Data Processing Addendum
Last updated: March 18, 2026
This Data Processing Addendum ("DPA") supplements and forms part of the Terms of Use (the "Terms") entered into by and between Tabula LLC, doing business as Marcel ("Marcel," "Processor," "we," "us," or "our"), and you ("Customer," "Controller," or "you"), and governs the processing of Personal Data by Marcel on behalf of Customer in connection with the Platform and Services.
In the event of a conflict between this DPA and the Terms, this DPA shall prevail to the extent of such conflict with respect to data processing matters.
A.1 Scope and Roles
A.1.1 This DPA applies where and to the extent Marcel processes Personal Data on behalf of Customer in the role of Processor (or, where applicable under Data Protection Laws, "Service Provider") and Customer acts as the Controller with respect to such Personal Data.
A.1.2 This DPA does not apply to Personal Data that Marcel processes as a Controller in its own right (e.g., Account registration information, billing data, support communications, and usage analytics not processed on behalf of Customer), which is governed by the Privacy Policy.
A.1.3 For clarity, when Customer uploads, stores, or transmits through the Platform Personal Data relating to third parties (including collectors, clients, artists, consignees, transferees, or other individuals), Customer is the Controller with respect to such data and Marcel acts as the Processor.
A.2 Definitions
Capitalized terms not defined in this DPA have the meanings ascribed to them in the Terms. In addition:
"Applicable Data Protection Laws" or "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including: (i) Regulation (EU) 2016/679 of the European Parliament and of the Council (the "EU GDPR"); (ii) the EU GDPR as incorporated into United Kingdom law by virtue of section 3 of the United Kingdom European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the Swiss Federal Act on Data Protection ("FADP"); (v) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CCPA"); and (vi) any other applicable data protection or privacy legislation in the jurisdictions in which Customer or Marcel operate, as each may be amended or superseded from time to time.
"Controller" means the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
"Data Subject" means an identified or identifiable natural person to whom the Personal Data relates.
"EU SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679.
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Marcel on behalf of Customer through the Platform, including but not limited to names, contact information, identity verification documents, and any information contained in Artwork Records that identifies or relates to a natural person.
"Personal Data Breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed under this DPA.
"Processing" (and "process," "processed," etc.) has the meaning given to that term under the EU GDPR.
"Processor" means a natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of the Controller.
"Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside the EEA that is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to a country that is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; or (iii) where the FADP applies, a transfer of Personal Data from Switzerland to a country that does not ensure an adequate level of data protection under the FADP.
"Services Personal Data" means Personal Data processed by Marcel on Customer's behalf through the Platform in connection with the Services.
"Sub-processor" means any third-party Processor engaged by Marcel to process Services Personal Data on behalf of Customer.
"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018, as updated from time to time.
A.3 Customer Obligations as Controller
A.3.1 Customer represents and warrants that:
(a) Customer's collection, use, and provision of Services Personal Data to Marcel complies with all Applicable Data Protection Laws;
(b) Customer has provided all required notices to, and obtained all necessary consents, authorizations, or other lawful bases from, Data Subjects for the processing of their Personal Data as contemplated by this DPA and the Terms;
(c) Customer has the authority and lawful basis to transfer Services Personal Data to Marcel for processing in accordance with this DPA;
(d) all instructions given by Customer to Marcel regarding the processing of Services Personal Data are and will be lawful under Applicable Data Protection Laws; and
(e) Customer will maintain an appropriate privacy policy in compliance with Applicable Data Protection Laws.
A.3.2 Customer shall not provide or make available to Marcel any "special categories of personal data" (as defined under the EU GDPR) or equivalent categories under other Applicable Data Protection Laws, except to the extent such data is specifically processed by Marcel's third-party identity verification or payment processing service providers in accordance with Section 8.7 of the Terms and such providers' own terms and privacy policies.
A.4 Marcel's Obligation as a Processor
A.4.1 Processing Instructions. Marcel shall process Services Personal Data only in accordance with Customer's documented instructions, which are deemed to include: (a) the processing necessary to provide the Platform and Services as described in the Terms and Documentation; (b) processing initiated by Customer or its Authorized Users through their use of the Platform; and (c) any additional documented instructions agreed upon by the parties. Marcel shall promptly inform Customer if, in Marcel's reasonable opinion, an instruction from Customer infringes Applicable Data Protection Laws.
A.4.2 Compliance. Marcel shall comply with all Applicable Data Protection Laws in its role as Processor. Marcel shall not "sell" or "share" Services Personal Data (as those terms are defined under the CCPA) and shall not process Services Personal Data for any purpose other than as specified in this DPA.
A.4.3 Confidentiality. Marcel shall ensure that all persons authorized to process Services Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Marcel shall limit access to Services Personal Data to those personnel who have a need to know for the purposes of providing the Services.
A.4.4 Assistance. Taking into account the nature of the processing, Marcel shall provide reasonable assistance to Customer:
(a) in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Laws (including rights of access, rectification, erasure, data portability, restriction of processing, and objection);
(b) in ensuring compliance with Customer's obligations under Articles 32 through 36 of the EU GDPR (or equivalent provisions under other Applicable Data Protection Laws), including obligations relating to security, data protection impact assessments, and prior consultation with supervisory authorities; and
(c) in responding to inquiries or investigations by data protection supervisory authorities regarding the processing of Services Personal Data.
Marcel may charge reasonable fees for assistance under this Section A.4.4 to the extent such assistance exceeds the standard support provided under the Terms.
A.4.5 Data Subject Requests. If Marcel receives a request directly from a Data Subject regarding Services Personal Data, Marcel shall promptly redirect the Data Subject to Customer and notify Customer of such request. Marcel shall not respond to any Data Subject request directly unless authorized by Customer or required by Applicable Data Protection Laws, in which case Marcel shall inform Customer (to the extent legally permissible) before responding.
A.5 Security Measures
A.5.1 Marcel shall implement and maintain appropriate technical and organizational measures to protect Services Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, or alteration. Such measures shall include, at a minimum:
(a) encryption of Services Personal Data in transit and at rest;
(b) measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
(c) measures to restore the availability and access to Services Personal Data in a timely manner in the event of a physical or technical incident;
(d) regular testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing;
(e) access controls limiting access to Services Personal Data to authorized personnel on a need-to-know basis;
(f) staff privacy and security training; and
(g) regular third-party security audits.
A.5.2 Marcel shall periodically review and update its security measures in light of current technology, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to Data Subjects.
A.6 Personal Data Breach Notification
A.6.1 Marcel shall notify Customer of any Personal Data Breach without undue delay and, where technically feasible and legally required, within the timeframes mandated by applicable law after becoming aware of the Personal Data Breach.
A.6.2 Such notification shall include, to the extent available:
(a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Services Personal Data records concerned;
(b) the name and contact details of Marcel's point of contact for further information;
(c) a description of the likely consequences of the Personal Data Breach; and
(d) a description of the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
A.6.3 If Marcel is unable to provide all required information at the time of notification, Marcel shall provide the information in phases as it becomes available, without undue delay.
A.6.4 Marcel shall cooperate with Customer and take such commercially reasonable steps as Customer may direct to investigate, remediate, and mitigate the effects of any Personal Data Breach.
A.7 Sub-Processors
A.7.1 General Authorization. Customer provides a general written authorization for Marcel to engage Sub-processors to process Services Personal Data on Customer's behalf, subject to the requirements of this Section A.7.
A.7.2 List of Sub-processors. Marcel shall maintain a current list of Sub-processors, including the name, location, and description of processing activities for each Sub-processor. Such list shall be made available to Customer upon request and shall be published at MarcelHQ.com/sub-processors or provided via email.
A.7.3 Notice of Changes. Marcel shall provide Customer with at least thirty (30) days’ prior notice before engaging a new Sub-processor that will process Services Personal Data on Customer’s behalf. Such notice may be provided by updating the Sub-processor list at https://marcelhq.com/subprocessors and/or by direct communication to Customer.
A.7.4 Objection Right. Customer may reasonably object to Marcel's use of a new Sub-processor by notifying Marcel in writing within fifteen (15) days of receiving notice under Section A.7.3. If Customer objects on reasonable data protection grounds, Marcel shall use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable alternative. If Marcel is unable to provide an alternative within thirty (30) days, either party may terminate the affected portion of the Services (or, if necessary, the entire Agreement) by providing written notice, without penalty.
A.7.5 Sub-processor Obligations. Marcel shall:
(a) enter into a written agreement with each Sub-processor imposing data protection obligations substantially similar to those set out in this DPA and consistent with Applicable Data Protection Laws;
(b) remain responsible for the performance of each Sub-processor’s data protection obligations to the extent required by Applicable Data Protection Laws;
(c) conduct reasonable due diligence on Sub-processors prior to engagement to evaluate their ability to protect Personal Data; and
(d) require Sub-processors to implement appropriate technical and organizational measures designed to protect Personal Data in accordance with Applicable Data Protection Laws.
A.8 Restricted Transfers
A.8.1 The Platform is operated from the United States. Where the transfer of Services Personal Data from Customer (or Customer's Data Subjects located in the EEA, United Kingdom, or Switzerland) to Marcel in the United States constitutes a Restricted Transfer, the parties agree that such transfer shall be subject to the appropriate safeguards as follows:
(a) EU GDPR Transfers. The EU SCCs shall apply, completed as follows:
(i) Module Two (Controller to Processor) shall apply;
(ii) in Clause 7, the optional docking clause shall apply;
(iii) in Clause 9, Option 2 (general written authorization) shall apply, and the time period for prior notice of Sub-processor changes shall be thirty (30) days as set forth in Section A.7.3;
(iv) in Clause 11, the optional language shall not apply;
(v) in Clause 17 (Option 1), the EU SCCs shall be governed by the laws of Ireland;
(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vii) Annex I shall be deemed completed with the information set out in Schedule 1 to this DPA;
(viii) Annex II shall be deemed completed with the information set out in Schedule 2 to this DPA; and
(ix) Annex III shall be deemed completed with the Sub-processor list referenced in Section A.7.2.
(b) UK GDPR Transfers. The UK Addendum shall apply, completed as follows:
(i) the EU SCCs, completed as described in Section A.8.1(a), shall form the "Approved EU SCCs" referenced in the UK Addendum;
(ii) Table 1 of the UK Addendum shall be deemed completed with the exporter and importer details set out in Schedule 1;
(iii) Table 2 of the UK Addendum shall reference the selected Modules, Clauses, and optional provisions as set forth in Section A.8.1(a);
(iv) Table 3 of the UK Addendum shall be deemed completed with the information set out in Schedules 1 and 2; and
(v) Table 4 of the UK Addendum: neither party may terminate the UK Addendum as set out in Section 19 of the UK Addendum.
(c) Swiss Transfers. For transfers subject to the FADP, the EU SCCs shall apply with the modifications required by Swiss law, including: (i) references to "Regulation (EU) 2016/679" shall be interpreted as references to the FADP; (ii) the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner; and (iii) the governing law and jurisdiction under Clauses 17 and 18 shall be Switzerland and the courts of Switzerland, respectively.
A.8.2 In the event any provision of the Terms or this DPA contradicts, directly or indirectly, the Standard Contractual Clauses (EU SCCs or UK Addendum, as applicable), the Standard Contractual Clauses shall prevail.
A.8.3 The parties agree to cooperate in good faith to adopt or implement any alternative transfer mechanism that may be adopted, approved, or recognized under Applicable Data Protection Laws as providing adequate safeguards for international data transfers, in replacement of or in addition to the Standard Contractual Clauses.
A.9 Audits
A.9.1 Marcel shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws.
A.9.2 Marcel shall permit and contribute to audits and inspections conducted by Customer or an independent third-party auditor mandated by Customer, subject to the following conditions:
(a) audits shall occur no more than once per twelve (12) month period, unless a Personal Data Breach has occurred or a supervisory authority requires or requests an audit;
(b) Customer shall provide at least thirty (30) days' prior written notice of any audit;
(c) audits shall be conducted during Marcel's normal business hours and in a manner that minimizes disruption to Marcel's operations;
(d) Customer and its auditors shall comply with Marcel's reasonable security and confidentiality requirements and shall enter into appropriate non-disclosure agreements; and
(e) Customer shall bear the costs of any audit, except where the audit reveals a material breach of this DPA by Marcel, in which case Marcel shall bear the reasonable costs of such audit.
A.9.3 Marcel may satisfy audit requests by providing Customer with a copy of the most recent third-party audit report, certification (e.g., SOC 2 Type II, ISO 27001), or other evidence of compliance, provided such report or certification addresses the matters subject to audit. Customer agrees that such reports or certifications shall satisfy Customer's audit rights under this Section A.9 unless Customer can demonstrate, on reasonable grounds, that additional audit steps are necessary.
A.10 Data Return and Deletion
A.10.1 Upon termination or expiry of the Terms, or upon Customer's earlier written request, Marcel shall (at Customer's election):
(a) return all Services Personal Data to Customer in a commonly used, machine-readable format; or
(b) securely delete all Services Personal Data from Marcel's active systems, where technically feasible, within the timeframes specified in Section 11.4(e) of the Terms (or, in the case of an earlier written request, within thirty (30) days of such request), except to the extent that retention of any Services Personal Data is required by Applicable Data Protection Laws or by applicable legal, regulatory, or record-keeping obligations.
A.10.2 Marcel shall provide Customer with written certification of deletion upon Customer's request.
A.10.3 Residual copies of Services Personal Data in backup or disaster recovery systems shall be deleted in accordance with Marcel's standard backup retention policies, which shall not exceed ninety (90) days from the date of deletion from active systems.
A.10.4 Exception for Transferred and Shared Records. Customer acknowledges that the core functionality of the Services includes the sharing, consignment, and Transfer of Artwork Records and transaction histories between Users. Notwithstanding anything to the contrary in this Section A.10 or this DPA, Marcel shall have no obligation to delete, remove, or modify any Services Personal Data that Customer has:
(a) Transferred or assigned to another User's Account (e.g., via a Transfer of an Artwork Record);
(b) shared with another active User who retains lawful access to such data within the Platform; or
(c) incorporated into permanent transaction logs, provenance records, or digital certificates of title necessary to maintain the integrity and historical accuracy of the Platform for other transacting Users.
In such events, Customer acknowledges that the recipient User becomes the Controller of such shared or Transferred data, and Marcel will continue to process such data on behalf of the recipient User in accordance with that User's instructions and Applicable Data Protection Laws.
A.11 Liability
A.11.1 Any claims brought under or in connection with this DPA shall be subject to the limitations of liability set forth in Section 13 of the Terms, except to the extent that such limitations are prohibited by Applicable Data Protection Laws.
A.11.2 Marcel's liability for damages arising from processing of Services Personal Data in breach of this DPA or Applicable Data Protection Laws shall be limited to direct damages and shall not include indirect, incidental, special, or consequential damages, to the maximum extent permitted by law.
A.11.3 Nothing in this DPA shall limit the rights of Data Subjects under Applicable Data Protection Laws, including the right to seek compensation directly from the Controller or Processor for damages suffered as a result of a breach of such laws.
A.12 Term
This DPA shall take effect simultaneously with the Terms and shall remain in effect for so long as Marcel processes Services Personal Data on Customer's behalf. The obligations of Marcel under this DPA shall survive any termination or expiration of this DPA to the extent Marcel retains any Services Personal Data.
A.13 Interpretation and Conflicts
A.13.1 This DPA supplements and forms part of the Terms. Except as modified by this DPA, the Terms remain unchanged and in full force and effect.
A.13.2 In the event of any conflict between this DPA and the Terms regarding the processing of Personal Data, this DPA shall prevail. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
A.7.5 Sub-processor Obligations. Marcel shall:
(a) enter into a written agreement with each Sub-processor imposing data protection obligations substantially similar to those set out in this DPA and consistent with Applicable Data Protection Laws;
(b) remain responsible for the performance of each Sub-processor’s data protection obligations to the extent required by Applicable Data Protection Laws;
(c) conduct reasonable due diligence on Sub-processors prior to engagement to evaluate their ability to protect Personal Data; and
(d) require Sub-processors to implement appropriate technical and organizational measures designed to protect Personal Data in accordance with Applicable Data Protection Laws.
A.8 Restricted Transfers
A.8.1 The Platform is operated from the United States. Where the transfer of Services Personal Data from Customer (or Customer's Data Subjects located in the EEA, United Kingdom, or Switzerland) to Marcel in the United States constitutes a Restricted Transfer, the parties agree that such transfer shall be subject to the appropriate safeguards as follows:
(a) EU GDPR Transfers. The EU SCCs shall apply, completed as follows:
(i) Module Two (Controller to Processor) shall apply;
(ii) in Clause 7, the optional docking clause shall apply;
(iii) in Clause 9, Option 2 (general written authorization) shall apply, and the time period for prior notice of Sub-processor changes shall be thirty (30) days as set forth in Section A.7.3;
(iv) in Clause 11, the optional language shall not apply;
(v) in Clause 17 (Option 1), the EU SCCs shall be governed by the laws of Ireland;
(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vii) Annex I shall be deemed completed with the information set out in Schedule 1 to this DPA;
(viii) Annex II shall be deemed completed with the information set out in Schedule 2 to this DPA; and
(ix) Annex III shall be deemed completed with the Sub-processor list referenced in Section A.7.2.
(b) UK GDPR Transfers. The UK Addendum shall apply, completed as follows:
(i) the EU SCCs, completed as described in Section A.8.1(a), shall form the "Approved EU SCCs" referenced in the UK Addendum;
(ii) Table 1 of the UK Addendum shall be deemed completed with the exporter and importer details set out in Schedule 1;
(iii) Table 2 of the UK Addendum shall reference the selected Modules, Clauses, and optional provisions as set forth in Section A.8.1(a);
(iv) Table 3 of the UK Addendum shall be deemed completed with the information set out in Schedules 1 and 2; and
(v) Table 4 of the UK Addendum: neither party may terminate the UK Addendum as set out in Section 19 of the UK Addendum.
(c) Swiss Transfers. For transfers subject to the FADP, the EU SCCs shall apply with the modifications required by Swiss law, including: (i) references to "Regulation (EU) 2016/679" shall be interpreted as references to the FADP; (ii) the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner; and (iii) the governing law and jurisdiction under Clauses 17 and 18 shall be Switzerland and the courts of Switzerland, respectively.
A.8.2 In the event any provision of the Terms or this DPA contradicts, directly or indirectly, the Standard Contractual Clauses (EU SCCs or UK Addendum, as applicable), the Standard Contractual Clauses shall prevail.
A.8.3 The parties agree to cooperate in good faith to adopt or implement any alternative transfer mechanism that may be adopted, approved, or recognized under Applicable Data Protection Laws as providing adequate safeguards for international data transfers, in replacement of or in addition to the Standard Contractual Clauses.
A.9 Audits
A.9.1 Marcel shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws.
A.9.2 Marcel shall permit and contribute to audits and inspections conducted by Customer or an independent third-party auditor mandated by Customer, subject to the following conditions:
(a) audits shall occur no more than once per twelve (12) month period, unless a Personal Data Breach has occurred or a supervisory authority requires or requests an audit;
(b) Customer shall provide at least thirty (30) days' prior written notice of any audit;
(c) audits shall be conducted during Marcel's normal business hours and in a manner that minimizes disruption to Marcel's operations;
(d) Customer and its auditors shall comply with Marcel's reasonable security and confidentiality requirements and shall enter into appropriate non-disclosure agreements; and
(e) Customer shall bear the costs of any audit, except where the audit reveals a material breach of this DPA by Marcel, in which case Marcel shall bear the reasonable costs of such audit.
A.9.3 Marcel may satisfy audit requests by providing Customer with a copy of the most recent third-party audit report, certification (e.g., SOC 2 Type II, ISO 27001), or other evidence of compliance, provided such report or certification addresses the matters subject to audit. Customer agrees that such reports or certifications shall satisfy Customer's audit rights under this Section A.9 unless Customer can demonstrate, on reasonable grounds, that additional audit steps are necessary.
A.10 Data Return and Deletion
A.10.1 Upon termination or expiry of the Terms, or upon Customer's earlier written request, Marcel shall (at Customer's election):
(a) return all Services Personal Data to Customer in a commonly used, machine-readable format; or
(b) securely delete all Services Personal Data from Marcel's active systems, where technically feasible, within the timeframes specified in Section 11.4(e) of the Terms (or, in the case of an earlier written request, within thirty (30) days of such request), except to the extent that retention of any Services Personal Data is required by Applicable Data Protection Laws or by applicable legal, regulatory, or record-keeping obligations.
A.10.2 Marcel shall provide Customer with written certification of deletion upon Customer's request.
A.10.3 Residual copies of Services Personal Data in backup or disaster recovery systems shall be deleted in accordance with Marcel's standard backup retention policies, which shall not exceed ninety (90) days from the date of deletion from active systems.
A.10.4 Exception for Transferred and Shared Records. Customer acknowledges that the core functionality of the Services includes the sharing, consignment, and Transfer of Artwork Records and transaction histories between Users. Notwithstanding anything to the contrary in this Section A.10 or this DPA, Marcel shall have no obligation to delete, remove, or modify any Services Personal Data that Customer has:
(a) Transferred or assigned to another User's Account (e.g., via a Transfer of an Artwork Record);
(b) shared with another active User who retains lawful access to such data within the Platform; or
(c) incorporated into permanent transaction logs, provenance records, or digital certificates of title necessary to maintain the integrity and historical accuracy of the Platform for other transacting Users.
In such events, Customer acknowledges that the recipient User becomes the Controller of such shared or Transferred data, and Marcel will continue to process such data on behalf of the recipient User in accordance with that User's instructions and Applicable Data Protection Laws.
A.11 Liability
A.11.1 Any claims brought under or in connection with this DPA shall be subject to the limitations of liability set forth in Section 13 of the Terms, except to the extent that such limitations are prohibited by Applicable Data Protection Laws.
A.11.2 Marcel's liability for damages arising from processing of Services Personal Data in breach of this DPA or Applicable Data Protection Laws shall be limited to direct damages and shall not include indirect, incidental, special, or consequential damages, to the maximum extent permitted by law.
A.11.3 Nothing in this DPA shall limit the rights of Data Subjects under Applicable Data Protection Laws, including the right to seek compensation directly from the Controller or Processor for damages suffered as a result of a breach of such laws.
A.12 Term
This DPA shall take effect simultaneously with the Terms and shall remain in effect for so long as Marcel processes Services Personal Data on Customer's behalf. The obligations of Marcel under this DPA shall survive any termination or expiration of this DPA to the extent Marcel retains any Services Personal Data.
A.13 Interpretation and Conflicts
A.13.1 This DPA supplements and forms part of the Terms. Except as modified by this DPA, the Terms remain unchanged and in full force and effect.
A.13.2 In the event of any conflict between this DPA and the Terms regarding the processing of Personal Data, this DPA shall prevail. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
Schedule 1: Data Processing Details
(Annex I of the EU SCCs / Table 1 and Table 3 of the UK Addendum)
A. List of Parties
Field | Data Exporter (Controller) | Data Importer (Processor)
Name | Customer (as identified in Account registration) | Tabula LLC, d/b/a Marcel
Address | As provided in Account registration | 311 East Broadway, 3rd Floor, New York, NY 10002
Activities | Use of the Platform to manage artwork inventory, records, title, authentication, and transactions | Provision of the Platform and Services as described in the Terms
Role | Controller | Processor
B. Description of Processing
Category | Details
Subject Matter | Processing of Personal Data in connection with the provision of the Platform and Services
Duration | For the term of the Agreement, plus any retention period specified in the Terms or required by law
Nature and Purpose | Storage, organization, retrieval, consultation, use, disclosure by transmission, combination, restriction, erasure, or destruction of Personal Data for the purpose of providing artwork inventory management, title management, authentication, record transfer, transaction facilitation, and related services
Categories of Data Subjects | Customer's employees; Authorized Users; artists; artwork owners; collectors; consignees; transferees; agents; buyers; sellers; gallery contacts; museum contacts; and other individuals whose Personal Data is uploaded to or processed through the Platform by Customer
Types of Personal Data | Names; email addresses; postal addresses; telephone numbers; company names; photographs; images of identity verification documents; social media account identifiers; payment and financial information (processed by third-party payment processors); artwork ownership and provenance information; transaction records; communications sent through the Platform; and any other Personal Data uploaded by Customer or its Authorized Users
Sensitive Data | None (except identity verification documents processed by third-party service providers)
Frequency of Transfer | Continuous, as initiated by Customer's use of the Platform
Retention Period | As specified in the Terms (30-day post-termination export period, then deletion from active systems; 90-day backup retention)
C. Competent Supervisory Authority
The competent supervisory authority shall be determined in accordance with Clause 13 of the EU SCCs (or, for UK transfers, the UK Information Commissioner's Office).
Schedule 2: Technical and Organizational Security Measures
(Annex II of the EU SCCs)
Marcel implements and maintains the following technical and organizational security measures:
Category | Measures
Encryption | End-to-end encryption for data in transit (TLS 1.2 or higher); encryption of data at rest (AES-256 or equivalent)
Access Control | Role-based access controls; principle of least privilege; multi-factor authentication for internal systems; unique user credentials; automated session timeouts
Network Security | Firewalls; intrusion detection and prevention systems; network segmentation; DDoS mitigation
Data Center Security | Cloud infrastructure hosted by industry-leading providers with SOC 2 Type II and/or ISO 27001 certification; physical access controls; environmental controls
Application Security | Secure software development lifecycle; regular vulnerability assessments and penetration testing; code review; input validation; protection against common web vulnerabilities (OWASP Top 10)
Logging and Monitoring | Centralized logging of access and security events; real-time monitoring and alerting; incident response procedures
Business Continuity | Regular automated backups; disaster recovery procedures; redundancy and failover mechanisms
Staff Measures | Background checks for personnel with access to Personal Data; mandatory privacy and security training; internal privacy and data handling policies; confidentiality obligations
Third-Party Management | Due diligence and security assessments of Sub-processors; contractual data protection obligations for all Sub-processors
Audit and Review | Regular third-party security audits (at least annually); periodic internal reviews; results may be shared with industry partners as described in the Privacy Policy
Contacting Us
If you have any questions about this DPA, please contact us at:
Tabula LLC (d/b/a Marcel)
Email: support@MarcelHQ.com
Website: MarcelHQ.com
Email communications aren’t always secure, so please don’t include credit card information or sensitive information in your emails to us.

