Data Processing Agreement
Last Updated: March 12, 2026
Effective Date: March 12, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller," "Client") and MarketDragon ("Data Processor," "we," "us"), located at 78 Veloso St. Bo Obrero, Davao City 8000, Philippines.
This DPA sets out the terms under which MarketDragon processes personal data on behalf of clients in the course of providing managed marketing services, in compliance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations.
1. Scope and Purpose
1.1 Scope
This DPA applies to all personal data that MarketDragon processes on behalf of the Client in connection with the delivery of managed marketing services, including but not limited to:
- Customer and lead contact information (names, email addresses, phone numbers).
- Social media audience data and engagement metrics.
- Website visitor data and analytics.
- Content containing personal data submitted by the Client.
- Campaign performance data linked to identifiable individuals.
1.2 Purpose of Processing
MarketDragon processes personal data solely for the following purposes:
- Executing marketing campaigns on behalf of the Client.
- Managing social media accounts and publishing content as authorized by the Client.
- Generating AI-powered marketing content using Client-provided data and brand assets.
- Managing leads, customer inquiries, and automated responses.
- Providing analytics, reports, and performance insights.
- Administering the Client's account and subscription.
1.3 Types of Data Subjects
The personal data processed may relate to the following categories of data subjects:
- The Client's customers and prospective customers.
- Social media followers and audience members.
- Website visitors.
- Leads generated through marketing campaigns.
- The Client's employees and team members who access the platform.
2. Data Processor Obligations
2.1 Processing Instructions
- MarketDragon shall process personal data only in accordance with the Client's documented instructions and the terms of the service agreement.
- We will not process personal data for any purpose other than delivering the contracted services unless required by Philippine law.
- If we believe an instruction from the Client violates applicable data privacy laws, we will notify the Client promptly.
2.2 Confidentiality
- All MarketDragon personnel involved in processing personal data are bound by confidentiality obligations.
- Access to personal data is restricted to authorized personnel who require access to perform their duties.
- We maintain strict access controls, including role-based permissions and multi-factor authentication.
2.3 Data Protection Measures
MarketDragon implements appropriate technical and organizational measures to protect personal data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Regular security assessments and vulnerability scanning.
- Intrusion detection and prevention systems.
- Secure development practices and code review processes.
- Regular employee training on data protection and security.
- Business continuity and disaster recovery plans.
2.4 Accountability and Records
- We maintain records of all data processing activities carried out on behalf of the Client.
- Processing records include the categories of data processed, purposes, recipients, and retention periods.
- Records are available for inspection by the Client upon reasonable request.
3. Sub-Processors
3.1 Authorized Sub-Processors
MarketDragon engages the following categories of sub-processors to deliver services:
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| OpenAI | AI content generation | Marketing content, brand context | United States |
| Meta (Facebook/Instagram) | Social media management | Posts, audience data, engagement metrics | United States / Global |
| TikTok | Social media management | Posts, audience data, engagement metrics | Singapore / Global |
| Xendit | Payment processing | Billing information, transaction data | Singapore / Philippines |
| Cloud Hosting Provider | Infrastructure and data storage | All platform data | Singapore / Regional |
| Email Service Provider | Transactional and marketing emails | Email addresses, names | United States |
3.2 Sub-Processor Requirements
- All sub-processors are bound by written agreements imposing data protection obligations no less protective than those in this DPA.
- We conduct due diligence on sub-processors before engagement to ensure they maintain adequate security and privacy practices.
- Sub-processors are required to process personal data only to the extent necessary to perform their specific function.
3.3 Changes to Sub-Processors
- We will notify the Client of any intended changes to sub-processors, including the addition or replacement of sub-processors.
- Notification will be provided at least 14 days before the new sub-processor begins processing personal data.
- The Client may object to a new sub-processor by notifying us within 14 days of receiving notice. If we cannot reasonably accommodate the objection, the Client may terminate the affected services.
3.4 Liability for Sub-Processors
MarketDragon remains liable for the acts and omissions of its sub-processors to the same extent as if we were performing the processing directly.
4. Data Security Measures
4.1 Technical Measures
- Encryption: All personal data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption.
- Access Controls: Role-based access controls ensure that only authorized personnel can access personal data, with the principle of least privilege applied.
- Network Security: Firewalls, intrusion detection systems, and DDoS protection safeguard our infrastructure.
- Monitoring: Continuous logging and monitoring of access to personal data, with automated alerts for suspicious activity.
- Backup and Recovery: Regular encrypted backups with tested recovery procedures to ensure data availability.
4.2 Organizational Measures
- Employee Training: All employees receive regular training on data protection, security practices, and incident response.
- Background Checks: Key personnel with access to personal data undergo background verification.
- Clean Desk Policy: Physical and digital clean desk policies to prevent unauthorized access.
- Vendor Management: Regular assessment of sub-processor security practices and compliance.
5. Data Breach Notification
5.1 Notification to Client
In the event of a personal data breach, MarketDragon will:
- Notify the Client without undue delay and no later than 48 hours after becoming aware of the breach.
- Provide an initial assessment including the nature of the breach, categories and approximate number of data subjects affected, and likely consequences.
- Provide the name and contact details of the MarketDragon representative handling the breach response.
5.2 Breach Details
The breach notification will include, to the extent available:
- Description of the nature of the personal data breach.
- Categories and approximate number of data subjects and personal data records affected.
- Likely consequences of the breach.
- Measures taken or proposed to address the breach, including measures to mitigate possible adverse effects.
- Timeline of the breach discovery and response actions.
5.3 Ongoing Communication
- MarketDragon will provide regular updates to the Client as the investigation progresses.
- We will cooperate fully with the Client in investigating and responding to the breach.
- A final breach report will be provided upon completion of the investigation, including root cause analysis and remediation actions taken.
5.4 Notification to Authorities
- The Client, as Data Controller, is responsible for notifying the National Privacy Commission and affected data subjects as required by the Philippine Data Privacy Act.
- MarketDragon will assist the Client in meeting these notification obligations by providing all necessary information and support.
6. Data Subject Rights
6.1 Assistance with Data Subject Requests
MarketDragon will assist the Client in responding to requests from data subjects exercising their rights under the Philippine Data Privacy Act, including:
- Right to Access: Providing copies of personal data held on behalf of the Client.
- Right to Correction: Updating or correcting personal data upon the Client's instruction.
- Right to Deletion: Deleting personal data as directed by the Client, subject to legal retention requirements.
- Right to Data Portability: Exporting personal data in a structured, machine-readable format.
- Right to Object: Implementing the Client's instructions to cease specific processing activities.
6.2 Response Timeframes
- MarketDragon will respond to Client requests for assistance with data subject rights within 5 business days.
- We will provide the requested information or action within 15 business days unless the request is unusually complex.
6.3 Direct Requests
If a data subject contacts MarketDragon directly with a rights request, we will:
- Promptly redirect the request to the Client.
- Not respond directly to the data subject unless instructed by the Client.
- Cooperate with the Client in fulfilling the request.
7. Cross-Border Transfers
7.1 Transfer Mechanisms
When personal data is transferred outside the Philippines, MarketDragon ensures adequate protection through:
- Written agreements with data recipients requiring compliance with Philippine data protection standards.
- Assessment of the data protection laws in the recipient country.
- Implementation of supplementary technical measures (encryption, pseudonymization) where necessary.
- Ensuring transfers are limited to what is strictly necessary for the contracted services.
7.2 Specific Transfer Safeguards
- AI Processing (OpenAI): Only the minimum necessary data is transmitted for content generation. Prompts are designed to avoid transmitting unnecessary personal data. OpenAI's data processing terms prohibit use of our data for model training.
- Social Media Platforms: Data is transferred only as explicitly authorized by the Client through account connections. Transfers are governed by each platform's data processing terms.
- Payment Processing (Xendit): Only billing-related data is transferred, secured under Xendit's PCI-DSS compliance framework.
8. Duration and Termination
8.1 Duration
This DPA remains in effect for the duration of the service agreement between the Client and MarketDragon, and for as long as MarketDragon retains any personal data processed on behalf of the Client.
8.2 Effect of Termination
Upon termination of the service agreement:
- MarketDragon will cease all processing of personal data on behalf of the Client, except as required by law.
- Within 30 days of termination, we will provide the Client with an export of all personal data in a structured, machine-readable format.
- Within 90 days of termination (or upon earlier Client instruction), we will securely delete all personal data from our active systems and backups.
- We will provide written confirmation of data deletion upon the Client's request.
8.3 Survival
Obligations regarding confidentiality, data breach notification, and cooperation with regulatory authorities survive the termination of this DPA.
9. Audit and Compliance
9.1 Audit Rights
- The Client may request evidence of MarketDragon's compliance with this DPA.
- MarketDragon will provide relevant compliance documentation, certifications, and audit reports upon reasonable request.
- On-site audits may be conducted with at least 30 days' written notice, during business hours, and subject to reasonable confidentiality requirements.
9.2 Regulatory Cooperation
- MarketDragon will cooperate with the National Privacy Commission or other relevant regulatory authorities in connection with investigations or inquiries related to data processed under this DPA.
- We will promptly notify the Client of any regulatory inquiry relating to data processed on the Client's behalf.
10. Contact Us
For questions about this Data Processing Agreement or to exercise any rights described herein:
- Email: [email protected]
- Phone: +639989392801
- Address: 78 Veloso St. Bo Obrero, Davao City 8000, Philippines