Data Processing Agreement

Last Updated: Apr 22, 2026

This Data Processing Agreement ("DPA") is entered into between GoMarble Technology Private Limited ("GoMarble AI," "we," or "us") and the Customer ("you") as an integral part of the Agreement governing your use of GoMarble AI's Services at gomarble.ai. You must unconditionally consent to and accept these terms and conditions (including those regulating the processing of personal data) by ticking the "I agree" box when you sign up to the Services, whereby you are entering into a legally binding agreement with GoMarble AI.

1. Nature and Purpose of the Processing

The Services provided may involve the processing of personal data by GoMarble AI and its subcontractors on behalf of the Customer. The purpose of this DPA is to establish terms and conditions governing such processing in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws, including the California Consumer Privacy Act of 2018 ("CCPA") (collectively, "Data Privacy Laws").

GoMarble AI will process personal data solely for the purpose of delivering the Services as outlined in the Agreement, and only in accordance with this DPA or documented Customer instructions that align with the Agreement. GoMarble AI will not sell Customer personal data as defined under the CCPA.

GoMarble AI enters into this DPA on behalf of itself and its affiliated group companies involved in processing personal data under this DPA and the Agreement.

All terms such as "personal data," "processing," "data subject," etc., shall have meanings as defined in the GDPR or the CCPA, as applicable.

2. Term and Termination

This DPA becomes effective upon Customer's acceptance of the Agreement and remains in effect for the duration of the Agreement and thereafter as long as necessary to finalize processing activities.

3. Processing of Personal Data

GoMarble AI acts as a data processor (or sub-processor) and the Customer acts as a data controller (or processor for a third-party controller).

Categories of data subjects:

  • Registered users of the Customer's GoMarble AI account (including agency team members)

  • End users of Customer's advertising campaigns (as audience/performance data)

  • Customer's clients, where Customer is an agency using GoMarble AI to manage client accounts

Types of personal data processed:

  • Online identifiers (IP addresses, device IDs, session IDs, cookie IDs)

  • Contact details (names, email addresses, phone numbers, billing addresses)

  • Authentication credentials and OAuth access tokens for connected advertising platforms (Meta Ads, Google Ads, Google Analytics, TikTok Ads, LinkedIn Ads, Microsoft Advertising, and others)

  • Ad performance data, campaign metrics, audience insights, and creative data from connected advertising platforms

  • Transactional and billing records

  • AI conversation transcripts and chat history processed for the AI Agent

  • AI-extracted session summaries and user preference profiles derived from conversations

  • LLM call metadata (prompts, completions, token counts, latency) logged to the Langfuse observability platform

  • Other data submitted via the Services by or on behalf of the Customer

GoMarble AI will not process personal data outside of Customer instructions unless required by law, in which case GoMarble AI will inform the Customer unless prohibited.

4. Responsibilities of the Customer

The Customer retains ownership of its personal data and is responsible for ensuring the legality, accuracy, and validity of such data. The Customer shall ensure compliance with applicable Data Privacy Laws and notify GoMarble AI without delay if instructions or this DPA do not comply with applicable law.

Where the Customer is an agency connecting third-party client ad accounts to GoMarble AI, the Customer represents that it has obtained all necessary authorizations from its clients to connect their accounts and authorize GoMarble AI to process their advertising data.

5. Assistance to the Customer

5.1 Regulatory Assistance

GoMarble AI will assist with:

  • Article 32-36 GDPR obligations (security, breach notifications, DPIAs, prior consultations), as applicable

  • Such assistance outside of normal service scope may incur additional fees

5.2 Data Subject Rights

GoMarble AI will assist with data subject requests upon Customer request. Requests received directly will be referred to the Customer.

5.3 Breach Notification

GoMarble AI will notify the Customer of data breaches involving Customer personal data without undue delay and will provide:

  • Nature and scope of the breach

  • Contact for further information

  • Possible consequences

  • Measures taken or proposed

5.4 Staged Notification

Where not immediately possible, GoMarble AI may provide breach details in phases.

6. Confidentiality and Security

6.1 Confidentiality

GoMarble AI ensures all personnel processing personal data are bound by confidentiality obligations.

6.2 Security Measures

GoMarble AI will implement appropriate technical and organizational measures, including:

  • Data encryption and pseudonymization (AES-256-GCM at rest, TLS in transit)

  • Systems integrity and availability controls

  • Access recovery protocols

  • Regular security assessments

6.3 Cooperation

GoMarble AI will cooperate with supervisory authorities and comply with legally binding decisions. Additional requests beyond the Agreement may incur fees.

7. Sub-processors and International Transfers

7.1 Authorization and Sub-processor List

Customer provides general authorization for GoMarble AI to use sub-processors. GoMarble AI will:

  • Bind sub-processors via contracts with equivalent protection

  • Inform Customer of changes via updated sub-processor list below or email notification

Current sub-processors:

| Sub-processor | Location | Purpose |
|---|---|---|
| Amazon Web Services (AWS) | USA | Cloud infrastructure, compute, storage, queuing |
| Anthropic | Sub-processor's own infrastructure | AI inference — Claude models |
| Google (Gemini / Vertex AI) | Sub-processor's own infrastructure | AI inference — Gemini models |
| OpenAI | Sub-processor's own infrastructure | AI inference — GPT models |
| Moonshot AI | Sub-processor's own infrastructure | AI model evaluation |
| Langfuse | EU / USA | LLM observability and monitoring |
| MongoDB | Variable (cloud-hosted) | Database services |
| Stripe | USA | Payment processing |
| Cashfree | India / USA | Payment processing |
| SendGrid (Twilio) | USA | Transactional email |
| Customer.io | Variable | Customer communications and lifecycle |
| Zoho Corporation | India / USA | CRM |
| Partnero | EU | Affiliate and referral tracking |
| Google Cloud Storage | India and USA | File and export storage |
| Slack Technologies | Variable | Agent action notifications and approvals |

7.2 Liability

GoMarble AI remains liable for actions of sub-processors to the extent those sub-processors process personal data on GoMarble AI's documented instructions under this DPA. GoMarble AI is not liable for: (a) independent business decisions, policy changes, enforcement actions, or account restrictions made unilaterally by sub-processors or third-party platforms (including Meta, Google, and other ad platforms) in their capacity as independent data controllers or platform operators; (b) actions taken by ad platforms' automated security, fraud detection, or bot detection systems in response to API access patterns; or (c) any loss of account access, account suspension, or data loss resulting from a third-party platform's independent enforcement decision. The liability of GoMarble AI for sub-processor actions under this DPA is further subject to the liability caps set out in the Agreement.

7.3 Objections

If the Customer objects to a sub-processor, the parties will seek resolution in good faith. If unresolved, either may terminate the Agreement with 30 days' notice.

7.4 International Data Transfers

GoMarble AI's services are hosted in the United States. AI inference sub-processors (Anthropic, Google, OpenAI) are also located in the United States. Data may therefore be transferred to and processed in the United States.

7.5 Safeguards

Such transfers will occur only:

  • (a) To countries with adequacy decisions

  • (b) Via Standard Contractual Clauses or other lawful safeguards under Article 46 GDPR

  • (c) In reliance on applicable derogations under Article 49 GDPR where necessary

7.6 Consent

The Customer consents to such transfers and authorizes GoMarble AI to enter into relevant SCCs on its behalf.

8. Data Retention

Upon termination of the Services, GoMarble AI will, at Customer's choice, delete or return all personal data, unless retention is required by law. Specific retention periods are documented in the Privacy Policy.

9. Audit

9.1 Documentation

GoMarble AI will provide necessary information to demonstrate compliance with this DPA.

9.2 Right to Audit

Customer may audit GoMarble AI (excluding competitors). Audits require 30 days' notice and must not disrupt operations. Audit costs are borne by the Customer unless material noncompliance is found.

9.3 Certifications

At this time, GoMarble AI does not offer third-party certifications or audit reports. Customers may exercise their right to audit in accordance with Section 9.2, subject to the conditions and notice requirements outlined therein.

10. Damages

GoMarble AI is liable for damages caused by its or its sub-processors' breach of this DPA. Liability limits in the Agreement also apply here.

Annexures

Notices

All legal notices under this DPA must be sent to legal@gomarble.ai (with operational security notices optionally copied to support@gomarble.ai). Notices are deemed delivered upon email transmission confirmation.

Technical & Organizational Measures (TOMs)

Governance & Access: Role-based access controls; least-privilege principles; multi-factor authentication; periodic access reviews.

Data Protection: Encryption of data in transit and at rest; secrets management; credential rotation procedures.

Network & Infrastructure: Segregated production and non-production environments; network-level access controls; endpoint hardening; dependency and vulnerability management.

Monitoring & Logging: Security event logging and alerting; log retention sufficient to support incident investigation and regulatory obligations.

Development Security: Secure development lifecycle practices; code review processes; change management controls.

Business Continuity: Encrypted backups; recovery testing; documented recovery objectives; defined backup retention periods.

Data Lifecycle: Data minimization; retention aligned to controller instructions; secure deletion upon expiry.

Personnel & Confidentiality: Confidentiality obligations for all personnel with access to personal data; security awareness training.

Incident Response: Defined incident response process; severity classification; notification to Controller without undue delay in accordance with sections 5.3 and 5.4.

Third Parties: Sub-processor due diligence; contractual data processing obligations with equivalent protections; ongoing monitoring.