Data Processing Agreement
Type: Data Processing Agreement · Version: 2026-04-17 · Published: 2026-04-17 11:25 UTC
════════════════════════════════════════════════════════════════
MAKRR — DATA PROCESSING AGREEMENT
Version 1.0 · Effective 2026-04-17
Trashify Tech OÜ · Registry code 16495334
════════════════════════════════════════════════════════════════
AT A GLANCE
— This DPA applies when you use MAKRR to process personal data
about third parties (people in your images/videos, device
telemetry, etc.).
— YOU ARE THE CONTROLLER. WE ARE THE PROCESSOR. This is our
Article 28 GDPR contract with you.
— We only process your data on your documented instructions,
keep it secure, assist you with data-subject rights, and
notify you of any personal-data breach within 72 hours.
— We use sub-processors listed in Annex II. We tell you before
we add or replace them and you have a right to object.
— Our primary storage is in the EU (Frankfurt). Certain training
workloads may run on our equipment in India under EU Standard
Contractual Clauses and a Transfer Impact Assessment. Other
transfers (US sub-processors) use SCCs or the EU–US Data
Privacy Framework.
────────────────────────────────────────────────────────────────
SECTION 1. PARTIES
────────────────────────────────────────────────────────────────
This Data Processing Agreement (the "DPA") is between:
TRASHIFY TECH OÜ, registry code 16495334, registered office
Gonsiori tn 29-3, Kesklinna linnaosa, 10147 Tallinn, Harju
maakond, Estonia (the "PROCESSOR"); and
the Customer identified in the MAKRR account and bound by
the MAKRR Terms of Service (the "CONTROLLER"),
each a "Party" and together the "Parties".
────────────────────────────────────────────────────────────────
SECTION 2. SCOPE AND RELATIONSHIP TO THE TERMS
────────────────────────────────────────────────────────────────
2.1 This DPA forms part of the Agreement defined in the Terms
of Service and governs the processing of Customer Personal Data
(defined below) by us on behalf of the Controller in connection
with the Service.
2.2 In case of conflict between this DPA and any other part of
the Agreement in relation to the processing of personal data,
this DPA prevails.
2.3 This DPA is an Article 28(3) GDPR processing agreement.
────────────────────────────────────────────────────────────────
SECTION 3. DEFINITIONS
────────────────────────────────────────────────────────────────
Capitalised terms not defined here have the meanings given in
the GDPR. In this DPA:
"GDPR" means Regulation (EU) 2016/679, as applied in the
EEA; and, where relevant, the UK GDPR as supplemented by
the Data Protection Act 2018.
"Customer Personal Data" means any personal data that the
Processor processes on behalf of the Controller under the
Agreement, including personal data contained in User
Content, annotations, device uploads, telemetry and related
metadata.
"Sub-processor" means any processor engaged by us to carry
out processing on behalf of the Controller.
"SCCs" means the Standard Contractual Clauses in Commission
Implementing Decision (EU) 2021/914, Module Two (controller
to processor), as updated from time to time.
"Data Subject", "Processing", "Personal Data Breach",
"Supervisory Authority" and other capitalised terms take
their GDPR meaning.
────────────────────────────────────────────────────────────────
SECTION 4. SUBJECT MATTER, DURATION, NATURE AND PURPOSE
────────────────────────────────────────────────────────────────
The subject matter, nature, purpose, duration and categories of
Customer Personal Data and data subjects are set out in Annex I
(Description of Processing) to this DPA.
────────────────────────────────────────────────────────────────
SECTION 5. CONTROLLER'S INSTRUCTIONS
────────────────────────────────────────────────────────────────
5.1 Documented instructions. We will process Customer Personal
Data only on the Controller's documented instructions, including
with regard to transfers of personal data to a third country or
international organisation, unless required to do so by Union or
Member State law. If required by law, we will inform the
Controller of that legal requirement before processing, unless
the law prohibits such information on important grounds of
public interest.
5.2 Scope of instructions. The Controller's instructions are
set out in the Agreement, this DPA, and the configuration
options and requests made through the Service. Additional
instructions must be documented in writing and are subject to
our right to charge for custom work or to decline instructions
incompatible with the Service.
5.3 Lawfulness. The Controller represents and warrants that
its instructions, and the processing of Customer Personal Data
contemplated by the Agreement, are lawful, and that it has all
necessary lawful bases under Articles 6 and, where applicable,
9 and 10 GDPR. We will inform the Controller if, in our
opinion, an instruction infringes the GDPR or other Union or
Member State data-protection provisions, and, pending further
instructions, we may suspend the processing.
────────────────────────────────────────────────────────────────
SECTION 6. CONFIDENTIALITY
────────────────────────────────────────────────────────────────
We will ensure that persons authorised to process Customer
Personal Data are bound by confidentiality obligations (whether
by employment contract or otherwise) and have received
appropriate training.
────────────────────────────────────────────────────────────────
SECTION 7. SECURITY OF PROCESSING
────────────────────────────────────────────────────────────────
7.1 Technical and organisational measures. We will implement
appropriate technical and organisational measures to ensure a
level of security appropriate to the risk, taking into account
the state of the art, cost of implementation, the nature, scope,
context and purposes of processing, and the risk to data
subjects' rights and freedoms. Current measures are described
in Annex III (Security Measures).
7.2 Updates. We may update our security measures without
notice, provided the overall level of protection is not
materially reduced.
7.3 Controller controls. The Controller is responsible for
configuration options exposed to it (including access control,
team roles, retention settings, and integrations). Failure to
configure these appropriately may reduce the effectiveness of
our measures.
────────────────────────────────────────────────────────────────
SECTION 8. SUB-PROCESSORS
────────────────────────────────────────────────────────────────
8.1 General authorisation. The Controller grants us general
written authorisation to engage Sub-processors, subject to this
clause 8.
8.2 Current Sub-processors. Annex II lists the current Sub-
processors. A live list is maintained at /legal/subprocessors.
8.3 New or replacement Sub-processors. Before engaging a new
or replacement Sub-processor to process Customer Personal Data,
we will give the Controller AT LEAST 30 DAYS' PRIOR WRITTEN
NOTICE (which may be by email, in-product notice or by a
subscription to an update feed). The Controller may object in
writing, on reasonable and documented grounds relating to the
Sub-processor's data-protection capability, within that notice
period.
8.4 Objection. If the Controller objects and we cannot resolve
the objection, the Controller may terminate the part of the
Agreement affected by the change, without liability, by giving
written notice before the new Sub-processor starts processing.
No refund is due beyond unused pre-paid fees.
8.5 Flow-down. We will impose on each Sub-processor, by
written contract, data-protection obligations that are
substantially equivalent to those in this DPA. We remain fully
liable to the Controller for the performance of Sub-processors'
obligations.
────────────────────────────────────────────────────────────────
SECTION 9. DATA SUBJECT REQUESTS
────────────────────────────────────────────────────────────────
9.1 Assistance. We will, taking into account the nature of
processing, assist the Controller by appropriate technical and
organisational measures, insofar as this is possible, to fulfil
the Controller's obligation to respond to requests for
exercising the data subject's rights under Chapter III GDPR.
9.2 No direct response. Where a data subject contacts us
directly with a rights request concerning data we hold as
processor, we will forward it to the Controller without undue
delay (and in any event within three business days) and will
not respond substantively, save to confirm we are a processor
and to direct the data subject to the Controller.
9.3 Cost. Assistance is included at no additional charge for
requests that can be fulfilled using Service functionality. For
custom or high-volume work, we may charge reasonable fees.
────────────────────────────────────────────────────────────────
SECTION 10. BREACH NOTIFICATION
────────────────────────────────────────────────────────────────
10.1 Notice to Controller. We will notify the Controller
without undue delay (and in any case within 72 HOURS) after
becoming aware of a Personal Data Breach affecting Customer
Personal Data, providing the information reasonably needed by
the Controller to meet its obligations under Articles 33–34
GDPR.
10.2 Information provided. The notice will describe, to the
extent known at the time: the nature of the breach; categories
and approximate number of data subjects and records; likely
consequences; and the measures we have taken or propose to take.
10.3 Ongoing updates. We will provide updates as more
information becomes available and support the Controller in its
own notifications to Supervisory Authorities and data subjects
where those duties apply.
10.4 No admission. Our notice is not an admission of liability.
────────────────────────────────────────────────────────────────
SECTION 11. ASSISTANCE WITH COMPLIANCE
────────────────────────────────────────────────────────────────
Taking into account the nature of processing and information
available to us, we will assist the Controller in complying with
its obligations under Articles 32–36 GDPR (security, breach
notification, data-protection impact assessments, prior
consultation). Templates and pre-filled information are made
available on request at privacy@makrr.ai.
────────────────────────────────────────────────────────────────
SECTION 12. INTERNATIONAL TRANSFERS
────────────────────────────────────────────────────────────────
12.1 Default location. Primary storage of Customer Personal
Data is in the European Union (AWS Frankfurt, eu-central-1).
12.2 Transfers outside the EEA. To the extent that provision
of the Service or use of a Sub-processor involves transfer of
Customer Personal Data outside the EEA, such transfers are made:
(a) to a country covered by an adequacy decision under
Article 45 GDPR; or
(b) under the EU–US Data Privacy Framework, where the
importer is certified; or
(c) under the SCCs, Module Two (controller to processor),
which are hereby incorporated by reference into this
DPA, with:
— Clause 7 (docking clause): ENABLED;
— Clause 9 (sub-processors): Option 2 (general
written authorisation), 30-day prior notice;
— Clause 11 (redress): optional language NOT
included;
— Clause 17 (governing law): ESTONIAN LAW;
— Clause 18 (forum): Estonian courts;
— Annex I.A (Parties): as in this DPA's Annex I;
— Annex I.B (Description of Transfer): as in this
DPA's Annex I;
— Annex I.C (Competent Supervisory Authority):
Estonian Data Protection Inspectorate (Andmekaitse
Inspektsioon), unless the Controller has a different
lead supervisory authority, in which case that
authority;
— Annex II of the SCCs (Technical and Organisational
Measures): this DPA's Annex III;
— Annex III of the SCCs (List of Sub-processors):
this DPA's Annex II.
12.3 India training infrastructure. We operate GPU training
infrastructure in India. Where Customer Personal Data is
processed on that infrastructure, we rely on:
(a) SCCs Module Two between Trashify Tech OÜ as data
exporter (controller) and Trashify Tech OÜ as data
importer in respect of its India operations
(processor). A copy of the signed SCCs is held by the
Privacy Contact and is available to the Controller on
request, subject to reasonable redaction;
(b) a Transfer Impact Assessment covering the Indian legal
environment, including the Digital Personal Data
Protection Act 2023, the Information Technology Act
2000, and Indian lawful-access regimes;
(c) supplementary measures: encryption at rest and in
transit, access controls with per-engineer audit
trails, de-identification of User Content prior to
training transfer where feasible, and exclusion of
Controllers and Customers who have opted out under
clause 6.4 of the Terms from the training set.
12.4 UK transfers. For transfers subject to the UK GDPR, the
Parties incorporate by reference the International Data
Transfer Addendum issued by the UK Information Commissioner's
Office (IDTA), with the SCCs set up as above.
12.5 Supplementary measures. We implement supplementary
measures where required by a Transfer Impact Assessment,
including encryption in transit and at rest and access controls.
────────────────────────────────────────────────────────────────
SECTION 13. AUDITS
────────────────────────────────────────────────────────────────
13.1 Reports. We will make available to the Controller all
information reasonably necessary to demonstrate compliance with
Article 28 GDPR, including, on request, summary reports of our
most recent independent audits or certifications (for example,
ISO/IEC 27001, where applicable).
13.2 On-site audit. The Controller may audit us — either
itself or through an independent, reasonably-qualified third-
party auditor who has signed an NDA on terms acceptable to us —
once per calendar year, on at least 30 days' prior written
notice, during business hours, in a manner that does not
unreasonably interrupt our business, and subject to our
reasonable confidentiality and security controls. Additional
audits may be conducted following a Personal Data Breach
affecting the Controller or a material change in the Service.
13.3 Cost. Audits are at the Controller's cost, unless the
audit reveals a material breach of this DPA, in which case we
will reimburse reasonable audit costs.
13.4 Scope carve-out. Audit rights do not extend to (a) other
Controllers' data; (b) our confidential proprietary information,
save as strictly needed to verify compliance; or (c) data
protected from disclosure by applicable law.
────────────────────────────────────────────────────────────────
SECTION 14. RETURN AND DELETION
────────────────────────────────────────────────────────────────
14.1 On termination. On termination or expiry of the Agreement,
at the Controller's choice, we will RETURN or DELETE Customer
Personal Data and delete existing copies, unless Union or Member
State law requires storage.
14.2 Mechanism. Export and deletion are available through the
Service. We will irrevocably delete Customer Personal Data within
thirty (30) days of termination (or such longer period as is
needed for backup rotation and legal retention, during which
data is isolated and protected from further processing), unless
the Controller requests earlier or later handling in writing.
14.3 Proof. On request, we will provide written confirmation
of deletion.
────────────────────────────────────────────────────────────────
SECTION 15. LIABILITY
────────────────────────────────────────────────────────────────
15.1 Under the Agreement. Liability under this DPA is subject
to the limitations in the Terms of Service, except where the
GDPR or other applicable law provides otherwise and the
limitation would be contrary to that law.
15.2 Article 82 GDPR. Nothing in the Agreement limits or
excludes each Party's direct liability to data subjects under
Article 82 GDPR.
────────────────────────────────────────────────────────────────
SECTION 16. TERM
────────────────────────────────────────────────────────────────
This DPA starts on the Effective Date and continues for as long
as we process Customer Personal Data under the Agreement.
Clauses that by their nature survive termination (including
clauses 6 (confidentiality), 14 (return/deletion) and the
surviving provisions of the SCCs) survive termination of the
Agreement.
────────────────────────────────────────────────────────────────
SECTION 17. MISCELLANEOUS
────────────────────────────────────────────────────────────────
17.1 Governing law and jurisdiction. As in clauses 18.1–18.2
of the Terms, save where mandatory EU or Member State law, or
the SCCs, require otherwise.
17.2 Notices under this DPA. To the Controller: the email
addresses on the account (admin and billing contacts). To us:
privacy@makrr.ai, with a copy to legal@makrr.ai.
17.3 Entire DPA. This DPA, including its Annexes, is the
entire agreement of the parties on its subject matter and
supersedes any prior data-processing arrangement.
════════════════════════════════════════════════════════════════
ANNEX I — DESCRIPTION OF PROCESSING
════════════════════════════════════════════════════════════════
I.A LIST OF PARTIES
DATA EXPORTER / CONTROLLER:
the Customer, as identified in the MAKRR account and
represented by the administrator user.
Contact: billing and admin contacts on the account.
Activities: uploading, annotating and processing images,
videos, device streams and related metadata through the
Service for the Controller's business purposes.
Role: Controller.
DATA IMPORTER / PROCESSOR:
Trashify Tech OÜ, registry code 16495334, Gonsiori tn 29-3,
Kesklinna linnaosa, 10147 Tallinn, Harju maakond, Estonia.
Contact: Privacy Contact, privacy@makrr.ai.
Activities: providing the MAKRR Service, hosting User
Content, running AI inference and training on Controller
instructions, deploying models to devices, operating the
device backend.
Role: Processor.
I.B DESCRIPTION OF TRANSFER
Categories of data subjects:
— individuals appearing in User Content uploaded or
captured by the Controller, who may include the
Controller's staff, customers, visitors, contractors,
suppliers or members of the public in environments the
Controller monitors;
— the Controller's administrators and users of the
Service;
— device operators and maintenance personnel.
Categories of personal data:
— identifying and biographical data within uploaded
images or video (facial images, body imagery, clothing
and accessory features, vehicle registration marks,
identifiable property);
— audio where captured;
— location data implicit in imagery and device position;
— device telemetry (IP address, device identifier,
timestamps, system metrics);
— account data of the Controller's administrators (name,
business email, role).
Special-category data (Article 9 GDPR):
only if uploaded by the Controller. Biometric data used
for uniquely identifying natural persons should not be
processed without a written variation to this DPA.
Criminal-conviction data (Article 10 GDPR):
not contemplated. If uploaded, the Controller warrants an
Article 10 lawful basis.
Frequency of transfer:
continuous for the duration of the subscription.
Nature of processing:
storage, AI-assisted annotation, human annotation, training
of models, inference, deployment to devices, analytics,
backup, and incident response.
Purpose of processing:
providing the Service to the Controller.
Retention:
as in the Privacy Policy and the Agreement; in summary,
during the subscription plus thirty (30) days after
termination, subject to legal retention requirements.
Transfers to Sub-processors:
as in Annex II.
I.C COMPETENT SUPERVISORY AUTHORITY
Estonian Data Protection Inspectorate (Andmekaitse
Inspektsioon), Tatari 39, 10134 Tallinn, info@aki.ee,
www.aki.ee — or, where the Controller has a different lead
supervisory authority under Article 56 GDPR, that authority.
════════════════════════════════════════════════════════════════
ANNEX II — LIST OF SUB-PROCESSORS
════════════════════════════════════════════════════════════════
The current list is maintained at /legal/subprocessors and
changes are notified under clause 8.3 of this DPA.
(1) Amazon Web Services EMEA SARL
Service: object storage (S3), IoT Core messaging
(MQTT), compute and ancillary cloud services
Location: Frankfurt, Germany (eu-central-1) — primary;
US for support personnel access
Transfer: No cross-border transfer for primary storage;
SCCs for US-resident personnel access via AWS
DPA.
(2) Heroku (Salesforce Tower Dublin Limited)
Service: application hosting (PaaS)
Location: [HEROKU_REGION — confirm]
Transfer: SCCs where US; intra-EU otherwise.
(3) Stripe Payments Europe Ltd
Service: payment processing, invoicing, checkout
Location: Ireland (EU) + US
Transfer: SCCs + Stripe DPA; DPF where certified.
(4) Google Ireland Limited (Workspace / Gmail API)
Service: transactional email delivery, internal admin
Location: EU + US
Transfer: SCCs + Google Cloud DPA; DPF.
(5) Google LLC (reCAPTCHA v3)
Service: bot and abuse prevention on forms
Location: US
Transfer: SCCs; DPF.
(6) Redis Ltd (Redis Cloud)
Service: cache, session store, job queue
Location: [REDIS_REGION — confirm]
Transfer: SCCs if transfer.
(7) Hugging Face, Inc.
Service: distribution of open-source pretrained model
weights (download only)
Location: France + US
Transfer: No Customer Personal Data transferred
(weights download only).
(8) Functional Software, Inc. dba Sentry
Service: error monitoring, performance tracing
Location: US (primary)
Transfer: SCCs + Sentry DPA. PII scrubbing applied
at send-time.
(9) Nvidia Corporation
Service: firmware and SDK components embedded on
devices
Location: US (device-embedded)
Transfer: device-embedded only; limited telemetry
handled under SCCs where applicable.
(10) Trashify Tech OÜ — India Training Site
Service: AI training workloads executed on GPU
hardware under our control in India
Location: India (Gurugram / Haryana region)
Transfer: SCCs Module Two (controller to processor)
plus Transfer Impact Assessment; encryption
at rest and in transit; de-identification of
training data; exclusion of opted-out content.
(11) [SMTP_PROVIDER — confirm]
Service: transactional email fallback
Location: [REGION — confirm]
Transfer: SCCs if transfer.
We may add or replace Sub-processors under clause 8.3.
════════════════════════════════════════════════════════════════
ANNEX III — TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
════════════════════════════════════════════════════════════════
We maintain a security programme that includes, at a minimum,
the following measures.
(1) Governance
— documented security and privacy policies reviewed
annually;
— a named Privacy Contact (privacy@makrr.ai) with a
formal DPO to be appointed under clause 1 of the
Privacy Policy;
— employee confidentiality agreements and security
training at onboarding and annually;
— vendor-risk review before engaging Sub-processors.
(2) Access control
— role-based access control on the platform; principle
of least privilege;
— multi-factor authentication enforced for administrator
access;
— unique accounts — no shared credentials;
— timely revocation on role change or termination;
— audited admin access.
(3) Encryption
— TLS 1.2+ for data in transit;
— AES-256 (or equivalent) at rest for object storage;
— password hashing using a current industry-standard
algorithm (Werkzeug default);
— device-to-cloud mutual TLS with per-device certificates
and HMAC-signed API keys.
(4) Network and application security
— secure software-development lifecycle, code review,
dependency management;
— CSRF protection, strong session protection (HTTP-only,
secure, SameSite cookies, session-version invalidation
on password change);
— rate limiting and bot prevention (reCAPTCHA);
— vulnerability scanning and patch management on hosts;
— segregation of environments (development, staging,
production);
— DDoS / WAF protection at the edge layer.
(5) Data handling
— production data is not replicated into non-production
environments;
— data minimisation in logs (no content bodies);
— data-subject-request tooling to locate and export or
delete user records.
(6) Business continuity
— backups in the primary region, rolling retention up to
35 days;
— documented incident-response plan with on-call paging;
— RPO and RTO published on request for enterprise
Customers.
(7) Physical security
— hosting in ISO 27001–certified data centres (AWS);
— controlled physical access to the India training site;
equipment under lock, limited personnel access.
(8) Data-subject rights assistance
— tooling to export, rectify, restrict and delete
Customer Personal Data on the Controller's instructions;
— documented workflow for forwarding data-subject requests
to the Controller within three business days.
(9) Breach management
— documented breach-identification and assessment
workflow;
— notification to Controller within 72 hours of a
confirmed Personal Data Breach.
(10) Audit and monitoring
— centralised logging of admin and authentication events;
— retention of security logs for at least 12 months;
— annual internal review of security controls.
(11) India Training Site specific measures
— dedicated workstation under our physical control in a
locked, access-controlled location;
— full-disk encryption;
— site-to-site encrypted tunnel to EU infrastructure;
— named engineer(s) only; access logged and reviewed;
— training data de-identified before leaving the EU
where feasible;
— opted-out Customer data excluded from training sets.
We will update this Annex as our programme evolves, provided the
overall level of protection is not materially reduced.
────────────────────────────────────────────────────────────────
CONTACT
────────────────────────────────────────────────────────────────
Privacy Contact: privacy@makrr.ai
Legal: legal@makrr.ai
Postal: Trashify Tech OÜ, Gonsiori tn 29-3,
Kesklinna linnaosa, 10147 Tallinn, Estonia
════════════════════════════════════════════════════════════════
Version 1.0 · Effective 2026-04-17
════════════════════════════════════════════════════════════════