This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between you ("Customer", "Data Controller") and DMARC Moon ("Processor", "we", "us") and governs the processing of Personal Data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).
Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below:
- "Personal Data" means any information relating to an identified or identifiable natural person processed through the Service
- "Processing" means any operation performed on Personal Data, including collection, storage, analysis, or disclosure
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates
- "Sub-processor" means any third party engaged by the Processor to process Personal Data
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council
- "Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection
Scope and Applicability
This DPA applies to all processing of Personal Data by the Processor on behalf of the Customer in connection with the provision of the DMARC Moon service. This includes, but is not limited to:
- DMARC aggregate and forensic reports
- Email authentication data (SPF, DKIM, DMARC records)
- Domain names and DNS information
- IP addresses and email source information
- User account and contact information
Roles and Responsibilities
Data Controller
The Customer acts as the Data Controller and shall:
- Determine the purposes and means of processing Personal Data
- Ensure that processing instructions comply with applicable Data Protection Laws
- Maintain appropriate legal basis for processing Personal Data
- Respond to Data Subject requests and complaints
- Ensure data minimization and accuracy of Personal Data
Data Processor
DMARC Moon acts as the Data Processor and shall:
- Process Personal Data only on documented instructions from the Customer
- Implement appropriate technical and organizational security measures
- Ensure confidentiality of persons authorized to process Personal Data
- Assist the Customer in responding to Data Subject requests
- Assist the Customer in ensuring compliance with data protection obligations
- Delete or return Personal Data upon termination of services
Processing Instructions
The Processor shall process Personal Data only in accordance with the Customer's documented instructions. The initial instruction is to process Personal Data for the purpose of providing the DMARC Monitor service as described in the Terms and Conditions.
If the Processor believes that any instruction violates applicable Data Protection Laws, it shall immediately inform the Customer and shall not be required to comply with such instruction.
Security Measures
The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Technical Measures
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
- Secure authentication and access controls (multi-factor authentication)
- Regular security testing and vulnerability assessments
- Intrusion detection and prevention systems
- Firewall protection and network segmentation
- Secure backup and disaster recovery procedures
Organizational Measures
- Information security policies and procedures
- Employee training on data protection and security
- Confidentiality agreements with employees and contractors
- Access control policies (least privilege principle)
- Incident response and breach notification procedures
- Regular security audits and compliance reviews
Sub-processors
Authorization
The Customer authorizes the Processor to engage Sub-processors to process Personal Data. The Processor shall enter into a written agreement with each Sub-processor imposing substantially the same data protection obligations as set out in this DPA.
List of Sub-processors
The current list of Sub-processors includes:
- Amazon Web Services (AWS): cloud infrastructure and data storage. Location: EU (Frankfurt), US East
- Cloudflare: CDN, DDoS protection, and security services. Location: global network with EU data centers
- Stripe: payment processing. Location: US, EU
- SendGrid: email delivery service. Location: US
Changes to Sub-processors
The Processor shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance. The Customer may object to such changes on reasonable grounds relating to data protection.
Data Subject Rights
The Processor shall assist the Customer in fulfilling its obligations to respond to Data Subject requests, including:
- Right of access to Personal Data
- Right to rectification of inaccurate Personal Data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Rights related to automated decision-making
The Processor shall provide such assistance within a reasonable timeframe and may charge a reasonable fee for extensive assistance requests.
Data Breach Notification
The Processor shall notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification shall include:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact details for further information
The Processor shall provide reasonable cooperation and assistance to the Customer in relation to any notification to supervisory authorities or Data Subjects.
Data Protection Impact Assessment
The Processor shall provide reasonable assistance to the Customer in conducting Data Protection Impact Assessments (DPIAs) and consultations with supervisory authorities, where required under applicable Data Protection Laws.
International Data Transfers
Transfer Mechanisms
To the extent that processing involves transfers of Personal Data to countries outside the EEA that do not ensure an adequate level of data protection, the parties agree to implement appropriate safeguards, including:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions by the European Commission
- Binding Corporate Rules where applicable
- Additional security measures as required
Standard Contractual Clauses
Where transfers of Personal Data are made to the Processor or Sub-processors located outside the EEA, the parties shall execute the Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries (Module Two: Controller to Processor).
Audit Rights
The Processor shall make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
The Customer may conduct such audits no more than once per year, upon reasonable notice (at least 30 days), during business hours, and in a manner that does not unreasonably interfere with the Processor's operations.
Data Retention and Deletion
During Service
The Processor shall retain Personal Data for as long as necessary to provide the service and in accordance with the data retention periods specified in the Privacy Policy.
Upon Termination
Upon termination or expiration of the service, the Processor shall, at the Customer's choice:
- Delete all Personal Data and existing copies (unless storage is required by law)
- Return all Personal Data to the Customer in a commonly used, machine-readable format
The Processor may retain Personal Data to the extent required by applicable law and only for the purposes and duration specified by such law.
Confidentiality
The Processor shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation shall survive termination of this DPA.
Liability and Indemnification
Liability
Each party's liability under this DPA shall be subject to the limitations and exclusions set out in the Terms and Conditions, except where prohibited by applicable Data Protection Laws.
Indemnification
The Processor shall indemnify and hold harmless the Customer from and against all claims, costs, damages, and expenses (including reasonable attorney's fees) arising from the Processor's breach of this DPA, subject to the limitations in the Terms and Conditions.
Term and Termination
This DPA shall commence on the effective date of the Terms and Conditions and shall continue until the termination of all services provided by the Processor to the Customer.
Upon termination, the provisions relating to data deletion, confidentiality, liability, and any other provisions that by their nature should survive, shall continue to apply.
Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the same governing law as specified in the Terms and Conditions. For the purposes of GDPR, the supervisory authority with jurisdiction shall be determined in accordance with Article 55 GDPR.
Order of Precedence
In the event of any conflict between the provisions of this DPA and the Terms and Conditions, the provisions of this DPA shall prevail to the extent of such conflict with respect to the processing of Personal Data.
Amendments
The Processor may amend this DPA from time to time to reflect changes in Data Protection Laws or processing operations. The Processor shall provide notice of material changes at least 30 days in advance. Continued use of the service after such changes constitutes acceptance of the updated DPA.
Severability
If any provision of this DPA is found to be unenforceable or invalid, such provision shall be modified to the minimum extent necessary to make it enforceable, and the remainder of this DPA shall continue in full force and effect.
A signed copy of this DPA can be requested by contacting [email protected]. Enterprise customers may request custom DPA terms.
Contact Information
Codeers cz, s.r.o.
Nové sady 988/2, Staré Brno
602 00 Brno, Czech Republic
IČO: 14436825 · DIČ: CZ14436825
Registered: C 128184 at Regional Court in Brno
For GDPR-related inquiries, please include "GDPR Request" in the subject line.
By using DMARC Moon, you acknowledge that you have read and understood this document.