Contact: sqaure@messcube.com
This DPA supplements the agreement between MessCube ("MessCube", "Processor"/"Service Provider") and the counterparty ("Customer", "Controller"/"Business") governing Customer's use of MessCube's services. Capitalized terms not defined here have the meanings in the Agreement or under applicable Data Protection Laws.
TABLE OF CONTENTS
1. Introduction
2. Definitions
3. Scope; Roles; Instructions
4. Customer Responsibilities
5. Confidentiality & Personnel
6. Sub-processors
7. Security Measures
8. Personal Data Breach
9. Data Subject Requests; Cooperation
10. Return/Deletion
11. International Transfers
12. CPRA (Service Provider Terms)
13. Audits & Documentation
14. Liability
15. Conflict; Order of Precedence
16. Governing Law; Venue
17. Execution
Exhibit A � Details of Processing
Exhibit B � Sub-processors
Exhibit C � Technical & Organizational Measures
Exhibit D � Transfer Mechanics (EU/UK/CH)
1. INTRODUCTION
This DPA applies to MessCube's processing of Personal Data on behalf of Customer in connection with the Services. Each party will comply with applicable Data Protection Laws.
2. DEFINITIONS
- "Data Protection Laws" means all laws applicable to the processing of Personal Data, including EU GDPR, UK GDPR, Swiss FADP, and California CCPA/CPRA, in each case as amended.
- "EU SCCs" means the European Commission's standard contractual clauses (2021/914).
- "UK Addendum" means the Information Commissioner's Office addendum to the EU SCCs.
- Terms such as "personal data," "processing," "controller," "processor," "business," and "service provider" have the meanings given in the relevant Data Protection Laws.
3. SCOPE; ROLES; INSTRUCTIONS
a) Roles. For Customer Data processed via the Services, Customer is the Controller/Business (or a processor to its own controller), and MessCube is the Processor/Service Provider (or sub-processor).
b) Instructions. MessCube will process Personal Data only (i) to provide and support the Services as documented in the Agreement and this DPA, (ii) per Customer's documented lawful instructions, or (iii) as required by law. If law requires processing, MessCube will notify Customer unless legally prohibited.
c) Details of processing appear in Exhibit A.
4. CUSTOMER RESPONSIBILITIES
Customer will (a) ensure it has a lawful basis and all notices/consents required to provide Personal Data to MessCube and to issue instructions; (b) provide only Personal Data that is accurate, relevant, and limited to what is necessary; and (c) not instruct processing that violates Data Protection Laws.
5. CONFIDENTIALITY & PERSONNEL
MessCube ensures that personnel with access to Personal Data are bound by confidentiality obligations and receive appropriate privacy and security training.
6. SUB-PROCESSORS
a) Authorization. Customer grants MessCube a general written authorization to use Sub-processors to deliver the Services.
b) Notice & Objection. MessCube will maintain a current list of Sub-processors and provide advance notice of changes to allow reasonable objections. If Customer reasonably objects and the parties cannot find a feasible alternative, Customer may discontinue the affected Service without penalty for that portion.
c) Flow-down & Liability. MessCube will impose data-protection obligations on Sub-processors no less protective than those in this DPA and remains responsible for their performance.
7. SECURITY MEASURES
MessCube implements appropriate technical and organizational measures designed to protect Personal Data, considering the nature, scope, context, and purposes of processing and the risks involved. Measures include encryption in transit/at rest, access controls, secure SDLC, vulnerability management, logging/monitoring, incident response, and business continuity. See Exhibit C.
8. PERSONAL DATA BREACH
MessCube will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide information reasonably available to assist Customer in meeting its obligations, including notifications required by law.
9. DATA SUBJECT REQUESTS; COOPERATION
Taking into account the nature of processing, MessCube will assist Customer by appropriate technical and organizational measures, insofar as possible, with data subject requests (access, deletion, correction, portability, objection/restriction) and with data protection impact assessments and consultations with supervisory authorities as required by law.
10. RETURN/DELETION
Upon termination of the Services or upon Customer's written request, MessCube will delete or return Customer Personal Data and delete existing copies, unless retention is required by law. If deletion is impracticable, MessCube will securely isolate and protect the data. Certification of deletion is available upon request.
11. INTERNATIONAL TRANSFERS
For transfers of Personal Data from the EEA/UK/Switzerland to countries without an adequacy decision:
- EU SCCs. The parties incorporate the EU SCCs (Module 2: Controller/Processor and, where Customer acts as a processor, Module 3: Processor/Sub-processor). Clause 9 (general authorization) applies. Annexes to the SCCs are completed by Exhibits A�C of this DPA.
- UK Addendum. Where UK data is transferred, the UK Addendum is incorporated alongside the EU SCCs (Exhibit D sets out the tables).
- Switzerland. The EU SCCs apply with Swiss-specific adaptations required under Swiss FADP (e.g., references to Swiss law and FDPIC).
Where the SCCs specify governing law and forum, an EU Member State law and forum apply as required by the SCCs (e.g., Ireland), irrespective of Section 15 below.
12. CPRA (SERVICE PROVIDER TERMS)
For California Personal Information, MessCube acts as a Service Provider and will: (a) process PI only to provide the Services and for permitted business purposes; (b) not sell or share PI; (c) not retain, use, or disclose PI for any purpose other than as permitted; (d) not combine PI with other data except as permitted by CPRA; and (e) flow down equivalent obligations to Sub-processors.
13. AUDITS & DOCUMENTATION
Upon reasonable written request (no more than annually absent a confirmed incident or regulator request), MessCube will provide available compliance reports or otherwise allow audits/assessments required by law, subject to confidentiality, safety, and proportionality requirements. Customer will avoid undue disruption and protect MessCube's and third parties' confidential information.
14. LIABILITY
The parties' liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement, except to the extent prohibited by law or the SCCs.
15. CONFLICT; ORDER OF PRECEDENCE
If this DPA conflicts with the Agreement, this DPA controls to the extent of conflict with respect to data protection. If this DPA conflicts with the EU SCCs, the EU SCCs control with respect to cross-border transfers.
16. GOVERNING LAW; VENUE
Except as required by the SCCs, this DPA is governed by the laws of the State of California, and the exclusive venue for any permitted court proceedings is the state or federal courts located in the City and County of San Francisco, California.
17. EXECUTION
This DPA is effective upon the later of (a) the Effective Date above, (b) Customer's acceptance via the Agreement workflow, or (c) the parties' signatures (if applicable). Electronic signatures are valid and binding.
EXHIBITS
EXHIBIT A � DETAILS OF PROCESSING
- Subject Matter: Provision of MessCube's creative analytics and benchmarking services.
- Duration: The term of the Agreement, plus any period required by applicable law.
- Nature and Purpose: Ingesting, storing, organizing, analyzing, and returning insights on ad/creative performance; user/account administration; troubleshooting; security; service improvement as permitted.
- Data Subjects: Customer's authorized users; Customer's end-users or audiences referenced in uploaded or connected data (as applicable).
- Categories of Personal Data: Contact data (name, work email), account identifiers, role/team metadata; online identifiers and ad/account IDs; creative assets/URLs that may contain embedded metadata; engagement or event data that may include device or network identifiers; support communications.
- Sensitive Data: Not intended. If Customer provides any, Customer is responsible for lawful basis, notices, and instructions.
- Processing Activities: Collection, storage, organization, analysis, retrieval, transmission, deletion.
EXHIBIT B � SUB-PROCESSORS
MessCube maintains and updates a list of authorized Sub-processors engaged to provide hosting, storage, analytics, and related services. MessCube provides advance notice of new Sub-processors with an objection window.
EXHIBIT C � TECHNICAL & ORGANIZATIONAL MEASURES (TOMs)
- Organization & Policy: Security governance; defined roles/responsibilities; workforce privacy/security training; background checks where lawful.
- Access Control: Role-based access; least privilege; SSO/MFA; periodic access reviews; logged administrative actions.
- Data Security: Encryption in transit and at rest; key management; tenant/data segregation; secure backups and tested restores.
- Application Security: Secure SDLC; code review; dependency scanning; vulnerability management and patching SLAs; change management.
- Infrastructure Security: Network segmentation; firewalls/WAF; hardened images; endpoint detection/response; configuration baselines.
- Monitoring & Logging: Centralized logging; alerting; anomaly/threat detection; retention aligned with legal and operational needs.
- Incident Response: Documented IR plan; 24/7 on-call; containment, eradication, recovery, and post-incident review.
- Business Continuity: Redundancy; disaster recovery objectives; periodic testing.
EXHIBIT D � TRANSFER MECHANICS (EU/UK/CH)
EU SCCs: Incorporated by reference; Module 2 (Controller/Processor) and, where applicable, Module 3 (Processor/Sub-processor). UK Addendum: Incorporated with the EU SCCs for UK transfers. Switzerland: EU SCCs apply with adaptations required under Swiss FADP.
CONTACT
Questions about this DPA: sqaure@messcube.com
© 2025 MessCube Inc. All rights reserved.