grigoriev.co.il

Data Processing Addendum (DPA)

Last updated: May 8, 2026.

This Addendum governs the processing of personal data (PII) by Marketing Engineering Studio (hereafter — the “Processor,” the “Studio”) in providing services to the Client (hereafter — the “Controller”). It supplements the Terms of Service and applies automatically to all engagements where the Studio processes Client PII or PII of the Client’s customers.

1. Parties and roles

  • Data Controller — the Client ordering Studio services
  • Data Processor — Dmitry Grigoriev / Marketing Engineering Studio
  • Sub-processors — third parties listed in Annex A

2. Data categories

The Studio may process the following PII categories:

2.1. PII of Client’s customers

  • Names, emails, phone numbers
  • Communication history (WhatsApp, voice calls, forms)
  • Behavioral data (clicks, page views, conversions) via GA4/GTM
  • Attribution data (gclid, fbclid, utm)
  • AI agent dialog records on Takli (if applicable)

2.2. Client’s internal data

  • GSC / GA4 / Google Ads / Meta Ads access tokens
  • Business metrics (revenue, CPA, ROAS)
  • Customer lists for targeting (via Customer Match)

2.3. Categories NOT processed

  • Health data (special categories per GDPR Art. 9)
  • Biometrics
  • Minors’ data (the Studio does not target audiences under 16)

3. Processing purposes

PII is processed only to provide the services specified in the signed Service Order:

  • Audit / implementation work
  • Performance marketing operations
  • Customer support / quality monitoring
  • Reporting to Client

4. Technical security measures

In accordance with the Israeli Privacy Protection Regulations (Information Security), 2017:

4.1. Encryption

  • In transit: TLS 1.3 for all connections
  • At rest: AES-256 for the D1 database and S3-equivalent object storage
  • Backups: encrypted

4.2. Access Control

  • Principle of least privilege — only Dmitry has access to production data
  • MFA required on all admin accounts (Cloudflare, Google Workspace, Anthropic, OpenAI)
  • Session timeout — 8 hours maximum
  • No shared accounts — each sub-processor is accessed through its own, separate account

4.3. Logging

  • All access events logged in Cloudflare Logs
  • Retention: 90 days for access logs, 1 year for security events
  • Logs immutable (write-once)

4.4. Isolation

  • Tenant isolation on Takli platform — Client A doesn’t see Client B’s data
  • API key separation — each Client has its own Google Ads MCC link

5. Sub-processors (Annex A)

The Studio uses the following sub-processors. Each has a DPA in place with the Studio:

Sub-processor      Role                                         Location    DPA link
Cloudflare, Inc.   Hosting, CDN, D1 database, Workers           US/EU/IL    link
Google LLC         GA4, GTM, Google Ads (after opt-in)          US/EU       link
Resend, Inc.       Transactional email                          US          link
Anthropic PBC      LLM (Claude) for AI bots on Takli            US          link
OpenAI, L.L.C.     LLM (GPT-4) fallback                         US          link
Twilio Inc.        Voice gateway (if used)                      US          link
Voicenter Ltd.     Israeli telco partner for voice (optional)   IL          on request

Changes to the sub-processor list: the Client is notified 30 days before a new sub-processor is added and has the right to object (an objection may result in termination of the contract).

6. Cross-border transfers

When transferring data outside Israel or the EEA, the Studio ensures compliance via:

  • Standard Contractual Clauses (SCC) for US-located processors
  • Adequacy decisions where applicable (UK, Switzerland)

7. Sub-processor Anthropic / OpenAI — special handling

When processing AI bot dialogs on Takli:

  • PII redaction server-side before sending to LLM provider (names → [NAME], emails → [EMAIL], phones → [PHONE], financial figures → [AMOUNT])
  • Zero data retention agreement with Anthropic (data not used for model training)
  • EU/IL data residency where available
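The redaction step above is the one technical control in this Addendum that a reviewer can test. The following is an added illustration of how such a server-side pass can be built; it is not the Studio's or Takli's code. It assumes (as a constructed example) that the list of customer names comes from the CRM record the conversation was opened for, since names cannot be found by a generic pattern, and that only currency-marked figures count as financial. Rule order matters: e-mail addresses are removed before names (an address can embed a name) and phone numbers before amounts (a bare digit run must not be read as a figure). The function returns counts per placeholder so an audit log can record what was removed without storing the values.

```python
import re
from collections import Counter

# Rules in the order they must run. Each maps to the placeholder named in the DPA.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Israeli landline/mobile in local or +972 form: 03-1234567, 050-123-4567, +972 50 123 4567
PHONE_RE = re.compile(
    r"(?<!\w)(?:\+972[-\s]?|0)(?:[23489]|5\d|7\d)[-\s]?\d{3}[-\s]?\d{4}(?!\w)"
)
# Only currency-marked figures are treated as financial: ₪1,200  $40  20.50 EUR  300 NIS
AMOUNT_RE = re.compile(
    r"(?:[₪$€£]\s?\d+(?:,\d{3})*(?:\.\d{1,2})?"
    r"|\d+(?:,\d{3})*(?:\.\d{1,2})?\s?(?:ILS|NIS|USD|EUR|GBP)\b)"
)


def name_pattern(known_names):
    """Build a whole-word, case-insensitive pattern from the names tied to this
    conversation (assumption: supplied by the caller from the customer record).
    Full names are tried before single parts so 'Yael Cohen' is one match."""
    parts = set()
    for full in known_names:
        parts.add(full)
        parts.update(p for p in full.split() if len(p) >= 3)
    alts = sorted(parts, key=len, reverse=True)
    return re.compile(r"\b(?:" + "|".join(map(re.escape, alts)) + r")\b", re.IGNORECASE)


def redact(text, known_names=()):
    """Return (redacted_text, counts). counts records how many values of each
    category were removed; the values themselves are never returned or logged."""
    counts = Counter()
    rules = [("EMAIL", EMAIL_RE), ("PHONE", PHONE_RE), ("AMOUNT", AMOUNT_RE)]
    if known_names:  # an empty alternation would match everywhere, so skip it
        rules.append(("NAME", name_pattern(known_names)))
    for label, rx in rules:
        text, n = rx.subn(f"[{label}]", text)
        counts[label] += n
    return text, dict(counts)


# Constructed sample turn, not a real dialog record.
SAMPLE_TURN = (
    "Hi, this is Yael Cohen, my email is yael.cohen@example.com, "
    "call me at 050-123-4567. I paid ₪1,200 yesterday and was charged $40 twice."
)
SAMPLE_NAMES = ["Yael Cohen"]  # assumed to come from the CRM record for this session


def demo():
    return redact(SAMPLE_TURN, SAMPLE_NAMES)


if __name__ == "__main__":
    redacted, counts = demo()
    print(redacted)
    print(counts)
```

Because the placeholders are flat, as the Addendum describes them, the pass is one-way: the bot's reply cannot be re-populated with the original values. Numbered placeholders (for example [NAME_1]) and a per-session lookup table would be required for reversible pseudonymization, and that table would itself be PII that must stay on the Studio's side of the LLM boundary.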

For medical and financial clients — separate enhanced DPA with additional safeguards (HIPAA-style, not “HIPAA-compliant,” since HIPAA is US-specific).

8. Data subject rights

If a data subject contacts the Studio directly (in its role as Processor), the Studio:

  1. Identifies the subject via Controller (Client)
  2. Forwards the request to Controller within 5 business days
  3. Executes Controller’s instructions on the request

9. Data breach notification

In the event of a personal data breach, the Studio:

  1. Notifies Controller within 24 hours of discovery
  2. Provides available info (affected data, possible impact, mitigation steps)
  3. Cooperates with Controller in fulfilling PPL Amendment 13 / GDPR notification requirements

10. Audit rights

Controller has the right to conduct (or hire an independent auditor to conduct) an audit of the Studio once per 12 months. Audit costs borne by Controller, except when the audit reveals material non-compliance by the Studio.

11. Data return and deletion

Upon termination of the engagement, the Studio, at the Controller’s choice, either:

  • Returns all PII in machine-readable format
  • Deletes all copies (including backups) within 30 days

Confirmation of deletion — written certificate of deletion.

12. Term

This DPA enters into force simultaneously with the first Service Order signed between the Studio and the Client and remains in force for the duration of all engagements and the retention periods set out in the Privacy Policy.

13. Contact

Studio DPO: [email protected] (subject “DPA Inquiry”).

See also: Privacy Policy, Terms of Service.