Mercando

Data Processing Agreement

Version 1.0.0 • Effective Date: April 14, 2026

1. Definitions

  • "Controller" means the Customer who determines the purposes and means of processing Personal Data
  • "Processor" means Mercando, which processes Personal Data on behalf of the Controller
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data
  • "Data Subject" means the individual to whom Personal Data relates
  • "Subprocessor" means any third party engaged by Mercando to process Personal Data

2. Scope and Purpose

This Data Processing Agreement ("DPA") applies when Mercando processes Personal Data on behalf of the Customer in connection with the Services. The processing includes:

  • Storage and management of documents containing Personal Data
  • Providing access to authorized users
  • Maintaining audit logs and access records
  • Technical support and service maintenance

3. Processing Instructions

Mercando will only process Personal Data:

  • In accordance with the Customer's documented instructions
  • As necessary to provide the Services
  • As required by applicable law (with prior notice to Customer where permitted)

The Customer's instructions are documented in this DPA, the Terms of Service, and any additional written agreements.

4. Security Measures

Mercando implements appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption of data at rest (AES-256-GCM) and in transit (TLS 1.3)
  • Access controls and authentication requirements
  • Regular security assessments and penetration testing
  • Employee training and confidentiality obligations
  • Incident detection and response capabilities
  • Business continuity and disaster recovery plans

5. Subprocessors

The Customer authorizes Mercando to engage subprocessors to assist in providing the Services. Mercando will:

  • Maintain a list of current subprocessors at /subprocessors
  • Notify the Customer at least 30 days before adding a new subprocessor
  • Enter into written agreements with subprocessors imposing equivalent data protection obligations
  • Remain liable for the acts and omissions of its subprocessors

The Customer may object to a new subprocessor by notifying Mercando in writing within 15 days of receiving notice.

6. Data Subject Rights

Mercando will assist the Customer in responding to Data Subject requests to exercise their rights under applicable law, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

If Mercando receives a request directly from a Data Subject, it will redirect the request to the Customer unless prohibited by law.

7. Data Breach Notification

In the event of a Personal Data breach, Mercando will:

  • Notify the Customer without undue delay, and in any event within 72 hours of becoming aware of the breach
  • Provide information about the nature of the breach, categories of data affected, and approximate number of Data Subjects affected
  • Describe the likely consequences of the breach
  • Describe the measures taken or proposed to address the breach
  • Cooperate with the Customer in investigating and remediating the breach

8. Audit Rights

Upon reasonable notice, the Customer may:

  • Request information necessary to demonstrate compliance with this DPA
  • Conduct audits or inspections, or mandate a third-party auditor to do so
  • Review audit reports, certifications, or assessments conducted by independent auditors

Audits will be conducted during normal business hours with reasonable advance notice and in a manner that minimizes disruption to Mercando's operations.

9. Data Return and Deletion

Upon termination of the Services:

  • The Customer may export their data using available export features
  • Mercando will delete or return all Personal Data within 30 days of the termination date, unless required by law to retain it
  • Certain data may be retained for compliance purposes (e.g., 5-year retention requirements for shared documents)

10. International Transfers

When Personal Data is transferred outside the European Economic Area (EEA), Mercando ensures appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Additional technical and organizational measures as necessary
  • Transfer impact assessments where required

11. Liability

The liability of each party under this DPA is subject to the limitations and exclusions set forth in the Terms of Service. Each party will be liable for damages caused by processing that violates applicable data protection law or this DPA.

Terms of Service Privacy Policy Subprocessors Security