Data Processing Addendum

Effective 1 May 2026

1. Purpose

This Data Processing Addendum ("DPA") supplements the DMARCify Terms of Service ("Agreement") and governs Digital David AG's ("Processor") processing of Personal Data on behalf of the Customer ("Controller"). It is incorporated by reference into the Agreement and is binding when Customer uses DMARCify in a manner that involves Personal Data of EU/EEA, UK, or Swiss data subjects.

Need a counter-signed PDF for your records? Email legal@dmarcify.dev — we'll issue one within one business day at no charge.

2. Scope

This DPA applies to all Personal Data processed by Processor on Controller's behalf in connection with the DMARCify service. Capitalised terms not defined here have the meanings given in the Agreement, the GDPR, or the UK GDPR as applicable.

3. Roles

With respect to the Personal Data contained in DMARC aggregate reports and account metadata processed via the DMARCify service:

  • Controller: Customer.
  • Processor: Digital David AG.
  • Sub-processors: the entities listed in Section 5, each of whom acts as a processor on Customer's behalf, with Processor remaining responsible for their performance.

For Processor's own account and billing data, DMARCify is the Controller and its Privacy Policy governs that processing.

4. Subject matter of processing

Categories of data subjects: senders and recipients of email referenced in DMARC reports; Customer's authorised users.

Categories of personal data: source IP addresses, header-From domains, email addresses of authorised users, reverse-DNS hostnames, ASN and country of source IPs.

Special categories: none. DMARC reports do not contain special-category data under GDPR Art. 9.

Nature and purpose: ingestion of DMARC aggregate reports, parsing, enrichment, storage, and rendering in the Customer's dashboard.

Duration: as long as Customer maintains the Agreement, subject to the retention limits of the Customer's plan.

5. Sub-processors

Processor uses the following sub-processors:

  • Cloudflare, Inc. (USA) — Workers, Durable Objects, D1, KV, Email Routing. Storage and compute.
  • Stripe, Inc. (USA) — Managed Payments merchant of record for paid plans (checkout, billing, tax, customer portal).

Customer is deemed to have given general authorisation for the use of these sub-processors. Processor will notify Customer of new sub-processors at least 30 days in advance by email and on this page; Customer may object on reasonable grounds, in which case Processor will either propose an alternative or allow Customer to terminate the affected portion of the service.

6. Security measures

Processor maintains appropriate technical and organisational measures, including but not limited to:

  • Encryption in transit (TLS 1.2+) and at rest for all customer data stores.
  • Per-tenant logical isolation: Customer data is scoped to the owning organisation at the application layer; cross-tenant access is prevented by authorisation checks on every query.
  • MFA-required access for all personnel with administrative access.
  • Role-based access controls inside the application (owner/admin/viewer).
  • Audit logging of administrative and security-relevant events.
  • Backup and disaster-recovery exercises on at least an annual basis.
  • A coordinated vulnerability disclosure programme via security@dmarcify.dev.

7. Personal data breach notification

Processor will notify Customer without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data breach affecting Customer's data. Notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, and the measures taken or proposed.

8. International transfers

Where Processor or its sub-processors transfer Personal Data outside the EU/EEA, UK, or Switzerland, the EU Commission's Standard Contractual Clauses (Module 2: controller-to-processor; Module 3: processor-to-processor) apply by reference. The UK International Data Transfer Addendum and the Swiss FDPIC adaptations apply where relevant.

9. Assistance and audits

Processor will assist Customer in responding to data-subject requests, in conducting data protection impact assessments where required by Art. 35 GDPR, and in demonstrating compliance with this DPA. Customer may audit Processor's compliance once per twelve-month period on 30 days' written notice; audit findings remain subject to confidentiality.

10. Deletion and return

On termination of the Agreement, Processor will delete or return all Personal Data processed on Customer's behalf within 30 days, except where retention is required by law (e.g. invoices under German HGB §257). Customer may export Personal Data at any time via the DMARCify dashboard or API.

11. Execution

By accepting the DMARCify Terms of Service or using the DMARCify service after this DPA is published, Customer enters into this DPA with Processor. A counter-signed version is available on request at legal@dmarcify.dev.

Digital David AG
Weserstraße 4, 60329 Frankfurt am Main, Germany
HRB 121238 (Amtsgericht Frankfurt am Main) · VAT ID DE337018659
Represented by its managing director, Stefan Rühle.