Data Processing Agreement
Data Processing Agreement (DPA) for MARLVEL.AI — GDPR Article 28 processor terms for business customers.
Version v1.2 · Effective July 10, 2026
1. Roles & Scope
This Data Processing Agreement (the "DPA") is entered into between MARLVEL.AI, a French simplified joint-stock company (société par actions simplifiée) with share capital of 5,000 €, registered with the RCS de Lyon under SIREN 993 573 666, VAT FR56993573666, with its registered office at 254 Rue Vendôme, 69003 Lyon, France ("Marlvel", "we", "us"), and the business customer that subscribes to the Marlvel service (the "Customer", "you").
For the purposes of this DPA and Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR"):
- the Customer is the data controller (or, where the Customer itself acts on behalf of its own customers, the processor) of the personal data processed through the Marlvel service;
- Marlvel is the data processor (or sub-processor) acting on the Customer's behalf.
This DPA forms an integral part of, and is incorporated into, the Marlvel Terms of Service (the "Terms"). It applies whenever Marlvel processes personal data on the Customer's behalf in the course of providing the service. Capitalised terms not defined here have the meaning given in the Terms; terms such as "personal data", "processing", "data subject", "controller" and "processor" have the meaning given in the GDPR.
Geographic scope. The Marlvel service is offered to customers worldwide except in mainland China. We do not knowingly offer the service to, or process personal data of, users located in the People's Republic of China (mainland). The Customer agrees not to use the service to process personal data subject to the data-export laws of mainland China.
2. Subject-Matter, Duration, Nature & Purpose
Marlvel provides an AI-powered mobile app intelligence platform, delivered as SaaS via marlvel.ai. The details of the processing are as follows:
- Subject-matter — the processing of personal data necessary for Marlvel to provide the service to the Customer under the Terms.
- Duration — processing lasts for the term of the Terms, plus any period required for return or deletion of data as set out in §10.
- Nature of the processing — collection, storage, hosting, structuring, analysis, generation of AI-assisted insights, transmission and deletion of personal data, by automated means.
- Purpose — to operate, secure, maintain and improve the Marlvel service, including authentication, account management, product analytics, AI-powered features and customer support.
The service is offered under Free (limited usage, subject to fair use), Pro ($20/month), Business ($200/month) and Enterprise (custom) plans. This DPA applies to all such plans.
3. Categories of Personal Data & Data Subjects
Data subjects. The personal data processed concerns the Customer's authorised users — the individuals to whom the Customer grants access to its Marlvel account (e.g. product managers, engineering leads, analysts and other team members).
Categories of personal data. Marlvel processes only the limited personal data needed to deliver the service:
- Account data — name, email address, account identifier, organisation and role within the workspace, and authentication credentials.
- Usage data — logs, feature interactions, search queries, and technical metadata (e.g. IP address, browser type) generated as authorised users work in the platform.
- Input & content data — the information authorised users submit into action items, comments, attachments and AI conversations, which may incidentally contain personal data of third parties chosen by the Customer.
Marlvel does not require, and the Customer should not submit, special categories of personal data (Article 9 GDPR) through the service. The Customer is responsible for the lawfulness of the personal data it routes through Marlvel and for limiting it to what is necessary.
4. Processor Obligations
In its capacity as processor, Marlvel undertakes to:
- Process only on documented instructions — process personal data solely on the Customer's documented instructions, including those given through the Terms, this DPA and the configuration options of the service, unless required to act otherwise by EU or Member State law (in which case Marlvel will inform the Customer of that legal requirement before processing, unless prohibited from doing so).
- Instruction infringement notice — immediately inform the Customer if, in Marlvel's opinion, an instruction infringes the GDPR or other EU or Member State data protection provisions (Article 28(3) GDPR).
- Confidentiality — ensure that persons authorised to process the personal data are bound by an appropriate obligation of confidentiality and are trained on their data-protection duties.
- Security — implement and maintain the technical and organisational measures described in §5.
- Sub-processing — engage sub-processors only in accordance with §6.
- Assist with data-subject requests — taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, in responding to requests from data subjects exercising their rights (see §7).
- Assist with compliance — assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 GDPR, including security of processing, breach notification, data protection impact assessments (DPIAs) and prior consultation, taking into account the information available to Marlvel.
- Breach notification — notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, and provide the information reasonably available to enable the Customer to meet its own notification obligations under Articles 33 and 34 GDPR.
- Demonstrate compliance — make available to the Customer the information reasonably necessary to demonstrate compliance with Article 28 GDPR, as further described in §9.
5. Security Measures (TOMs)
Marlvel implements appropriate technical and organisational measures ("TOMs") under Article 32 GDPR to ensure a level of security appropriate to the risk. These are benchmarked against the commercial standards of leading AI vendors and include:
- Encryption — personal data is encrypted in transit (TLS) and at rest across our hosting and database layers.
- Access controls — role-based access control, least-privilege provisioning, and organisation-scoped data isolation so that one customer's data is not accessible to another.
- Authentication — secure session management, plus network- and application-level rate limiting and same-origin request validation to mitigate automated abuse of authentication endpoints.
- Monitoring & logging — continuous error monitoring (Sentry) and infrastructure logging subject to retention limits.
- Input masking — analytics and any session recording mask sensitive inputs by default (all input values, with stricter masking on password and email fields), as described in our Privacy Policy; PostHog product analytics run from EU infrastructure.
- Resilience & recovery — managed, backed-up infrastructure with documented disaster-recovery procedures.
Marlvel may update its TOMs over time provided the level of security is not materially diminished. A current summary is available on request at legal@marlvel.ai.
6. Sub-Processing
The Customer grants Marlvel a general authorisation to engage sub-processors to support the delivery of the service. Marlvel maintains a current list of its sub-processors, available at marlvel.ai/sub-processors. As of the date of this DPA, they include:
- Google Cloud Platform — hosting (Cloud Run) and database (Cloud SQL); primary region United States.
- PostHog — product analytics (EU).
- Amplitude — product analytics (EU).
- Sentry — error monitoring (United States; SCCs).
- Google Analytics 4 — event tracking (United States; SCCs / DPF).
- Anthropic, OpenAI and Google — LLM providers for AI features. Anthropic and OpenAI do not use Customer data submitted via their APIs to train their models under their commercial API terms; for other providers, Marlvel selects services and configurations intended to prevent Customer data from being used to train models.
- ElevenLabs — voice AI provider (speech-to-text and text-to-speech) for voice features (United States; SCCs).
- Resend — transactional email delivery (United States; SCCs).
- Stripe — payment processing and billing (United States; SCCs).
- Slack (Salesforce, Inc.) — workspace messaging integration and operational alerting (United States; SCCs).
- Meta Platforms, Inc. / WhatsApp Cloud API — messaging delivery for users who connect via WhatsApp (United States; SCCs).
- LangSmith (LangChain, Inc.) — AI tracing and observability (debugging and quality monitoring) (United States; SCCs).
- Brave Search (Brave Software, Inc.) — web search to answer in-product queries (United States; SCCs).
- Firecrawl (Mendable, Inc.) — web content retrieval (United States; SCCs).
Marlvel imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains fully liable to the Customer for the performance of each sub-processor's obligations.
Changes & right to object. Marlvel will give the Customer prior notice of any addition or replacement of a sub-processor (for example, by updating the list above and, on request, via email). The Customer may object on reasonable, data-protection grounds within 30 days of notice. If an objection cannot be resolved, the Customer may, as its sole remedy, terminate the affected portion of the service.
7. Data-Subject Rights Assistance
Where a data subject exercises a GDPR right (access, rectification, erasure, restriction, portability or objection) in relation to personal data Marlvel processes on the Customer's behalf:
- Marlvel will, where feasible, provide self-service tools within the platform enabling the Customer to access, correct, export or delete the relevant data directly.
- If Marlvel receives a request directly from a data subject, it will not respond to it itself (other than to acknowledge receipt where required) but will promptly forward it to the Customer.
- Marlvel will provide reasonable assistance to enable the Customer to fulfil its obligation to respond to such requests within the statutory time limits.
8. International Transfers
Some sub-processors process personal data outside the EU/EEA (notably in the United States). Where personal data is transferred to a country that has not received an EU adequacy decision, Marlvel relies on appropriate safeguards under Chapter V GDPR, namely:
- the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), incorporated by reference into the relevant sub-processor agreements; and
- the EU-US Data Privacy Framework, where the receiving sub-processor is certified under it.
Where required, Marlvel implements supplementary measures (such as encryption) to ensure an essentially equivalent level of protection. The service is not offered to users in mainland China (see §1), and the Customer must not use it to effect data transfers prohibited by applicable export-control or data-localisation laws.
9. Audits
Marlvel will make available to the Customer the information reasonably necessary to demonstrate compliance with Article 28 GDPR, and will allow for and contribute to audits, as follows:
- Reports & documentation — on written request (no more than once per year, save where required by a supervisory authority or following a data breach), Marlvel will provide its current TOMs summary, sub-processor list, and any applicable third-party security reports or certifications.
- Security questionnaire — Marlvel will respond, within a reasonable time, to a reasonable security and data-protection questionnaire submitted by the Customer.
- On-site audits — on-site or third-party inspections are available to Enterprise customers where the above is insufficient to satisfy a documented regulatory requirement, subject to reasonable advance notice, confidentiality undertakings, and conduct that does not disrupt Marlvel's operations or compromise other customers' data.
10. Return & Deletion on Termination
On termination or expiry of the Terms, and at the Customer's choice, Marlvel will return the Customer's personal data in a structured, commonly used format (via export tools or on request) and/or delete it, unless EU or Member State law requires further storage.
- The Customer may export or delete data at any time using the self-service tools in the platform.
- Following termination, Marlvel will delete remaining Customer personal data within a reasonable period, and will procure deletion by its sub-processors, subject to routine backup cycles after which residual copies are overwritten.
- Retention periods for specific data categories (e.g. server logs subject to operational retention limits, analytics retained up to 24 months) are described in our Privacy Policy.
11. Liability & Order of Precedence
This DPA is subject to the limitations and exclusions of liability set out in the Terms; the total aggregate liability of each party arising out of or related to this DPA is subject to the liability cap in the Terms.
In the event of any conflict between documents, the following order of precedence applies:
- first, the EU Standard Contractual Clauses (where they apply to a given transfer);
- second, this DPA;
- third, the Terms; and
- fourth, any other agreement between the parties.
This DPA is governed by French law. Any dispute relating to it falls within the exclusive jurisdiction of the courts of Lyon, France, subject to any mandatory rules of the data subject's jurisdiction.
12. Contact
For any question relating to this DPA, to exercise audit rights, to raise a sub-processor objection, or to reach our data protection contact:
- Data protection contact — legal@marlvel.ai
- Publisher — MARLVEL.AI SAS, 254 Rue Vendôme, 69003 Lyon, France — SIREN 993 573 666 (RCS de Lyon).
- President / Director of publication — Jérôme Vuillemot.
The Marlvel service is hosted on Google Cloud, contracted in the EU through Google Cloud EMEA Limited, Velasco, Clanwilliam Place, Dublin 2, Ireland. This DPA is provided as part of Marlvel's GDPR (Article 28) and EU AI Act–aware compliance posture.
Privacy Questions?
Contact our Data Protection Officer
We typically respond within 24 hours