Data Processing Addendum
Where Merula processes personal data on your behalf — most clearly when DMARC Analytics or TLS-RPT Analytics is activated and we receive aggregate reports containing sender or relay IP addresses for your monitored domains — Adspace Nordic AB acts as processor under GDPR Article 28. You act as controller.
This Data Processing Addendum forms part of the public terms that apply when you use Merula. It describes the standing terms for that processor relationship.
Subject matter and duration
Merula processes personal data on your documented instructions for the purpose of providing the monitoring service you have subscribed to. Processing continues for as long as the subscription is active and for the retention windows described in the Privacy Notice after termination.
Processor obligations
Merula processes personal data only on the customer's documented instructions, including with regard to transfers outside the EEA, unless required to do otherwise by Union or Member State law. If such law requires processing beyond the customer's instructions, Merula will inform the customer before processing unless the law prohibits that notice.
Merula ensures that persons authorised to process personal data are bound by confidentiality obligations.
Merula implements appropriate technical and organisational measures, taking into account the nature, scope, context and purposes of the processing.
Merula may use sub-processors under the general authorisation described in this Data Processing Addendum. Merula remains responsible for its sub-processors and imposes data-protection obligations on them that are no less protective than those in this Data Processing Addendum.
Taking into account the nature of the processing and the information available to it, Merula will reasonably assist the customer with data-subject requests, security-of-processing obligations, personal-data-breach handling, data-protection impact assessments and prior consultations where required by GDPR.
Merula will make available information reasonably necessary to demonstrate compliance with Article 28. If Merula believes an instruction infringes GDPR or other applicable EU or Member State data-protection law, Merula will inform the customer unless legally prohibited.
Website analytics
Merula may use Google Analytics 4 on the public marketing website to understand how the website is used and improve product communication. Website analytics is described in the Privacy Notice and, where required, controlled by consent.
Google Analytics is not used to process customer monitoring results, DMARC report data or domain-check history under this Data Processing Addendum unless explicitly stated in the service documentation.
Categories of data subjects
Depending on the feature and context, the data subjects may include:
- Your team members and invited collaborators.
- Senders and relays of email to or from your monitored domains, when DMARC Analytics or TLS-RPT Analytics is activated and aggregate reports contain sender or relay IP addresses.
Categories of personal data
Depending on the feature and context, Merula may process:
- Account profile: email, name, organisation, billing-related identifiers.
- Authentication metadata: sign-in timestamps, IP address at sign-in.
- DMARC report data, if applicable: IP addresses, mail volumes, authentication results and message disposition.
- Domain monitoring metadata, where applicable: monitored domain names, check results, alert metadata and change history.
- Support correspondence: the subject, messages and status history of support tickets you open, including any image attachments and any personal data you choose to include in them. Support history is retained for the life of the account so that it remains available to you and to us while you use the service, and is deleted twelve months after the account is closed. Image attachments are deleted when the account is closed, as they cannot be selectively redacted.
Sub-processors
We use service providers and sub-processors to operate Merula. The current list is maintained in the Trust Centre and the Privacy Notice and includes the categories of data each provider handles.
For customer monitoring data and aggregate-report parsing, current core providers include:
- Amazon Web Services EMEA SARL — infrastructure hosting, EU region.
- Stripe Payments Europe Ltd — billing and tax handling, where billing data is processed.
Merula has general written authorisation to use sub-processors. Merula will inform customers of intended material additions or replacements of sub-processors used for customer-controlled data, giving customers an opportunity to object where required by GDPR. Merula imposes data-protection obligations on its sub-processors that are no less protective than those in this Data Processing Addendum, and remains responsible for their performance.
Security measures
- Encryption in transit (TLS 1.2+) and at rest, using managed AWS encryption for supported storage services (AES-256).
- Access controlled by IAM roles, no shared production credentials.
- Managed identity-provider authentication, with MFA required for paid plans according to the Terms of service.
- Daily automated backups with point-in-time recovery up to seven days.
- Application logs retained 30 days; access to production logs limited to on-call engineers.
- A CycloneDX-format Software Bill of Materials is generated for the deployed surface on release. The SBOM policy is documented in the Trust Centre.
Data subject rights
We support you in responding to data subject requests where the request relates to personal data processed on your behalf. Many account-level requests can be handled directly in the dashboard. For requests that require backend assistance, contact privacy@merula.io. We aim to respond within a reasonable time, taking GDPR deadlines into account.
Audit and inspection
We provide public Trust Centre documentation describing our security measures, data handling and sub-processors. Where GDPR requires information reasonably necessary to demonstrate compliance with Article 28, you may contact privacy@merula.io.
On-site audits are not offered for standard self-service plans. Any audit request must be reasonable, limited to the processing covered by this Data Processing Addendum, and must not compromise the security or confidentiality of Merula or other customers.
International transfers
Merula's production infrastructure for customer monitoring data is operated in the European Union. Some service providers may involve limited processing outside the EEA — for example for billing, fraud prevention, support or analytics described in the Privacy Notice.
Where personal data is transferred outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses or other lawful transfer mechanisms.
Service availability and detection scope
The detection scope, cadence limits and best-effort availability of the monitoring service are governed by the Terms of service. This Data Processing Addendum governs how personal data is processed; it does not guarantee that the service detects every change or remains continuously available.
Termination
Before deletion, customers can export account-level data through the dashboard during the export window described in the Terms of service and the Privacy Notice. After the deletion grace period, personal data processed on behalf of the customer is deleted or anonymised according to the retention schedules in the Privacy Notice, this Data Processing Addendum and applicable legal obligations, unless Union or Member State law requires storage. Backups age out according to the backup retention period described in the Trust Centre or Privacy Notice.
This Data Processing Addendum applies as part of Merula's public terms for self-service customers.