Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the agreement under which A2E Group Pty Ltd (trading as MarginShield, “MarginShield”) provides the MarginShield platform (the “Service”) to the customer (“Customer”).

Last updated: May 20, 2026

1. Roles and definitions

The Customer is the data controller of any personal information they upload to or instruct MarginShield to process. MarginShield is the data processor, acting on documented instructions from the Customer.

“Personal information” carries the meaning given in the Australian Privacy Act 1988 (Cth) and, where applicable, the EU General Data Protection Regulation (GDPR).

2. Scope and subject matter

MarginShield processes the following categories of data strictly for the purpose of delivering the Service:

  • Account data: user name, business email address, role, organisation name.
  • Business data: product catalog, cost structure, supplier agreements, competitor observations, approval decisions, audit events.
  • Usage data: authentication logs, application events, error telemetry — used for service operation and security only.

MarginShield does not knowingly process sensitive personal information (health, biometric, political, religious data) and the Customer agrees not to upload such data.

3. Sub-processors

MarginShield uses a limited set of sub-processors to deliver the Service. The current list:

  • Railway (USA / global) — application hosting and managed Redis.
  • Neon (AU region) — managed Postgres database.
  • Stripe (AU/global) — billing and payment processing. Card data is tokenised; MarginShield never stores card numbers.
  • Anthropic (USA) — narrative AI explanations only. Margin calculation is deterministic and never delegated to a model.
  • Sentry (USA) — error monitoring; personally identifying fields scrubbed before transmission.
  • Resend (USA) — transactional email delivery.

MarginShield gives the Customer at least 30 days' notice of any new sub-processor via in-app notification and email to the registered Customer administrator, and the Customer may object in writing.

4. Security measures

MarginShield maintains technical and organisational measures appropriate to the risk, including encryption in transit and at rest, tenant isolation, role-based access control, append-only audit logging, and incident response. The full security posture is published at /security.

5. International data transfers

The Customer's primary database is hosted in the Australian region. Limited transfers occur to the United States via the sub-processors named above, under contractual clauses substantially equivalent to the EU Standard Contractual Clauses where the GDPR applies.

6. Data subject rights

MarginShield will assist the Customer in responding to requests from data subjects to exercise their rights of access, rectification, erasure, restriction, portability or objection. The Customer is the primary point of contact for its own users; MarginShield will action verified requests forwarded by the Customer within 30 days.

7. Data breach notification

MarginShield will notify the Customer of a confirmed personal-information breach affecting the Customer's data without undue delay, and in any event within 72 hours of confirmation. Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and the measures taken.

8. Audit rights

On reasonable written request and no more than once per year, MarginShield will provide a summary of its security controls (and, when available, SOC 2 / ISO 27001 attestations) sufficient to demonstrate compliance with this DPA. On-site audits may be performed by a mutually agreed independent auditor at the Customer's cost.

9. Data return and deletion

On termination of the Service, the Customer may export their data via the available export endpoints for 30 days. After 30 days, all Customer data is permanently deleted from active systems within 90 days, and from encrypted backups within a further 90 days, unless legal retention obligations require otherwise.

10. Contact and execution

Privacy and data-protection enquiries: privacy@marginshield.io.

Customers requiring a countersigned DPA on letterhead can request one at legal@marginshield.io. Standard requests are turned around on the same business day.

This DPA is provided in good faith. It does not constitute legal advice. Customers are encouraged to obtain independent legal counsel before signing.