Data Processing Agreement

Effective date: April 19, 2026

How Mora processes personal data on behalf of customers, including the GDPR-aligned subprocessor list and standard contractual clauses.

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Respired.io, Corp. doing business as Mora ("Mora," "we," "us," "our") (the "Processor") and the customer ("Customer," "you") (the "Controller"), collectively the "Parties."

This DPA reflects the Parties' agreement with regard to the processing of Personal Data by Mora on behalf of the Customer, in accordance with the requirements of applicable data protection laws including the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection, and US state privacy laws including the CCPA/CPRA, VCDPA, CPA, CTDPA, and UCPA (together, "Data Protection Laws").

1. Definitions

Capitalized terms not defined here have the meaning given in the Terms of Service or in the GDPR.

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by Mora on behalf of Customer.
  • "Data Subject" means the natural person to whom Personal Data relates.
  • "Subprocessor" means a third party engaged by Mora to process Personal Data on behalf of Customer.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries, adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

2. Roles and scope of processing

For the purposes of this DPA, Customer is the Controller and Mora is the Processor of Personal Data submitted to the Services by or on behalf of Customer ("Customer Data").

Subject matter: Mora's provision of the Services as described in the Terms of Service.

Duration: The term of the Customer's subscription plus any retention period required by law or described in the Privacy Policy.

Nature and purpose of processing: To deliver, maintain, secure, and improve the Services; to provide support; and to comply with applicable law.

Categories of Data Subjects: Customer's authorized users (e.g. team members), and end-users whose data is uploaded or surfaced through Customer's connected platforms (Shopify customers' first-name/email when used in personalized content, social media followers' public-profile metadata, etc.).

Types of Personal Data: Names, email addresses, account credentials (hashed), profile photos, brand assets uploaded by Customer, posting permissions for connected accounts, IP addresses, device identifiers, usage telemetry.

Special categories of Personal Data: None expected. Customer agrees not to upload special categories of Personal Data (Article 9 GDPR) without our prior written consent.

3. Mora's obligations

Mora shall:

a. Process Personal Data only on Customer's documented instructions, including with regard to transfers to a third country or international organization, unless required to do so by law (in which case Mora shall inform Customer of that legal requirement before processing, unless that law prohibits such notification).

b. Ensure that personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

c. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as set out in the Security Policy and in Annex II below.

d. Engage Subprocessors only in accordance with Section 5 below.

e. Assist Customer, taking into account the nature of the processing, by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligation to respond to Data Subjects' requests under Data Protection Laws.

f. Assist Customer in ensuring compliance with the obligations pursuant to Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation), taking into account the nature of processing and the information available to Mora.

g. Make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer (subject to reasonable confidentiality and security restrictions).

h. At Customer's choice, delete or return all Personal Data after the end of the provision of services relating to processing, and delete existing copies, unless applicable law requires storage of the Personal Data.

4. Customer's obligations

Customer represents and warrants that:

a. It has obtained any necessary consents and provided any necessary notices to Data Subjects to enable the lawful processing of Personal Data by Mora as contemplated by this DPA.

b. Its use of the Services complies with applicable Data Protection Laws.

c. The instructions given to Mora regarding the processing of Personal Data comply with applicable Data Protection Laws.

5. Subprocessors

Customer authorizes Mora to engage Subprocessors as listed in Annex III below. Mora shall:

a. Maintain an up-to-date list of Subprocessors and notify Customer of intended changes (additions or replacements) at least 30 days in advance, giving Customer the opportunity to object to such changes on reasonable, documented data-protection grounds. If Customer objects, Mora and Customer will discuss the objection in good faith. If no resolution is reached, Customer may terminate the affected portion of the Services as Customer's sole remedy.

b. Impose data-protection obligations on each Subprocessor that are no less protective than those set out in this DPA.

c. Remain fully liable to Customer for the performance of each Subprocessor's obligations.

6. Cross-border data transfers

Where Personal Data of EEA, UK, or Swiss Data Subjects is transferred to a country not deemed adequate by the European Commission (or equivalent UK/Swiss authority), the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) are hereby incorporated by reference and shall apply, with the UK International Data Transfer Addendum and the Swiss Addendum as applicable. The Parties agree:

  • For Annex I.A of the SCCs: Customer is the data exporter, Mora is the data importer; contact details as in the underlying agreement.
  • For Annex I.B: as described in Section 2 above.
  • For Annex I.C: the Irish Data Protection Commission shall be the competent supervisory authority unless Customer's establishment requires another EEA authority.
  • For Annex II: as described in our Security Policy and Annex II below.
  • For Annex III: the Subprocessor list at Annex III below.

7. Personal data breach

Mora shall notify Customer without undue delay (and in any event within 72 hours of becoming aware) of a Personal Data Breach affecting Customer Data. Mora's notification will include, to the extent then known: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.

8. Liability

Each Party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Terms of Service.

9. Term and termination

This DPA is effective from the effective date above and remains in force as long as Mora processes Personal Data on behalf of Customer.

10. Conflict

In the event of a conflict between the Terms of Service and this DPA with respect to Mora's processing of Personal Data, this DPA prevails.


Annex I — Description of processing

As set out in Section 2 above.

Annex II — Technical and organizational measures

See our Security Policy for the current technical and organizational security measures, including:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256 via cloud provider managed keys).
  • Logical access controls based on least-privilege; multi-factor authentication for production access.
  • Network segmentation and managed firewalls at the cloud-provider layer.
  • Routine vulnerability scanning, dependency-update policy, and code-review requirements before deployment.
  • Logging, monitoring, and alerting for security events.
  • Backup of production databases with point-in-time recovery.
  • Incident response procedures with documented breach-notification protocols.
  • Regular employee training on data protection and security.

Annex III — Subprocessor list

| Subprocessor | Purpose | Location of processing | Transfer mechanism |
|--------------|---------|------------------------|---------------------|
| Vercel, Inc. | Hosting (Fluid Compute, edge), CDN, deployment platform | United States (multi-region edge) | SCCs (Module 2) where applicable |
| Supabase, Inc. | Database (Postgres), authentication, storage | United States (us-east-1 by default) | SCCs (Module 2) |
| Stripe, Inc. | Payment processing | United States | SCCs (Module 2); Stripe is a separate Controller for fraud-prevention purposes |
| Anthropic, PBC | AI inference (Claude models) for content generation | United States | SCCs (Module 2); zero-data-retention via API |
| OpenAI, L.L.C. | AI inference for select features | United States | SCCs (Module 2); zero-data-retention via API |
| Google LLC (Vertex AI / Gemini API) | AI inference for select features | United States / EU (depending on region) | SCCs (Module 2) |
| Sentry (Functional Software, Inc.) | Error and performance monitoring | United States | SCCs (Module 2); PII scrubbing enabled |
| Sanity.io (Sanity AS) | Marketing-site CMS (content authoring) — not used for Customer Data | Norway / EU | Adequacy (EU/EEA) |
| Resend (Drip Labs, Inc.) | Transactional email delivery | United States | SCCs (Module 2) |
| Google LLC (Google Analytics 4) | Aggregate marketing-site analytics — not used for app data | United States | SCCs (Module 2); IP anonymization on, no advertising features |

This list reflects the Subprocessors current as of the effective date of this DPA. The current list, including any additions or replacements, will be maintained at this URL. Customer may subscribe to subprocessor-change notifications by emailing hello@mora-marketer.com.

Contact

For questions or to invoke any rights under this DPA, contact hello@mora-marketer.com with "DPA Request" in the subject line.