Data Processing Agreement
Last updated: March 27, 2026
1. Parties
This Data Processing Agreement ("DPA") is entered into between you ("Data Controller") and GMBX, operated by Maor Dayan ("Data Processor"), and supplements the Terms of Service.
2. Scope and Purpose
The Processor processes personal data on behalf of the Controller solely for the purpose of providing the GMBX service: managing Google Business Profiles, generating and publishing content, responding to reviews, and related analytics.
3. Data Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller
- Ensure persons authorized to process data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to data subject rights requests
- Delete or return all personal data upon termination of service
- Make available all information necessary to demonstrate compliance
4. Sub-Processors
The Controller authorizes the following sub-processors:
- Supabase Inc. — Database hosting (US) — data storage and retrieval
- Vercel Inc. — Application hosting (US) — web application infrastructure
- OpenAI LLC — AI processing (US) — caption and content generation
- Twilio Inc. — Communications (US) — WhatsApp message delivery
- Stripe Inc. — Payments (US) — payment processing and billing
- Resend Inc. — Email (US) — transactional email delivery
- Google LLC — GBP management (US) — Business Profile API access
The Processor will notify the Controller of any intended changes to sub-processors at least 14 days in advance.
5. Security Measures
The Processor implements:
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Password hashing with bcrypt (12 rounds)
- JWT-based session management with httpOnly cookies
- Rate limiting and account lockout mechanisms
- Role-based access control for team members
- Automated data purge after 30 days of account inactivity
- Content moderation on AI-generated outputs
- Regular dependency and security audits
6. Breach Notification
In the event of a personal data breach, the Processor shall notify the Controller without undue delay, and no later than 72 hours after becoming aware of the breach. The notification shall include: the nature of the breach, categories of data affected, approximate number of data subjects, consequences of the breach, and measures taken to address it.
7. Data Deletion
Upon termination of the service or upon request, the Processor shall delete all personal data within 30 days, unless retention is required by law. The Controller may request immediate deletion via the data deletion API endpoint or by contacting maordayann@gmail.com.
8. Data Transfer
Personal data is transferred to the United States for processing. For transfers from the EU/EEA, the Processor relies on Standard Contractual Clauses (SCCs) as adopted by the European Commission. The Controller may request a copy of the applicable SCCs.
9. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA, subject to reasonable notice and during business hours. The Processor shall cooperate with such audits and provide necessary information.
10. Contact
For DPA-related inquiries: maordayann@gmail.com