DRAFT — NOT LEGAL ADVICE — counsel must review before go-live
Magic Sites Data Processing Addendum (DPA)
Last updated: 2026-04-23
Jurisdiction / governing law: [STATE TBD BY COUNSEL]
Counsel TODO:
- Confirm SCC module selection — Module 2 (controller-to-processor) is primary; Module 3 (processor-to-processor) applies where customer is itself a processor. Confirm we offer both.
- Confirm UK IDTA / UK Addendum to the SCCs and Swiss FDPIC addendum.
- Confirm sub-processor notification window (drafted at 30 days) and objection mechanism.
- Confirm audit rights scope — drafted to allow SOC-2-report-in-lieu-of-onsite per SCC Clause 8.9(c).
- Confirm breach-notification timing (drafted at 72 hours; GDPR Art. 33 is 72h to SA, but processor-to-controller is “without undue delay” — counsel may tighten).
- Confirm TOM Annex II content against our actual security posture (encryption, access, logging).
- Confirm execution mechanism — click-through acceptance vs counter-signature for enterprise.
1. Scope and relationship
This Data Processing Addendum (“DPA”) forms part of the Magic Sites Terms of Service between Magic Life LLC (“AMS”, “Processor”) and Customer (“Controller”) and applies to Processing of Personal Data subject to the GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, or the AU Privacy Act (collectively, “Data Protection Laws”).
In the event of a conflict, this DPA prevails over the Terms for Personal Data processing matters.
2. Definitions
Capitalized terms not defined here have the meanings in the Data Protection Laws. “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, and “Supervisory Authority” have their GDPR meanings.
3. Roles
- AMS acts as Processor for Personal Data Customer submits through the Service.
- Customer acts as Controller (or Processor where Customer’s customer is the Controller; in that case AMS is a Sub-processor).
- For Personal Data AMS collects as a service provider to Customer (account, billing, telemetry), AMS is the Controller; see Privacy Policy.
4. Processing details (SCC Annex I.B)
- Subject matter: provision of the Magic Sites platform.
- Duration: the term of the Terms plus the retention periods in the Privacy Policy.
- Nature and purpose: hosting, transmission, storage, backup, and processing as instructed by Customer.
- Data subjects: Customer’s end users, site visitors, contacts, and other individuals whose data Customer submits.
- Categories: as determined by Customer; typically name, contact info, account identifiers, device/log data, and any content Customer chooses to process through the Service.
- Special categories: none by default. Customer shall not submit special-category data without a written supplementary agreement.
5. Processor obligations
AMS will:
- Process Personal Data only on documented instructions from Customer, including as set out in the Terms and this DPA.
- Ensure persons authorized to process are bound by confidentiality.
- Implement the technical and organizational measures in Annex II.
- Assist Customer with Data Subject requests and with Articles 32–36 obligations, taking into account the nature of Processing.
- Delete or return Personal Data at termination, subject to legal retention requirements.
- Make available information to demonstrate compliance and allow audits per Section 9.
6. Sub-processors
Customer authorizes AMS to engage the Sub-processors listed in sub-processors.md. AMS will:
- Maintain an up-to-date Sub-processor list.
- Provide at least 30 days’ prior notice of changes (addition or replacement).
- Give Customer a reasonable right to object on legitimate data-protection grounds; if the parties cannot agree on a remedy, Customer may terminate the affected portion of the Service without penalty.
- Impose data-protection obligations on each Sub-processor substantially equivalent to this DPA.
7. International transfers
Where Personal Data is transferred from the EU/EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate:
- EU SCCs: Commission Implementing Decision (EU) 2021/914 — Module 2 (controller-to-processor) and Module 3 (processor-to-processor) as applicable, with the options and clauses completed per Annex I and Annex II of this DPA.
- UK Addendum: the UK International Data Transfer Addendum to the EU SCCs issued by the ICO.
- Swiss: amendments required by the Swiss FDPIC.
For AU-origin data, the parties rely on APP 8 and the contractual safeguards in this DPA.
8. Security and breach notification
AMS shall maintain the technical and organizational measures in Annex II. In the event of a Personal Data Breach, AMS will notify Customer without undue delay, and in any case within 72 hours of becoming aware, and will provide information reasonably required for Customer to meet its own notification obligations.
9. Audits
AMS will make available reasonably necessary information to demonstrate compliance. In line with SCC Clause 8.9, AMS may satisfy audit obligations by providing third-party audit reports (e.g., SOC 2 Type II, ISO 27001) where available. Onsite audits are limited to one per year, at Customer’s expense, on reasonable notice, and under confidentiality.
10. Return and deletion
On termination or expiration of the Service, AMS will delete or return all Personal Data within a reasonable period, and delete existing copies except where retention is required by applicable law. Backup deletion follows normal backup-rotation schedules.
11. Liability
Each party’s liability under this DPA is subject to the limitations in the Terms, except where Data Protection Laws prohibit such limitation for direct claims by Data Subjects.
12. Governing law
This DPA is governed by the law stated in the Terms, except that the SCCs are governed by the law of the EU Member State specified in Annex I.C.
Annex I — Parties, Processing, Competent SA
- Data Exporter: Customer.
- Data Importer: Magic Life LLC, [ADDRESS TBD BY COUNSEL], contactprivacy@auramediastudios.com.
- Competent Supervisory Authority: per SCC Clause 13; Customer’s lead SA or Irish DPC where Customer has no EU establishment ([COUNSEL TO CONFIRM]).
Annex II — Technical and Organizational Measures (summary)
- Encryption in transit (TLS 1.2+) and at rest for Customer Content and backups.
- Identity and access management via WorkOS SSO/SCIM; MFA enforced for internal systems.
- Principle of least privilege; role-based access; audit logging.
- Network segmentation and Cloudflare-native edge protections (WAF, DDoS, bot mitigation).
- Secret management via 1Password / Cloudflare Secrets Store.
- Regular backups with documented restore procedures.
- Vulnerability management, dependency scanning, and patching cadence.
- Incident-response plan with 72-hour notification SLA.
- Vendor risk reviews for each Sub-processor.
- Personnel confidentiality and security training.
Annex III — Sub-processors
See sub-processors.md (incorporated by reference).