
Data Processing Addendum

Effective 1 May 2026

1. Purpose

This Data Processing Addendum ("DPA") supplements the DMARCify Terms of Service ("Agreement") and governs DMARCify GmbH's ("Processor") processing of Personal Data on behalf of the Customer ("Controller"). It is incorporated by reference into the Agreement and is binding when Customer uses DMARCify in a manner that involves Personal Data of EU/EEA, UK, or Swiss data subjects.

Need a counter-signed PDF for your records? Email legal@dmarcify.dev — we'll issue one within one business day at no charge.

2. Scope

This DPA applies to all Personal Data processed by Processor on Controller's behalf in connection with the DMARCify service. Capitalised terms not defined here have the meanings given in the Agreement, the GDPR, or the UK GDPR as applicable.

3. Roles

With respect to the Personal Data contained in DMARC aggregate reports and account metadata processed via the DMARCify service:

  • Controller: Customer.
  • Processor: DMARCify GmbH.
  • Sub-processors: the entities listed in Section 5, each of whom acts as a processor on Customer's behalf, with Processor remaining responsible for their performance.

For Processor's own account and billing data, DMARCify is the Controller and its Privacy Policy governs that processing.

4. Subject matter of processing

Categories of data subjects: senders and recipients of email referenced in DMARC reports; Customer's authorised users.

Categories of personal data: source IP addresses, header-From domains, email addresses of authorised users, reverse-DNS hostnames, ASN and country of source IPs.

Special categories: none. DMARC reports do not contain special-category data under GDPR Art. 9.

Nature and purpose: ingestion of DMARC aggregate reports, parsing, enrichment, storage, and rendering in the Customer's dashboard.

Duration: as long as Customer maintains the Agreement, subject to the retention limits of the Customer's plan.

5. Sub-processors

Processor uses the following sub-processors:

  • Cloudflare, Inc. (USA) — Workers, Durable Objects, D1, KV, Email Routing. Storage and compute.
  • Stripe Payments Europe Ltd. (Ireland) — billing for paid plans only.
  • Plausible Analytics (Estonia, EU) — marketing-site analytics. Does not process Customer-Provided Personal Data.

Customer is deemed to have given general authorisation for the use of these sub-processors. Processor will notify Customer of new sub-processors at least 30 days in advance by email and on this page; Customer may object on reasonable grounds, in which case Processor will either propose an alternative or allow Customer to terminate the affected portion of the service.

6. Security measures

Processor maintains appropriate technical and organisational measures, including but not limited to:

  • Encryption in transit (TLS 1.2+) and at rest for all customer data stores.
  • Per-domain logical isolation: each Customer's DMARC reports are stored in a Durable Object dedicated to that domain.
  • MFA-required access for all personnel with administrative access.
  • Role-based access controls inside the application (owner/admin/viewer).
  • Audit logging of administrative and security-relevant events.
  • Backup and disaster-recovery exercises on at least an annual basis.
  • A coordinated vulnerability disclosure programme via security@dmarcify.dev.

7. Personal data breach notification

Processor will notify Customer without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data breach affecting Customer's data. Notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, and the measures taken or proposed.

8. International transfers

Where Processor or its sub-processors transfer Personal Data outside the EU/EEA, UK, or Switzerland, the EU Commission's Standard Contractual Clauses (Module 2: controller-to-processor; Module 3: processor-to-processor) apply by reference. The UK International Data Transfer Addendum and the Swiss FDPIC adaptations apply where relevant.

9. Assistance and audits

Processor will assist Customer in responding to data-subject requests, in conducting data protection impact assessments where required by Art. 35 GDPR, and in demonstrating compliance with this DPA. Customer may audit Processor's compliance once per twelve-month period on 30 days' written notice; audit findings remain subject to confidentiality.

10. Deletion and return

On termination of the Agreement, Processor will delete or return all Personal Data processed on Customer's behalf within 30 days, except where retention is required by law (e.g. invoices under German HGB §257). Customer may export Personal Data at any time via the DMARCify dashboard or API.

11. Execution

By accepting the DMARCify Terms of Service or using the DMARCify service after this DPA is published, Customer enters into this DPA with Processor. A counter-signed version is available on request at legal@dmarcify.dev.

DMARCify GmbH
Bergmannstraße 102, 10961 Berlin, Germany
Represented by its managing director.