Mageplaza Data Processing Addendum - DPA

1. Introduction

Mageplaza, as a leading provider of eCommerce solutions, is committed to ensuring the highest levels of privacy and security for personal data. In compliance with global data protection regulations, such as the General Data Protection Regulation (GDPR) of the European Union (EU) and other relevant privacy laws, this Data Processing Agreement (DPA) establishes the terms under which Mageplaza processes personal data on behalf of its customers.

As a Data Processor, Mageplaza processes personal data solely on the instructions of the customer, who is the Data Controller. This agreement outlines the respective roles, responsibilities, and obligations of both parties in regard to the processing of personal data when customers use Mageplaza’s services, applications, and integrated tools on their eCommerce platforms.

The DPA is a legally binding agreement that is designed to:

  • Define the scope, nature, and purpose of the data processing activities.
  • Ensure both parties’ compliance with data protection laws.
  • Provide the customer with a clear understanding of how Mageplaza processes personal data and the safeguards in place to protect it.

By agreeing to use Mageplaza’s services, customers acknowledge their responsibility as Data Controllers and agree to the terms of this DPA. This agreement complements the general terms of service between Mageplaza and the customer, adding a layer of data protection compliance as required by law.

Mageplaza is committed to helping its customers remain compliant with data protection regulations by offering robust privacy practices, transparent data management, and secure systems that safeguard personal data throughout its lifecycle.

2. Purpose of the DPA

The primary purpose of this Data Processing Agreement is to formalize the relationship between Mageplaza (the Data Processor) and the customer (the Data Controller) regarding the processing of personal data in the context of using Mageplaza’s services. The DPA establishes the obligations of each party, ensuring compliance with applicable data protection laws such as GDPR and others where relevant, including:

  • GDPR (General Data Protection Regulation): Applicable to companies operating within the European Union or dealing with data subjects located in the EU. GDPR imposes stringent requirements on the processing, storage, and handling of personal data.
  • CCPA (California Consumer Privacy Act): Relevant for businesses that handle personal data of California residents, focusing on consumer privacy rights and data transparency.
  • LGPD (Lei Geral de Proteção de Dados): Brazil’s data protection law that governs the collection and processing of personal data within the country.
  • Other regional or national privacy laws: Depending on the jurisdictions in which Mageplaza or the customer operates, compliance with other regional privacy laws might also apply.

This agreement clarifies the terms under which Mageplaza processes personal data for the customer, including how the data will be handled, the obligations of Mageplaza to secure the data, and the customer’s rights to manage their personal data.

Key goals of the DPA include:

  • Ensuring lawful processing: Mageplaza commits to processing personal data only for legitimate purposes, as outlined by the customer and in compliance with applicable data protection laws.
  • Defining data subject rights: The DPA outlines the customer’s role in facilitating and responding to data subject requests, such as requests for data access, deletion, and modification.
  • Safeguarding personal data: Mageplaza is dedicated to implementing appropriate technical and organizational measures to protect personal data from unauthorized access, alteration, loss, or destruction.
  • Transparency and Accountability: Both parties agree to maintain transparency in their data processing activities and cooperate in the event of an audit or investigation to ensure compliance with the laws.

Moreover, this agreement ensures that Mageplaza only processes personal data according to the instructions provided by the customer. It also mandates the implementation of appropriate safeguards, providing customers with confidence that their data is being handled in line with industry standards.

3. Scope and Nature of Data Processing

The scope and nature of data processing between Mageplaza and the customer will depend on the specific services and applications that Mageplaza is providing, but the general parameters are outlined below.

3.1 Types of Personal Data Processed

Mageplaza processes a variety of personal data types, depending on the nature of the services provided to the customer. The types of personal data processed may include:

  • Personal Identification Information (PII): This includes basic personal information such as names, email addresses, phone numbers, billing and shipping addresses, and customer preferences. It may also include identification numbers such as IP addresses, account identifiers, and cookies associated with user behavior.
  • Transactional Data: Data associated with the customer’s eCommerce transactions. This includes purchase history, order details, payment information (which is encrypted and handled by third-party payment processors), invoicing information, and customer billing/shipping addresses.
  • Customer Engagement Data: Information collected through the customer’s interactions with Mageplaza-powered features, including customer support interactions, feedback submissions, and email marketing engagement metrics (e.g., email opens, clicks, etc.).
  • Content Data: This includes any user-generated content such as product reviews, images, videos, or product descriptions that customers may upload through Mageplaza apps, especially those related to social media integrations (e.g., Instagram Feed, TikTok Feed) or product display features.
  • Analytics and Usage Data: Information on how customers or end-users interact with the Mageplaza app, such as login times, browsing behavior, IP addresses, device types, and browser information. This data is typically collected via analytics tools to improve service performance, personalize user experience, and provide statistical insights.
  • Communication Data: Data from communication between the customer and Mageplaza, such as support tickets, emails, and chat logs. This also includes the responses to customer queries regarding the app’s functionalities or technical issues.
  • Marketing Data: This may include email addresses, preferences, and other data related to customers’ consent for marketing communications or data shared with third-party advertising platforms.

3.2 Data Subject Categories

Mageplaza processes personal data related to a variety of data subject categories. These may include:

  • End Customers: Individuals who interact with the merchant’s store, purchase goods, leave product reviews, or interact with other content made available through Mageplaza-powered apps. Personal data of end customers may be processed for purposes such as completing orders, providing customer service, marketing, or customizing the shopping experience.
  • Employees and Contractors of the Data Controller: Individuals who are employed by or contracted with the customer to operate and manage their eCommerce store. Mageplaza may process personal data of these individuals, such as email addresses, user login credentials, roles, and access rights in the context of app administration and configuration.
  • Website Visitors: Individuals who visit the customer’s website and interact with Mageplaza apps, including those who browse without making a purchase. Data collected from website visitors may include cookies, IP addresses, session data, or details related to browsing behavior, and is used for purposes such as improving website performance and customer targeting.
  • Business Contacts: Individuals who are designated as points of contact for Mageplaza services, such as administrators, account managers, or customer service contacts within the customer’s business. This data may include names, business titles, email addresses, and other business-related details.

3.3 Purpose of Data Processing

The personal data processed by Mageplaza on behalf of the customer is used solely for the purposes of providing the contracted services. These services may include:

  • App Functionality: Enabling the use of features within Mageplaza apps, such as displaying product information, integrating social media feeds (Instagram, TikTok), and other data-driven marketing or display features that enhance the customer’s eCommerce experience.
  • Customer Support: Providing support and assistance to the customer, including handling inquiries, troubleshooting, resolving technical issues, and helping optimize the performance of Mageplaza-powered apps on the customer’s store.
  • Data Analytics: Collecting and processing data to help the customer gain insights into their customer base, sales trends, and website performance. This may involve aggregating and anonymizing data for the purpose of generating reports and analytics.
  • Marketing and Communications: Facilitating the delivery of marketing materials (such as emails, newsletters, and promotions) to the customer or their end customers, based on their preferences and consent.
  • Transaction Management: Processing transactions to fulfill orders, deliver products, manage payments, and handle customer communications related to the transaction process.
  • Compliance and Security: Ensuring compliance with applicable legal and regulatory requirements, including anti-fraud measures, tax reporting obligations, and data protection laws. Mageplaza is committed to maintaining the security and confidentiality of personal data.

Mageplaza commits to processing personal data only for the specific purposes outlined above and in accordance with the customer’s instructions. We will not use the personal data for any purpose that is not authorized by the customer, and we will take appropriate steps to ensure that data is used in a lawful, fair, and transparent manner.

3.4 Processing Locations

Personal data processed by Mageplaza may be stored or transmitted to data centers located in various jurisdictions, including but not limited to the United States, the European Union, and other countries. Mageplaza will ensure that any international data transfers comply with applicable data protection laws, such as using Standard Contractual Clauses (SCCs) or other lawful mechanisms to ensure appropriate safeguards are in place.

4. Obligations of Mageplaza (Data Processor)

As the Data Processor, Mageplaza has several critical obligations to ensure the security, privacy, and compliance of personal data processed on behalf of the customer (the Data Controller). These obligations include, but are not limited to, the following:

4.1 Data Processing Instructions

Mageplaza will process personal data only in accordance with the documented instructions provided by the customer. These instructions will outline the scope, purpose, and method of processing, and Mageplaza will not process personal data for any other purposes without explicit written consent from the customer. If Mageplaza believes that an instruction from the customer violates applicable data protection laws, it will immediately inform the customer.

4.2 Confidentiality

Mageplaza will ensure that all personnel involved in processing personal data are subject to confidentiality obligations. This includes technical, operational, and customer-facing employees, who must adhere to strict confidentiality guidelines regarding any personal data they have access to during their work. This confidentiality extends beyond the termination of their employment or contract with Mageplaza.

Mageplaza will ensure that all employees and contractors who handle personal data have been adequately trained in privacy and data protection principles. This training will include the importance of maintaining confidentiality, recognizing data protection risks, and understanding how to handle personal data securely.

4.3 Data Security Measures

Mageplaza is committed to implementing appropriate technical and organizational measures to ensure the security of personal data. These measures include, but are not limited to:

  • Encryption: Personal data will be encrypted both during transit and at rest, ensuring that any sensitive data is protected from unauthorized access.
  • Access Control: Access to personal data will be restricted to authorized personnel only, on a need-to-know basis. This will include role-based access control (RBAC) to limit access to data.
  • Data Backup and Recovery: Mageplaza will regularly back up personal data and implement measures to recover data in case of loss or corruption.
  • Security Audits and Monitoring: Mageplaza will perform regular security audits and monitor its systems for any potential vulnerabilities or unauthorized access attempts.
  • Firewall and Anti-virus Protection: Mageplaza will use advanced firewall systems and anti-virus software to protect the infrastructure from external threats.

These security measures are designed to protect personal data from unauthorized access, disclosure, alteration, or destruction, in compliance with industry best practices and data protection laws.

4.4 Sub-processors

Mageplaza may engage third-party sub-processors to assist in processing personal data. Any sub-processors used will be subject to the same data protection obligations as Mageplaza, ensuring that the customer’s data is protected throughout the processing chain.

Before engaging a new sub-processor, Mageplaza will notify the customer in writing and provide details regarding the sub-processor’s identity and the services they will provide. The customer will have the opportunity to object to the use of a sub-processor if there are concerns about their ability to meet the necessary data protection standards. Sub-processors are also required to enter into contracts with Mageplaza, ensuring they comply with data protection obligations, including security measures, confidentiality, and data subject rights.

4.5 Assistance with Data Subject Rights

Mageplaza will provide reasonable assistance to the customer in fulfilling their obligations in response to requests from data subjects. These requests may include:

  • Access: Individuals requesting access to their personal data.
  • Rectification: Individuals requesting corrections to their personal data.
  • Erasure: Individuals requesting the deletion of their personal data.
  • Restriction: Individuals requesting a restriction on processing their personal data.
  • Data Portability: Individuals requesting a transfer of their personal data to another controller.

Mageplaza will promptly notify the customer if a data subject request is made, and it will work closely with the customer to ensure compliance with relevant laws. Mageplaza will not respond to such requests directly, unless explicitly instructed to do so by the customer.

4.6 Data Breach Notification

In the event of a data breach, Mageplaza will notify the customer without undue delay, but no later than 72 hours after becoming aware of the breach. The notification will contain the following details:

  • A description of the nature of the breach.
  • The categories and approximate number of data subjects affected.
  • The categories and approximate number of personal data records affected.
  • The measures taken or proposed to address the breach, including any mitigation actions.

Mageplaza will cooperate fully with the customer in the event of a breach, providing all necessary information and assistance to enable the customer to fulfill their obligations under applicable laws, such as the GDPR’s requirement to notify the relevant supervisory authority and affected data subjects, if necessary.

5. Obligations of the Customer (Data Controller)

As the Data Controller, the customer holds primary responsibility for ensuring that personal data is collected, processed, and managed in compliance with data protection laws. The customer is also responsible for ensuring that Mageplaza, as the Data Processor, acts in accordance with the instructions provided. The key obligations of the customer include:

5.1 Lawfulness of Processing

The customer must ensure that the collection and processing of personal data are lawful and comply with applicable data protection laws. This includes obtaining any necessary consents from data subjects or ensuring that the processing is based on another lawful basis under applicable laws.

5.2 Providing Instructions

The customer must provide clear, documented instructions to Mageplaza regarding the processing of personal data. These instructions should detail the purposes of the data processing, the types of data to be processed, and the specific operations that Mageplaza is permitted to carry out on behalf of the customer. Any new instructions or changes to the existing instructions should be communicated to Mageplaza in writing.

5.3 Transparency and Data Subject Rights

The customer must ensure that data subjects are informed about the processing of their personal data. This can be achieved through transparent privacy policies and notices that explain the purposes of the data collection, the categories of data involved, the recipients of the data, and the rights of the data subjects. The customer must also provide mechanisms for data subjects to exercise their rights, including access, correction, erasure, and portability.

5.4 Data Protection Impact Assessments (DPIAs)

The customer is responsible for conducting Data Protection Impact Assessments (DPIAs) where required under applicable data protection laws. If a DPIA indicates that the processing may result in a high risk to data subjects’ rights and freedoms, the customer must consult with the relevant supervisory authority before proceeding with the processing.

5.5 Data Security and Confidentiality

While Mageplaza takes appropriate measures to safeguard personal data, the customer is also responsible for ensuring that any personal data they share with Mageplaza is securely transmitted and stored. The customer should implement internal data security practices, such as strong password management, access control, and encryption for sensitive data. The customer should also ensure that any employees or contractors who handle personal data are properly trained and understand their obligations in regard to data protection.

6. Audits and Inspections

Mageplaza will allow the customer to conduct audits or inspections of the processing activities related to personal data to ensure compliance with the terms of this DPA and applicable data protection laws.

6.1 Audit Rights

The customer has the right to request audits, either by engaging an independent auditor or directly inspecting Mageplaza’s data processing practices. These audits may include examining the technical and organizational measures that Mageplaza has implemented to protect personal data and to ensure that the processing activities are in line with this DPA. The customer will need to provide at least 30 days’ notice before conducting any audits. Mageplaza will assist with the audits and provide access to relevant documentation, systems, and records necessary to verify compliance.

6.2 Audit Limitations

Audits should be conducted in a way that minimizes disruption to Mageplaza’s operations. The customer is expected to cover the costs of the audit, including any reasonable fees associated with Mageplaza’s assistance in the audit process. If any non-compliance or issues are identified during the audit, Mageplaza will take immediate corrective actions, including improving security measures or updating procedures to address the identified issues.

6.3 Cooperation in Case of Regulatory Inspections

In addition to customer-requested audits, Mageplaza will cooperate with any regulatory authorities or government agencies that request information related to the processing of personal data. If Mageplaza receives an inspection or audit request from a regulatory body, it will promptly inform the customer and cooperate with the investigation.

7. International Data Transfers

In certain circumstances, personal data may need to be transferred across borders, particularly if Mageplaza or its sub-processors are located in countries outside of the customer’s jurisdiction. When transferring personal data, Mageplaza ensures compliance with applicable data protection laws, such as the General Data Protection Regulation (GDPR) for customers in the European Union.

7.1 Cross-Border Data Transfers

Any transfer of personal data to a country outside the European Economic Area (EEA) or other jurisdictions with similar data protection regulations will be subject to appropriate safeguards. Mageplaza will only transfer personal data to countries that provide an adequate level of protection for personal data as defined by applicable laws or those with appropriate safeguards in place, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). These safeguards ensure that personal data is protected when transferred to third countries, thereby maintaining the rights and freedoms of data subjects. If necessary, Mageplaza will update the terms of this DPA to reflect any changes in laws or regulations affecting cross-border data transfers.

7.2 Standard Contractual Clauses (SCCs)

To ensure that personal data transferred to non-EEA countries is adequately protected, Mageplaza may use Standard Contractual Clauses (SCCs), which are a set of legal provisions approved by the European Commission. These clauses are designed to ensure that both the data exporter (the customer) and the data importer (Mageplaza) commit to specific data protection standards. Mageplaza agrees to enter into these SCCs with the customer when transferring personal data to sub-processors or other third parties outside the EEA. These clauses provide a legally binding framework for the protection of personal data, including specific measures for ensuring data subjects’ rights are respected.

7.3 Data Transfers to Sub-processors

If Mageplaza uses sub-processors located in countries outside the EEA, these transfers will also be governed by SCCs or other appropriate mechanisms that provide adequate protection for personal data. The customer will be notified in advance of any sub-processor transfers, and Mageplaza will ensure that the sub-processor is contractually bound to the same data protection standards and obligations set forth in this DPA.

7.4 Ongoing Review and Updates

Mageplaza is committed to monitoring changes in data protection regulations and ensuring that all international data transfers continue to comply with applicable laws. If there are changes to the law or the standard contractual clauses, Mageplaza will update the agreement as necessary to maintain compliance. This could include updating SCCs, adopting new legal frameworks, or implementing additional safeguards to protect personal data in line with the evolving legal landscape.

8. Data Retention and Deletion

The retention and deletion of personal data are critical components of data protection, and Mageplaza has put in place measures to ensure that personal data is only retained for as long as necessary for its intended purposes and in compliance with legal obligations.

8.1 Retention Period

Mageplaza will retain personal data for the duration specified in the customer’s instructions or as long as necessary to fulfill the purposes of processing. If applicable laws or regulations require that personal data be retained for a certain period, Mageplaza will ensure that the data is retained for that duration. Once the purpose of processing is fulfilled, Mageplaza will either delete or anonymize the personal data in accordance with the customer’s instructions. Any data that is no longer required for processing will be securely destroyed or rendered irretrievable, ensuring that personal data is not retained beyond the legally permissible or necessary period.

8.2 Criteria for Data Retention

In determining the retention period, Mageplaza will take into account the following factors:

  • The contractual obligations between Mageplaza and the customer, including any data processing agreements, service agreements, or legal obligations related to the processing of personal data.
  • The type of data being processed and whether there are any specific legal requirements for retaining certain data for a period of time, such as financial or tax-related data.
  • The purposes for which the personal data was collected, including whether the data is needed to support ongoing services, operational needs, or customer support.
  • Any legitimate interests of Mageplaza or the customer that justify continued retention of the data.

Mageplaza will keep a record of retention periods for different categories of data to ensure compliance with applicable laws and regulations.

8.3 Data Deletion

When personal data is no longer needed or upon the customer’s request, Mageplaza will securely delete or anonymize the data, ensuring that it is no longer accessible or retrievable. The customer may request the deletion of personal data at any time, in which case Mageplaza will promptly comply, subject to any legal obligations to retain certain data. If the customer wishes to receive confirmation of the deletion or anonymization of data, Mageplaza will provide such confirmation in writing or via an appropriate communication channel. Any data that is deleted or anonymized will be removed from Mageplaza’s systems and backups, ensuring that it is completely erased.

8.4 Data Retention Upon Termination

Upon termination of the agreement between Mageplaza and the customer, Mageplaza will retain personal data for a limited period as required for post-contractual purposes, such as resolving any outstanding issues or disputes. After this period, Mageplaza will delete or anonymize the data as per the customer’s instructions or in line with legal requirements.

9. Liability and Indemnification

The parties agree that the protection of personal data is of paramount importance, and both Mageplaza and the customer are committed to fulfilling their responsibilities under applicable data protection laws. In the event of non-compliance or any legal claims arising from the processing of personal data, the liability and indemnification provisions outlined in this section will apply.

9.1 Liability of Mageplaza

Mageplaza, as the Data Processor, will be liable for any damage caused by processing personal data in violation of the terms of this DPA, provided that the breach was due to Mageplaza’s failure to comply with its obligations as set out in this agreement. Mageplaza will be responsible for compensating the customer for any damages, losses, or expenses incurred as a result of a violation of data protection laws by Mageplaza, including costs related to legal defense, regulatory fines, and reputational harm.

However, Mageplaza will not be liable for any damages caused by the customer’s failure to fulfill its obligations under this DPA or any other agreement between the parties. This includes situations where the customer provides Mageplaza with incorrect or insufficient instructions or fails to comply with applicable data protection laws.

9.2 Liability of the Customer

The customer, as the Data Controller, is primarily responsible for ensuring that the collection, use, and processing of personal data complies with all applicable data protection laws. The customer will be liable for any damage resulting from the processing of personal data that violates these laws, including any penalties or regulatory actions taken against Mageplaza due to the customer’s failure to comply with its obligations. If the customer provides Mageplaza with incorrect instructions, fails to obtain necessary consents from data subjects, or processes personal data in a manner that violates data protection laws, the customer will indemnify Mageplaza for any resulting losses, damages, or claims, including regulatory fines and third-party lawsuits.

9.3 Indemnification

Both parties agree to indemnify, defend, and hold each other harmless from any third-party claims, lawsuits, damages, or expenses arising from the breach of their respective obligations under this DPA or the failure to comply with applicable data protection laws. This includes any claims brought by data subjects, regulators, or third parties, as well as any legal or regulatory costs and fines.

The indemnification obligation applies in situations where a party’s actions or omissions lead to a breach of privacy rights or violations of applicable laws, including but not limited to:

  • Data breaches
  • Failure to comply with data subject rights requests
  • Non-compliance with data protection regulations, including the GDPR
  • Any other breach of this agreement or applicable laws

Both parties agree to cooperate in the defense of any such claims and provide assistance in addressing any legal matters related to personal data processing.

10. Data Security

Mageplaza understands that data security is a key component of protecting personal data, and the company is committed to implementing comprehensive technical and organizational measures to safeguard the personal data entrusted to it. These measures are designed to prevent unauthorized access, disclosure, alteration, and destruction of personal data, in accordance with best practices and regulatory requirements.

10.1 Security Measures

Mageplaza will implement a range of security measures to protect personal data from unauthorized access, loss, or alteration. These include, but are not limited to:

  • Encryption: Mageplaza uses strong encryption methods to protect data during storage and transmission. This ensures that any data exchanged between systems or processed by Mageplaza is rendered unreadable to unauthorized parties.
  • Access Controls: Strict access controls are in place to ensure that only authorized personnel have access to personal data. These access controls are managed through user authentication systems, multi-factor authentication (MFA), and role-based access policies that ensure data is only accessible to those who require it for processing purposes.
  • Network Security: Mageplaza employs firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) to monitor and protect its network infrastructure. This ensures that any unauthorized attempts to access or compromise personal data are detected and mitigated.
  • Data Integrity: Mageplaza uses data integrity controls to ensure that the personal data it processes remains accurate, consistent, and complete. This includes regular audits, data validation mechanisms, and checks for data accuracy.
  • Physical Security: Mageplaza ensures that all data is stored in secure data centers with robust physical security measures. These include surveillance systems, secure access protocols, and personnel screening to prevent unauthorized physical access to the servers and systems where personal data is stored.

10.2 Data Breach Notification

Mageplaza is committed to promptly identifying and responding to data breaches. In the event of a data breach that involves personal data, Mageplaza will take the following actions:

  • Notification to Customer: Mageplaza will inform the customer without undue delay, and in no case later than 72 hours, after becoming aware of a data breach. The notification will provide the customer with sufficient information to enable them to fulfill their legal obligations, such as notifying data protection authorities or affected data subjects.
  • Investigation and Mitigation: Mageplaza will conduct a thorough investigation to determine the cause of the breach, assess the scope and impact, and take appropriate corrective actions to prevent future incidents. This may include revising security protocols, enhancing employee training, or making other necessary adjustments to Mageplaza’s security practices.
  • Regulatory Reporting: In compliance with applicable data protection laws, Mageplaza will cooperate with the customer in reporting the breach to the relevant regulatory authorities, including providing any information required by regulators to assess the impact of the breach.

10.3 Ongoing Security Monitoring and Improvements

Mageplaza is committed to continuously improving its security posture. The company will regularly review and update its security policies and procedures to account for emerging threats, vulnerabilities, and changes in the regulatory landscape. Additionally, Mageplaza will conduct regular security audits, penetration testing, and vulnerability assessments to identify and address potential weaknesses.

Mageplaza will also provide ongoing security training to its employees to ensure they are equipped to handle personal data securely and to recognize and mitigate potential security risks.

11. Audits and Inspections

In order to ensure compliance with the terms of this DPA and to validate Mageplaza’s data protection practices, the customer is entitled to request audits or inspections. These audits provide the customer with transparency regarding how personal data is being processed and whether Mageplaza is meeting its obligations under the DPA.

11.1 Audit Rights

The customer has the right to audit or inspect Mageplaza’s data processing operations to verify compliance with this DPA. This may include:

  • Access to Mageplaza’s records, systems, and processes related to the processing of personal data.
  • Interviews with relevant personnel involved in data processing activities.
  • Reviewing security measures, policies, and procedures to assess their effectiveness in protecting personal data.

Audits will be conducted at reasonable intervals, and the customer will provide Mageplaza with adequate notice in advance of any audit or inspection. The customer agrees to cooperate with Mageplaza in scheduling the audit at a mutually convenient time.

11.2 Scope of Audits

The scope of any audit or inspection will be limited to the specific requirements of this DPA and will focus on ensuring that Mageplaza is complying with its obligations regarding data protection, security, and privacy. The customer’s audit will not disrupt Mageplaza’s operations or interfere with the confidentiality of other customers’ data. Audits may be conducted by the customer directly or by a third-party auditor authorized by the customer. The third-party auditor will be subject to confidentiality obligations and will be required to follow the same procedures and guidelines set out in this DPA.

11.3 Cost and Expenses

The customer will bear the costs associated with conducting the audit unless the audit reveals a material breach of this DPA by Mageplaza. In such cases, Mageplaza will bear the cost of the audit. If Mageplaza’s systems or operations require significant modifications or improvements to comply with the customer’s requirements or any applicable data protection laws, Mageplaza may charge the customer for the reasonable costs of implementing such changes, provided these costs are directly related to the findings of the audit.

11.4 Corrective Actions

If an audit or inspection reveals any deficiencies or non-compliance with this DPA, Mageplaza will take prompt corrective actions. These actions may include:

  • Implementing or revising policies, procedures, or controls to address the identified issues.
  • Providing additional employee training or support to mitigate risks.
  • Enhancing security measures or infrastructure to ensure data protection standards are met.

Mageplaza will work closely with the customer to resolve any issues and ensure that personal data is being processed in full compliance with the terms of this DPA.

11.5 Frequency and Notification

Audits will be conducted no more than once every 12 months unless the customer has a legitimate concern or if required by applicable law or regulations. Any additional audits will be subject to mutual agreement between the parties and may be requested more frequently if Mageplaza is found to have violated its data protection obligations in a previous audit. The customer will provide Mageplaza with at least 30 days’ written notice before the audit, specifying the scope, objectives, and timing of the audit. This notice period ensures that Mageplaza has sufficient time to prepare and make any necessary arrangements for the audit.

12. Termination

12.1 Termination by Customer

The customer (Data Controller) has the right to terminate the use of Mageplaza’s apps or services at any time. Upon termination, Mageplaza will immediately cease processing personal data, except where retention is necessary for compliance with applicable laws or for legitimate business purposes. The customer must notify Mageplaza in writing or through the platform of their intent to terminate the services.

12.2 Termination by Mageplaza

Mageplaza has the right to suspend or terminate the processing of personal data if the customer fails to comply with the terms of this DPA, or violates applicable data protection laws. Mageplaza will provide reasonable notice to the customer of the non-compliance and will give the customer an opportunity to remedy the situation within a reasonable timeframe. If the issue remains unresolved, Mageplaza may terminate the services and data processing arrangement.

12.3 Data Return or Deletion

Upon termination of this agreement, Mageplaza will, at the customer’s choice:

  • Return Personal Data: Mageplaza will return all personal data provided by the customer in a commonly used, machine-readable format within a reasonable time, and will do so in a way that ensures the customer can continue processing that data or use it for its intended purposes without undue difficulty.
  • Delete Personal Data: If requested by the customer, Mageplaza will securely delete all personal data processed under the terms of this agreement, including any data held in backups or disaster recovery systems. Data deletion will be completed in accordance with the highest standards of security and privacy.

12.4 Retention of Personal Data after Termination

In certain circumstances, Mageplaza may retain personal data after termination:

  • Compliance with Legal Obligations: Mageplaza may need to retain personal data to comply with legal, regulatory, or tax obligations, or to defend legal claims.
  • Legitimate Interests: If there are legitimate business interests that require retention of personal data, such as preventing fraud, ensuring compliance with contract obligations, or resolving disputes, Mageplaza may retain personal data for a limited period beyond the termination of services. In such cases, Mageplaza will continue to protect the data in accordance with the terms of this DPA.

12.5 Post-Termination Obligations

Even after the termination of this DPA and the cessation of services, Mageplaza will continue to adhere to the following obligations:

  • Confidentiality: Mageplaza will continue to treat all personal data with the highest level of confidentiality and will not use or disclose it for any purpose other than as necessary to comply with legal obligations.
  • Security of Data: Mageplaza will ensure that all retained personal data is securely stored, and appropriate security measures are implemented to prevent unauthorized access, modification, or loss.
  • Support with Data Subject Requests: If, after termination, the customer receives a request from a data subject (e.g., an individual who wishes to access, modify, or delete their data), Mageplaza will support the customer in responding to such requests. This may include providing the customer with access to relevant personal data and assisting in verifying the identity of the requestor or processing the request in compliance with applicable data protection laws.
  • Data Breach Notification: If a data breach occurs with respect to personal data that Mageplaza retained after termination, Mageplaza will promptly notify the customer and cooperate in providing any necessary information to ensure the customer can comply with data breach notification requirements under applicable laws.

13. Changes to the DPA

13.1 Modifications to the DPA

Mageplaza reserves the right to amend, update, or modify this Data Processing Agreement at any time to comply with changes in data protection laws, to reflect the introduction of new services, or to adapt to changes in Mageplaza’s business practices. If changes are made, the updated DPA will be posted on the Mageplaza website, and customers will be notified via email or other communication channels.

13.2 Customer’s Right to Object

If the customer does not accept the changes to the DPA, they have the right to object and terminate their use of Mageplaza services in accordance with the termination provisions outlined in Section 12. Upon termination, Mageplaza will cease processing personal data as per the customer’s instructions.

Any changes to this DPA will only become effective once the customer has been notified of the modifications and has either accepted them or allowed the customer relationship to continue after the notice period.

14. Governing Law

14.1 Jurisdiction

This DPA, along with any related agreements, will be governed by and construed in accordance with the laws of the jurisdiction in which Mageplaza operates. The customer and Mageplaza agree to submit to the exclusive jurisdiction of the competent courts in that jurisdiction for the resolution of any disputes arising under this DPA.

14.2 Dispute Resolution

If a dispute arises between the customer and Mageplaza regarding the processing of personal data, both parties agree to first attempt to resolve the dispute through informal discussions. If the dispute cannot be resolved informally, the parties agree to seek resolution through mediation or arbitration, as appropriate, before proceeding to litigation.

14.3 International Considerations

Where the customer is located outside of the jurisdiction in which Mageplaza operates, any disputes will be subject to the laws governing international commercial transactions, and the customer consents to the cross-border transfer of data as set out in this DPA.

15. Miscellaneous Provisions

15.1 Entire Agreement

This DPA constitutes the entire agreement between the parties with respect to the processing of personal data and supersedes any prior agreements or understandings, whether written or oral, relating to such processing.

15.2 Severability

If any provision of this DPA is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remainder of the DPA will remain in full force and effect. The parties agree to substitute a valid provision that closely reflects the intent of the invalid provision.

15.3 Waiver

Any failure by Mageplaza or the customer to enforce any provision of this DPA will not be deemed a waiver of that provision or of any other provisions of this DPA.

15.4 Assignment

Neither party may assign or transfer any rights or obligations under this DPA without the prior written consent of the other party, except that Mageplaza may assign its rights and obligations to an affiliate or in the event of a merger or acquisition.

Conclusion

By entering into this Data Processing Agreement, both Mageplaza and the customer agree to uphold the principles of data protection, security, and privacy, as required under applicable data protection laws. This DPA outlines the responsibilities of both parties in ensuring that personal data is handled in a lawful, transparent, and secure manner.

Mageplaza is committed to maintaining the highest standards of data protection and assisting our customers in meeting their obligations under GDPR and other relevant privacy laws. Customers can rest assured that Mageplaza takes every measure to protect personal data and provide a secure, compliant environment for all of our services.

If you have any questions regarding this DPA or how we handle personal data, please don’t hesitate to contact Mageplaza’s Privacy Team for further information and support.