Data Processing Agreement (DPA)
⚠️ DRAFT — NOT YET IN EFFECT
This document is a draft framework and has not been reviewed by legal counsel. It must be reviewed and approved by a qualified attorney before publication or enforcement. Do not publish or reference this document as binding terms until legal review is complete.
Last updated: [DATE TBD on legal review]
Governing law: [JURISDICTION TBD]
This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the master service agreement ("Service Agreement") between the parties identified below. It sets out the terms on which MoonFactory Creative Lab processes Personal Data on behalf of the Client in connection with the MoonFactory client portal and related services.
In the event of any conflict between this DPA and the Service Agreement, this DPA prevails to the extent of the conflict, but only with respect to the processing of Personal Data.
|---|---|
| Online billing partner | Issuing invoices and processing payments |
| Transactional email service | Delivering account, support, and billing emails |
| Website hosting infrastructure | Operating the servers and storage on which the portal and Client websites are hosted |
| Analytics service | Providing consent-gated visitor analytics for Client websites |
| AI service | Generating and assisting with content production at the Client's request |
| Domain management services | Operating DNS hosting and managing domain registrations on the Client's behalf |
| Error monitoring service | Detecting and diagnosing technical errors in the portal and related services |
MoonFactory will:
- Inform the Client of any intended addition or replacement of a Sub-processor with reasonable advance notice (not less than 30 days save in the case of urgent security or service-continuity changes), giving the Client an opportunity to object on reasonable data-protection grounds;
- If the Client objects on reasonable data-protection grounds and the parties cannot agree a resolution, allow the Client to terminate the affected portion of the services without penalty;
- Remain fully liable to the Client for the acts and omissions of its Sub-processors with respect to their processing of Personal Data, as if those acts and omissions were its own.
A current list of Sub-processors, by category and identifying detail sufficient to enable the Client to assess the engagement, will be made available to the Client on request.
10. International Transfers
MoonFactory primarily stores and processes Personal Data on hosting infrastructure located in Germany (in the Falkenstein region), within the European Economic Area.
Where the provision of services involves the transfer of Personal Data to a country outside the European Economic Area or the United Kingdom, MoonFactory will ensure that an appropriate transfer mechanism recognized under Applicable Data Protection Law is in place, including (as relevant) the Standard Contractual Clauses, an adequacy decision, or any successor mechanism designated by the European Commission, the UK Information Commissioner's Office, or another competent authority.
Where the Standard Contractual Clauses apply, the parties are deemed to have entered into the relevant module of those clauses with MoonFactory acting as data importer (as processor) and the Client acting as data exporter (as controller), and the descriptions in Sections 3 to 7 of this DPA are deemed to populate the corresponding annexes.
11. Personal Data Breach Notification
MoonFactory will notify the Client without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Client. The notification will, to the extent then known and as it becomes known:
- Describe the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
- Communicate the name and contact details of the MoonFactory point of contact for further information;
- Describe the likely consequences of the Personal Data Breach;
- Describe the measures taken or proposed to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where the information cannot be provided in full at the same time, it may be provided in phases without undue further delay.
MoonFactory will also document any Personal Data Breach, comprising the facts relating to the breach, its effects, and the remedial action taken, and make that documentation available to the Client on request.
12. Liability and Indemnification
The liability of each party under or in connection with this DPA is governed by, and subject to, the limitations and exclusions of liability set out in the Service Agreement. Nothing in this DPA limits or excludes any liability that cannot lawfully be limited or excluded under Applicable Data Protection Law, including liability for breaches of the GDPR for which a processor is directly liable to a Data Subject or to a supervisory authority.
Each party will indemnify the other against losses, damages, fines, and reasonable expenses (including reasonable legal fees) suffered by the indemnified party arising out of the indemnifying party's breach of its obligations under this DPA, subject always to the liability cap and exclusions in the Service Agreement.
13. Term and Termination
This DPA continues in force for as long as MoonFactory processes Personal Data on behalf of the Client under the Service Agreement.
On termination or expiry of the Service Agreement, MoonFactory will, at the Client's choice and on reasonable written instruction:
- Return all Personal Data to the Client in a commonly used, machine-readable format; or
- Delete all Personal Data from its active systems.
In either case, MoonFactory will:
- Retain Personal Data in active systems for a transition window of up to 30 days following termination, to allow the Client to retrieve, migrate, or confirm deletion of its data;
- Retain invoice and billing records, and any other records required to be retained under applicable law, for the period required by such law (currently up to 7 years for invoices and billing records under typical accounting and tax obligations);
- Honour valid Data Subject erasure requests received during the retention period in accordance with Applicable Data Protection Law and the Client's documented instructions;
- Permit Personal Data to persist briefly in encrypted backups in accordance with normal backup-rotation cycles, after which it is overwritten in the ordinary course.
On final completion of the deletion or return process, MoonFactory will provide written confirmation to the Client on request.