Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between Dunglas Services SAS ("Processor", "Mercure.rocks") and the customer ("Controller") for use of the Mercure Cloud service ("Service"). It governs processing of personal data carried out by the Processor on behalf of the Controller in the course of providing the Service, in accordance with Article 28 of Regulation (EU) 2016/679 ("GDPR").
This DPA is offered as a template. To execute it for your organisation, email a signed copy to contact@mercure.rocks; we will counter-sign and return.
Last updated: 2026-04-30.
1. Definitions
Terms used in this DPA have the meanings given in Article 4 GDPR. "Personal Data", "Processing", "Controller", "Processor", "Subprocessor", "Data Subject", and "Supervisory Authority" carry their GDPR definitions.
2. Subject matter and duration
The Processor processes Personal Data on behalf of the Controller for the sole purpose of providing the Service, for as long as the Service agreement is in force, plus any retention period required by law.
3. Nature, purpose and categories of processing
| Item | Detail |
|---|---|
| Nature of processing | Hosting, transmission and storage of real-time messages and account metadata |
| Purpose | Operation of the Mercure Cloud Hub on behalf of the Controller |
| Categories of data subjects | The Controller's end users, employees, contractors, or any other person whose data is published or subscribed through the Service |
| Categories of personal data | As determined by the Controller; typically identifiers, message payloads chosen by the Controller, technical metadata (IP, timestamps) |
| Special-category data | Not expected. The Controller must not transmit special-category data (Art. 9) without first informing the Processor |
4. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including those given through the Service configuration and APIs, except where required by EU or Member State law.
- Ensure that personnel authorised to process Personal Data are bound by confidentiality.
- Implement the technical and organisational measures described in Section 7 and the Security Policy.
- Engage Subprocessors only as listed in Section 8 and notify the Controller of intended changes in advance.
- Assist the Controller, taking into account the nature of the processing, in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under Chapter III GDPR.
- Assist the Controller in ensuring compliance with Articles 32 to 36 GDPR.
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the Service, and delete existing copies unless EU or Member State law requires retention. Standard retention is 31 days for backup snapshots.
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 obligations and allow for and contribute to audits, including inspections, by the Controller or another auditor mandated by the Controller.
5. Obligations of the Controller
The Controller warrants that:
- It has a valid legal basis for processing the Personal Data it transmits through the Service.
- It has provided all required notices to and obtained any necessary consents from Data Subjects.
- It will not instruct the Processor to process Personal Data in a way that would violate applicable data-protection law.
6. International transfers
The Service is operated in the European Union. Where any onward transfer to a third country occurs, including incidental support access by a Subprocessor, the Processor and the relevant Subprocessor rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and any additional safeguards required by Schrems II case law.
7. Technical and organisational measures (Article 32)
The Processor implements the following measures:
- **Encryption in transit.** TLS via Caddy with automatic certificate management, HTTP/2 and HTTP/3 by default.
- **Encryption at rest.** Provider-managed encryption on the production database, cache, and EU backup storage.
- **Access control.** Strict minimum number of personnel with production access. Authentication via short-lived credentials with MFA. Service-account access scoped to least privilege.
- **Network segmentation.** Per-tenant isolation. Tenant Hubs cannot reach each other.
- **Hardened workloads.** Rootless-compatible container images, restricted security context, automatic security patches.
- **Backup.** Encrypted nightly backups to EU storage (AWS, Paris) with a 31-day retention policy.
- **Vulnerability management.** Automated dependency and vulnerability scanning on every commit. Security patches applied promptly.
- **Logging and monitoring.** Centralised observability via Prometheus and OpenMetrics endpoints and structured JSON logs.
- **Resilience.** Workloads scheduled across multiple availability zones inside the Amsterdam region.
8. Subprocessors
The Processor uses the following Subprocessors. The Controller authorises their engagement by signing this DPA.
| Subprocessor | Role | Location |
|---|---|---|
| DigitalOcean LLC | Compute, database, cache | Amsterdam, Netherlands |
| Amazon Web Services EMEA SARL | Encrypted backups | Paris, France |
| Okta, Inc. (Auth0) | Authentication | EU region |
| Stripe Payments Europe Ltd | Payments | Ireland (EU); incidental US transfer for cardholder verification under SCCs |
The Processor will provide at least 30 days' written notice (or via the Service notification mechanism) before adding or replacing a Subprocessor. The Controller may object to a new Subprocessor on reasonable grounds, in which case the parties will work in good faith to resolve the objection or the Controller may terminate the Service for the affected scope.
9. Personal-data breach notification
The Processor will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting the Controller's data, providing all information required to satisfy GDPR Articles 33 and 34. Notifications go to the email associated with the Controller's account.
10. Liability and term
The DPA is governed by French law. It enters into force when signed by both parties and remains in force for as long as the Processor processes Personal Data on behalf of the Controller. Liability under this DPA is subject to the limitations of liability set out in the main agreement.
11. How to execute
1. Save this page (or copy the text into a PDF).
2. Fill in the Controller's legal name, registered office, and signing authority on a cover sheet.
3. Sign and email to contact@mercure.rocks from a verifiable address.
4. We will counter-sign and email back the executed copy.
For procurement workflows that require a vendor's MSA-style DPA, get in touch and we will sign yours if it does not materially diverge from this template.