In this Data Processing Agreement ("DPA"), the following terms have the meanings set out below:
The roles of the parties depend on the nature of the processing activity:
| Scenario | Endromeda's Role | Customer's Role |
|---|---|---|
| Endromeda collects data from website visitors and product purchasers for its own business purposes (marketing, billing, support) | Controller Controller | Data Subject / N/A |
| Business customer uses Endromeda app and the platform processes data about that customer's own audience, leads, or users | Processor Processor | Controller |
| Done-For-You Brand — Endromeda processes client business data (audience research, brand assets, content strategy) | Processor Processor | Controller |
| Endromeda uses Sub-processors (Supabase, Stripe, Anthropic, Vercel) to deliver the Services | Controller / Sub-controller | See Section 7 (Sub-processors) |
Where Endromeda acts as a Processor, it shall process Personal Data only on documented instructions from the Controller (i.e., in the course of delivering the Services), unless required to do so by applicable law.
Subject matter: The processing of Personal Data in connection with the provision of the Services described in the Terms of Service.
Duration of processing: For the term of the customer's subscription or engagement, and as required for legal, tax, and compliance obligations thereafter (see Section 9).
Nature of processing: Storage, retrieval, analysis, display, and transmission of Personal Data within the Endromeda platform and to Sub-processors as necessary to deliver the Services.
Purposes of processing:
Types of Personal Data processed:
Categories of Data Subjects:
Where Endromeda acts as a Processor on behalf of a Controller, Endromeda shall:
4.1 Process only on instructions
Process Personal Data only in accordance with the Controller's documented instructions (including as set out in the Terms of Service and this DPA), unless processing is required by applicable law, in which case Endromeda will inform the Controller of that legal requirement before processing (unless prohibited by law on important grounds of public interest).
4.2 Confidentiality
Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to those team members who need it to provide the Services.
4.3 Security
Implement appropriate technical and organisational security measures to protect Personal Data, as described in Section 8 of this DPA and Section 08 of the Privacy Policy (Security Statement).
4.4 Sub-processors
Not engage any new Sub-processor without informing the Controller in advance and giving the Controller the opportunity to object. Current approved Sub-processors are listed in Section 7. We maintain an up-to-date sub-processor list and will notify Controllers of changes with at least 14 days' advance notice.
4.5 Data Subject Rights
Assist the Controller in fulfilling its obligations to respond to Data Subject rights requests (access, correction, deletion, portability, restriction, objection). We will promptly notify the Controller of any Data Subject request received and provide reasonable assistance to enable the Controller to respond within applicable legal deadlines.
4.6 Data Protection Impact Assessments
Provide reasonable assistance to the Controller in carrying out data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, where required under Article 35 and 36 of the GDPR.
4.7 Breach Notification
Notify the Controller of any Personal Data breach affecting the Controller's data without undue delay and, where feasible, within 48 hours of becoming aware of the breach, providing sufficient information to allow the Controller to meet its own notification obligations. See Section 9 of this DPA for full breach notification terms.
4.8 Deletion or Return on Termination
At the Controller's choice, delete or return all Personal Data at the end of the service relationship, and delete existing copies, unless applicable law requires retention.
4.9 Audit Rights
Make available all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits and inspections by the Controller or a third-party auditor mandated by the Controller, subject to reasonable prior notice and appropriate confidentiality obligations.
Where a business customer acts as a Controller in connection with the Services, that Controller agrees to:
Endromeda operates globally and may process Personal Data in countries outside the European Economic Area (EEA) or United Kingdom, including the United States. Where such transfers occur, Endromeda relies on appropriate safeguards to ensure an adequate level of protection:
Transfer mechanisms used:
The SCCs are incorporated into and form part of this DPA. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.
Endromeda currently uses the following Sub-processors in connection with the Services. We update this list when Sub-processors are added or removed. Controllers will be notified at least 14 days before a new Sub-processor is engaged.
| Sub-processor | Purpose | Country | Transfer Mechanism |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, serverless edge functions, file storage | United States | SCCs / SOC 2 Type II |
| Stripe, Inc. | Payment processing, subscription management, invoicing | United States | EU-US DPF / SCCs |
| Anthropic, PBC | AI language model API (script generation, content tools, MedaFlow features) | United States | SCCs |
| Vercel, Inc. | Web hosting, CDN, frontend deployment | United States | SCCs |
| Email service provider (to be updated) |
Transactional and marketing email delivery | United States | SCCs / DPF |
Controllers who wish to object to the use of a new Sub-processor must notify Endromeda in writing within 14 days of receiving notice. Objection must be based on reasonable grounds relating to data protection. If Endromeda is unable to accommodate the objection, the Controller may terminate the relevant Services on written notice without penalty, receiving a pro-rata refund for any prepaid unused period.
Endromeda implements and maintains the following technical and organisational security measures (as required by Article 32 GDPR) to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access:
Technical Measures
Organisational Measures
These measures are subject to periodic review and updated as appropriate given the evolving threat landscape and changes to the state of the art in information security.
A "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
Endromeda's obligations on becoming aware of a breach:
Controller's notification obligations: The Controller is responsible for determining whether a breach must be notified to the relevant supervisory authority (within 72 hours under GDPR Article 33) and/or to affected Data Subjects (where likely to result in high risk to their rights under GDPR Article 34). Endromeda will provide reasonable assistance to Controllers in meeting these obligations.
Taking into account the nature of the processing, Endromeda shall assist the Controller — by appropriate technical and organisational measures, insofar as possible — in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising their rights under applicable Data Protection Laws:
| Right | GDPR Article | Endromeda's Assistance |
|---|---|---|
| Right of Access | Art. 15 | Provide extract of Personal Data held for the Data Subject upon written request within 5 business days. |
| Right to Rectification | Art. 16 | Update inaccurate or incomplete Personal Data upon Controller instruction. |
| Right to Erasure | Art. 17 | Securely delete Personal Data upon Controller instruction, subject to legal retention requirements. Confirm deletion in writing. |
| Right to Data Portability | Art. 20 | Provide Personal Data in a structured, commonly used, machine-readable format (JSON or CSV) upon request. |
| Right to Restriction | Art. 18 | Restrict processing to storage only upon Controller instruction while a dispute is resolved. |
| Right to Object | Art. 21 | Cease processing upon Controller instruction where processing was based on legitimate interests. |
Endromeda will promptly notify the Controller of any Data Subject rights request received directly, and will not respond to such requests independently without the Controller's authorisation, unless required by applicable law.
During the service relationship: Endromeda retains Personal Data for as long as necessary to provide the Services and fulfil the purposes described in this DPA and the Privacy Policy.
On termination or expiry: Within 30 days of the end of the service relationship (or upon written request from the Controller), Endromeda will, at the Controller's choice:
Legal retention exceptions: Notwithstanding the above, Endromeda may retain Personal Data to the extent and for the duration required by applicable law (e.g., financial records retained for 7 years for tax purposes), in which case Endromeda will: (i) inform the Controller of the legal obligation; (ii) process the retained data only as required by law; and (iii) delete it promptly once the legal retention period expires.
Backups: Encrypted backup copies of deleted data may persist in automated backup systems for up to 90 days before being overwritten. During this period, backups are not actively accessible and are protected by the same security measures as live data.
Each party is responsible for its own compliance with applicable Data Protection Laws.
As between the parties, and to the maximum extent permitted by law:
Nothing in this DPA limits or excludes either party's liability in respect of death or personal injury caused by negligence, fraud, or any liability that cannot be excluded or limited under applicable law.
Duration: This DPA is effective from the date a customer first accepts the Terms of Service and shall remain in force for the duration of the service relationship, and thereafter for so long as Endromeda processes Personal Data on behalf of the Controller.
Termination: This DPA terminates automatically when the underlying service relationship ends and all Personal Data has been deleted or returned in accordance with Section 11.
Governing law: This DPA is governed by the same law as the Terms of Service. Where the SCCs or UK IDTA apply, those instruments are governed by the law specified within them.
Precedence: In the event of any conflict between this DPA and the Terms of Service, this DPA shall take precedence with respect to data protection matters. In the event of any conflict between this DPA and the Standard Contractual Clauses, the SCCs shall prevail.
Amendments: We may update this DPA from time to time to reflect changes in applicable law, our processing activities, or our Sub-processor list. Material changes will be notified in advance per the process described in Section 7 (Sub-processors) and in our Terms of Service.
For all enquiries relating to this DPA, data protection matters, Sub-processor objections, Data Subject rights assistance, or breach notifications, please contact us:
Include "DPA Enquiry" or "Data Breach Notification" in the subject line. We aim to respond to all data protection enquiries within 5 business days and to breach notifications within 48 hours.
If you are a business customer and require a countersigned copy of this DPA for your own compliance records, please request one at the address above and we will arrange execution.