MarsProxies Data Processing Agreement
(Last updated January 2026 | Version 2.0)
This Data Processing Agreement (“Data Processing Agreement” or “DPA”) is entered into by and between:
(1) MarsProxies (Comet Tech Inc.), acting as the Data Processor (the “Data Processor” or the “Processor”); and
(2) The natural or legal person that enters into this DPA as the Data Controller (“Data Controller”, or the “Controller”).
The Data Processor and the Data Controller are individually referred to as a “Party” and collectively as the “Parties.”
Recitals
The Data Processor provides proxy infrastructure and related data solutions, including IP addresses that enable the Data Controller to connect to the internet and access proxy management services (the “Services”).
The Data Controller wishes to obtain and use the Services under the MarsProxies Terms of Service (the “Agreement”), of which this Data Processing Agreement forms a part.
In performing the Services, the Data Processor will process Personal Data on behalf of and for the benefit of the Data Controller.
In light of the above, the Parties agree as follows:
1. DEFINITIONS
For the purposes of this DPA (including its annexes), the following capitalised terms shall have the meanings set out below:
Data Protection Laws – all privacy, data-protection, and information-security laws and regulations applicable to the processing of Personal Data under this DPA, including, for example, Law No. 81 of 2019 of the Republic of Panama, also known as the Panama Personal Data Protection Law (PPDPL), and the General Data Protection Regulation (EU) 2016/679 (GDPR), as each may be amended or replaced from time to time.
Data Controller – the natural or legal person that enters into the Agreement, determines the purposes and means of the processing of Personal Data, and has accepted this DPA.
Data Processor – MarsProxies (Comet Tech Inc.), which processes Personal Data on behalf of the Data Controller under this DPA.
Personal Data – any information relating to an identified or identifiable natural person.
Personal Data Breach – any accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to Personal Data transmitted, stored, or otherwise processed.
Sub-processor – any third-party subcontractor engaged by the Data Processor which, as part of its role in delivering the Services, processes Personal Data on behalf of the Data Controller.
Services – proxy infrastructure and related data solutions, including IP addresses that enable the Data Controller (and/or its end users, as applicable) to connect to the internet and access proxy management services, all of which are accessible via https://marsproxies.com.
Terms not defined in this DPA shall have the meanings given in the Agreement.
2. ROLES AND RESPONSIBILITIES
2.1 Each Party shall fulfil its respective obligations under the Data Protection Laws.
2.2 The Data Controller represents and warrants that it has provided all required privacy notices and obtained all necessary consents and rights to enable the lawful processing of Personal Data by the Data Processor under this DPA and the Agreement.
2.3 The Data Processor shall process Personal Data only on documented instructions from the Data Controller, unless required to do so by the Data Protection Laws.
The Data Processor will inform the Data Controller if it reasonably believes an instruction violates the Data Protection Laws, but is not responsible for assessing the overall legality of the Controller’s instructions.
2.4 The Data Controller is solely responsible for:
(i) the accuracy, quality, and legality of Personal Data and the means by which it was obtained;
(ii) ensuring all necessary transparency, lawfulness, and consent requirements are met;
(iii) ensuring its instructions are lawful; and
(iv) notifying the Data Processor promptly if it cannot comply with its obligations under this DPA.
2.5 The Data Processor shall refrain from knowingly taking any action that would cause the Data Controller to violate the Data Protection Laws.
3. SCOPE OF PROCESSING AND SUB-PROCESSORS
3.1 Processing scope
Subject Matter – Provision of the Services by the Data Processor to the Data Controller.
Purpose and Nature – Processing Personal Data solely to perform the Services, in accordance with the Agreement.
Categories of Data Subjects – Individuals whose Personal Data is processed by the Data Controller through the Services.
Categories of Personal Data – Personal Data relating to such individuals that the Controller provides or otherwise makes available through the Services.
Duration of Processing – For as long as the Data Controller uses the Services, unless otherwise required by law.
3.2 The Data Processor is authorised to engage Sub-processors to perform processing on its behalf.
The Data Processor shall:
(i) ensure each Sub-processor is bound by written terms providing at least the same level of protection for Personal Data as set out in this DPA;
(ii) remain fully liable for the acts and omissions of its Sub-processors; and
(iii) maintain an up-to-date list of authorised Sub-processors set out in Annex I.
3.3 By entering into this Data Processing Agreement and by starting to use the Services, the Data Controller acknowledges that it has familiarised itself with the Sub-processor list set out in Annex I and hereby authorizes the engagement of those Sub-processors. The Data Controller also grants a general authorisation for the engagement of any future Sub-processors that the Data Processor may appoint for the same or substantially similar processing purposes. The Data Processor maintains an up-to-date list of authorised Sub-processors in Annex I, which may be updated from time to time without individual notice to the Data Controller. The current list will be made available upon request, and the Data Controller may, on reasonable grounds relating to the protection of Personal Data, raise a reasoned written objection to any new Sub-processor by contacting [email protected].
In the event of a valid objection, the Data Processor will use reasonable efforts to make available a commercially reasonable change in the Services to avoid processing of Personal Data by the objected-to Sub-processor. If the Data Processor is unable to make such change within thirty (30) days, the Data Controller may, as its sole and exclusive remedy, terminate the affected Services, provided that partial provision of the Services is feasible both technically and organisationally. If partial provision is not feasible, the Data Controller may terminate the Agreement and this Data Processing Agreement in full. In such a case, all fees due before the termination date shall remain payable and any fees already paid shall be non-refundable, in each case to the maximum extent permitted by law. The Data Controller shall have no further claims against the Data Processor arising from (i) the past use of authorised Sub-processors prior to the date of objection, or (ii) termination of the affected Services in accordance with this Section. The Parties shall in good faith discuss potential alternatives prior to termination.
4. ASSISTANCE AND COOPERATION
4.1 Taking into account the nature of processing and the information available, the Data Processor shall assist the Controller in:
(i) responding to data subject requests;
(ii) performing data protection impact assessments or prior consultations; and
(iii) implementing security and breach-notification measures.
4.2 If any data subject or authority contacts the Data Processor directly regarding the processing of Personal Data, the Data Processor shall promptly forward such request to the Data Controller.
4.3 The Controller may verify compliance by requesting reasonable documentation or, subject to prior written notice, by conducting an audit no more than once per twelve (12) months, unless required by a competent supervisory authority. Audits must occur during business hours, avoid undue disruption, and the Controller shall bear all related costs.
5. LIABILITY AND COSTS
5.1 The Data Processor’s aggregate liability arising under or in connection with this Data Processing Agreement shall be limited as provided in the Agreement, except to the extent such limitation is not permitted under applicable Data Protection Laws. This Data Processing Agreement does not alter the allocation of liability between the Parties as set out in the Agreement.
5.2 The Data Processor shall be entitled to reimbursement of reasonable expenses, costs, and fees incurred due to:
(i) unfounded, excessive, repetitive, or disproportionate cooperation requests; or
(ii) inaccurate, incomplete, or unlawful instructions from the Controller.
6. DATA SECURITY AND CONFIDENTIALITY
6.1 The Data Processor shall implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorised access or disclosure, taking into account the state of the art, the costs of implementation, and the nature, scope and purposes of processing, as well as the risks to data subjects.
6.2 Access to Personal Data shall be limited to authorised employees or contractors who require it for performance of their duties, each bound by confidentiality obligations no less protective than those in this DPA.
6.3 The Data Processor shall not disclose Personal Data to third parties except (i) to authorised Sub-processors; or (ii) as required by law, in which case the Data Processor shall, where lawful, notify the Data Controller in advance.
6.4 The Data Processor shall notify the Data Controller without undue delay upon becoming aware of a Personal Data Breach, providing sufficient information to assist the Controller in complying with its obligations under the Data Protection Laws.
7. TERM AND TERMINATION
7.1 This Data Processing Agreement shall enter into force and become legally binding upon the Data Controller’s acceptance of the Agreement or its use of the Services, whichever occurs first.
7.2 This Data Processing Agreement shall remain in effect for as long as the Data Processor processes Personal Data on behalf of the Data Controller under the Agreement, and in any event for the duration of the Services provided to the Data Controller, or as otherwise required under the Data Protection Laws.
7.3 Upon termination or expiry of the Services, the Data Processor shall, at the Data Controller’s choice, delete or return all Personal Data and ensure that Sub-processors do the same, unless retention is required by law or required for the establishment, exercise, or defence of legal claims.
7.4 This Data Processing Agreement forms an integral part of the Agreement. Any matter not expressly governed by this Data Processing Agreement shall be governed by the Agreement. In the event of any conflict or contradiction between the terms of this DPA and the Agreement, the provisions of this DPA shall prevail.
ANNEX I – List of Authorised Sub-Processors
(as of December 2025)
iDenfy UAB – Identity verification – Lithuania / EU
Intuition Machines Inc. (hCaptcha) – Fraud prevention – United States
Intercom Inc. – Live chat support – United States
Discord Inc.; Discord Netherlands B.V. – Customer communication – Global (US/EU)
Twilio Inc. – Messaging platform – United States
Microsoft Corporation (Clarity) – App analytics – United States
UXIFY LTD – Analytics – Bulgaria / EU
Designmodo Inc. – Website analytics – United States
Google LLC (Firebase and Google Play Store) – Analytics – Global (US/EU)
APPLE INC. (App Store Connect) – Analytics – Global (US/EU)
Usercentrics A/S (Cookiebot) – Cookie consent – Denmark / EU
Trustpilot A/S – Reviews – Denmark / EU
Meta Platforms Inc. – Marketing & analytics – United States
Google LLC – Analytics & ads – Global (US/EU)
Impact Tech Inc. – Affiliate network – United States
Iterable Inc. – Marketing automation – United States
LinkedIn Corp. – Analytics – United States
X Corporation – Marketing – United States
APPLE INC. (App Store Connect) – Marketing & analytics – Global (US/EU)
Bitlocus LT UAB – Payment processing – Lithuania / EU
Decentralized UAB (CoinGate) – Crypto gateway – Lithuania / EU
Paddle.com Market Ltd. – Billing – United Kingdom
Stripe, Inc. – Payment processing – United States
Airwallex (Hong Kong) Limited (AliPay) – Payment processing – Hong Kong / China
ANNEX II – Standard Contractual Clauses and European Transfers
EEA Transfers
Where the Data Processor processes Personal Data subject to the GDPR and such data is transferred to a third country outside the EEA that does not ensure an adequate level of protection, the Parties agree that the transfer shall be governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission under Decision (EU) 2021/914, Module Two (Controller to Processor), which are incorporated by reference into this DPA and form an integral part of it.
For the purposes of the SCCs:
- The Data Controller is the data exporter;
- The Data Processor is the data importer;
- Clause 7 (Docking Clause) applies;
- Clause 9 (Use of Sub-processors): Option 2 (General Authorisation) applies;
- Clause 11 (Redress): the optional language is deleted;
- Clause 17 (Governing Law): the Parties agree that the governing law shall be the law of Lithuania; and
- Clause 18 (Forum and Jurisdiction): disputes shall be resolved before the courts of Lithuania.
The Parties agree that Section 3.1 of this DPA provides the information required for Annex I of the SCCs, and Section 6 of this DPA provides the information required for Annex II of the SCCs. These Sections are hereby incorporated into the SCCs by reference. In the event of a conflict between these incorporated Sections and the SCCs, the SCCs shall prevail.
UK Transfers
Where Personal Data subject to the UK GDPR is transferred to a third country, the International Data Transfer Addendum to the EU SCCs (version B.1.0, issued by the UK Information Commissioner’s Office) (“UK Addendum”) shall apply and is hereby incorporated by reference.
- In the UK Addendum:
  - Table 1 (Parties): completed with the information from this DPA;
  - Table 2 (Selected SCCs): the SCCs as incorporated above;
  - Table 3 (Annexes): completed with Section 3.1 and Section 6 of this DPA; and
  - Table 4: “neither party” is selected for the option on amendments.
- Any conflicts between the SCCs and the UK Addendum shall be resolved in accordance with Sections 10 and 11 of the UK Addendum.
ANNEX III – CCPA/CPRA Addendum
1. Scope and Applicability
1.1 This Addendum applies where the Data Processor acts as a “Service Provider,” and the Data Controller acts as a “Business,” as those terms are defined in the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (together, the “CCPA”).
1.2 This Addendum governs the collection, retention, use, and disclosure of Personal Information by the Data Processor solely for the purpose of providing the Services to the Data Controller under the Agreement or for performing a Business purpose as defined in the CCPA.
1.3 The Data Processor’s collection, retention, use, or disclosure of Personal Information for its own independent purposes outside the scope of providing the Services is prohibited and outside the scope of this Addendum.
2. Restrictions on Processing
2.1 The Data Processor shall not:
(a) sell or share Personal Information;
(b) retain, use, or disclose Personal Information for any purpose other than the specific Business purpose of performing the Services as described in the Agreement and this DPA, or as otherwise permitted by the CCPA;
(c) retain, use, or disclose Personal Information outside the direct business relationship between the Parties; or
(d) combine Personal Information received from the Data Controller with Personal Information obtained from another source, except as expressly permitted by the CCPA and the regulations adopted thereunder.
2.2 The Parties acknowledge and agree that any exchange of Personal Information between them is solely for the purpose of providing the Services and does not constitute monetary or other valuable consideration for purposes of the CCPA.
2.3 The Data Processor shall comply with all applicable obligations under the CCPA and shall notify the Data Controller without undue delay if, in its opinion, it can no longer meet such obligations, unless such notice is prohibited by the Data Protection Laws. Upon receiving such notice, the Data Controller may take reasonable and appropriate steps to stop and remediate any unauthorised use of Personal Information by the Data Processor.
3. Consumer Rights Assistance
3.1 If the Data Processor directly or indirectly receives a request from a Consumer to exercise a right under the CCPA in relation to that Consumer’s Personal Information, the Data Processor shall promptly forward the request to the Data Controller.
3.2 The Data Processor shall provide reasonable assistance to the Data Controller in facilitating compliance with verified Consumer rights requests under the CCPA, including access, deletion, correction, and opt-out requests, to the extent such assistance relates to the Services.
3.3 Upon the Data Controller’s written instruction and within a commercially reasonable time, the Data Processor shall delete Personal Information, to the extent required under the CCPA and to the extent applicable to it as a Service Provider, unless retention is required by the Data Protection Laws or other applicable laws, or is necessary to detect security incidents, protect against fraudulent or illegal activity, or otherwise permitted under the CCPA.
4. Verification and Audits
4.1 Upon reasonable written request, the Data Processor shall make available to the Data Controller information necessary to demonstrate compliance with this Addendum.
4.2 Alternatively, the Data Processor may provide a written certification confirming that it understands and complies with its obligations under the CCPA to the extent applicable to it as a Service Provider, no more than once in any twelve (12) month period, unless required by law.
5. Miscellaneous
5.1 This Addendum supplements and forms an integral part of the DPA. In the event of a conflict between this Addendum and the DPA or the Agreement, this Addendum shall prevail with respect to the processing of Personal Information subject to the CCPA.
5.2 Capitalised terms not otherwise defined in this Addendum shall have the meanings given to them in the CCPA or in the DPA.

