📋 Data Processing Agreement

ShadowCMO Legal Documentation

← Home Last Updated: November 13, 2025

Data Processing Agreement (DPA)

Effective Date: November 13, 2025
Last Updated: November 13, 2025

Parties: - Processor: ISW AI Venture trading as ShadowCMO ("we", "us", "our") - Controller: The individual or organisation using the Services ("you", "Customer")

This Data Processing Agreement ("DPA") forms part of the Terms & Conditions and governs how ShadowCMO processes Personal Data on behalf of the Customer under GDPR, UK-GDPR, and other applicable privacy laws.

By using our Services, you agree to this DPA.

1. DEFINITIONS

  • "GDPR" – EU General Data Protection Regulation (EU) 2016/679
  • "UK-GDPR" – UK General Data Protection Regulation
  • "Data Protection Laws" – GDPR, UK-GDPR, ePrivacy laws, and global frameworks (CCPA/CPRA, PIPEDA, LGPD)
  • "Processor" – ShadowCMO (ISW AI Venture)
  • "Controller" – Customer determining the purposes and means of processing
  • "Personal Data" – Any information relating to an identified or identifiable natural person
  • "Sub-processor" – Any third party engaged by the Processor to process Personal Data
  • "Services" – The SaaS platform, tools, and AI-enabled features provided by ShadowCMO
  • "Data Subject" – An identified or identifiable natural person to whom Personal Data relates

2. PURPOSE AND SCOPE

This DPA applies when ShadowCMO processes Personal Data on behalf of the Customer in connection with providing the Services.

The Processor will: - Process Personal Data only on documented instructions from the Controller - Not use Personal Data for its own purposes - Follow applicable Data Protection Laws at all times

3. TYPES OF DATA AND PROCESSING ACTIVITIES

3.1 Categories of Personal Data

Depending on Customer use, this may include: - User account details (name, email, contact information) - Technical identifiers (IP address, device data, browser information) - Instructions, prompts, or content submitted through the platform - Usage analytics and interaction data - Customer-uploaded datasets (content varies by Customer use case)

3.2 Data Subjects

May include: - Customer personnel and employees - End-users of the Customer - Prospects, leads, or contacts provided by the Customer - Any individuals contained in uploaded datasets

3.3 Processing Operations

Includes: - Storage and hosting - Transmission and transfer - Structuring, organising, and indexing - Access, retrieval, and consultation - Analysis, transformation, or generation (including AI-based processing) - Deletion, anonymisation, or archival

Duration: Processing occurs during the Subscription Term and for up to 90 days after termination (for backup/recovery purposes), unless longer retention is required by law.

4. CONTROLLER RESPONSIBILITIES

The Controller confirms that: - Personal Data has been collected lawfully - Instructions provided to the Processor comply with Data Protection Laws - Appropriate notices and consents have been obtained where required - Personal Data shared with the Processor does not violate third-party rights

The Controller must not upload: - Special category data (racial/ethnic origin, political opinions, religious beliefs, health data, biometric data, genetic data) unless explicitly permitted - Personal data of children under 16 (or applicable local minimum age) without verified parental consent - Unlawful, harmful, or prohibited content

5. PROCESSOR OBLIGATIONS

We shall:

5.1 Process Only on Documented Instructions

We will process Personal Data only for providing and improving the Services as described in the Documentation. If we believe an instruction violates Data Protection Laws, we will promptly inform you.

5.2 Confidentiality

All personnel with access to Personal Data are bound by strict confidentiality agreements and receive data protection training.

5.3 Security Measures

We shall implement industry-standard technical and organisational measures, including those listed in Annex III (Security Measures).

5.4 Sub-processors

We may engage Sub-processors for specific functions (e.g., cloud hosting, database services, AI model APIs, email delivery).

  • Sub-processors will be bound by obligations no less protective than this DPA
  • We maintain a current list of Sub-processors at www.shadowcmo.com/subprocessors
  • We will provide 30 days' notice before adding or replacing Sub-processors
  • The Controller may object to a new Sub-processor based on justified data-protection grounds within 14 days of notice

If you object and we cannot accommodate a reasonable alternative, either party may terminate the affected Services upon 30 days' written notice.

5.5 Data Subject Rights Assistance

We will assist you in fulfilling obligations to respond to data subject rights requests, including: - Right of access (GDPR Article 15) - Right to rectification (GDPR Article 16) - Right to erasure ("right to be forgotten") (GDPR Article 17) - Right to restriction of processing (GDPR Article 18) - Right to data portability (GDPR Article 20) - Right to object to processing (GDPR Article 21) - Rights related to automated individual decision-making, including profiling (GDPR Article 22)

Assistance provided: - Technical capability to export Customer Data in machine-readable format (JSON, CSV) - Deletion of specific data upon written request - Restriction or cessation of processing upon objection - Information about automated decision-making logic, significance, and consequences - Response within 10 business days of receiving a documented request

Controller responsibility: - Verifying identity of the Data Subject - Determining legal basis for the request - Assessing validity of objections under Article 21 - Communicating directly with the Data Subject

5.6 Breach Notification

We will notify you without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach affecting Customer Data.

Notification will include: - Nature and categories of Personal Data affected - Approximate number of Data Subjects and records concerned - Likely consequences of the breach - Measures taken or proposed to address the breach and mitigate harm - Contact point for further information

We will cooperate with you to investigate the breach and comply with applicable breach notification obligations to supervisory authorities and Data Subjects.

5.7 Data Protection Impact Assessments (DPIA)

We will provide reasonable assistance where required for DPIAs or prior consultations with supervisory authorities, including: - Description of processing operations - Security measures implemented - Technical documentation as reasonably necessary

6. INTERNATIONAL DATA TRANSFERS

Personal Data may be transferred outside the European Economic Area (EEA) and United Kingdom to countries that do not provide an adequate level of data protection.

Such transfers will be safeguarded by one or more of the following:

  • EU–US Data Privacy Framework (DPF) – For transfers to U.S.-based Sub-processors certified under the DPF
  • European Commission Standard Contractual Clauses (SCCs) – We incorporate the SCCs adopted by Commission Implementing Decision (EU) 2021/914
  • UK International Data Transfer Addendum – For transfers subject to UK-GDPR
  • Adequacy decisions – For transfers to countries recognized by the European Commission as providing adequate protection
  • Supplementary technical and organisational measures – Including encryption in transit and at rest, access controls, and contractual restrictions

A copy of applicable safeguards is available upon request to dpo@shadowcmo.com

6.1 Transfer Impact Assessment

We have conducted a transfer impact assessment and implemented supplementary measures to ensure an essentially equivalent level of protection for Personal Data transferred to third countries.

7. SUB-PROCESSORS

7.1 Current Sub-processors

A complete and current list of Sub-processors, including names, locations, and processing purposes, is available at:

www.shadowcmo.com/subprocessors

7.2 Categories of Sub-processors

Sub-processors provide the following categories of services:

  • Cloud Infrastructure Providers – Hosting, compute, and network services
  • Database and Storage Providers – Managed PostgreSQL databases and object storage
  • AI Model Providers – Natural language processing, image generation, video generation, and AI-powered analysis
  • Communication Service Providers – Transactional email delivery
  • Data Enrichment Providers – Web scraping and data extraction services
  • Media Transformation Providers – Image and video processing, transformation, and delivery

7.3 Sub-processor Agreements

Each Sub-processor must: - Implement appropriate technical and organisational security measures - Follow the principles of GDPR Article 28 - Process Personal Data only as instructed by ShadowCMO - Notify ShadowCMO of any breach affecting Customer data

We remain fully liable to you for the performance of Sub-processors.

8. RETURN OR DELETION OF DATA

Upon termination or expiration of the Services, the Processor will:

  • Provide you with 30 days to export Customer Data via the Platform interface
  • Delete or anonymise all Personal Data in our active systems within 90 days of termination
  • Retain backups only as required for legal, tax, or security purposes (maximum retention: 12 months)
  • Delete backups once the mandatory retention window expires
  • Provide written confirmation of deletion upon request

Exception: We may retain Personal Data to the extent required by EU or Member State law, in which case we will inform you of such legal requirement unless prohibited by law.

9. AUDITS AND COMPLIANCE

9.1 Documentation

The Processor will make available relevant documentation necessary to demonstrate compliance with GDPR Article 28, including: - This DPA and its annexes - Security policy summaries - Sub-processor agreements and security documentation - Technical safeguards and encryption protocols - Incident response procedures

9.2 Audit Rights

You have the right to audit our compliance with this DPA. Audits must be: - Pre-scheduled with at least 30 days' notice - Conducted during normal business hours - Limited in scope to what is necessary to verify compliance - Not disruptive to service operations - Conducted at your expense - Subject to confidentiality obligations

We prefer: - Remote audits via video conference and screen sharing - Document-based reviews - Questionnaire-based assessments

9.3 Alternative to On-Site Audit

In lieu of an on-site audit, ShadowCMO may provide: - Security documentation and policy summaries - Evidence of Sub-processor compliance (e.g., Replit SOC 2, Neon SOC 2, Google Cloud certifications) - Third-party penetration testing reports (when available) - Security Compliance Matrix documenting our technical and organisational measures

We maintain security controls aligned with industry standards including: - ISO 27001 principles (information security management) - SOC 2 Type II principles (security, availability, confidentiality) - NIST Cybersecurity Framework - CIS Controls

Note: While ShadowCMO is not independently certified under SOC 2 or ISO 27001, we leverage the certifications of our Sub-processors and implement equivalent security controls.

10. LIABILITY

Liability under this DPA follows the limitations set out in the Terms & Conditions.

Each party's liability to the other under or in connection with this DPA shall be subject to the exclusions and limitations of liability set out in the Terms.

Nothing in this DPA limits liability where prohibited by law, including: - Death or personal injury caused by negligence - Fraud or fraudulent misrepresentation - Violation of Data Subjects' rights under Data Protection Laws

11. TERM AND TERMINATION

This DPA remains in effect for the duration of the Subscription Term and will automatically terminate upon termination of the Terms & Conditions.

Survival: Sections related to data deletion, confidentiality, liability, and audit rights survive termination.

12. GOVERNING LAW AND JURISDICTION

This DPA is governed by the laws of The Netherlands.

Disputes shall be resolved exclusively by the courts of Amsterdam, The Netherlands.

Supervisory Authority: For GDPR-related complaints, the competent supervisory authority is:

Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Bezuidenhoutseweg 30
2594 AV, The Hague, The Netherlands
Website: https://autoriteitpersoonsgegevens.nl

13. CONTACT

For data protection enquiries, contact:

Data Protection Officer
Email: dpo@shadowcmo.com
Website: www.shadowcmo.com
Address: Roosbergsweg 12A, 4854PM Bavel, Netherlands

ANNEX I – DETAILS OF PROCESSING

Nature and Purpose of Processing

Purpose: To provide SaaS-based AI-powered marketing campaign creation services, including competitor analysis, content generation, image and video generation, and campaign export functionality.

Nature: Automated processing using cloud infrastructure, AI models, and data storage services.

Duration of Processing

Active Processing: During the Subscription Term
Post-Termination Retention: Up to 90 days for backup/recovery, then deletion
Legal Retention: As required by applicable law (maximum 12 months)

ANNEX II – STANDARD CONTRACTUAL CLAUSES

Where international transfers of Personal Data occur, ShadowCMO incorporates the Standard Contractual Clauses approved by the European Commission under:

Commission Implementing Decision (EU) 2021/914 of 4 June 2021

Module Two: Controller-to-Processor transfers (where applicable)
Module Three: Processor-to-Processor transfers (for Sub-processor arrangements)

Docking Clause: The SCCs are available upon request and form part of this DPA.

UK Transfers: For transfers subject to UK-GDPR, the UK International Data Transfer Addendum (IDTA) to the SCCs applies.

ANNEX III – TECHNICAL & ORGANISATIONAL SECURITY MEASURES

The following security controls are implemented and maintained by ShadowCMO:

Encryption

  • In Transit: TLS 1.2+ encryption for all data transmission via secure cloud infrastructure
  • At Rest: AES-256 encryption for all stored data via enterprise-grade managed database and storage services

Access Controls

  • Role-based access control (RBAC) with least-privilege enforcement
  • Organisation-level isolation ensuring customers cannot access other customers' data
  • Multi-factor authentication (MFA) for administrative access (planned Phase 1 enhancement)
  • Strong authentication requirements for user accounts

Password Security

  • Bcrypt hashing with 10 rounds for all password storage
  • Minimum password policy: 8 characters minimum
  • Password reset flows with time-limited tokens (1-hour expiration)
  • No plaintext password storage at any stage

Network & Infrastructure Security

  • Infrastructure isolation via managed cloud platform with network segmentation
  • DDoS protection via cloud platform provider
  • Automated failover management for high availability
  • Firewall, load balancer, and API gateway protections managed by infrastructure provider
  • TLS/SSL certificates with automatic renewal

Application Security

  • SQL injection prevention through parameterised queries (100% coverage)
  • Secure coding practices and peer code reviews
  • Dependency vulnerability monitoring with automated security updates
  • Input validation and sanitisation for all user-supplied data
  • CSRF protection (planned Phase 1 enhancement)
  • Rate limiting and abuse prevention (planned Phase 1 enhancement)

Monitoring & Incident Response

  • Logging and monitoring of critical systems and security events
  • Automated anomaly detection for unusual access patterns
  • Regular vulnerability assessments and security reviews
  • Documented incident response procedures with 72-hour breach notification commitment
  • Error logging and alerting via monitoring service (planned Phase 1 enhancement)

Data Backup & Recovery

  • Automated daily backups of all Customer Data
  • Point-in-time recovery capability (7-day retention for active subscriptions)
  • Geographically redundant storage for disaster recovery
  • Regular backup restoration testing (quarterly schedule)

Organizational Measures

  • Data protection training for all personnel with access to Personal Data
  • Confidentiality agreements for all employees and contractors
  • Security policy documentation covering access control, encryption, incident response
  • Vendor management program ensuring Sub-processors meet equivalent security standards
  • Regular security audits (quarterly internal reviews, annual third-party assessment planned)

Sub-Processor Security

All Sub-processors must demonstrate: - SOC 2 Type II, ISO 27001, or equivalent certification (or be in process of obtaining) - GDPR compliance with appropriate technical and organisational measures - Data Processing Agreements incorporating GDPR Article 28 obligations - Security incident notification commitments within 72 hours

Continuous Improvement

ShadowCMO regularly reviews and updates security measures to address: - Emerging threats and vulnerabilities - Changes in Data Protection Laws - Industry best practices and standards - Feedback from security audits and penetration tests

Phase 1 Security Enhancements (Q1 2026): - Rate limiting and API throttling - CSRF token protection - Centralized error logging (Sentry) - Audit log system for sensitive operations - Multi-factor authentication (MFA) for admin accounts

For questions about security measures or to request additional documentation, contact:

Email: dpo@shadowcmo.com
Security Documentation: Available upon request under NDA

END OF DATA PROCESSING AGREEMENT