Data Processing Agreement
Last updated: April 7, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between DataMCP LLC ("DataMCP," "Processor," "we," "us," or "our") and you ("Customer," "Controller," or "you"). This DPA governs the processing of personal data that you provide to us or that we process on your behalf through the Service. DataMCP LLC is a Wyoming limited liability company located at 30 N Gould St Ste R, Sheridan, WY 82801.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by DataMCP on behalf of the Customer through the Service.
- "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
- "Sub-Processor" means any third party engaged by DataMCP to process Personal Data on behalf of the Customer.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Applicable Data Protection Law" means all applicable laws and regulations relating to the processing of Personal Data, including the GDPR, CCPA, and other relevant privacy legislation.
2. Scope and Roles
When you use the Service to connect your PostgreSQL databases and expose them via MCP links, you act as the Controller of any Personal Data contained in your databases. DataMCP acts as the Processor, processing such data only as necessary to provide the Service in accordance with your instructions and configuration. This DPA applies to all Personal Data processed by DataMCP on your behalf.
3. Customer Obligations
As the Controller, you are responsible for:
- Ensuring that you have a lawful basis for processing the Personal Data that you store in databases connected to the Service.
- Providing appropriate notice to Data Subjects about how their data may be processed through the Service, including exposure to AI tools via MCP links.
- Configuring appropriate access permissions and controls for your MCP links to limit data exposure.
- Responding to Data Subject requests (access, correction, deletion) related to data in your databases.
4. DataMCP Obligations
As the Processor, DataMCP shall:
- Process Personal Data only in accordance with your documented instructions and as necessary to provide the Service. We will not process Personal Data for any other purpose.
- Ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organizational security measures as described in Section 6 of this DPA.
- Notify you without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach affecting your data.
- Assist you, to the extent reasonably practicable, in responding to Data Subject requests and in meeting your obligations under Applicable Data Protection Law.
- Upon termination of the Service, delete or return all Personal Data processed on your behalf within 30 days, unless retention is required by applicable law.
5. Sub-Processors
You authorize DataMCP to engage the following Sub-Processors to assist in providing the Service:
- Supabase Inc.— Authentication services (Supabase Auth) and database hosting (Supabase PostgreSQL). Processes account data and stores encrypted connection credentials.
- Stripe Inc.— Payment processing. Processes billing information and payment card data.
- Render Services Inc.— Application and infrastructure hosting. Processes data as part of hosting the Service.
- PostHog Inc.— Product analytics. Processes anonymized usage data and behavioral analytics.
We will notify you before engaging any new Sub-Processor by updating this DPA. If you object to a new Sub-Processor, you may terminate the Service within 30 days of notification. DataMCP ensures that all Sub-Processors are bound by data processing obligations no less protective than those in this DPA.
6. Security Measures
DataMCP implements the following technical and organizational measures to protect Personal Data:
- Encryption at rest. Database connection credentials and other sensitive data are encrypted using AES-256-GCM.
- Encryption in transit. All data transmitted between your browser, our servers, and your databases is encrypted using TLS.
- Authentication. User authentication is managed through Supabase Auth, supporting email/password and third-party OAuth providers with optional multi-factor authentication.
- Access control. Role-based access control (owner, admin, member, viewer) restricts access to data within organizations. Per-table permissions control which database resources are exposed through MCP links.
- Audit logging. All MCP link interactions are logged with timestamps, query content, and client identification. Logs are retained according to your subscription plan (7 days for Free, 30 days for Pro, 365 days for Enterprise).
- Infrastructure security. The Service is hosted on Render with network-level security, automated deployments, and environment variable encryption.
- Database security. Application data is stored in Supabase PostgreSQL with encryption at rest, automated backups, and restricted network access.
7. Data Transfers
Personal Data may be transferred to and processed in the United States, where DataMCP and its Sub-Processors are located. For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland, DataMCP relies on the following mechanisms:
- Standard Contractual Clauses (SCCs) as approved by the European Commission.
- Any other lawful transfer mechanisms recognized under Applicable Data Protection Law.
Upon request, DataMCP will execute Standard Contractual Clauses with you to facilitate compliant data transfers.
8. Data Subject Rights
If DataMCP receives a request from a Data Subject seeking to exercise their rights (e.g., access, correction, deletion, portability) in relation to Personal Data that we process on your behalf, we will promptly notify you and will not respond to the request directly unless authorized by you. We will provide reasonable assistance to help you fulfill your obligations to respond to Data Subject requests.
9. Data Breach Notification
In the event of a Personal Data breach, DataMCP will:
- Notify you without undue delay, and in any event within 72 hours of becoming aware of the breach, via the email address associated with your account.
- Provide information about the nature of the breach, the categories and approximate number of affected records, the likely consequences, and the measures taken or proposed to address the breach.
- Cooperate with you and take reasonable steps to mitigate the effects of the breach and prevent future incidents.
10. Audits and Compliance
DataMCP will make available to you, upon reasonable request, information necessary to demonstrate compliance with this DPA. You may conduct an audit of DataMCP's data processing practices, subject to reasonable notice (at least 30 days) and scope limitations to protect confidential information and the security of other customers. Audits shall be conducted at your expense and no more than once per year unless required by a regulatory authority.
11. Data Retention and Deletion
DataMCP retains Personal Data processed on your behalf only for as long as necessary to provide the Service. Upon termination of your account:
- Your database connection credentials will be securely deleted within 30 days.
- Activity logs will be deleted according to your plan's retention schedule or within 30 days of account closure, whichever comes first.
- Account data will be removed within 30 days, except where retention is required by applicable law (e.g., financial records for tax compliance).
12. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the State of Wyoming, United States, without regard to its conflict of law provisions. For customers located in the EEA, this DPA is also subject to the applicable provisions of the GDPR. Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms of Service.
13. Term and Termination
This DPA remains in effect for the duration of the Terms of Service. The obligations in this DPA related to data security, confidentiality, and data deletion shall survive termination of the Terms of Service.
14. Contact Us
If you have questions about this Data Processing Agreement, please contact us at:
DataMCP LLC
30 N Gould St Ste R
Sheridan, WY 82801
Email: support@datamcp.app