Data Processing Agreement
Last updated February 3, 2026
1. Roles
For customer personal data, the client business is the data controller and Digital Monk Marketing (operating KudosMonk) is the data processor. We process personal data only on the client's documented instructions.
2. Scope of processing
Processing is limited to: sending review requests, recording funnel activity, storing private feedback, and generating reports. Categories: name, email, phone, feedback text. No special-category data is intentionally processed.
3. Security measures
Row-level tenant isolation, encryption in transit and at rest, least-privilege access, audit logging, and rate-limited public endpoints.
4. Subprocessors
Cloud hosting, email delivery, SMS delivery, payments, and AI processing providers, each bound by equivalent data-protection terms. A current list is available on request.
5. Healthcare clients
Where the client is a healthcare provider and a Business Associate Agreement is required, the BAA executed at onboarding supplements this DPA and takes precedence for PHI.
This template is a starting point and not legal advice — have counsel review before relying on it.