1. Definitions
- Controller means the entity that determines the purposes and means of processing personal data — in engagements governed by this DPA, the customer ("Customer").
- Processor means the entity that processes personal data on behalf of a controller — PartnerMCP, acting on Customer's documented instructions.
- Personal Data means any information relating to an identified or identifiable natural person that PartnerMCP processes on Customer's behalf in connection with the services.
- Sub-processor means any third party engaged by PartnerMCP to process personal data on Customer's behalf.
- Data Protection Laws means the data protection and privacy legislation applicable to the processing under this DPA (which may include GDPR, CCPA/CPRA, or other laws depending on Customer's jurisdiction and data footprint).
2. Roles of the Parties
For engagements under this DPA, Customer is the controller of any personal data involved, and PartnerMCP is the processor, processing personal data only on Customer's documented instructions, the underlying MSA/Statement of Work, and this DPA.
- PartnerMCP does not sell personal data and does not process personal data for independent purposes unrelated to delivering the contracted services.
- Where an engagement's structure differs (for example, Customer itself acts as a processor for its own customers), the parties will document the applicable roles in the engagement-specific DPA.
3. Subject Matter and Duration of Processing
Subject matter: PartnerMCP's provision of AI-native implementation, integration, automation, and software-cost/license optimization services, which may require access to Customer's systems, data pipelines, connectors, and usage or license data.
Duration: processing continues for the term of the applicable MSA or Statement of Work, plus any additional period reasonably necessary to complete the return or deletion of personal data described in Section 9, or as otherwise required by applicable law.
4. Nature and Purpose of Processing
Nature: configuration, integration, testing, migration, monitoring, and optimization activities performed on or with Customer's systems and data as part of the agreed engagement scope, including AI-agent-assisted analysis of software license usage, system logs, and configuration data.
Purpose: solely to deliver the contracted services — for example, implementation and integration work, automation workflows, and license, renewal, or software-cost optimization analysis. Personal data is not processed for independent marketing, profiling, or resale purposes.
5. Categories of Personal Data and Data Subjects
Categories of personal data may include, depending on engagement scope:
- Business contact information (name, work email, phone number, job title)
- System user identifiers, account metadata, and access/permission records
- System and usage logs that may incidentally contain personal data
- Other personal data resident in Customer's systems that PartnerMCP must access to perform the services
Categories of data subjects may include Customer's employees, contractors, and authorized users of in-scope systems, and — where applicable — Customer's own customers or end users, to the extent their data resides in systems accessed under the engagement.
PartnerMCP does not seek and does not expect to process special categories of data (such as health or biometric data). Customer should flag any such data before an engagement begins so scope and safeguards can be adjusted accordingly.
6. Sub-processors
- PartnerMCP may engage sub-processors — for example, cloud infrastructure, AI model, and monitoring providers — to support delivery of the services.
- PartnerMCP maintains a current list of sub-processors and will make it available to Customer on request.
- PartnerMCP will provide advance notice before engaging a new sub-processor and will give Customer a reasonable opportunity to object on legitimate data-protection grounds.
- PartnerMCP remains responsible for ensuring its sub-processors are bound by data protection obligations materially equivalent to those in this DPA.
7. Security Measures
PartnerMCP maintains administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, disclosure, alteration, or destruction, proportionate to the nature and scope of the engagement. Measures may include:
- Encryption of data in transit and at rest
- Access controls and least-privilege provisioning for engagement systems
- Logging, monitoring, and credential/secrets management
- A documented incident-response process
PartnerMCP will notify Customer without undue delay upon becoming aware of a confirmed personal data breach affecting Customer's personal data, and will cooperate on investigation and remediation. See the Security page for further detail on PartnerMCP's broader security practices.
8. Assistance with Data Subject Requests
PartnerMCP will provide reasonable assistance to Customer in responding to verified data subject requests (for example, requests for access, correction, deletion, restriction, or portability) to the extent such requests relate to personal data processed under this DPA.
Because Customer is the controller, PartnerMCP will generally refer any data subject request it receives directly back to Customer, and will not respond to it substantively without Customer's instruction, unless required to do so by applicable law.
9. Audit Rights and General Provisions
- Customer may request information reasonably necessary to demonstrate PartnerMCP's compliance with this DPA, including responses to security questionnaires or summaries of relevant certifications or reports where available.
- Where reasonably necessary, and subject to confidentiality, advance notice, and reasonable limits on frequency and scope, Customer (or an independent auditor bound by confidentiality) may audit PartnerMCP's relevant policies and controls.
- On termination or expiration of the engagement, PartnerMCP will, at Customer's election, delete or return personal data processed under this DPA, except where retention is required by applicable law.
- This DPA supplements, and does not replace, the underlying MSA or Statement of Work. In the event of a conflict specifically regarding data processing terms, this DPA controls.
- This page is a general template and does not constitute legal advice. An engagement-specific, signed DPA should be executed via Contact before it is relied upon for compliance purposes.
PartnerMCP recommendations are designed to comply with applicable vendor terms, product limitations, security requirements, and customer agreements. Final licensing decisions should be validated against the relevant contract and vendor documentation.
Frequently asked questions
Is this DPA ready to sign as-is?
Is PartnerMCP a data controller or a data processor?
Does PartnerMCP use sub-processors?
What happens to our data after the engagement ends?
Related reading
Cost & Architecture Review
See what this looks like for your stack
Run the numbers on your own users, licenses, and workflows, or talk to a Forward Deployed Engineer about where the cost is actually coming from.