Data Processing Agreement

This Data Processing Agreement ("DPA") applies when Pittsburgh Digital Marketing Agency processes personal data on behalf of a client ("you," "Client," or "Controller") as part of our digital marketing services.

This DPA supplements and forms part of any service agreement between us. Where this DPA conflicts with your service agreement on data processing matters, this DPA takes precedence.

The purpose of this agreement is to ensure that both parties understand their obligations regarding the handling of personal data, particularly in relation to data protection laws such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), where applicable.

You are the Data Controller

As the client, you determine why and how personal data is collected and used. You are responsible for:

• Ensuring you have the legal basis to collect and process your customers' personal data
• Providing required privacy notices to your customers
• Obtaining any necessary consents (such as cookie consent or marketing opt-ins)
• Responding to data subject requests from your customers
• Instructing us on how to process data on your behalf

We are the Data Processor

As your marketing agency, we process personal data only on your instructions and for the purposes outlined in our service agreement. We are responsible for:

• Processing data only as you instruct us to, within the scope of our services
• Implementing appropriate technical and organizational security measures
• Assisting you with data subject requests when they involve data we process
• Notifying you promptly of any data breach
• Ensuring our team members who access data are bound by confidentiality obligations

Depending on the services we provide, we may access the following types of personal data through your marketing platforms:

Google Ads and Google Analytics

• Website visitor data (pages viewed, session duration, traffic source, device/browser information)
• Conversion data (form submissions, phone calls, purchases)
• Audience data (demographics, interests, geographic regions)
• Customer match lists (if you provide email lists for targeting)
• Search query data and click behavior

Meta (Facebook/Instagram) Advertising

• Ad interaction data (impressions, clicks, conversions)
• Pixel data (website activity tracked by Meta Pixel, if installed)
• Custom audience lists (if you provide customer data for targeting)
• Page engagement data (likes, comments, messages)

Email Marketing Platforms

• Subscriber lists (names, email addresses)
• Email engagement data (opens, clicks, unsubscribes)
• Segmentation data (tags, groups, preferences)

Other Platforms

If we manage other tools on your behalf (LinkedIn Ads, Pinterest Ads, call tracking, CRM systems, etc.), we may access similar categories of data within those platforms. The specific data accessed will be discussed and agreed upon when setting up services.

We only access data that is necessary to perform the services you've hired us for. We do not access data for our own purposes or for any other client's benefit.

We take data protection seriously and implement the following measures:

Access controls

• Platform access is limited to team members who need it to perform their work on your account
• We use individual accounts (not shared logins) for all platforms
• Two-factor authentication is required on all marketing platform accounts
• Access is revoked promptly when team members leave or are no longer assigned to your account

Technical measures

• All data in transit is encrypted via HTTPS/TLS
• Devices used to access your data are password-protected and encrypted
• We maintain up-to-date software, operating systems, and security patches
• We do not download or store your customer lists locally unless specifically required for a service (and with your approval)

Organizational measures

• All team members are bound by confidentiality agreements
• We conduct regular reviews of who has access to what
• We follow the principle of least privilege: team members only get access to the tools and data they need

In the course of providing our services, data may be processed by third-party platforms ("subprocessors"). These are the tools and platforms we use to manage your marketing:

• Google (Google Ads, Analytics, Tag Manager, Search Console): Advertising, analytics, and website performance. Google's Data Processing Terms
• Meta (Facebook Ads Manager, Instagram): Social media advertising. Meta's Data Processing Terms
• Microsoft (Bing Ads, Clarity): Search advertising and analytics, when applicable
• Email service providers: Platform varies by client (Mailchimp, Constant Contact, etc.)

Each of these platforms has their own data processing agreements and privacy policies. By using these platforms, your data is also subject to their terms.

We will notify you before adding any new subprocessor that will handle your data. If you object to a new subprocessor, we will work with you to find an alternative solution or, if that is not possible, you may terminate the affected services.

We do not maintain independent copies of your customer data. The data we access lives in the platforms you've granted us access to (Google Ads, Meta, etc.).

During our engagement

• We access data through the platforms as needed to manage your campaigns
• Performance reports and exports we create are retained for the duration of our working relationship
• If we need to download data for specific tasks (audience list uploads, data analysis), we delete local copies within 30 days of completing that task

After our engagement ends

• We remove our access from all your platforms within 14 days of contract termination
• We delete any locally stored reports or data exports within 30 days
• Data that remains in your marketing platforms is your responsibility to manage going forward
• We may retain anonymized, aggregated data (not linked to any individual) for internal benchmarking and service improvement

In the event of a personal data breach that affects data we process on your behalf, we will:

• Notify you within 48 hours of becoming aware of the breach
• Provide details about the nature of the breach, the categories and approximate number of data subjects affected, and the likely consequences
• Describe the measures we have taken or propose to take to address the breach and mitigate its effects
• Cooperate fully with your investigation and any required notifications to authorities or affected individuals
• Document the breach, including its facts, effects, and the corrective actions taken

If the breach originates from one of the third-party platforms we use (Google, Meta, etc.), we will relay their breach notification to you as quickly as possible and assist with any steps needed on your end.

As the data controller, you have the following rights:

Right to audit

You may request information about our data processing practices and security measures at any time. We will provide reasonable documentation and answer questions about how we handle your data. For on-site or third-party audits, we will cooperate within reasonable scope and with reasonable advance notice (at least 14 days).

Right to instruct

You can instruct us to process data in specific ways, restrict processing, or stop processing entirely. We will follow your instructions unless they conflict with legal requirements.

Data subject requests

If one of your customers exercises their privacy rights (access, deletion, correction, portability), and the request involves data we process, we will assist you in fulfilling that request within a reasonable timeframe. Contact us as soon as you receive such a request so we can act promptly.

Right to terminate

You may terminate our data processing activities at any time by ending the relevant services. Upon termination, we will follow the data deletion procedures described in Section 6.

We are based in the United States and primarily process data within the US. The third-party platforms we use (Google, Meta, Microsoft) may process data in various locations globally, according to their own data processing agreements.

If you have customers in the European Economic Area (EEA), United Kingdom, or other jurisdictions with cross-border transfer restrictions, please let us know so we can ensure appropriate safeguards are in place. This may include relying on the platform providers' Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.

This DPA remains in effect for as long as we process personal data on your behalf. It terminates automatically when our service agreement ends and all data processing activities have ceased.

Sections of this DPA that by their nature should survive termination (including confidentiality obligations, data deletion procedures, and liability provisions) will continue to apply after termination.

We may update this DPA to reflect changes in our practices, the platforms we use, or applicable data protection laws. When we make significant changes, we will notify active clients directly. The "Last updated" date at the top of this page reflects the most recent revision.

For active clients, material changes to this DPA will be communicated at least 30 days before they take effect.

For questions about this Data Processing Agreement or our data handling practices: