Draft. This document is the initial pre-launch version of the Nine·Tails Data Processing Addendum. It will be reviewed by counsel and the subprocessor list will be cross-checked against the production stack before any paid customer signs up. If your agency requires a signed copy, write to hello@ninetailsagency.com — we will execute via DocuSign.
1. Parties and incorporation
This Data Processing Addendum ("DPA") is between the customer ("Controller") and Nine Tails ("Processor," "Nine·Tails"). It is incorporated by reference into the Terms of Service the Controller has accepted at ninetailsagency.com/legal/terms.
This DPA applies whenever the Controller's use of the Service results in Nine·Tails processing Personal Data of the Controller's end clients, employees, or other identified or identifiable natural persons (collectively, "Data Subjects").
2. Definitions
Capitalized terms not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679) and the UK GDPR.
- Personal Data — any information relating to an identified or identifiable natural person.
- Processing — any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- Subprocessor — any third party engaged by Nine·Tails to process Personal Data on behalf of the Controller.
3. Subject matter and duration
Nine·Tails processes Personal Data on the Controller's behalf for the duration of the active subscription, plus a 30-day window for export, plus any retention required by law.
4. Nature and purpose of processing
Processing is limited to what is necessary to provide the Service:
- Ingesting metric data from advertising and analytics platforms the Controller authorizes.
- Generating draft reports that may include the Controller's end-client name and the period covered.
- Delivering reports the Controller approves to recipient email addresses the Controller specifies.
- Operational record-keeping (audit logs, billing, security incident response).
5. Categories of Personal Data
Typically: end-client business name, business email address, period covered. Reports do not generally include the Personal Data of the Controller's end customers (i.e. the agency's clients' clients) — they are aggregate metric reports. If a Controller intentionally embeds end-customer Personal Data into a Report, the Controller is solely responsible for the lawful basis to do so.
6. Categories of Data Subjects
- The Controller's employees who hold accounts in the Service.
- The Controller's end clients (the agency's clients) who receive Reports.
7. Controller obligations
The Controller is responsible for the lawful basis for processing — including, where required, obtaining valid consent from Data Subjects. The Controller will provide its own privacy notices to Data Subjects.