Data Processing Agreement

Last updated: June 15, 2026

Parties: Monarch LLC, a New York limited liability company ("Processor") and the Monarch Customer ("Controller").

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Processor and Controller, governing Processor's processing of Personal Data on Controller's behalf. It is published here and incorporated by reference into the Terms of Service for Customers whose data is subject to GDPR or UK GDPR. For self-serve tiers, no counter-signature is required; Enterprise customers whose privacy team requires a counter-signed version may request one at legal@flymonarch.ai.

1. Definitions

Terms not defined here have the meanings given in the Terms of Service or in GDPR Article 4. "GDPR" means Regulation (EU) 2016/679. "UK GDPR" means the United Kingdom's data protection regime under the Data Protection Act 2018. "Personal Data" means any data relating to an identified or identifiable person processed by Processor on Controller's behalf under the Terms of Service. "Subprocessor" means a third party engaged by Processor to process Personal Data on Controller's behalf. "Standard Contractual Clauses" or "SCCs" means the EU Commission's standard clauses (Module 2: Controller-to-Processor) for international data transfers.

2. Roles

For Personal Data submitted to or generated by the Service on Controller's behalf, Controller is the Data Controller and Processor is the Data Processor. For Personal Data Processor collects independently for its own purposes (for example billing, security, and aggregate analytics described in the Privacy Policy), Processor is the Data Controller.

3. Scope and instructions

Processor processes Personal Data only to provide the Service as described in the Terms of Service, on documented instructions from Controller (including those issued through Controller's configuration of the Service), and as required by applicable law (with notice to Controller where permitted). If Processor receives an instruction that it believes violates GDPR or UK GDPR, Processor will notify Controller without undue delay.

4. Confidentiality

Processor will ensure that personnel authorized to process Personal Data are under appropriate confidentiality obligations.

5. Security

Processor maintains the technical and organizational measures described in Annex II, including TLS encryption in transit and AES-256 encryption at rest, multi-tenant data isolation at the database layer, access controls and audit logging, subprocessor due diligence, and incident response procedures. Processor will update Annex II from time to time; updates will not materially weaken protections.

6. Subprocessors

Controller authorizes Processor to use the Subprocessors listed in Annex III. If Processor intends to add or replace a Subprocessor, Processor will notify Controller at least 30 days in advance via email to the Tenant Owner. Controller may object to a new Subprocessor on reasonable grounds within 14 days; if Processor and Controller cannot agree, Controller may terminate the affected portion of the Service with a pro-rata refund. Processor remains responsible for Subprocessors' compliance with this DPA.

7. Data subject rights

Processor will assist Controller in responding to data subject rights requests by providing the request surfaces in the Service. For requests Processor receives directly (for example via the Recipient request form at flymonarch.ai/privacy/request), Processor will route the request to affected Controller tenants.

8. Personal data breach

Processor will notify Controller without undue delay (and in any event within 72 hours of becoming aware) of a Personal Data Breach affecting Controller's data. Notice will include the nature of the breach, the categories and approximate volume of data subjects and records, the likely consequences, and the measures taken or proposed.

9. International transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the Standard Contractual Clauses (Module 2: Controller-to-Processor) by reference. The SCCs are deemed completed as follows: Clause 7 (Docking) applicable; Clause 9 (Subprocessors) Option 2 (general written authorization) with 30 days' prior notice; Clause 11 (Redress) independent dispute resolution body not required; Clause 17 (Governing law) Irish law; Clause 18 (Forum) Irish courts; Annex I completed in Annex I of this DPA; Annex II completed in Annex II of this DPA. For UK transfers, the parties incorporate the International Data Transfer Addendum to the EU Commission's SCCs (the "UK Addendum") issued under section 119A of the Data Protection Act 2018.

10. Audit

Processor will respond to reasonable audit requests with information sufficient to demonstrate compliance with this DPA. On-site audits are permitted with reasonable advance notice (30 days), limited to once per year per Controller (more frequently after a confirmed breach), and during normal business hours. Controller bears its own audit costs.

11. Return or deletion

On termination of the Terms of Service, Processor will delete or return Personal Data within the 30-day deletion window after Tenant deletion. Processor may retain Personal Data as required by law (for example audit logs and tax records).

12. Conflict

In the event of conflict between this DPA and the Terms of Service, this DPA prevails for the processing of Personal Data.

Annex I — Description of processing

Categories of data subjects: Controller's End Users (employees authorized by Controller), Recipients of Monarch-sent communications (business contacts Controller's End Users follow up with), and Visitors to flymonarch.ai (limited to data necessary for the Service).

Categories of personal data: identification (name, email, phone, title, company); authentication (password hash for Controller's End Users only, OAuth tokens); content (voice captures, transcripts, draft emails, sent emails, one-pagers); enrichment (business contact data returned by enrichment subprocessors); engagement (open, click, view, reply, bounce, complaint events); and audit (tenant administrative actions).

Sensitive or special categories of data: not knowingly collected. Controller will not submit Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification, health data, or data concerning sex life or sexual orientation unless explicitly agreed and configured for that purpose.

Frequency of transfer: continuous, on a per-capture basis. Nature of the processing: storage, transcription, enrichment, drafting, sending, CRM sync, and analytics necessary to deliver the Service. Purpose of the processing: delivering the Service to Controller as described in the Terms of Service. Duration: for the term of the Terms of Service plus the applicable deletion windows. Onward transfers to subprocessors: as listed in Annex III.

Annex II — Technical and organizational measures

  • Encryption: TLS 1.2+ in transit; AES-256 at rest for stored data.
  • Tenant isolation: every persisted record carries a tenant identifier; row-level filters enforce isolation.
  • Access control: role-based access in the Service; production access limited to authorized personnel with named approval.
  • Credentials: provider credentials stored only in Google Secret Manager; never in source.
  • Audit logging: administrative and send actions logged; 90-day retention beyond tenant deletion.
  • Backups: GCP-managed automated backups; restore tested.
  • Vulnerability management: continuous dependency scanning and security review.
  • Personnel: confidentiality obligations on all personnel with production access.
  • Incident response: documented process; breach notification within 72 hours per the section above.
  • Data residency: default region the United States (us-central1); Enterprise customers may request a specific region.
  • Physical security: inherits Google Cloud Platform's data center controls (SOC 1/2/3, ISO 27001).

Annex III — Subprocessor list

The current list of subprocessors processing Personal Data on Monarch's behalf. Material changes are notified per the Subprocessors section above.

  • Google Cloud Platform (Alphabet Inc.): hosting, Cloud SQL, Cloud Run, Cloud Storage, Pub/Sub, Secret Manager — United States (us-central1).
  • Google LLC (Gmail, Workspace): outbound email send via End User OAuth — per Google's regions.
  • Stripe, Inc.: billing and payment processing — US and EU.
  • Anthropic, PBC: draft generation — US.
  • Wispr Flow, Inc.: voice transcription — US.
  • Apollo.io: contact enrichment — US.
  • Hunter: email finder (enrichment fallback) — EU.
  • Clay (optional, if configured): async deep enrichment — US.
  • HubSpot, Inc.: CRM sync when the Customer connects HubSpot — US and EU.
  • Salesforce, Inc.: CRM sync when the Customer connects Salesforce — US, EU, and others.
  • PDF rendering (Gotenberg, self-hosted on Google Cloud Platform): one-pager PDF rendering — US. Operated by Monarch on Google Cloud; no separate third-party rendering provider.

Contact

DPA questions and counter-signature requests can be sent to legal@flymonarch.ai. Operator: Monarch LLC, 418 Broadway STE N, Albany, NY 12207.