Data Processing Agreement
Last updated: April 6, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the Customer (“Controller”) and Go Marketi LLC (“Processor”), governing the processing of personal data in connection with the NewsPulse platform. This DPA is entered into pursuant to Article 28 of the EU General Data Protection Regulation (GDPR).
1. Definitions
- “Controller” means the Customer (the newsroom organisation) that determines the purposes and means of the processing of personal data using the NewsPulse platform.
- “Processor” means Go Marketi LLC, which processes personal data on behalf of the Controller through the NewsPulse platform.
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- “Sub-processor” means any third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.
- “Data Subject” means the individual to whom the personal data relates.
- “Processing” means any operation performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, erasure, or destruction.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
2. Scope and Purpose of Processing
The Processor shall process personal data solely for the purpose of providing the NewsPulse platform services as described in the Terms of Service. The scope of processing includes:
- Categories of Data Subjects: Journalists, editors, editorial staff, newsroom administrators, and other authorised users of the Controller’s organisation.
- Types of Personal Data: Names, email addresses, job titles/roles, login credentials (hashed), editorial activity logs, and IP addresses.
- Nature of Processing: Collection, storage, organisation, retrieval, use, and erasure of personal data necessary to operate the newsroom platform, including authentication, role-based access control, editorial workflow management, and audit trail maintenance.
- Duration: Processing continues for the term of the service agreement. Upon termination, see Section 9 (Return and Deletion).
3. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.
- Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as specified in Section 6.
- Not engage another processor (sub-processor) without prior specific or general written authorisation of the Controller, as detailed in Section 4.
- Assist the Controller in responding to requests for exercising Data Subject rights under Chapter III of the GDPR.
- Assist the Controller in ensuring compliance with obligations under Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor.
- At the choice of the Controller, delete or return all personal data after the end of the provision of services, as detailed in Section 9.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
4. Sub-processors
The Controller provides general authorisation for the Processor to engage the sub-processors listed below. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 14 days.
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, real-time subscriptions | United States (AWS) | User accounts, editorial content, organisation data, authentication tokens |
| Stripe Inc. | Payment processing, subscription management | United States | Billing contact details, payment method tokens (card numbers are processed exclusively by Stripe and never stored by the Processor) |
| Anthropic PBC (Claude AI) | AI-assisted article drafting (Scribe module) | United States | Story context, editorial notes, and generated article drafts. No personally identifiable information is included in prompts. Content is processed via API and is not used for model training under Anthropic’s commercial terms. |
| Vercel Inc. | Application hosting, edge functions, analytics | United States (Global CDN) | IP addresses, page-view analytics (anonymised), server logs |
| Resend Inc. | Transactional email delivery | United States | Recipient email addresses, email subject lines, email body content |
The Processor shall impose data protection obligations no less onerous than those set out in this DPA on each sub-processor by way of a contract or other legal act under applicable law.
5. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), the Processor shall ensure that appropriate safeguards are in place as required by Chapter V of the GDPR. These safeguards may include the European Commission’s Standard Contractual Clauses (SCCs), adequacy decisions, or other approved transfer mechanisms. The Controller acknowledges that the sub-processors listed in Section 4 may process data in the United States, and the Processor relies on SCCs and the sub-processors’ own data protection commitments to ensure adequate protection.
6. Data Security
The Processor implements and maintains the following technical and organisational security measures:
- Encryption at rest: AES-256 encryption for all stored data, including database contents and file storage.
- Encryption in transit: TLS 1.2+ for all data transmitted between clients, servers, and sub-processors.
- Access control: Row-Level Security (RLS) enforced at the database level for multi-tenant data isolation. Role-based access control with 9 distinct editorial roles.
- Authentication security: Password hashing with bcrypt, magic-link authentication option, session token rotation.
- Source protection: Journalist source data is encrypted with dedicated encryption keys and is access-controlled per individual journalist.
- Audit trail: Immutable, append-only audit log recording all editorial actions, approvals, and data modifications.
- Error monitoring: Sentry error tracking with anonymised error reports containing no personal data.
- Infrastructure security: All environment variables and API keys stored securely, never committed to source code repositories.
7. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under Articles 15–22 of the GDPR, including requests for access, rectification, erasure, restriction of processing, data portability, and objection. The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject and shall not respond to such request except on the Controller’s documented instructions or as required by applicable law.
8. Data Breach Notification
In the event of a Data Breach affecting personal data processed on behalf of the Controller, the Processor shall:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.
- Provide the Controller with sufficient information to enable the Controller to meet its obligations to report the breach to the relevant supervisory authority and to notify affected Data Subjects, including:
  - The nature of the breach, including the categories and approximate number of Data Subjects and personal data records concerned.
  - The likely consequences of the breach.
  - The measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects.
- Cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Data Breach.
9. Return and Deletion of Data
Upon termination or expiry of the service agreement, the Processor shall, at the Controller’s choice:
- Return all personal data to the Controller in a structured, commonly used, machine-readable format (JSON or CSV export) within 30 days of the Controller’s request.
- Delete all personal data and existing copies, unless applicable law requires storage of the personal data.
- Provide written certification of deletion upon the Controller’s request.
The Controller may request data export at any time during the term of the agreement via the platform’s Settings panel or by contacting moatasem@marketshareagency.com.
10. Audit Rights
The Controller, or a third-party auditor appointed by the Controller, shall have the right to conduct audits and inspections to verify the Processor’s compliance with this DPA. Such audits shall be subject to the following conditions:
- The Controller shall provide the Processor with reasonable prior notice of at least 30 days, unless an urgent audit is required due to a Data Breach or regulatory investigation.
- Audits shall be conducted during normal business hours and in a manner that minimises disruption to the Processor’s operations.
- The Processor shall make available all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 GDPR.
- The Controller shall bear the costs of any audits initiated by the Controller, except where the audit reveals material non-compliance by the Processor.
- The Processor may satisfy audit requests by providing certifications, reports from independent third-party auditors, or other documentation that reasonably demonstrates compliance.
11. Liability and Indemnification
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party’s liability for breaches of its obligations under the GDPR to the extent such liability cannot be excluded or limited by law.
12. Term and Termination
This DPA shall remain in effect for the duration of the service agreement between the Controller and the Processor. The obligations of the Processor regarding confidentiality and data security shall survive termination of this DPA and continue as long as the Processor retains any personal data processed on behalf of the Controller.
13. Contact
For questions regarding this DPA or to exercise any rights hereunder, contact:
Go Marketi LLC
Ontario, Canada
moatasem@marketshareagency.com