 28(3)(h))
The Data Processor shall make available to the Data Controller:
- This DPA and the data protection chapter of the ToS
- SOC 2 Type II certificates (from sub-processors)
- Data security documentation
The Data Controller or an appointed auditor is entitled to on-site or remote audit:
- Prior arrangement: 30 days before the audit
- Frequency: Maximum once per year (except in case of breach)
- Business hours: Weekdays 9:00–17:00
- Cost: Borne by the party initiating the audit
The Data Processor shall cooperate in the audit and respond to all inquiries.
6. DATA BREACH MANAGEMENT
6.1. Notification Obligation (GDPR Article 33(2))
If the Data Processor becomes aware of a data breach, it shall notify the Data Controller without undue delay and no later than 72 hours via the following channels:
- Email: The Data Controller's registered email address
- Subject line: URGENT - Data Breach Notification
- Backup addresses: mate@interacticmedia.com, hello@margyn.io
6.2. Content of Notification
The notification shall include:
- Description of the data breach (what happened, when, how)
- The scope and quantity of affected data
- The estimated number of affected data subjects
- The likely consequences of the breach
- Remedial measures already taken and planned
- Contact information for customer service for further information
6.3. Data Controller's Responsibility
The Data Controller is responsible for:
- Notifying the NAIH (Hungarian National Authority for Data Protection and Freedom of Information) within 72 hours pursuant to GDPR Article 33, if the breach poses a risk
- Notifying data subjects pursuant to GDPR Article 34, if the breach poses a high risk
- Documenting the breach and the measures taken
6.4. Cooperation
The Data Processor shall fully cooperate with the Data Controller and, where necessary, with the supervisory authority in investigating the breach, including making all necessary information available.
7. DATA TRANSFERS TO THIRD COUNTRIES
7.1. General Rule
Data is primarily stored in the European Union, in Frankfurt, Germany (AWS eu-central-1).
7.2. Exceptions (Optional Features)
Data transfers to third countries (outside the EU) occur only based on the Data Controller's explicit decision, in the following cases:
A) Google Gemini AI (USA) — ToS Section 9.7.2
- Feature: Invoice processing (OCR), AI Creative Studio
- Legal basis: GDPR Article 46 — Standard Contractual Clauses (SCC), EU-US Data Privacy Framework
- Processing: Session-based, not stored long-term
B) Optional Integrations — ToS Section 9.7.3
- Platforms: Meta Ads, Google Ads, TikTok Ads (US-based companies)
- Legal basis: GDPR Article 46 — Standard Contractual Clauses (SCC)
- Responsibility: The Data Controller enables these at their own discretion
7.3. Data Controller's Rights
The Data Controller may disable these optional features at any time, thereby terminating data transfers to third countries.
8. LIABILITY AND COMPENSATION
8.1. Liability (GDPR Article 82)
- The Data Controller is responsible for determining the purposes and means of processing
- The Data Processor is responsible for secure processing in accordance with instructions
- Shared liability: Where both parties are responsible, they shall be jointly liable
8.2. Compensation Limits
The limits of compensation are determined by GDPR Article 82 and ToS Section 10.4.12:
- Indirect damages, lost profits: Maximum the sum of subscription fees for the past 12 months
- Direct damages: Maximum the sum of subscription fees for the past 24 months
- Exception: No limit in case of intentional or grossly negligent conduct
8.3. Towards Third Parties (Data Subjects)
Pursuant to GDPR Article 82(4), data subjects may enforce their compensation claims against both the Data Controller and the Data Processor.
9. TERM AND TERMINATION OF THE DPA
9.1. Entry into Force
This DPA automatically enters into force upon acceptance of the ToS.
9.2. Term
The DPA remains in effect as long as the ToS is in effect, plus 30 days (for data deletion/return).
9.3. Termination
The DPA terminates:
- Upon termination of the ToS agreement
- Upon completion of data deletion or return
- By mutual agreement of the Parties
10. MISCELLANEOUS PROVISIONS
10.1. Amendments
This DPA may only be amended by written agreement, except for:
- Updates to the sub-processor list (with 30 days' notice)
- Amendments required by changes in legislation
10.2. Governing Law and Jurisdiction
- Governing law: Hungarian law, GDPR
- Jurisdiction: Pesti Központi Kerületi Bíróság (Budapest Central District Court, 1051 Budapest, Markó utca 27, Hungary)
10.3. Languages
This DPA was originally prepared in Hungarian. The English version is for informational purposes only; in case of legal dispute, the Hungarian version shall prevail.
10.4. Contact
Data Processor (Margyn) contacts:
- Data protection inquiries: mate@interacticmedia.com
- Breach notification: mate@interacticmedia.com (Subject: URGENT - Data Breach)
- General inquiries: hello@margyn.io
10.5. Severability
If any provision of this DPA is found to be invalid, this shall not affect the validity of the remaining provisions.
11. DECLARATIONS
11.1. Data Controller Declaration
By accepting this DPA, the Data Controller declares and warrants that:
- They have read and accepted the provisions of this DPA
- They instruct the Data Processor to process data in accordance with this DPA
- They are aware of their obligations and responsibilities under the GDPR
- They provide appropriate data protection information to end users
- They acknowledge the engagement of sub-processors
11.2. Data Processor Declaration
By accepting this DPA, the Data Processor declares and warrants that:
- It processes data exclusively in accordance with the Data Controller's instructions
- It implements appropriate technical and organizational measures
- It notifies the Data Controller of any data breach within 72 hours
- It cooperates in audits and investigations
- It deletes or returns data after termination of the agreement