marca.dev/legal
Data Processing Addendum
- Version: 1.0
- Effective: May 26, 2026
1. Scope and Purpose
This Data Processing Addendum ("DPA") supplements the Terms of Service and Privacy Policy for Marca and governs the processing of personal data that Subscribers ("Data Controllers" or "you") input into or collect through the Platform — particularly data captured by the Marca Script from Reviewers and data about Operators invited to a Workspace (collectively, "Subscriber Processed Data").
For the purposes of this DPA, CAIO LLC ("Data Processor" or "we") processes Subscriber Processed Data on behalf of and under the instructions of the Subscriber. This DPA applies whenever CAIO processes Subscriber Processed Data, and applies in addition to (and not in derogation of) any specific data-protection obligations imposed on the parties by applicable law (including the California Consumer Privacy Act as amended by the CPRA, the GDPR, UK GDPR, Swiss FADP, and other applicable U.S. state privacy laws). Where applicable law imposes stricter requirements than this DPA, those requirements apply.
2. Definitions
- "Reviewer Data" means personal information of individuals who interact with the Marca Script on a Subscriber's website, including attribution data (name, email, SSO identity), Pin content, screenshots, DOM snapshots, console output, browser metadata, and IP addresses.
- "Operator Data" means personal information (names, email addresses, role, audit log entries) of individuals invited to a Subscriber's Workspace.
- "Subscriber Processed Data" means, collectively, Reviewer Data and Operator Data.
- "Personal Data" means any information that identifies or could reasonably be used to identify a natural person, as defined under applicable data protection laws.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, transmission, and deletion.
- "Sub-processor" means a third party engaged by the Data Processor to process Subscriber Processed Data on behalf of the Data Controller.
- "Data Breach" means any unauthorized access, acquisition, use, or disclosure of unencrypted Personal Data that compromises the security, confidentiality, or integrity of the data.
3. Data Controller and Data Processor Roles
3.1 Controller
The Subscriber is the Data Controller for Subscriber Processed Data. The Subscriber determines the purposes and means of processing, including:
- What pages it installs the Marca Script on and what consent or notice it provides to Reviewers
- Which Operators it invites and what roles it assigns them
Subscriber authority warranty. The Subscriber represents, warrants, and covenants on a continuing basis that: (a) it has identified and documented a valid lawful basis under applicable data protection law (including, where applicable, GDPR Article 6) for each category of processing it instructs CAIO to perform; (b) it has provided all notices and obtained all consents required under applicable law from Reviewers, Operators, and any other data subjects whose Personal Data is processed through the Platform; (c) it has the authority to grant CAIO the rights and access necessary to provide the Service; and (d) its instructions to CAIO comply with applicable data protection law. The Subscriber indemnifies CAIO under Section 11.1 of the Terms of Service against losses arising from breach of this warranty.
3.2 Processor
CAIO is the Data Processor for Subscriber Processed Data. We process this data solely on behalf of the Subscriber and in accordance with the Subscriber's documented instructions (as expressed through Platform configuration, Workspace settings, and this DPA). We do not independently determine the purposes of processing Subscriber Processed Data.
3.3 CAIO as Controller
CAIO acts as an independent Data Controller for Subscriber account information, billing data, and Platform usage analytics, as described in our Privacy Policy. This DPA does not govern data for which CAIO is the Controller.
Platform usage analytics (for which CAIO is Controller) is limited to: aggregated feature usage metrics, performance and error telemetry, and de-identified navigation patterns on the marca.dev dashboard. Platform usage analytics does not include Reviewer Data content, Workspace business data, or information that could identify individual Reviewers or end users. Any data derived from Subscriber Processed Data — even if aggregated — is processed under CAIO's processor obligations, not its controller status.
4. Categories of Data Processed
| Category | Data Elements | Data Subjects |
|---|---|---|
| Reviewer attribution | Name, email, SSO identity (or anonymous) | Reviewers |
| Pin content | Note text, comments, status, threading | Reviewers, Operators |
| Visual capture | Screenshots of viewport at time of Pin | Reviewers (subject of capture) |
| Page state capture | DOM snapshot, console output, network errors | Any individual whose data is rendered on the captured page (Reviewers or third parties) |
| Browser metadata | User agent, viewport, OS, language, IP | Reviewers |
| Operator records | Name, email, role, MFA status, audit log | Subscriber team members |
IMPORTANT: The Platform is not designed to process payment card numbers, Social Security numbers, government identification numbers, full bank account numbers, protected health information, biometric identifiers, or other sensitive personal data categories for Reviewers. Subscribers are responsible for ensuring that pages on which the Marca Script is installed do not display such data. See Terms of Service, Section 7.
Pin and Brief content is treated as Subscriber Confidential Information under the Terms of Service (Section 16) and is not included in any aggregated analytics or benchmarking.
5. Processing Instructions
We will process Subscriber Processed Data only in accordance with the Subscriber's documented instructions, which include:
- Providing and maintaining the Platform features used by the Subscriber, including the Marca Script, Brief generation, and integrations.
- Storing data within the Subscriber's isolated Workspace.
- Transmitting data as necessary to deliver the Service, including:
  - Routing Pin captures from the Marca Script to the Subscriber's Workspace
  - Routing Brief exports to Subscriber-configured integrations
- Backing up and securing data as part of our standard infrastructure operations.
- Deleting data upon Subscriber's request or upon account termination per the Terms of Service.
Additional instructions: Subscribers may issue reasonable written processing instructions beyond those enumerated above by submitting them to [email protected]. We will comply with such instructions to the extent technically feasible and consistent with the Agreement, or notify the Subscriber within 10 business days if we are unable to comply, together with the reasons for non-compliance.
If we receive a legal request (e.g., subpoena, court order) that requires disclosure of Subscriber Processed Data, we will notify the Subscriber before complying, to the extent permitted by law, so the Subscriber can seek appropriate legal remedies.
6. Security Measures
We implement and maintain appropriate technical and organizational measures to protect Subscriber Processed Data, including:
- Encryption: TLS/HTTPS for data in transit and encryption at rest for stored data, including screenshots and DOM snapshots.
- Access controls: Role-based access on a need-to-know basis. Multi-factor authentication is required for administrative access to production systems.
- Workspace isolation: Logical separation of Workspaces at the application and database layers. Marca Script captures from a Subscriber's domain flow only into that Subscriber's Workspace.
- Infrastructure: Application and database hosting on Railway, which maintains industry-standard security practices for managed services.
- Personnel: All CAIO personnel and contractors with access to Subscriber Processed Data are bound by confidentiality obligations.
- Logging: Access to production systems is logged for security and audit purposes.
- Incident response: Documented procedures for detecting, responding to, and recovering from security incidents.
- Secrets management: Integration OAuth tokens and other credentials are stored encrypted.
7. Sub-processors
7.1 Current Sub-processors
We use sub-processors to provide hosting, infrastructure, payment processing, transactional email, error monitoring, object storage, AI inference for optional features, and related services. The authoritative list is maintained at marca.dev/sub-processors and as of the Effective Date includes:
| Sub-processor | Purpose | Location |
|---|---|---|
| Railway Corp. | Application hosting, serverless functions, managed Postgres | United States |
| Cloudflare, Inc. | CDN delivery of the Marca Script and static assets; DNS | United States (global edge) |
| Cloudflare R2 | Object storage for screenshots and capture media | United States |
| Stripe, Inc. | SaaS billing (Subscriber payments only) | United States |
| Resend, Inc. | Transactional email (account, billing, invitation, magic link) | United States |
| Sentry (Functional Software, Inc.) | Error monitoring and performance telemetry (Subscriber Processed Data is scrubbed before transmission) | United States |
| Anthropic, PBC | AI inference for the optional "Check with AI" QA feature, only when an Operator runs a check (task instruction, element DOM text, and screenshot). Used via the API with no training on inputs | United States |
7.2 Sub-processor Changes
We will notify Subscribers at least 45 days before engaging a new sub-processor that will process Subscriber Processed Data, via email and the sub-processors page. If a Subscriber reasonably objects, we will consult in good faith and consider commercially reasonable alternatives. If no alternative is available and the Subscriber maintains its objection, the Subscriber may terminate before the sub-processor is engaged and receive a pro-rata refund for any prepaid, unused period.
We remain responsible for our sub-processors' processing of Subscriber Processed Data as required by applicable law.
8. Data Subject Rights
If we receive a request from a data subject (a Reviewer or Operator) seeking to exercise their privacy rights, we will promptly notify the relevant Subscriber and not respond directly unless authorized by the Subscriber or required by law. We will provide reasonable technical assistance to help the Subscriber respond, including exporting the data subject's data, deleting specific Pins/comments/Reviewer records on instruction, and revoking Operator access on instruction. The Subscriber is responsible for responding to data subject requests within the timeframes required by applicable law.
9. Data Breach Notification
In the event of a Data Breach affecting Subscriber Processed Data, we will notify affected Subscribers without undue delay, and where legally required, within 72 hours of becoming aware of the breach. CAIO is "aware" of a breach when its security incident response team has confirmed, based on reasonably available evidence, that an event meets the definition of a Data Breach in Section 2.
We will provide information reasonably available to us about the nature of the breach, categories of data affected, and remediation steps, and cooperate with the Subscriber's reasonable investigation and any required notifications to data subjects or regulatory authorities. Additional breach-response commitments (root cause analysis timelines, forensic preservation periods, deletion certification) are addressed only in Enterprise order forms or MSAs.
10. Data Deletion and Return
Upon termination of a Subscriber's account, Subscriber Processed Data remains available for export for 90 days, after which it is permanently deleted from our active systems, with backup copies purged within an additional 30 days. Integration OAuth tokens are revoked at account deactivation.
Subscribers may request earlier deletion of Subscriber Processed Data at any time by contacting [email protected]. Deletion certification, where required, is addressed in Enterprise order forms or MSAs.
Aggregated, de-identified data derived from Subscriber Processed Data that does not identify any individual is not subject to deletion.
11. CCPA/CPRA Service Provider Certification
To the extent the California Consumer Privacy Act (CCPA) or California Privacy Rights Act (CPRA) applies to our processing of Subscriber Processed Data:
- We are a "Service Provider" as defined under CCPA/CPRA.
- We will not sell or share Subscriber Processed Data.
- We will not retain, use, or disclose Subscriber Processed Data for any purpose other than providing the Service as specified in the Agreement.
- We will not combine Subscriber Processed Data with personal information received from other sources except as permitted under CCPA/CPRA for service provider activities.
- We certify that we understand and will comply with these restrictions.
This certification extends to all sub-processors in the processing chain. We require equivalent service provider certifications from all sub-processors that process Subscriber Processed Data.
12. Audits and Compliance
Upon reasonable written request (no more than once per year unless a Data Breach has occurred), we will provide available security and compliance information sufficient to help the Subscriber verify our compliance with this DPA, including responses to written security questionnaires within a reasonable timeframe. Any broader audit rights, including third-party audits, must be agreed in a separate executed order form or MSA. We intend to obtain a SOC 2 Type II attestation report as our security program matures; upon completion, the report will be shared with Subscribers under NDA.
13. International Data Transfers
Subscriber Processed Data is stored and processed primarily in the United States. The current sub-processor list and regions are published at marca.dev/sub-processors.
Where applicable data protection law (including the GDPR, UK GDPR, or Swiss FADP) requires an international transfer mechanism, the parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum, and the Swiss FDPIC addendum (as applicable) apply between the parties by reference and are deemed executed for the purposes of any such transfer. CAIO will provide a signed counterpart of the applicable clauses on request to [email protected]. The parties will cooperate in good faith to complete any additional transfer documentation required by applicable law.
14. Term and Survival
This DPA is effective as of the date the Subscriber accepts the Terms of Service and remains in effect for the duration of the Subscriber's account. Sections relating to data security, confidentiality, data deletion, and breach notification survive termination for as long as we retain any Subscriber Processed Data.
15. Conflict
In the event of a conflict between this DPA and the Terms of Service or Privacy Policy, this DPA controls with respect to the processing of Subscriber Processed Data. For all other matters, the Terms of Service govern.
16. Contact
For DPA-related inquiries:
CAIO LLC — Data Protection
Email: [email protected]
Website: https://marca.dev