Data Processing Agreement
Information about how we process and protect your data.
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between mkdn.app ("we", "us", "our", "Processor") and the user or entity ("you", "your", "Controller") using our services (collectively, the "Parties").
This DPA reflects the Parties' agreement with respect to the processing of Personal Data by us on your behalf in connection with our services.
2. Definitions
In this DPA, the following terms shall have the meanings set out below:
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in the GDPR.
- "Processing" means any operation or set of operations which is performed on Personal Data, as defined in the GDPR.
- "Data Subject" means an identified or identifiable natural person to whom the Personal Data relates.
- "Subprocessor" means any processor engaged by us to process Personal Data on your behalf.
3. Scope and Purpose of Processing
We will process Personal Data on your behalf for the purpose of providing our services as described in the Terms of Service. The types of Personal Data processed and the categories of Data Subjects are as follows:
3.1 Types of Personal Data
- Account information (name, email address, password)
- Profile information (profile picture, job title, organization)
- Payment information (credit card details, billing address)
- Usage data (IP address, browser type, device information)
- Content data (documents, comments, and other content created or uploaded by users)
3.2 Categories of Data Subjects
- Users of our services
- Collaborators invited by users
- Individuals whose information is included in content created or uploaded by users
4. Duration of Processing
We will process Personal Data for the duration of the Terms of Service, unless otherwise agreed in writing or required by applicable law.
5. Obligations of the Processor
We shall:
- Process Personal Data only on your documented instructions, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law.
- Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
  - The pseudonymization and encryption of Personal Data;
  - The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  - The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  - A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- Respect the conditions for engaging Subprocessors as set out in Section 6 of this DPA.
- Assist you, taking into account the nature of the processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of your obligation to respond to requests for exercising the Data Subject's rights.
- Assist you in ensuring compliance with your obligations regarding security of processing, notification of Personal Data breaches, data protection impact assessments, and prior consultations with supervisory authorities.
- At your choice, delete or return all Personal Data to you after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage of the Personal Data.
- Make available to you all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.
6. Subprocessors
You provide general authorization for us to engage Subprocessors to process Personal Data on your behalf. We will maintain a list of Subprocessors on our website and will inform you of any intended changes concerning the addition or replacement of Subprocessors, thereby giving you the opportunity to object to such changes.
We will ensure that any Subprocessor we engage is subject to data protection obligations equivalent to those set out in this DPA.
7. International Transfers
We may transfer Personal Data to countries outside the European Economic Area (EEA) only if one of the following conditions is met:
- The transfer is to a country that has been determined by the European Commission to provide an adequate level of protection for Personal Data.
- The transfer is subject to appropriate safeguards, such as standard contractual clauses approved by the European Commission.
- The transfer is necessary for the performance of a contract between you and the Data Subject or for pre-contractual measures taken at the Data Subject's request.
- The Data Subject has explicitly consented to the transfer after having been informed of the possible risks.
- The transfer is necessary for the establishment, exercise, or defense of legal claims.
8. Data Breach Notification
We will notify you without undue delay after becoming aware of a Personal Data breach. The notification will:
- Describe the nature of the Personal Data breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.
- Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained.
- Describe the likely consequences of the Personal Data breach.
- Describe the measures taken or proposed to be taken to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.
9. Audit Rights
We will make available to you all information necessary to demonstrate compliance with the obligations laid down in this DPA and will allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.
10. Liability
Each Party shall be liable to the other Party for damages it causes by any breach of this DPA. Liability as between the Parties is limited to actual damage suffered. Punitive damages are specifically excluded.
11. Governing Law
This DPA shall be governed by the laws of the jurisdiction specified in the Terms of Service.
12. Termination
This DPA shall terminate automatically upon termination of the Terms of Service.
13. Contact Information
For any questions regarding this DPA, please contact us at privacy@mkdn.app.
Last updated: May 15, 2025