This page complements our public Trust Center. It sets out the contractual and procedural detail behind the partner list — the material that matters to enterprise procurement, data-protection officers, and users exercising rights under privacy law. For most users, the partner list is the page you want.
Notification of changes
We update the public list whenever a sub-processor is added, removed, or replaced. For material changes, we notify users by email at least 30 days before the new sub-processor begins processing your data, where reasonably practicable. To receive these notices, just keep your account email up to date.
Enterprise customers with a Data Processing Addendum receive notice and exercise objection rights according to the terms of their DPA, which apply in addition to the rights set out below.
Right to object
Users in the EU, UK, EEA, Switzerland, and other GDPR-aligned jurisdictions have the right to object to a new sub-processor on reasonable, documented data-protection grounds. To exercise that right, email privacy@marvinmoney.com within 30 days of the notice. If we cannot accommodate your objection, you may terminate your subscription and we will refund any prepaid but unused fees for the affected period.
Equivalent rights under other privacy frameworks — including California's CCPA/CPRA, India's Digital Personal Data Protection Act, 2023, Quebec's Law 25, Australia's Privacy Act, and Canada's PIPEDA — are honoured per those laws and are described in our Privacy Page.
How we vet sub-processors
Before we onboard a sub-processor, we require:
- A written contract with appropriate data-protection clauses — Standard Contractual Clauses (EU), the UK International Data Transfer Addendum, or equivalent instruments for cross-border transfers.
- Relevant security certifications for the service being provided, such as SOC 2 Type II, ISO/IEC 27001, ISO/IEC 27701, or PCI-DSS.
- A no-AI-training commitment — the sub-processor contractually agrees not to use your data to train their own machine-learning or generative models, except as instructed by us to provide the Service to you.
- Deletion on termination — a clear path to delete or return your data when our relationship with the sub-processor ends.
- Breach-notification obligations — written commitments on incident timelines and information-sharing.
Cross-border transfers
Some of our partners are located outside your country of residence. Where personal data crosses borders, we rely on legally recognised transfer mechanisms — most commonly the EU Standard Contractual Clauses (Module Two or Three, as applicable) and the UK International Data Transfer Addendum. For transfers from India, we observe the cross-border rules under the Digital Personal Data Protection Act, 2023 as operationalised. Specific transfer instruments per partner are available to enterprise customers under NDA on request.
Enterprise data-processing addendum
Customers on Business plans (and enterprise customers more broadly) may execute a Data Processing Addendum that incorporates the EU SCCs and any region-specific clauses required by your jurisdiction. To request a DPA, email legal@marvinmoney.com with your entity's legal name, country of incorporation, and the applicable transfer scenarios.
Vendors named only by category
On the public list, some rows identify a partner only by category (for example, "Payment processor", "Email delivery provider", "Error-monitoring provider"). The specific vendor is identified to enterprise customers under NDA on request. We follow this pattern where the vendor is interchangeable for our use case and revealing the specific name without operational context could mislead, or where the vendor's contract restricts public identification.
What this page does not cover
For operational reasons, we do not publish:
- Internal data-retention windows beyond contractual minimums;
- Security architecture details (key management, network segmentation, IAM topology, etc.);
- Operational workflows (how on-call responds to incidents, deployment processes, internal monitoring);
- AI-system configuration (model selection, prompt structure, caching strategy, tool architecture);
- Vendor failover or redundancy logic.
These are operational and security-sensitive details. They are not part of the data-protection disclosure your privacy rights cover, and publishing them would weaken our security posture. Specific aspects can be reviewed under NDA by enterprise procurement and data-protection officers on request.
Contact
Questions about partner vetting, transfer mechanisms, DPAs, or objection rights? Email privacy@marvinmoney.com. For our complete privacy commitments, see our Privacy Page.
Mars Enterprises Inc. · India · © 2026. Last updated April 26, 2026. Earlier versions are available on request.