Data Processing Addendum
Last updated: July 15, 2026
This Data Processing Addendum (DPA) applies when Mercur processes Customer Personal Data on behalf of a customer as a processor or subprocesser under applicable data protection laws.
This DPA is incorporated into the Terms of Service unless the parties sign a separate written agreement.
1. Definitions
"Customer Personal Data" means personal data that a customer submits to Mercur or makes available through tunnel traffic, request logs, proxy configuration, support requests, or other use of the service, where Mercur processes that data on behalf of the customer.
"Data Protection Laws" means GDPR, UK GDPR, ePrivacy rules, US state privacy laws, and other privacy or data protection laws that apply to the processing.
"Process" and related terms have the meanings given under applicable Data Protection Laws.
2. Roles
For Customer Personal Data, the customer is the controller or processor, and Mercur is the processor or subprocesser. For account, billing, security, website analytics, and business operations data, Mercur may act as an independent controller as described in the Privacy Policy.
3. Processing Instructions
Mercur will process Customer Personal Data only to provide, secure, support, maintain, and improve the service; comply with the Terms and this DPA; follow documented customer instructions; and comply with law.
Customer instructions include the Terms, product settings, API or dashboard actions, agent configuration, startup modes, and written instructions accepted by Mercur.
4. Details of Processing
- Subject matter: relay, tunneling, request inspection, endpoint configuration, agent connection, metrics, support, security, and account operations.
- Duration: for the term of the customer relationship and for retention periods described in the Privacy Policy or product settings.
- Data subjects: customer personnel, developers, end users, webhook senders, endpoint callers, support contacts, and other individuals whose data appears in customer traffic.
- Data categories: identifiers, contact data, IP addresses, device data, request metadata, headers, body previews, user agents, tokens, endpoint configuration, logs, metrics, and support content.
- Sensitive data: not intentionally required. Customers should not send sensitive personal data, secrets, payment card data, health data, or special-category data through logged traffic unless legally authorized and appropriately protected.
5. Confidentiality and Security
Mercur will use reasonable technical and organizational measures designed to protect Customer Personal Data against unauthorized access, loss, alteration, disclosure, and destruction.
Personnel and contractors with access to Customer Personal Data must be subject to confidentiality obligations. Access should be limited based on operational need.
6. Subprocessors
Customer authorizes Mercur to use subprocessors for hosting, networking, databases, caching, storage, security, support, billing, analytics, and other service operations.
Mercur remains responsible for subprocessors that process Customer Personal Data on Mercur's behalf and will use agreements requiring appropriate data protection obligations.
A formal subprocessor list should be published before production launch. Until then, customers may request current infrastructure subprocessors by contacting us.
7. Data Subject Requests
Mercur will provide reasonable assistance, taking into account the nature of the service and available information, for customer responses to data subject requests. If Mercur receives a request relating to Customer Personal Data, Mercur may direct the requester to the customer unless legally required to respond.
8. Security Incidents
Mercur will notify affected customers without undue delay after confirming a personal data breach affecting Customer Personal Data, where required by law. Notices will include available information reasonably needed for the customer to meet legal obligations.
9. Deletion and Return
Upon account closure or written request, Mercur will delete or return Customer Personal Data where feasible, subject to product functionality, legal obligations, security needs, backups, billing records, and legitimate business records.
10. International Transfers
Where Customer Personal Data is transferred internationally and transfer safeguards are required, the parties will use appropriate safeguards such as standard contractual clauses or another lawful transfer mechanism.
11. Audits and Information
Mercur will provide reasonable information needed to demonstrate compliance with this DPA. Because Mercur is an early-stage startup, no SOC 2, ISO 27001, or similar certification is promised unless separately stated in writing.
12. Customer Obligations
Customer is responsible for lawful instructions, notices, consents, endpoint configuration, security of exposed services, token management, and deciding whether request logging is appropriate for the data being processed.
13. Contact
Data protection questions may be sent to [privacy@your-domain.com]. Operator: [Legal Name / FOP], operating Mercur, [Legal address].