1. Definitions
Capitalized terms not defined here have the meaning given in the Terms of Service. The following terms have the following meaning:
- "Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act ("CCPA") as amended, and India's Digital Personal Data Protection Act, 2023 ("DPDPA").
- "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and related terms have the meaning given in Applicable Data Protection Law (or the corresponding terms such as "Data Fiduciary" and "Data Principal" under DPDPA).
- "Customer Personal Data" means Personal Data contained within Customer Data that is Processed by Processor on behalf of Controller under the Agreement.
- "Sub-processor" means any third party engaged by Processor to Process Customer Personal Data.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission under Decision (EU) 2021/914 for transfers of Personal Data to third countries.
2. Roles and scope
With respect to Customer Personal Data, Controller is the controller and Processor is the processor. Processor will Process Customer Personal Data only on documented instructions from Controller as set out in the Agreement and this DPA, except where required to do so by Applicable Data Protection Law. Where required, Processor will promptly inform Controller of such legal requirement before Processing, unless that law prohibits the disclosure on important grounds of public interest.
3. Particulars of Processing
Subject matter: the provision of the Service described in the Agreement.
Duration: for the term of the Agreement, plus any period during which Processor retains Customer Personal Data in accordance with the Agreement and Applicable Data Protection Law.
Nature and purpose: hosting, storage, retrieval, analysis, and display of marketing-performance and related data; generation of insights via AI models on Controller's behalf; operation, maintenance, and security of the Service.
Categories of Data Subjects: Controller's authorized users; end users whose interactions with Controller's marketing campaigns or properties are reflected in the data retrieved from connected platforms (typically as aggregated metrics).
Categories of Personal Data: account information (name, email, organization role); usage and log data; aggregated marketing-performance data that may incidentally include identifiers (e.g., audience segment names). Controller is responsible for the categories of Personal Data submitted to or retrieved through the Service.
Sensitive Personal Data: the Service is not intended for the Processing of special categories of data under GDPR Article 9, sensitive personal data under DPDPA, or similar. Controller must not submit such data to the Service without prior written agreement.
4. Security measures
Processor will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures include those described in Annex II (Technical and Organizational Measures) and the controls summarized in our Security Overview. Processor may update the measures from time to time, provided the level of protection is not materially decreased.
5. Confidentiality of personnel
Processor will ensure that personnel authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations and have received appropriate training.
6. Sub-processors
Controller provides general written authorization for Processor to engage Sub-processors to Process Customer Personal Data, subject to the conditions in this section.
A current list of Sub-processors is maintained in Section 5.1 of our Privacy Policy. Controller may subscribe to notifications of changes by emailing support@metty.ai.
Processor will give Controller at least 30 days' prior notice of any intended addition or replacement of a Sub-processor that Processes Customer Personal Data. Controller may object to such change on reasonable data-protection grounds within 15 days of notification. If the parties cannot resolve the objection in good faith, Controller may terminate the affected portion of the Service without penalty.
Processor will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA and remains liable for the acts and omissions of its Sub-processors.
7. Data Subject rights
Taking into account the nature of the Processing, Processor will provide reasonable assistance to Controller, by appropriate technical and organizational measures, in fulfilling Controller's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law.
If Processor receives a request directly from a Data Subject in respect of Customer Personal Data, it will promptly forward the request to Controller and will not respond except as instructed by Controller or as required by law.
8. Assistance with obligations
Taking into account the nature of Processing and the information available to Processor, Processor will provide reasonable assistance to Controller in:
- Ensuring compliance with security obligations under Applicable Data Protection Law;
- Notifying Personal Data breaches to supervisory authorities and Data Subjects where required;
- Conducting data protection impact assessments and prior consultations with supervisory authorities, where required.
9. Personal Data breach notification
Processor will notify Controller without undue delay, and in any case within 72 hours, after becoming aware of a Personal Data breach affecting Customer Personal Data. The notification will include, to the extent known: the nature of the breach, approximate categories and number of affected Data Subjects and records, likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.
10. Audits
Processor will make available to Controller information necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller, subject to the following:
- Such audits will occur no more than once per 12-month period unless required by Applicable Data Protection Law or following a confirmed Personal Data breach;
- Controller will give at least 30 days' prior written notice;
- Audits will be conducted during business hours, in a manner that does not unreasonably interfere with Processor's operations, and subject to confidentiality obligations no less protective than those in the Agreement;
- Where Processor has obtained recognized third-party audit reports (e.g., SOC 2, ISO 27001), Controller will accept those reports in lieu of an on-site audit unless those reports are not reasonably sufficient.
11. International transfers
Where Processor transfers Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country not recognized as providing an adequate level of protection, the parties agree that:
- The Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated by reference and apply to such transfers;
- For transfers from the United Kingdom, the UK International Data Transfer Addendum is incorporated by reference;
- For transfers from Switzerland, the SCCs apply with the adaptations specified by the Swiss Federal Data Protection and Information Commissioner.
Where Processor transfers Personal Data subject to DPDPA outside India, such transfer will be made in compliance with the requirements of DPDPA and any rules issued thereunder.
12. Deletion and return
On termination or expiry of the Agreement, Processor will, at Controller's choice, delete or return all Customer Personal Data and delete existing copies, except to the extent Applicable Data Protection Law requires retention. The default is deletion within 30 days of termination unless Controller requests return.
13. Liability
The liability of each party (and its affiliates) under or in connection with this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Terms of Service.
14. Conflict
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the Processing of Customer Personal Data. The SCCs prevail over this DPA in respect of restricted transfers governed by them.
Annex I — Description of Transfer
Data exporter: Controller, as identified in the Agreement.
Data importer: Synstek Internet Private Limited, with registered office at Patna, Bihar, India.
Categories of Data Subjects, Personal Data, frequency, nature, purpose, retention, and Sub-processors: as set out in this DPA and the Sub-processors page.
Competent supervisory authority: for SCC purposes, the supervisory authority of the EEA Member State of the data exporter or, if the exporter is not established in the EEA, the Irish Data Protection Commission.
Annex II — Technical and Organizational Measures
- Encryption: TLS 1.2+ in transit; AES-256-GCM for OAuth tokens at rest; storage-layer encryption for databases.
- Access control: least-privilege production access, MFA required, named-user accounts, periodic access reviews.
- Tenant isolation: all data scoped by tenant identifier; application-layer enforcement plus row-level security.
- Secure development: code review on all changes, dependency scanning, secret scanning in CI/CD.
- Logging and monitoring: centralized security-event logging with at least 90-day retention; on-call response.
- Backups and resilience: continuous backups with point-in-time recovery; restore tests.
- Personnel: background checks where lawful; confidentiality agreements; security training.
- Incident response: documented plan with defined roles, escalation, communication, and post-incident review.
Execution
This DPA is incorporated into the Terms of Service by reference and is effective on the same date as the Terms. Where a customer requires a counter-signed copy, Controller may request one at support@metty.ai.