Data Processing Agreement (DPA)
Scope and roles
This Data Processing Agreement (“DPA”) forms part of the dmarced Terms of service (the “Agreement”) between:
- Wierk S.à r.l., 8, Beforterstrooss, 9365 Eppeldorf, Luxembourg, Company registration number B244365 (“Processor”), and
- The entity or individual agreeing to the Agreement and using the Services (“Customer”).
This DPA applies where Processor processes Personal Data on behalf of Customer in connection with dmarced Services (the “Services”).
Customer acts as Controller and Processor acts as Processor within the meaning of applicable Data Protection Laws, including Regulation (EU) 2016/679 (General Data Protection Regulation).
The term of this DPA follows the term of the Agreement. Capitalized terms not defined herein have the meaning given to them in the Agreement.
Details of processing
Processor processes Customer Personal Data solely for the purpose of providing and operating the Services. The Services include domain security and authentication monitoring, such as DNS record monitoring, DMARC aggregate report analysis, and the enrichment of IP address data with related technical metadata (e.g., country codes or autonomous system information), as well as alerting, account administration, and the maintenance of system security, performance, capacity planning, and reliability.
Processor may generate internal operational metrics related to the volume and technical characteristics of processed data for monitoring system load, detecting anomalies, and ensuring service stability. Processor may also create aggregated and anonymized statistical information derived from Customer Personal Data, provided that such information does not identify any Customer or individual and does not constitute Personal Data.
Processor does not process Customer Personal Data for independent purposes outside the scope of the Services.
Processing of Customer Personal Data shall take place for the duration of the Agreement. Customer Personal Data shall be retained in accordance with the retention period applicable to the Customer’s selected Service plan and this DPA.
Categories of Data Subjects:
- Authorized users of the Customer’s account;
- Individuals whose IP addresses or technical identifiers may appear in authentication reports or monitoring data processed within the Services.
Categories of Personal Data:
- Account information of authorized users (such as name, email address, account identifiers, access roles, and account-related activity records);
- Domain-related technical data (such as domain names, DNS record content, and related configuration data);
- Authentication and reporting data (such as DMARC aggregate reports, IP addresses, timestamps, volume metrics, and related technical metadata);
- Operational log data generated in connection with the use and operation of the Services.
No special categories of personal data are intentionally processed within the Services.
Processor obligations
Processor shall process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law. In such case, Processor shall inform Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
Processor shall ensure that persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Processor shall comply with applicable Data Protection Laws in the performance of its obligations under this DPA.
Processor shall inform Customer without undue delay if, in Processor’s opinion, an instruction infringes applicable Data Protection Laws.
Customer obligations
Customer remains responsible for complying with its obligations as Controller under applicable Data Protection Laws, including ensuring the lawfulness of processing and providing appropriate information to data subjects.
Security measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with applicable Data Protection Laws.
Such measures are designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, and include, as appropriate:
- Access controls restricting access to Customer Personal Data to authorized personnel only;
- Encryption of data in transit and at rest where appropriate;
- Logical separation of Customer environments;
- Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.
Processor may update or modify its security measures from time to time, provided that such updates do not materially decrease the overall level of security.
Subprocessors
Customer grants Processor general authorization to engage third-party subprocessors in connection with the provision of the Services and to disclose Customer Personal Data to such subprocessors where necessary. A current list of subprocessors (the “Subprocessor List”) is available at: https://dmarced.eu/en/legal/subprocessor-list.
Processor may update the Subprocessor List and shall notify Customer of any intended addition or replacement of a subprocessor at least thirty (30) days in advance. Customer may object to a new subprocessor on reasonable data protection grounds within the notice period. In such case, the Parties shall work in good faith to resolve the objection.
Processor shall ensure that each subprocessor is bound by written contractual obligations that provide a level of data protection no less protective than those set out in this DPA. Processor remains responsible for the performance of its subprocessors’ obligations in accordance with applicable Data Protection Laws.
International transfers
Processor processes Customer Personal Data within the European Economic Area (EEA).
Processor shall not transfer Customer Personal Data outside the EEA unless such transfer is carried out in compliance with applicable Data Protection Laws. Where required, Processor shall ensure that appropriate safeguards are implemented, including the use of Standard Contractual Clauses approved by the European Commission or reliance on an adequacy decision issued by the European Commission.
Details regarding applicable transfer safeguards may be provided upon reasonable request.
Data subject rights assistance
Taking into account the nature of the processing, Processor shall assist Customer, by appropriate technical and organizational measures and insofar as possible, in fulfilling Customer’s obligations to respond to requests from data subjects exercising their rights under applicable Data Protection Laws.
If Processor receives a request directly from a data subject relating to Customer Personal Data processed under this DPA, Processor shall promptly inform Customer and shall not respond to such request except on Customer’s documented instructions or as required by applicable law.
Taking into account the nature of the processing and the information available to Processor, Processor shall provide reasonable assistance to Customer in ensuring compliance with Customer’s obligations under Articles 32 to 36 of the GDPR, including in relation to security of processing, personal data breach notifications, data protection impact assessments, and prior consultation with supervisory authorities.
Personal data breach notification
In the event of a Personal Data Breach affecting Customer Personal Data, Processor shall notify Customer without undue delay after becoming aware of such breach.
Processor shall provide Customer with information reasonably necessary to enable Customer to comply with its obligations under applicable Data Protection Laws, including information regarding the nature of the breach, its likely consequences, and the measures taken or proposed to address and mitigate the breach.
Processor shall cooperate with and reasonably assist Customer in relation to the investigation and remediation of the Personal Data Breach.
Processor shall not notify any Supervisory Authority or affected data subjects of a Personal Data Breach relating to Customer Personal Data without Customer’s prior written instruction, unless required to do so by applicable law.
Processor’s notification of or response to a Personal Data Breach shall not constitute an acknowledgment of fault or liability.
Deletion or return of data
Upon termination or expiration of the Agreement, Customer may request an export of Customer Personal Data within thirty (30) days following such termination. During this period, the Services may remain accessible solely for the purpose of data export, unless otherwise agreed.
Following this thirty (30) day period, Customer Personal Data shall be deleted from active systems and shall no longer be accessible. Data marked for deletion may remain in secure backups for up to an additional thirty (30) days and shall not be restored except as necessary for disaster recovery.
Operational logs that may contain Customer Personal Data are retained for security and reliability purposes for a period not exceeding ninety (90) days, unless retention is required for the investigation of a security incident or required by applicable law.
Processor shall not retain Customer Personal Data beyond the periods described above, except where required by applicable law.
Audit rights
Processor shall make available to Customer, upon reasonable request, information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws.
Where Customer reasonably determines that such information is insufficient to verify compliance, Customer may conduct an audit of Processor’s relevant processing activities, subject to the following conditions: (i) at least thirty (30) days’ prior written notice; (ii) no more than once per twelve (12) month period, unless required by applicable law or following a confirmed security incident; (iii) during normal business hours; (iv) in a manner that does not unreasonably disrupt Processor’s operations; and (v) subject to appropriate confidentiality obligations.
Any audit shall be limited to information and systems relevant to the processing of Customer Personal Data and shall not permit access to data relating to other customers. Customer shall bear its own costs in connection with any audit.