— Legal / DPA

Data processing agreement.

Last updated: May 17, 2026 · Effective: May 17, 2026

This Data Processing Agreement ("DPA") forms part of the agreement (the "Principal Agreement", including any SOW and our Terms of Service) between Impact Media AI Marketing Agency ("Processor") and the Client ("Controller"). It governs the processing of Personal Data by Impact Media AI Marketing Agency on behalf of the Client in connection with the services. It is designed to satisfy the requirements of Article 28 of the EU/UK General Data Protection Regulation ("GDPR") and equivalent laws.

1. Definitions

"Personal Data", "Processing", "Controller", "Processor", "Data Subject" and "Supervisory Authority" have the meanings given in the GDPR. "Applicable Data Protection Law" means the GDPR, the UK GDPR, the Israeli Privacy Protection Law and any other privacy or data protection law applicable to the Processing.

2. Roles

The Client is the Controller and Impact Media AI Marketing Agency is the Processor with respect to Personal Data processed under the Principal Agreement. Impact Media AI Marketing Agency will Process Personal Data only on documented instructions from the Client, unless required to do otherwise by law.

3. Subject matter, duration, nature & purpose

  • Subject matter: Processing of Personal Data necessary to perform the services described in the SOW.
  • Duration: for the term of the Principal Agreement plus any post-termination period required for return or deletion of data.
  • Nature & purpose: marketing, lead generation, advertising, creative production, analytics, automation and related professional services.
  • Categories of data: contact details (name, email, phone), professional information, lead form responses, campaign engagement data, and other categories defined in the SOW.
  • Categories of data subjects: the Client's customers, prospects, leads, website visitors, employees, contractors and other individuals identified by the Client.

4. Processor obligations

Impact Media AI Marketing Agency will:

  • Process Personal Data only on documented instructions from the Client, including transfers, unless required by law (in which case we will notify the Client, unless prohibited).
  • Ensure personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
  • Implement and maintain the technical and organizational measures set out in Annex II below.
  • Assist the Client, taking into account the nature of the Processing, in responding to Data Subject requests and complying with security, breach notification, impact assessment and consultation obligations under Articles 32–36 GDPR.
  • Notify the Client without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach.
  • At the Client's choice, delete or return all Personal Data after the end of the services, and delete existing copies unless retention is required by law.
  • Make available all information necessary to demonstrate compliance with Article 28 GDPR and contribute to reasonable audits as set out below.

5. Subprocessors

The Client grants Impact Media AI Marketing Agency a general authorization to engage subprocessors to perform the services. Current categories include:

  • Cloud hosting and infrastructure providers
  • Email and communications providers
  • CRM and marketing automation platforms
  • Advertising and analytics platforms (Meta, Google, TikTok, LinkedIn and similar)
  • Project management, productivity and AI tooling providers

Impact Media AI Marketing Agency will impose data protection obligations on each subprocessor that are no less protective than those in this DPA, and remains liable for their performance. We will inform the Client of any intended addition or replacement of subprocessors on request, and the Client may reasonably object on data protection grounds; if the objection cannot be resolved, either party may terminate the affected services.

6. International transfers

Where Personal Data is transferred outside the EEA, the UK or another jurisdiction requiring a transfer mechanism, the parties will rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum, an applicable adequacy decision or another lawful transfer mechanism. The parties agree to execute additional documentation if required.

7. Data subject rights

Impact Media AI Marketing Agency will, to the extent possible, assist the Client by appropriate technical and organizational measures in fulfilling the Client's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law. If Impact Media AI Marketing Agency receives a request directly from a Data Subject relating to the Client's Personal Data, we will forward it to the Client without undue delay.

8. Personal data breach

In the event of a Personal Data Breach, Impact Media AI Marketing Agency will notify the Client without undue delay (and in any event within 72 hours of becoming aware), provide reasonable information about the nature of the breach, the categories and approximate number of Data Subjects and records concerned, likely consequences and measures taken or proposed to address it.

9. Audits

Impact Media AI Marketing Agency will make available to the Client information reasonably necessary to demonstrate compliance with Article 28 GDPR. Audits may be conducted by the Client or an independent auditor mandated by it, no more than once per twelve (12) month period, with at least thirty (30) days' prior written notice, during normal business hours, in a manner that does not unreasonably disrupt our operations and subject to confidentiality undertakings. More frequent audits are permitted only as required by Supervisory Authorities or following a confirmed Personal Data Breach.

10. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement. To the extent permitted by law, liability under this DPA forms part of and is not in addition to any aggregate liability cap in the Principal Agreement.

11. Term & termination

This DPA takes effect on the effective date of the Principal Agreement and remains in force for as long as Impact Media AI Marketing Agency Processes Personal Data on behalf of the Client. Provisions that by their nature survive termination (including confidentiality, return/deletion of data, liability and governing law) continue to apply.

12. Governing law

This DPA is governed by the law and jurisdiction stated in the Principal Agreement, unless mandatory Applicable Data Protection Law requires otherwise.

Annex I — Description of processing

  • Controller: the Client identified in the Principal Agreement.
  • Processor: Impact Media AI Marketing Agency.
  • Purpose: performance of the marketing and lead generation services described in the SOW.
  • Categories of Data Subjects: as defined in section 3 above.
  • Categories of Personal Data: as defined in section 3 above. No special categories of data are processed unless expressly agreed in writing.
  • Frequency: continuous, for the duration of the services.
  • Retention: for the duration of the services and any post-termination period set out in the Principal Agreement.

Annex II — Technical and organizational measures

  • Encryption of Personal Data in transit using TLS 1.2 or higher.
  • Access control based on least privilege, with unique user accounts and strong authentication (including MFA where supported).
  • Logical separation of Client data within shared infrastructure.
  • Regular review of user access and prompt revocation upon role changes or termination.
  • Use of reputable cloud service providers with industry-recognized certifications (e.g. ISO 27001, SOC 2) for storage and processing.
  • Backups and recovery procedures appropriate to the services.
  • Security awareness training and confidentiality obligations for personnel.
  • Vendor due diligence and written data protection terms with subprocessors.
  • Incident response plan including breach notification within 72 hours.
  • Secure deletion or return of Personal Data at the end of the services.

Contact

  • Email: info@impact-med.com
  • Phone / WhatsApp: +972 58 434 1020

Disclaimer

This DPA is a template provided for transparency. It does not constitute legal advice. Clients with specific regulatory obligations should have it reviewed and, where appropriate, executed as a signed document by both parties.

← Back to home