Data Processing Agreement

1. Definitions

For purposes of this DPA:

• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion
• "Data Subject" means the individual to whom the Personal Data relates
• "Controller" means the entity that determines the purposes and means of Processing Personal Data
• "Processor" means the entity that Processes Personal Data on behalf of the Controller
• "Sub-processor" means any third party engaged by the Processor to Process Personal Data
• "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, CCPA, and similar regulations
• "GDPR" means the General Data Protection Regulation (EU) 2016/679
• "Standard Contractual Clauses" means the contractual clauses approved by the European Commission for international data transfers

2. Scope and Purpose

This DPA applies to the Processing of Personal Data by MagicDemo on behalf of Customer in connection with the provision of our interactive demo platform services. The subject matter, nature, purpose, and duration of Processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex 1 to this DPA.

MagicDemo will Process Personal Data only as necessary to provide the services requested by Customer and in accordance with Customer's documented instructions.

3. Customer Responsibilities

Customer warrants and represents that:

• It has obtained all necessary consents and authorizations to share Personal Data with MagicDemo
• It has provided appropriate notice to Data Subjects about the Processing of their Personal Data
• Its instructions for Processing comply with applicable Data Protection Laws
• It has implemented appropriate technical and organizational measures to protect Personal Data
• It will notify MagicDemo promptly of any changes to Data Protection Laws that may affect the Processing

4. MagicDemo Obligations

MagicDemo agrees to:

• Process Personal Data only on documented instructions from Customer, unless required by applicable law
• Ensure that personnel authorized to Process Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Engage Sub-processors only with Customer's prior authorization
• Assist Customer in responding to Data Subject requests
• Assist Customer in ensuring compliance with security, breach notification, and impact assessment obligations
• Delete or return all Personal Data upon termination of services, at Customer's election
• Make available information necessary to demonstrate compliance with this DPA

5. Security Measures

MagicDemo implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures include:

• Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
• Access Controls: Role-based access controls and multi-factor authentication
• Network Security: Firewalls, intrusion detection, and regular security monitoring
• Physical Security: Data centers with 24/7 security, biometric access, and environmental controls
• Employee Training: Regular security awareness training for all personnel
• Incident Response: Documented incident response procedures and 24/7 security team
• Vulnerability Management: Regular security assessments and penetration testing
• Business Continuity: Regular backups and disaster recovery procedures

6. Sub-processors

Customer authorizes MagicDemo to engage Sub-processors to Process Personal Data. MagicDemo maintains a current list of Sub-processors, which is available upon request. MagicDemo will:

• Enter into written agreements with Sub-processors imposing data protection obligations substantially similar to this DPA
• Remain fully liable for the acts and omissions of its Sub-processors
• Provide at least 30 days' notice before engaging any new Sub-processor
• Allow Customer to object to new Sub-processors on reasonable grounds

Current Sub-processors

Our current Sub-processors include:

• Amazon Web Services (AWS): Cloud infrastructure and hosting (USA, with EU data residency option)
• Google Cloud Platform: Analytics and data processing (USA, EU)
• Stripe: Payment processing (USA)
• Intercom: Customer support communications (USA)
• SendGrid: Transactional email delivery (USA)

7. Data Subject Rights

MagicDemo will assist Customer in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable Data Protection Laws, including:

• Right of access to Personal Data
• Right to rectification of inaccurate Personal Data
• Right to erasure ("right to be forgotten")
• Right to restriction of Processing
• Right to data portability
• Right to object to Processing
• Right not to be subject to automated decision-making

If MagicDemo receives a request directly from a Data Subject, we will promptly notify Customer and will not respond to the request without Customer's authorization unless required by law.

8. Data Breach Notification

In the event of a Personal Data breach, MagicDemo will:

• Notify Customer without undue delay and in any event within 48 hours of becoming aware of the breach
• Provide sufficient information to enable Customer to meet its breach notification obligations
• Cooperate with Customer in investigating and remediating the breach
• Take reasonable steps to mitigate the effects of the breach and prevent recurrence

The notification will include, to the extent known: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.

9. International Data Transfers

Customer acknowledges that MagicDemo may transfer Personal Data to countries outside the European Economic Area (EEA). For such transfers, MagicDemo ensures appropriate safeguards are in place, including:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions where applicable
• Binding corporate rules where applicable
• Additional technical and organizational measures as necessary

Upon request, MagicDemo will provide Customer with a copy of the Standard Contractual Clauses or other transfer mechanism in use.

10. Audits and Compliance

MagicDemo will make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer.

MagicDemo maintains the following certifications and compliance programs:

• SOC 2 Type II certification
• ISO 27001 certification
• GDPR compliance program
• Regular third-party security assessments

Copies of relevant audit reports and certifications are available upon request under appropriate confidentiality agreements.

11. Data Retention and Deletion

Upon termination or expiration of the services agreement, MagicDemo will, at Customer's election:

• Return all Personal Data to Customer in a commonly used format; or
• Delete all Personal Data and certify such deletion in writing

Deletion will occur within 30 days of the request, except where retention is required by applicable law. Where retention is required, MagicDemo will inform Customer of the requirement and the duration of the retention.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of Data Protection Laws or for damages arising from gross negligence or willful misconduct.

13. Term and Termination

This DPA is effective from the date Customer accepts the Terms of Service and continues until the termination of the services agreement. The obligations relating to confidentiality and data deletion will survive termination.

14. Changes to This DPA

MagicDemo may update this DPA to reflect changes in legal requirements, our Processing activities, or our security practices. We will notify Customer of material changes at least 30 days before they take effect.

15. Contact Information

For questions about this DPA or to exercise your rights, please contact:

Data Protection Officer
Email: dpo@magicdemo.io
Subject: DPA Inquiry

For general legal inquiries:
Email: legal@magicdemo.io

Annex 1: Details of Processing

Subject Matter and Duration

The Processing relates to the provision of MagicDemo's interactive demo platform services and will continue for the duration of the services agreement.

Nature and Purpose of Processing

MagicDemo Processes Personal Data to provide, maintain, and improve the interactive demo platform, including demo creation, hosting, analytics, and lead capture features.

Types of Personal Data

• Contact information (name, email, phone number, company)
• Account credentials (username, hashed passwords)
• Usage data (demo views, interactions, engagement metrics)
• Device and browser information
• IP addresses and location data
• Content uploaded by Customer (which may contain Personal Data)

Categories of Data Subjects

• Customer's employees and authorized users
• Customer's prospects and leads who view demos
• Customer's customers who interact with demos