Legal
Version 1.0 · Last updated: March 23, 2026 · Effective: April 1, 2026
Questions? legal@marvinbox.com
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between O.Dev (“Processor”) and the Customer entity identified in the Subscription (“Controller”). In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to data processing matters. It applies wherever the Processor processes Personal Data on behalf of the Controller in connection with the Service.
| Term | Meaning |
|---|---|
| Applicable Data Protection Law | Israeli Protection of Privacy Law, 5741-1981 and its regulations (including Amendment 13); and, where applicable, EU Regulation 2016/679 (GDPR). |
| Controller | The Customer — entity that determines the purposes and means of processing. |
| Processor | O.Dev — entity that processes Personal Data on behalf of the Controller. |
| Personal Data | Any information relating to an identified or identifiable natural person that the Controller submits to, or the Processor collects on behalf of the Controller through, the Service. |
| Data Subject | Typically the Controller's customers, contacts, or employees. |
| Security Incident | Any confirmed unauthorized access to, disclosure of, alteration of, or destruction of Personal Data. |
| Sub-Processor | Any third party engaged by the Processor to carry out processing activities on behalf of the Controller. |
2.1 The Processor processes Personal Data to provide the Service to the Controller as described in the Terms of Service.
2.2 Duration. Processing continues for the duration of the Controller's active Subscription and up to 30 days after termination, during which deletion or export occurs per Section 6.
2.3 Purpose. Delivering omnichannel communication (WhatsApp, Messenger, Instagram, Telegram, Microsoft Teams); storing and routing messages; running bot flows, AI-assisted reply features, and scheduled messaging; providing analytics; maintaining security.
2.4 Types of Personal Data. Contact identifiers (phone, email, social media IDs); communication content (messages, media attachments); metadata (timestamps, delivery status); profile data (names, profile pictures, language preferences); any other data the Controller submits through the Service.
2.5 Categories of Data Subjects. The Controller's customers and end-users communicating through the Service; the Controller's employees who use the Service.
4.1 Instructions. Process Personal Data only on documented instructions from the Controller, unless required otherwise by applicable law.
4.2 Confidentiality. Ensure personnel are bound by confidentiality obligations and receive data protection training.
4.3 Security. Implement appropriate technical and organizational security measures (see Annex A).
4.4 Sub-Processors. Engage Sub-Processors only with prior general authorization (see Annex B). Notify the Controller of intended additions or replacements at least 14 days in advance.
4.5 Data Subject Rights. Assist the Controller with responses to Data Subject rights requests (access, rectification, erasure, restriction, portability, objection).
4.6 Breach Notification. Notify the Controller within 72 hours of becoming aware of a confirmed Security Incident, including description, categories and approximate volume of Personal Data affected, likely consequences, and remediation.
4.7 Audit. Upon written request with 30 days' notice, and no more than once per 12-month period, make available information reasonably necessary to demonstrate compliance. May be satisfied by an up-to-date third-party audit report.
Personal Data is stored primarily on infrastructure located within the EEA or in jurisdictions recognized as providing adequate protection. Where data is transferred elsewhere, the Processor ensures appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs).
The Controller acknowledges that the Service involves third-party messaging platforms (Meta, Telegram, Microsoft) that process data in their own jurisdictions under their own terms.
6.1 Upon termination, the Processor retains Personal Data for a maximum of 30 days, during which the Controller may request an export.
6.2 After the 30-day period, the Processor deletes or irreversibly anonymizes all Personal Data from live systems, unless longer retention is required by law.
6.3 Upon written request, the Processor provides written confirmation of deletion.
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. The Processor is not liable for fines imposed on the Controller due to the Controller's own non-compliance.
Where the Controller is subject to GDPR, the parties confirm that the Controller is a “controller” and the Processor is a “processor” within the meaning of Article 4 GDPR. The Processor will process Personal Data only for the purposes described in Article 28(3) GDPR and will cooperate with supervisory authorities as required.
This DPA is governed by the laws of the State of Israel. Where the Controller is subject to GDPR, the parties acknowledge that this DPA is intended to satisfy the requirements of Article 28 GDPR.
| Category | Measures |
|---|---|
| Encryption | TLS 1.2+ in transit, AES-256 at rest; integration secrets encrypted with a dedicated key. |
| Access Control | Role-based access control (RBAC); production access restricted with MFA. |
| Network Security | Firewall rules, private networking; HMAC-SHA256 webhook validation. |
| Data Isolation | Each tenant stored in a fully isolated database; no cross-tenant access at the application layer. |
| Monitoring | Application errors and anomalies monitored via Sentry. |
| Backups | Tenant databases backed up by the underlying provider (Supabase). |
| Incident Response | Documented incident response; 72-hour Security Incident notification. |
| Sub-Processor | Country | Purpose |
|---|---|---|
| Supabase, Inc. | USA / EU | Tenant and control database hosting |
| Redis Ltd. (Redis Cloud) | USA | Job queue, cache, real-time pub/sub |
| Google Cloud (Cloud Run) | USA / EU | Backend API hosting |
| Fly.io, Inc. | USA | Worker and realtime gateway hosting |
| Vercel, Inc. | USA | Frontend hosting |
| Cloudflare, Inc. | USA | DNS, TLS, CDN, media storage (R2) |
| Meta Platforms, Inc. | USA | WhatsApp, Messenger, Instagram delivery |
| Telegram Messenger Inc. | UAE | Telegram message delivery |
| Microsoft Corporation | USA | Microsoft Teams message delivery |
| Sentry (Functional Software, Inc.) | USA | Error monitoring (no message content sent) |
The Processor will provide at least 14 days' advance notice of any changes to this list.
Processor: O.Dev — HaBarzel 38, Tel Aviv, Israel — Company Reg. 200373754
O.Dev — HaBarzel 38, Tel Aviv, Israel — legal@marvinbox.com