Data Processing Addendum
Effective date: April 6, 2026
Last updated: April 6, 2026
1. Parties and Scope
This Data Processing Addendum ("DPA") is entered into between:
- Customer ("Controller"): The entity that has agreed to the DMARCit Terms of Service and uses the Service.
- Cadmos LLC ("Processor" or "DMARCit"): The provider of the DMARCit platform.
This DPA supplements and forms part of the Terms of Service (the "Agreement"). In the event of a conflict between this DPA and the Agreement, this DPA will prevail with respect to the processing of personal data.
This DPA is automatically effective for any Customer that agrees to the Terms of Service, to the extent that DMARCit processes personal data on behalf of that Customer in the course of providing the Service. No separate signature or execution is required.
2. Definitions
Terms used in this DPA have the meanings given in the Agreement. In addition:
- "Data Protection Laws" means all applicable laws relating to the processing of personal data, including (where applicable) the EU General Data Protection Regulation (GDPR), UK GDPR, the California Consumer Privacy Act (CCPA), and other applicable data protection and privacy laws.
- "Personal Data" means any information relating to an identified or identifiable natural person that DMARCit processes on behalf of the Customer in connection with the Service.
- "Processing" means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion.
- "Subprocessor" means a third party engaged by DMARCit to process personal data on behalf of the Customer.
3. Roles of the Parties
The Customer is the Controller of the personal data submitted to or processed through the Service. DMARCit is the Processor acting on behalf of the Customer.
Where the Customer is an MSP, consultant, or reseller managing domains on behalf of its own clients, the Customer represents that it has obtained appropriate authorization from those clients and acts as either Controller or Processor in its own right. DMARCit acts as a Processor (or Subprocessor, as applicable) to the Customer.
4. Subject Matter and Duration of Processing
DMARCit processes personal data for the duration of the Agreement, plus any post-termination period described in Section 12.
5. Nature and Purpose of Processing
DMARCit processes personal data to provide the Service, which includes:
- Receiving, parsing, and storing DMARC aggregate reports (RUA) on behalf of the Customer
- Configuring DMARC forensic/failure report (RUF) addresses through DNS guidance on behalf of the Customer (note: the Service does not currently receive or process RUF reports; no RUF data is ingested or stored)
- Enriching report data with IP geolocation and organization information
- Managing domain configurations, DNS records, and Hosted SPF records
- Providing dashboards, analytics, and alerting based on report data
- Managing user accounts, organization membership, and access controls
- Processing billing and subscription management through Stripe
- Sending transactional emails (invitations, alerts, account notifications)
6. Categories of Personal Data
The personal data processed may include:
- Account holder names and email addresses
- IP addresses of email senders (contained in DMARC reports)
- Email addresses of senders and recipients (contained in RUF forensic reports)
- Email subject lines and message headers (contained in RUF forensic reports)
- Domain names and DNS record data
- Organization names and membership data
- Billing identifiers (via Stripe; DMARCit does not store full payment card data)
- Usage logs and IP addresses of Service users
7. Categories of Data Subjects
Data subjects may include:
- Customer employees and authorized users of the Service
- End-user clients of MSP/consultant/reseller Customers
- Individuals whose email addresses or IP addresses appear in DMARC reports submitted to or received by the Service
8. Customer Obligations
The Customer shall:
- Ensure that it has a lawful basis for processing personal data and for instructing DMARCit to process it
- Provide any required notices and obtain any required consents from data subjects
- Ensure that its instructions to DMARCit comply with applicable Data Protection Laws
- Be responsible for the accuracy and legality of the personal data provided to DMARCit
9. Processor Obligations
DMARCit shall:
- Process personal data only on documented instructions from the Customer (which include the Agreement and this DPA), unless required by law
- Ensure that persons authorized to process personal data are bound by obligations of confidentiality
- Not process personal data for any purpose other than providing the Service as described in the Agreement
- Inform the Customer if, in DMARCit's opinion, an instruction infringes applicable Data Protection Laws
10. Security Measures
DMARCit implements and maintains appropriate technical and organizational security measures to protect personal data, including:
- Encryption of data in transit (TLS)
- Access controls and authentication for the Service and infrastructure
- Regular review and testing of security measures
- Incident detection and response procedures
- Secure deletion of data when no longer needed
11. Subprocessors
The Customer provides general authorization for DMARCit to engage subprocessors to assist in providing the Service. The current list of subprocessors is available at dmarcit.io/subprocessors.
DMARCit will notify the Customer at least 30 days before engaging a new subprocessor or replacing an existing subprocessor. If the Customer objects to a new subprocessor on reasonable data protection grounds, the Customer may notify DMARCit in writing within 14 days of receiving notice. The parties will discuss the objection in good faith. If no resolution is reached, the Customer may terminate the affected Service by providing written notice.
DMARCit will impose data protection obligations on each subprocessor that are no less protective than those in this DPA.
12. Assistance with Data Subject Requests
DMARCit will, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures in fulfilling the Customer's obligation to respond to data subject requests (including requests for access, rectification, erasure, restriction, portability, and objection).
If DMARCit receives a data subject request directly, it will promptly redirect the request to the Customer unless legally required to respond directly.
13. Data Breach Notification
DMARCit will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting data processed on behalf of the Customer. The notification will include, to the extent available:
- A description of the nature of the breach, including categories and approximate number of data subjects and records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
- Contact information for further inquiries
DMARCit will cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
14. Deletion or Return of Data
Upon termination of the Agreement, DMARCit will, at the Customer's choice, delete or return all personal data processed on behalf of the Customer, and delete existing copies unless retention is required by applicable law. The Customer may request data export within 30 days of termination. After that period, DMARCit will promptly delete remaining Customer personal data.
15. Audit and Information Rights
DMARCit will make available to the Customer, on reasonable request, information necessary to demonstrate compliance with this DPA.
The Customer (or a qualified third-party auditor appointed by the Customer and accepted by DMARCit, such acceptance not to be unreasonably withheld) may conduct an audit of DMARCit's processing activities, subject to the following conditions:
- Audits may be conducted no more than once per 12-month period, unless required by a supervisory authority or following a confirmed data breach
- The Customer must provide at least 30 days' written notice
- The audit must be conducted during normal business hours and must not unreasonably disrupt DMARCit's operations
- The auditor must agree to reasonable confidentiality obligations
- The Customer bears the cost of the audit
Where available, DMARCit may satisfy audit requests by providing a copy of a relevant third-party audit report or certification in lieu of an on-site audit, provided that such report adequately addresses the Customer's reasonable concerns.
16. International Transfers
DMARCit processes data in the United States. Where the Customer is located in a jurisdiction that restricts cross-border transfers of personal data (such as the EU or UK), the parties agree that transfers will be made under an approved transfer mechanism.
For transfers of personal data from the European Economic Area to the United States, the parties agree that the EU Standard Contractual Clauses (Module 2: Controller to Processor) as approved by the European Commission are incorporated by reference as an annex to this DPA.
For transfers from the United Kingdom, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses applies where required by UK data protection law.
17. Order of Precedence
In the event of a conflict between this DPA and the Agreement (including the Terms of Service), this DPA will prevail with respect to the processing of personal data. In the event of a conflict between this DPA and the Standard Contractual Clauses (if applicable), the Standard Contractual Clauses will prevail.
18. Contact
For questions about this DPA, contact:
Cadmos LLC
PO Box 231, Cullman, AL 35056
Email: legal@dmarcit.io