Merula
Standing terms — applies as part of Merula's public terms

Data Processing Addendum

Where Merula processes personal data on your behalf — most clearly when DMARC Analytics or TLS-RPT Analytics is activated and we receive aggregate reports containing sender or relay IP addresses for your monitored domains — Adspace Nordic AB acts as processor under GDPR Article 28. You act as controller.

This Data Processing Addendum forms part of the public terms that apply when you use Merula. It describes the standing terms for that processor relationship.

Subject matter and duration

Merula processes personal data on your documented instructions for the purpose of providing the monitoring service you have subscribed to. Processing continues for as long as the subscription is active and for the retention windows described in the Privacy Notice after termination.

Processor obligations

Merula processes personal data only on the customer's documented instructions, including with regard to transfers outside the EEA, unless required to do otherwise by Union or Member State law. If such law requires processing beyond the customer's instructions, Merula will inform the customer before processing unless the law prohibits that notice.

Merula ensures that persons authorised to process personal data are bound by confidentiality obligations.

Merula implements appropriate technical and organisational measures, taking into account the nature, scope, context and purposes of the processing.

Merula may use sub-processors under the general authorisation described in this Data Processing Addendum. Merula remains responsible for its sub-processors and imposes data-protection obligations on them that are no less protective than those in this Agreement.

Taking into account the nature of the processing and the information available to it, Merula will reasonably assist the customer with data-subject requests, security-of-processing obligations, personal-data-breach handling, data-protection impact assessments and prior consultations where required by GDPR.

Merula will make available information reasonably necessary to demonstrate compliance with Article 28. If Merula believes an instruction infringes GDPR or other applicable EU or Member State data-protection law, Merula will inform the customer unless legally prohibited.

Website analytics

Merula may use Google Analytics 4 on the public marketing website to understand how the website is used and improve product communication. Website analytics is described in the Privacy Notice and, where required, controlled by consent.

Google Analytics is not used to process customer monitoring results, DMARC report data or domain-check history under this Data Processing Addendum unless explicitly stated in the service documentation.

Categories of data subjects

Depending on the feature and context, this may include:

Categories of personal data

Depending on the feature and context, Merula may process:

Sub-processors

We use service providers and sub-processors to operate Merula. The current list is maintained in the Trust Centre and the Privacy Notice and includes the categories of data each provider handles.

For customer monitoring data and aggregate-report parsing, current core providers include:

Merula has general written authorisation to use sub-processors. Merula will inform customers of intended material additions or replacements of sub-processors used for customer-controlled data, giving customers an opportunity to object where required by GDPR. Merula imposes data-protection obligations on its sub-processors that are no less protective than those in this Data Processing Addendum, and remains responsible for their performance.

Security measures

Data subject rights

We support you in responding to data subject requests where the request relates to personal data processed on your behalf. Many account-level requests can be handled directly in the dashboard. For requests that require backend assistance, contact privacy@merula.io. We aim to respond within a reasonable time, taking GDPR deadlines into account.

Audit and inspection

We provide public Trust Centre documentation describing our security measures, data handling and sub-processors. Where GDPR requires information reasonably necessary to demonstrate compliance with Article 28, you may contact privacy@merula.io.

On-site audits are not offered for standard self-service plans. Any audit request must be reasonable, limited to the processing covered by this Data Processing Addendum, and must not compromise the security or confidentiality of Merula or other customers.

International transfers

Merula's production infrastructure for customer monitoring data is operated in the European Union. Some service providers may involve limited processing outside the EEA — for example for billing, fraud prevention, support or analytics described in the Privacy Notice.

Where personal data is transferred outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses or other lawful transfer mechanisms.

Service availability and detection scope

The detection scope, cadence limits and best-effort availability of the monitoring service are governed by the Terms of service. This Data Processing Agreement governs how personal data is processed; it does not guarantee that the service detects every change or remains continuously available.

Termination

Before deletion, customers can export account-level data through the dashboard during the export window described in the Terms of service and the Privacy Notice. After the deletion grace period, personal data processed on behalf of the customer is deleted or anonymised according to the retention schedules in the Privacy Notice, this Data Processing Agreement and applicable legal obligations, unless Union or Member State law requires storage. Backups age out according to the backup retention period described in the Trust Centre or Privacy Notice.

This Data Processing Addendum applies as part of Merula's public terms for self-service customers.