Data Processing Agreement
Last updated: February 2026
When you hire us to manage your Google Ads, Analytics, social media advertising, or other digital marketing platforms, we may access data about your customers. This agreement explains how we handle that data, what our responsibilities are, and what rights you have.
Pittsburgh Digital Marketing Agency, LLC ("PGHDMA," "Processor," "we," "us," or "our")
Overview
This Data Processing Agreement ("DPA") applies when Pittsburgh Digital Marketing Agency processes personal data on behalf of a client ("you," "Client," or "Controller") as part of our digital marketing services.
This DPA supplements and forms part of any service agreement between us. Where this DPA conflicts with your service agreement on data processing matters, this DPA takes precedence.
The purpose of this agreement is to ensure that both parties understand their obligations regarding the handling of personal data, particularly in relation to data protection laws such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), where applicable.
Roles and Responsibilities
You are the Data Controller
As the client, you determine why and how personal data is collected and used. You are responsible for:
- Ensuring you have the legal basis to collect and process your customers' personal data
- Providing required privacy notices to your customers
- Obtaining any necessary consents (such as cookie consent or marketing opt-ins)
- Responding to data subject requests from your customers
- Instructing us on how to process data on your behalf
We are the Data Processor
As your marketing agency, we process personal data only on your instructions and for the purposes outlined in our service agreement. We are responsible for:
- Processing data only as you instruct us to, within the scope of our services
- Implementing appropriate technical and organizational security measures
- Assisting you with data subject requests when they involve data we process
- Notifying you promptly of any data breach
- Ensuring our team members who access data are bound by confidentiality obligations
Data We Access
Depending on the services we provide, we may access the following types of personal data through your marketing platforms:
Google Ads and Google Analytics
- Website visitor data (pages viewed, session duration, traffic source, device/browser information)
- Conversion data (form submissions, phone calls, purchases)
- Audience data (demographics, interests, geographic regions)
- Customer match lists (if you provide email lists for targeting)
- Search query data and click behavior
Meta (Facebook/Instagram) Advertising
- Ad interaction data (impressions, clicks, conversions)
- Pixel data (website activity tracked by Meta Pixel, if installed)
- Custom audience lists (if you provide customer data for targeting)
- Page engagement data (likes, comments, messages)
Email Marketing Platforms
- Subscriber lists (names, email addresses)
- Email engagement data (opens, clicks, unsubscribes)
- Segmentation data (tags, groups, preferences)
Other Platforms
If we manage other tools on your behalf (LinkedIn Ads, Pinterest Ads, call tracking, CRM systems, etc.), we may access similar categories of data within those platforms. The specific data accessed will be discussed and agreed upon when setting up services.
We only access data that is necessary to perform the services you've hired us for. We do not access data for our own purposes or for any other client's benefit.
How We Protect Data
We take data protection seriously and implement the following measures:
Access controls
- Platform access is limited to team members who need it to perform their work on your account
- We use individual accounts (not shared logins) for all platforms
- Two-factor authentication is required on all marketing platform accounts
- Access is revoked promptly when team members leave or are no longer assigned to your account
Technical measures
- All data in transit is encrypted via HTTPS/TLS
- Devices used to access your data are password-protected and encrypted
- We maintain up-to-date software, operating systems, and security patches
- We do not download or store your customer lists locally unless specifically required for a service (and with your approval)
Organizational measures
- All team members are bound by confidentiality agreements
- We conduct regular reviews of who has access to what
- We follow the principle of least privilege: team members only get access to the tools and data they need
Subprocessors
In the course of providing our services, data may be processed by third-party platforms ("subprocessors"). These are the tools and platforms we use to manage your marketing:
- Google (Google Ads, Analytics, Tag Manager, Search Console): Advertising, analytics, and website performance. See Google's Data Processing Terms.
- Meta (Facebook Ads Manager, Instagram): Social media advertising. See Meta's Data Processing Terms.
- Microsoft (Bing Ads, Clarity): Search advertising and analytics, when applicable
- Email service providers: Platform varies by client (Mailchimp, Constant Contact, etc.)
Each of these platforms has its own data processing agreements and privacy policies. By using these platforms, your data is also subject to their terms.
We will notify you before adding any new subprocessor that will handle your data. If you object to a new subprocessor, we will work with you to find an alternative solution or, if that is not possible, you may terminate the affected services.
Data Retention
We do not maintain independent copies of your customer data. The data we access lives in the platforms you've granted us access to (Google Ads, Meta, etc.).
During our engagement
- We access data through the platforms as needed to manage your campaigns
- Performance reports and exports we create are retained for the duration of our working relationship
- If we need to download data for specific tasks (audience list uploads, data analysis), we delete local copies within 30 days of completing that task
After our engagement ends
- We remove our access from all your platforms within 14 days of contract termination
- We delete any locally stored reports or data exports within 30 days
- Data that remains in your marketing platforms is your responsibility to manage going forward
- We may retain anonymized, aggregated data (not linked to any individual) for internal benchmarking and service improvement
Breach Notification
In the event of a personal data breach that affects data we process on your behalf, we will:
- Notify you within 48 hours of becoming aware of the breach
- Provide details about the nature of the breach, the categories and approximate number of data subjects affected, and the likely consequences
- Describe the measures we have taken or propose to take to address the breach and mitigate its effects
- Cooperate fully with your investigation and any required notifications to authorities or affected individuals
- Document the breach, including its facts, effects, and the corrective actions taken
If the breach originates from one of the third-party platforms we use (Google, Meta, etc.), we will relay their breach notification to you as quickly as possible and assist with any steps needed on your end.
Client Rights
As the data controller, you have the following rights:
Right to audit
You may request information about our data processing practices and security measures at any time. We will provide reasonable documentation and answer questions about how we handle your data. For on-site or third-party audits, we will cooperate within reasonable scope and with reasonable advance notice (at least 14 days).
Right to instruct
You can instruct us to process data in specific ways, restrict processing, or stop processing entirely. We will follow your instructions unless they conflict with legal requirements.
Data subject requests
If one of your customers exercises their privacy rights (access, deletion, correction, portability), and the request involves data we process, we will assist you in fulfilling that request within a reasonable timeframe. Contact us as soon as you receive such a request so we can act promptly.
Right to terminate
You may terminate our data processing activities at any time by ending the relevant services. Upon termination, we will follow the data deletion procedures described in Section 6.
Cross-Border Transfers
We are based in the United States and primarily process data within the US. The third-party platforms we use (Google, Meta, Microsoft) may process data in various locations globally, according to their own data processing agreements.
If you have customers in the European Economic Area (EEA), United Kingdom, or other jurisdictions with cross-border transfer restrictions, please let us know so we can ensure appropriate safeguards are in place. This may include relying on the platform providers' Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.
Termination
This DPA remains in effect for as long as we process personal data on your behalf. It terminates automatically when our service agreement ends and all data processing activities have ceased.
Sections of this DPA that by their nature should survive termination (including confidentiality obligations, data deletion procedures, and liability provisions) will continue to apply after termination.
Changes to This Agreement
We may update this DPA to reflect changes in our practices, the platforms we use, or applicable data protection laws. When we make significant changes, we will notify active clients directly. The "Last updated" date at the top of this page reflects the most recent revision.
For active clients, material changes to this DPA will be communicated at least 30 days before they take effect.
Contact Us
For questions about this Data Processing Agreement or our data handling practices:
Pittsburgh Digital Marketing Agency, LLC
140 E Main St, STE #3
Carnegie, PA 15106
Email: [email protected]
Phone: (412) 579-3580