Data Processing Agreement
Last Updated: January 26, 2026
Effective Date: January 26, 2026
1. Definitions
This Data Processing Agreement ("DPA") forms part of and supplements the Platform Terms of Service between Masterlinq Solutions LLC ("Masterlinq," "Processor") and you ("Controller").
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion
- "Data Subject" means the individual to whom Personal Data relates
- "Controller" means the entity that determines the purposes and means of Processing Personal Data
- "Processor" means the entity that Processes Personal Data on behalf of the Controller
- "Sub-processor" means a third party engaged by the Processor to Process Personal Data
- "Data Protection Laws" means GDPR, CCPA, and other applicable privacy regulations
- "Standard Contractual Clauses" (SCCs) means the EU-approved clauses for international data transfers
2. Scope and Purpose
This DPA applies when Masterlinq Processes Personal Data on your behalf in connection with the Services. The purpose of this DPA is to ensure compliance with Data Protection Laws and to define the respective obligations of the parties.
Roles:
- Retailers and Suppliers are Controllers for their customer and business data
- Masterlinq acts as a Processor when handling data on behalf of Controllers
- For some Processing activities, Masterlinq may act as an independent Controller (e.g., platform analytics, fraud prevention)
This DPA applies to all Personal Data Processed by Masterlinq in connection with providing the Services, regardless of the location of Data Subjects.
3. Data Processing Details
Categories of Data Subjects:
- Customers who purchase products through Retailer storefronts
- Retailer employees and account users
- Supplier employees and account users
- Website visitors
Types of Personal Data:
- Contact information: names, email addresses, phone numbers, addresses
- Account data: usernames, passwords (hashed), preferences
- Transaction data: order history, payment records (tokenized)
- Device data: IP addresses, browser information, cookies
- Communication data: support tickets, messages
Processing Activities:
- Account creation and authentication
- Order processing and fulfillment
- Payment processing (via Stripe)
- Customer communication and support
- Analytics and reporting
- Fraud prevention and security
4. Processor Obligations
As a Processor, Masterlinq agrees to:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorized to Process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to Data Subject requests
- Assist the Controller in ensuring compliance with security, breach notification, and impact assessment obligations
- Delete or return Personal Data upon termination, unless retention is required by law
- Make available information necessary to demonstrate compliance and allow for audits
- Notify the Controller immediately if an instruction violates Data Protection Laws
5. Security Measures
Masterlinq implements and maintains appropriate technical and organizational measures to protect Personal Data:
Technical Measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Secure authentication with multi-factor authentication support
- Regular security testing and vulnerability assessments
- Intrusion detection and prevention systems
- Automated backup and disaster recovery procedures
- Network segmentation and firewalls
Organizational Measures:
- Access controls based on the principle of least privilege
- Employee background checks and confidentiality agreements
- Regular security awareness training
- Documented security policies and procedures
- Incident response plan and team
- Regular third-party security audits (SOC 2 Type II)
6. Sub-processors
Masterlinq uses the following categories of Sub-processors:
- Cloud Infrastructure: Amazon Web Services (AWS) - data hosting and storage
- Payment Processing: Stripe - payment transactions and fraud prevention
- Email Services: Mailgun - transactional and marketing emails
- Shipping: ShipEngine, BikeFlights - shipping label generation and tracking
- Analytics: Google Analytics, Mixpanel - platform usage analytics
- Customer Support: Intercom - live chat and support ticketing
A complete list of Sub-processors with their locations and purposes is available upon request. We maintain contracts with all Sub-processors that impose data protection obligations no less protective than this DPA.
We will notify you of any intended changes to Sub-processors, giving you the opportunity to object. If you have a legitimate objection, we will work with you to address your concerns or you may terminate the affected Services.
7. Data Subject Rights
Masterlinq will assist you in responding to Data Subject requests to exercise their rights under Data Protection Laws:
- Right of access: Provide copies of Personal Data
- Right to rectification: Correct inaccurate Personal Data
- Right to erasure: Delete Personal Data ("right to be forgotten")
- Right to restrict processing: Limit how Personal Data is used
- Right to data portability: Provide data in a structured, machine-readable format
- Right to object: Stop Processing based on legitimate interests
- Rights related to automated decision-making and profiling
If Masterlinq receives a request directly from a Data Subject, we will promptly notify you unless prohibited by law. You are responsible for responding to Data Subject requests; we will provide reasonable assistance.
Self-service tools are available in the platform for common requests (data export, account deletion). Complex requests may incur reasonable fees for assistance.
8. Data Breach Notification
In the event of a Personal Data breach, Masterlinq will:
- Notify you without undue delay (and within 48 hours where feasible) after becoming aware of the breach
- Provide information about the nature of the breach, categories and approximate number of Data Subjects affected, and likely consequences
- Describe measures taken or proposed to address the breach and mitigate adverse effects
- Document the breach and our response for regulatory compliance
- Cooperate with your breach response and regulatory notifications
You are responsible for notifying supervisory authorities and affected Data Subjects as required by applicable law. Masterlinq will provide reasonable assistance with such notifications.
Our notification of a breach does not constitute acknowledgment of fault or liability.
9. International Transfers
Masterlinq is based in the United States. Personal Data may be transferred to and Processed in the United States and other countries where our Sub-processors operate.
Transfer Mechanisms:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement (IDTA) for UK transfers
- Swiss-U.S. Data Privacy Framework for Swiss transfers
- Additional safeguards as required by applicable law
Upon request, we will execute the applicable Standard Contractual Clauses with you. The SCCs are incorporated by reference into this DPA for transfers from the EEA, UK, or Switzerland.
We conduct transfer impact assessments as required and implement supplementary measures where necessary to ensure adequate protection.
10. Audits
Masterlinq will make available information necessary to demonstrate compliance with this DPA:
- SOC 2 Type II audit reports (available upon request under NDA)
- Security questionnaire responses
- Documentation of security measures and policies
- Sub-processor information and contracts
On-site Audits:
You may conduct or commission an audit of our Processing activities, subject to:
- Reasonable advance notice (minimum 30 days)
- Mutual agreement on scope, timing, and auditor
- Execution of appropriate confidentiality agreements
- Conducting audits during normal business hours with minimal disruption
- You bear the costs of the audit unless it reveals material non-compliance
We may satisfy audit requests by providing third-party audit reports or certifications that address your concerns.
11. Term and Termination
This DPA remains in effect for the duration of the Platform Terms of Service and for as long as Masterlinq Processes Personal Data on your behalf.
Upon Termination:
- Masterlinq will cease Processing Personal Data except as required to wind down Services
- You may request return or deletion of Personal Data within 30 days
- We will delete Personal Data within 90 days of termination, unless retention is required by law
- We will provide certification of deletion upon request
- Some data may be retained in backups for a limited period per our retention policy
Provisions that by their nature should survive termination will remain in effect, including confidentiality, liability limitations, and dispute resolution.
12. Contact
For questions about this DPA or data protection matters:
- Data Protection Officer: privacy@masterlinq.io
- Privacy Team: privacy@masterlinq.io
- Legal Department: support@masterlinq.io
For EU/EEA inquiries, our representative can be contacted at privacy@masterlinq.io.
To request execution of Standard Contractual Clauses or other data transfer agreements, contact support@masterlinq.io.
For our complete privacy practices, see our Privacy Policy. For other legal documents, visit our Legal Center.