This Data Processing Agreement ("DPA") forms part of the Master Terms & Conditions between MergeGuard and the merchant ("Controller") and governs the processing of personal data by MergeGuard ("Processor") on behalf of the Controller.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data.
- "Data Subject" means the individual whose Personal Data is processed.
2. Scope of Processing
The Processor shall process Personal Data only:
- On documented instructions from the Controller
- For the purposes of providing the Services
- In accordance with applicable data protection laws
3. Security Measures
The Processor shall implement appropriate technical and organizational measures including:
- Encryption of Personal Data in transit and at rest
- Access controls and authentication mechanisms
- Regular security assessments and penetration testing
- Incident detection and response capabilities
4. Sub-Processors
The Controller authorizes the Processor to engage sub-processors subject to:
- Equivalent data protection obligations
- Prior notification of material changes
- Processor remaining liable for sub-processor compliance
5. Data Subject Rights
The Processor shall assist the Controller in responding to Data Subject requests to exercise their rights under applicable law.
6. Data Breach Notification
The Processor shall notify the Controller without undue delay upon becoming aware of a Personal Data breach and shall provide all necessary information to enable the Controller to meet its notification obligations.
7. Deletion and Return of Data
Upon termination of the Services, the Processor shall, at the Controller's choice, delete or return all Personal Data and delete existing copies unless retention is required by applicable law.
8. Contact Information
dpa@mergeguard.store