Draft — pending review
This document is a working draft published for review. It has not yet been finalised by counsel and is not a binding agreement. For a signed copy, or to raise a question, email privacy@maark.ai.
Legal
Data Processing Agreement
Last updated: July 9, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between the customer (“Controller”) and Nordica Marketing ehf., operating as maark (“Processor”), and governs the processing of personal data maark carries out on the customer's behalf. It applies where maark processes personal data subject to data-protection law such as the GDPR.
1. Roles of the parties
For personal data the Controller submits to or connects with maark, the Controller acts as the data controller (or a processor acting for its own customers) and maark acts as a data processor. maark processes that personal data only on the Controller's documented instructions, including as set out in this DPA and the product's ordinary operation.
2. Subject matter, nature and purpose
The subject matter is maark's provision of its SEO and content platform. The nature and purpose of the processing is to research keywords, produce and review content, measure search and AI-answer visibility, and publish approved content, as described across the product documentation. Processing continues for the duration of the agreement.
3. Categories of data subjects and personal data
Personal data processed may include: account and contact details of the Controller's authorised users; data contained in connected Google Search Console properties; content and product data connected from a Shopify store; and any personal data the Controller chooses to include in content or keywords it submits. maark does not require special-category data and asks that it not be submitted.
4. Processor obligations
maark will: (a) process personal data only on documented instructions; (b) ensure persons authorised to process it are bound by confidentiality; (c) implement the technical and organisational measures described in Section 5; (d) assist the Controller, taking into account the nature of processing, in responding to data-subject requests and in meeting its security, breach-notification and impact-assessment obligations; and (e) at the Controller's choice, delete or return personal data at the end of the agreement, subject to legal retention requirements.
5. Security measures
maark maintains technical and organisational measures appropriate to the risk, including encryption of data in transit (TLS/HSTS), application-layer encryption of connected-account tokens, role-based access controls, audit logging, and scheduled retention and pruning. These measures are described in full on our security page. maark does not currently hold a SOC 2 or ISO 27001 certification; a security and data-processing review is available to Custom-plan customers.
6. Sub-processors
The Controller authorises maark to engage the sub-processors listed on our sub-processors page, each bound by data-protection terms consistent with this DPA. maark will make the current list available and reflect material changes there, giving the Controller a reasonable opportunity to object to a new sub-processor.
7. International transfers
Where maark or its sub-processors transfer personal data across borders, maark relies on a lawful transfer mechanism, such as the European Commission's Standard Contractual Clauses, together with any supplementary measures required.
8. Data-subject requests and breach notification
maark will promptly notify the Controller of a personal-data breach affecting the Controller's data without undue delay after becoming aware of it, and will provide reasonable assistance in responding to requests from data subjects exercising their rights.
9. Audit
maark will make available information reasonably necessary to demonstrate compliance with this DPA and will contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable confidentiality and scheduling.
10. Deletion and return
On termination, and at the Controller's choice, maark will delete or return the personal data it processes on the Controller's behalf, subject to the retention timelines in our privacy policy and any legal obligation to retain it.
11. Contact
To sign this DPA, or with any question about it, contact privacy@maark.ai.