Data Processing Agreement (DPA)

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller") and MDJ Marketing LLC ("Data Processor") for the use of AI-Venture.

This DPA complies with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person
• Processing: Any operation performed on Personal Data
• Data Controller: You, the customer determining processing purposes and means
• Data Processor: MDJ Marketing LLC, processing data on your behalf
• Sub-processor: Third-party processors (Clerk, Supabase, Anthropic, etc.)
• Data Subject: The individual whose Personal Data is processed

3. Scope of Processing

3.1 Subject Matter

Processing of Personal Data necessary to provide AI-Venture services.

3.2 Duration

Duration of your subscription plus retention period as specified in Privacy Policy.

3.3 Nature and Purpose

• Business idea validation and analysis
• AI-powered content generation
• Account management
• Service delivery and support

3.4 Types of Personal Data

• Contact information (name, email)
• Account credentials
• Business information submitted for analysis
• Usage data and analytics
• Payment information (processed by Stripe)

3.5 Categories of Data Subjects

• Account holders (entrepreneurs, business owners)
• Authorized users of your account

4. Data Processor Obligations

We will:

• Process Personal Data only on your documented instructions
• Ensure persons authorized to process data are committed to confidentiality
• Implement appropriate technical and organizational security measures
• Only engage Sub-processors with prior written consent
• Assist you in responding to Data Subject requests
• Assist with data breach notifications
• Delete or return Personal Data upon termination
• Make available information necessary to demonstrate compliance

5. Sub-processors

We use the following Sub-processors:

You consent to our use of these Sub-processors. We will notify you of any changes to Sub-processors and you may object within 30 days.

6. International Data Transfers

Personal Data may be transferred to the United States where our Sub-processors operate. We ensure adequate safeguards through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Sub-processor certifications (SOC 2, ISO 27001)
• Additional security measures as required by GDPR

7. Security Measures

We implement appropriate technical and organizational measures:

• Encryption in transit (TLS/HTTPS)
• Encryption at rest for sensitive data
• Access controls and authentication
• Regular security audits and testing
• Incident response procedures
• Employee training and confidentiality agreements

8. Data Subject Rights

We will assist you in fulfilling Data Subject requests for:

• Access to Personal Data
• Rectification of inaccurate data
• Erasure ("right to be forgotten")
• Restriction of processing
• Data portability
• Objection to processing

9. Data Breach Notification

We will notify you without undue delay upon becoming aware of a Personal Data breach affecting your data. We will provide:

• Description of the breach
• Categories and number of affected Data Subjects
• Likely consequences
• Measures taken or proposed

10. Data Retention and Deletion

Upon termination or at your request, we will:

• Delete all Personal Data within 90 days
• Certify deletion upon request
• Retain only as required by law

11. Audit Rights

You have the right to audit our compliance with this DPA. We will provide information and access necessary to demonstrate compliance, subject to reasonable notice and confidentiality obligations.

12. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations in the Terms of Service. We will indemnify you against claims arising from our breach of GDPR obligations.

13. Contact for DPA Matters