Terms of service
These terms govern your use of Merula. By creating an account you agree to them. If you don't, please don't use the service.
1. The parties
"Merula" or "we" means Adspace Nordic AB, a Swedish company. "You" means the organisation holding the account.
2. Eligibility
Merula is offered to EU/EEA-based businesses for use in the course of business. By signing up you confirm that:
- You are an organisation established in an EU/EEA member state, or an individual using the service in the course of an EU/EEA-based business.
- You are signing up on behalf of, and binding, that organisation.
- You are not a consumer within the meaning of EU consumer-protection law; the Service is a business-to-business product.
The Free tier requires a valid EU/EEA country selection at signup; no VAT number is required. Merula reserves the right to suspend Free accounts whose use does not match the eligibility above.
Paid plans (Pro and MSP) require a valid EU/EEA VAT number entered at upgrade. The number is validated against the European Commission's VIES service via Stripe Tax; an upgrade cannot complete without a verifiable number. Reverse-charge VAT applies where applicable; Stripe Tax handles the computation and invoice annotations.
Paid self-serve checkout requires a VAT number that can be validated through VIES. Non-EU EEA businesses whose VAT numbers cannot be validated through VIES may require manual billing approval or a separate invoicing arrangement.
Multi-factor authentication (MFA) is required for every account member on paid tiers. New paid accounts have a 14-day grace period after upgrade for existing members to enrol; after that, members without MFA are blocked from sensitive actions (inviting members, viewing webhook signing secrets, changing plans) until they enrol. MFA is optional but available on Free.
3. What we provide
Merula monitors the public configuration and posture of domains you control or are authorised to monitor. This may include DNS records, TLS certificates, email authentication, transport security, HTTP security headers, availability, web hygiene, domain lifecycle and routing/RPKI signals.
We do not modify your DNS, certificates, registrar settings or email setup. Merula observes, records changes, explains findings and sends alerts according to your plan and settings.
Merula is a monitoring and observability service. It is not a compliance certification, legal assessment, security audit, vulnerability scanner, managed security service or incident response service.
4. What you can do
Add domains you own or are explicitly authorised to monitor. Receive alerts. Invite team members according to your plan. Cancel your subscription as described in sections 8 and 14.
5. What you cannot do
- Monitor domains you do not own or are not explicitly authorised to monitor.
- Use the service to enumerate, surveil, or harass third parties.
- Resell, white-label or provide Merula as a managed service except through the MSP/partner plan or a separate written agreement allowing it.
- Reverse-engineer the service or attempt to bypass usage limits.
6. Intellectual property and ownership of your data
Merula — the platform, its software, its checks engine, designs, documentation and knowledge base — belongs to Adspace Nordic AB, its licensors and its suppliers. We grant you a non-exclusive, non-transferable right to use the service for your own business for as long as your subscription is active and you keep to these terms; that right ends when your subscription ends. Nothing here transfers ownership of the platform to you, and the rights described in these terms are the only ones you receive.
Your data stays yours. The domains you monitor, your check history, your accepted baselines, your settings and the reports you receive remain yours. We process them to provide the service, and according to our Privacy Notice and Data Processing Addendum. You can export your data at any time — see section 14.
7. Plans, prices, billing
Plans and prices are described on our pricing page and confirmed at checkout. Prices are in EUR and exclusive of VAT unless stated otherwise. Annual billing is twelve months for the price of ten on eligible direct plans. We use Stripe for payments, tax calculation and invoicing.
Every public plan includes the same core set of domain posture checks. Paid plans are priced per monitored domain according to its declared classification (sending or non-sending); domain additions, removals and reclassifications adjust the subscription with proration. We never change a domain's classification ourselves — we may suggest one based on what we observe, but a classification (and therefore the billing) changes only when you confirm it. DMARC and TLS-RPT aggregate-report parsing is included with paid plans without message-volume billing or plan-tier report caps — report volume is never billed.
A trial of the Pro plan is available once per account: 14 days, full functionality, no payment method required. If the trial ends without a subscription, the account returns automatically to the Free plan; monitoring continues and history is retained under the Free plan's retention window.
List-price changes apply to new subscriptions only; an existing subscription keeps the prices it was opened under. If we need to change the price or plan structure of an existing subscription, we will give the account's administrators at least 30 days' notice by email, the change takes effect from the next billing cycle at the earliest, and you may cancel before it applies.
8. Refunds
We may offer a 14-day refund on first paid invoices for direct customers if Merula does not match expectations. After that, plans run for the chosen cycle. Cancellation stops further billing; we do not pro-rate unused time on monthly plans unless required by law or stated at checkout.
9. Detection scope and limitations
Merula observes the publicly observable configuration of the domains you enable for monitoring. Specifically:
- What we monitor: DNS records, TLS certificates and negotiated session, HTTP availability and security headers, email-authentication records (SPF, DKIM, DMARC), SMTP transport security (STARTTLS, MTA-STS, TLS-RPT, DANE/TLSA where published), DNS-level certificate-issuance authorisation (CAA), web hygiene signals such as robots.txt, sitemap.xml and security.txt (RFC 9116), domain lifecycle signals such as registry expiry where available, and routing/RPKI route-origin validation signals for the networks serving your domain — within the configured cadence and across the public IP path between our checkers and your hosts.
- What we do not monitor: authenticated endpoints, application-internal behaviour, response-body content, internal network state, code or runtime vulnerabilities, port-level service exposure, or anything not observable to a public unauthenticated client.
Some checks depend on external data sources such as registries, RDAP endpoints, DNS resolvers, certificate authorities, mail servers and customer-controlled endpoints. These sources may be unavailable, inconsistent, rate-limited or incomplete.
Detection cadence is best-effort. By default we run each check once per hour. A configuration change made minutes after a sweep may not surface until the next sweep completes. DNS propagation, anycast routing, and resolver caching can mean we transiently observe different state from what an end-user observes. Network partitions or third-party outages may cause individual checks to return unknown rather than a definitive result.
Merula is not a substitute for your own monitoring, incident response, or compliance program. You remain responsible for the configuration, security, and operation of your domains and the services they identify.
10. Service availability
We operate the service on a best-effort basis. We do not warrant uninterrupted, error-free, or timely operation, and we do not commit to a contractual SLA on direct plans. Any different commitment must be agreed separately in writing.
Customers can subscribe to platform-incident communications by email at merula.io/status.
We may send account administrators service communications about billing, security, legal notices, product changes, outages and other operational matters. These are not marketing emails and may be sent even if marketing communications are disabled.
The service depends on third-party infrastructure (AWS, our authoritative DNS resolver chain, our email and webhook delivery paths). Outages or degradations at those providers can cause sweeps to be delayed, alerts to be deferred, or the dashboard to be unreachable. We will use reasonable efforts to communicate prolonged outages to customers via email or via a status surface.
Alert delivery is similarly best-effort. Email delivery depends on your inbox provider accepting the message; webhook delivery depends on your endpoint being reachable and accepting our request. We retry failed webhook deliveries, with increasing intervals between attempts, but we cannot guarantee that an alert reaches its destination in any specific time window.
We classify each change by severity to decide what reaches you at once and what is gathered into your chosen daily or weekly digest. Severity classification and digest timing are best-effort: a change we classify below critical is delivered on your digest cadence rather than immediately, and we may occasionally classify a change differently from how you would. Alerts are only sent to recipients you have verified: until a recipient is verified, no alerts are sent to it, and if no verified recipient exists, no alerts are sent at all. Configure and verify your recipients, choose your cadence, and keep independent fail-safes for anything you consider critical.
11. Customer responsibilities
- Add the domains you intend to monitor and keep that list current.
- Configure at least one verified alert recipient (email or webhook) and review that the configured destinations are working. Until a recipient is verified, alerts to it are not sent; with no verified recipient, you receive no alerts.
- Review alerts in a timely manner; the service detects and notifies, but action is yours.
- Maintain independent monitoring or fail-safes for systems you consider critical. Do not make Merula a single point of failure for your security observability.
- Comply with all regulatory obligations applicable to your business. Merula may provide technical observations and references that support security governance, audit preparation and NIS2-related risk-management work, but use of Merula does not itself constitute regulatory compliance.
12. Changes to the service
Features evolve. We may add, change or remove functionality. Where a material removal significantly affects paid functionality, we will provide reasonable notice where practical.
13. Confidentiality
In the course of the relationship each party may learn non-public information about the other — your configuration and findings on our side; our pricing, security measures and how the service works on yours. Each party keeps the other's non-public information confidential, uses it only to perform under these terms, and protects it with the same care it gives its own confidential information. This does not cover information that is already public, that a party already held without a duty of confidence, or that the law or a competent authority requires it to disclose — and where disclosure is compelled, the disclosing party tells the other where it lawfully can. The obligation continues for three years after the relationship ends.
14. Termination and data export
You may close your account at any time. We may close an account that breaches these terms or threatens the integrity of the service, with reasonable notice where possible. On termination, we delete or retain data according to the schedules in the Privacy Notice, Data Processing Addendum and applicable legal obligations.
Taking your data with you. Before your data is deleted you can export it. Account-level exports are available in the dashboard while the account is open, and your data stays exportable through the deletion grace window described in the Privacy Notice before it is permanently deleted. We do not hold your data hostage, and we do not charge to return it to you.
15. Data protection
Our Privacy Notice explains how we process personal data as controller for account, website, billing and service administration data.
Where Merula processes customer-controlled domain monitoring data or DMARC report data on behalf of a customer, the Data Processing Addendum applies where required by GDPR.
You are responsible for ensuring that your use of Merula complies with applicable data protection law, including any obligation to inform your users, employees, customers or domain stakeholders where relevant.
16. Liability
Non-excludable liability. Nothing in these terms limits or excludes either party's liability where it would be unlawful to do so — including liability for gross negligence, wilful misconduct, or any other liability that cannot be limited under applicable mandatory law. This paragraph prevails over every other limit in this section.
"As is". Except as expressly stated, the service is provided "as is", with no warranties, express or implied, including fitness for a particular purpose. We do not warrant that every configuration change is detected, that every alert is delivered, or that the service is continuously available; detection and alerting are best-effort and described in sections 9 and 10.
Excluded loss. Subject to the first paragraph, neither party is liable for indirect, consequential, special or incidental loss, or for lost revenue, lost profits, lost or corrupted data, loss of goodwill, or third-party claims, however arising — including from a missed detection, a delayed or undelivered alert, or a service interruption.
Aggregate cap. Subject to the first paragraph, each party's total aggregate liability arising out of or in connection with the service is limited, per twelve-month period, to the greater of the fees you paid us in that period or EUR 100. The Free plan and no-charge trials carry a EUR 50 cap.
Your mitigation. You acknowledge that Merula is one signal among your controls, not a substitute for your own monitoring and incident response (section 11), and that a failure to maintain independent fail-safes for systems you consider critical is relevant to any claim.
17. Complaints and time limit on claims
If something about the service falls short, tell us promptly — email hello@merula.io, or open a support ticket if your plan includes one — with enough detail for us to reproduce and address it. We would far rather put a problem right than have it stand. A claim arising from the service must be raised in writing within a reasonable period after you discover, or could reasonably have discovered, the matter giving rise to it, and in any event within twelve months of it; raising it promptly keeps the facts fresh and gives us the chance to set it right.
18. Your authorisation to monitor, and your indemnity
You may add a domain only if you own it or are explicitly authorised by its owner to monitor it. By adding a domain you warrant that you hold that ownership or authorisation, and you agree to provide evidence of it if we reasonably ask. Monitoring reads only publicly observable configuration; it grants you no right over a domain you do not control, and we may remove a domain or suspend an account where authorisation is in genuine doubt.
You agree to indemnify Adspace Nordic AB against any third-party claim, and any reasonable loss or cost (including legal fees) it causes, arising from:
- your monitoring of a domain you did not own or were not authorised to monitor;
- your breach of these terms, or of applicable law, in your use of the service; or
- data you instructed us to process on your behalf, where our processing followed your instructions.
We will notify you promptly of any such claim, let you lead its defence with our reasonable cooperation at your cost, and not settle it in a way that admits fault on your behalf without your agreement.
19. Assignment
You may not transfer your agreement with us, or your rights and obligations under it, to anyone else without our written consent — your account is tied to your organisation. We may transfer ours to a successor entity — for example as part of a reorganisation, or the sale of the business that operates Merula — provided the successor takes on these terms and your protections under them are preserved. We will tell you if that happens.
20. Events outside our control (force majeure)
Neither party is liable for a failure or delay caused by events beyond its reasonable control — including failures of the internet, cloud infrastructure, DNS, certificate authorities or email providers, power or network outages, denial-of-service attacks, natural events, or governmental or regulatory action. Affected obligations are suspended for the duration of the event; payment obligations already accrued are not excused. If such an event continues for more than thirty days, either party may terminate the affected subscription without penalty.
21. Governing law
These terms are governed by Swedish law. Disputes are settled at the competent court in Stockholm, unless mandatory law requires another forum.