Using GoMarble with Agency-Client NDAs

This article explains how agencies can connect GoMarble to client accounts without breaching confidentiality. It outlines what GoMarble stores and how data is used, and provides ready‑to‑send templates and clause snippets you can paste into your client agreements.

Written By GoMarble

Last updated 6 months ago

TL;DR

  • If your existing NDA already: (a) covers confidentiality, (b) permits vetted third‑party tools/sub‑processors, and (c) describes data categories you access/store, you typically don’t need a separate NDA to use GoMarble.

  • For regulated or risk‑averse clients, add a short Data Use Addendum / DPA describing GoMarble’s limited, read‑only model (templates below).


What GoMarble Is (and isn’t)

GoMarble is a read‑only analytics and reporting tool used by agencies to analyze and report on client ad and commerce data—similar to Supermetrics or Zapier. GoMarble does not warehouse client marketing data.

Data we store (to power product functionality)

  1. Configured ad account details — identifiers and trailing 30‑day spend (metadata) for in‑product UX.

  2. OAuth 2.0 credentials/tokens — read‑only access for Meta, Google, LinkedIn, Shopify.

  3. User‑created artifacts: Chats and Reports saved by users inside GoMarble. Any fetched data displayed inside a chat/report remains confined there and is deleted if the user deletes the chat/report.

Data we do not store by default

  • Raw historical marketing datasets or full account exports.

  • Creative assets beyond what is embedded in a user’s saved report/chat artifact.

  • Data for model training shared across customers.


Do we need a separate NDA to connect GoMarble?

Usually no, if your client contract already covers:

  • Confidentiality obligations for agency and its vendors.

  • Permission to use third‑party tools/sub‑processors to deliver services.

  • Clear description of data categories accessed/stored and read‑only usage.

Add an addendum if:

  • The MSA/SOW/NDA lacks third‑party tool consent or explicit data categories.

  • The client operates in regulated sectors (finance, health, public sector) or has strict procurement.

  • The client requests formal confirmation of security, retention, or cross‑border transfers.


Security summary (for questionnaires)

  • Access model: Read‑only OAuth scopes for supported platforms; least‑privilege service configuration.

  • Data at rest: Encrypted; OAuth tokens held in secret storage; limited metadata + user artifacts only.

  • Data in transit: TLS 1.2+.

  • Observability: Audit/event logs for access and key actions.

  • Isolation: No commingling of client artifacts; no cross‑client model training.

  • Deletion: User‑initiated deletion for chats/reports; full tenant cleanup on termination upon request.


Retention & deletion

  • Default retention: Only while engagement and user account are active.

  • User control: Users can delete chats and reports; associated fetched data inside those artifacts is deleted as part of that action.

  • Offboarding: On contract end or upon request, agency triggers deletion of GoMarble‑stored metadata and artifacts; GoMarble provides confirmation.


FAQs