1. Purpose

This DPA governs the processing of personal and business data where MarineData.io acts as Data Processor on behalf of the Client (Data Controller).

2. Responsibilities

• Client: Determines the purpose and means of processing, retains ownership of all data.
• MarineData.io: Processes data only per client’s written instructions.

3. Sub-processors

• Hosting providers within the EU may act as sub-processors.
• No data transferred outside the EU without explicit client consent.

4. Security Measures

• SSO, RBAC, row-level security.
• Encryption at rest & in transit.
• Immutable logs for auditability.
• Periodic penetration testing.

5. Retention & Deletion

Data is retained only for the duration of the contract or demo. On termination, all client data is securely deleted unless otherwise required by law.

6. Audit

Client may request audit reports or certifications demonstrating compliance with GDPR.