Data Processing Agreement
The terms under which we process personal data on behalf of business and MSP customers. This DPA forms part of our Terms & Conditions.
Last updated: 28 June 2026
This Data Processing Agreement ("DPA") applies where iVibe Media Limited, trading as DMARCER ("DMARCER", "Processor"), processes Personal Data on behalf of a customer ("Customer", "Controller") in providing the DMARCER service. It forms part of, and is subject to, our Terms & Conditions (the "Agreement"). Where there is a conflict on data-protection matters, this DPA prevails.
1. Definitions
"Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, and any other applicable data-protection laws. "Controller", "Processor", "Data Subject", "Personal Data", "Processing" and "Sub-processor" have the meanings given in the Data Protection Laws.
2. Roles and scope
The Customer is the Controller and DMARCER is the Processor in respect of the Personal Data processed to provide the service ("Customer Personal Data"), as described in Schedule 1. DMARCER will process Customer Personal Data only to provide and support the service and as set out in this DPA.
3. Processor obligations
- Instructions. We process Customer Personal Data only on the Customer's documented instructions (including those given through the platform), unless required by law, in which case we will inform the Customer unless legally prohibited.
- Confidentiality. Personnel authorised to process Customer Personal Data are bound by confidentiality and access it on a least-privilege basis.
- Security. We implement appropriate technical and organisational measures as set out in Schedule 3 (Article 32).
- Sub-processors. The Customer gives general authorisation for the Sub-processors in Schedule 2. We impose data-protection terms on each Sub-processor no less protective than this DPA and remain liable for their performance. We will give notice of intended changes and allow the Customer to object on reasonable data-protection grounds.
- Assistance. Taking account of the nature of processing, we assist the Customer (by appropriate measures, and insofar as possible) to respond to Data Subject requests and to meet obligations on security, breach notification, data-protection impact assessments and prior consultation.
- Breach notification. We notify the Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Personal Data, with the information reasonably available to us.
- Deletion or return. On termination, we delete or return Customer Personal Data as described in the Agreement and our Privacy Policy, except where retention is required by law.
- Audits. We make available information reasonably necessary to demonstrate compliance and allow for audits, subject to reasonable confidentiality, scope, frequency and notice.
4. Customer obligations
The Customer warrants that it has a lawful basis and all necessary rights and notices to provide the Customer Personal Data (including any DMARC forensic data) and to instruct the processing described here, and that its instructions comply with Data Protection Laws.
5. Data residency and international transfers
A domain's reporting data (DMARC aggregate (RUA), forensic (RUF) and MTA-STS data, and the resulting analytics) is processed and stored on DMARCER's dedicated servers in the region selected for that domain, and is not copied or transferred to another region. DMARCER's management systems, holding account, login, tenant and billing data, are hosted in the United Kingdom and the EU, and retrieve regional data on request in order to present it in the management application.
Where Personal Data is transferred outside the UK or EEA, for example where a non-UK/EEA region is selected, or when regional data is accessed for presentation through the UK/EU management layer, the parties rely on an appropriate transfer mechanism (UK adequacy regulations, the UK International Data Transfer Agreement / Addendum, or EU Standard Contractual Clauses), which are incorporated by reference where applicable.
6. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement.
7. Governing law
This DPA is governed by the laws of England & Wales.
Schedule 1, Details of processing
Subject matter: provision of the DMARCER email-security platform.
Duration: the term of the Agreement, plus any retention period set out in the Agreement / Privacy Policy.
Nature and purpose: monitoring, scoring, reporting and remediation of email-authentication posture (SPF, DKIM, DMARC, MTA-STS, TLS-RPT, DNSSEC), including DMARC report processing, alerting and support.
Types of Personal Data: Customer account and user contact details; support correspondence; and, occasionally, limited personal data contained in forensic (RUF) reports where enabled (e.g. message headers, sender/recipient email addresses, subject lines), which may relate to data subjects in any jurisdiction. Aggregate (RUA), MTA-STS and TLS-RPT data do not contain personal data.
Categories of Data Subjects: the Customer's staff and representatives (and, for MSP customers, their clients' representatives); senders and recipients of email referenced in DMARC reports.
Schedule 2, Sub-processors
DMARCER (iVibe Media Limited) performs the core processing of Customer Personal Data on its own infrastructure. We engage the following sub-processors only for the limited purposes shown:
- Anthropic and OpenAI (AI / large language model providers), used only when a user requests an AI analysis of a forensic (RUF) report. RUF data can contain personal data, which is sent solely to generate that user-requested analysis. We contract on terms that prohibit using the data to train the providers' models. No other Customer Personal Data is sent to AI providers.
- Cloudflare (bot protection via Turnstile on certain forms), which processes the visitor's IP address.
Billing is handled by Stripe (card payments) and Xero (invoicing and accounting), each acting as an independent processor (we do not store full card details). We will give Customers prior notice of any new sub-processor so they may object, as set out in section 3.
Schedule 3, Technical and organisational measures
- Encryption of data in transit (TLS); encryption at rest where supported.
- Role-based access control and least-privilege access; additional restriction on forensic (RUF) data.
- Multi-factor authentication for staff access to production systems.
- Regional data isolation aligned to the account's selected region.
- Logging, monitoring and alerting; incident detection and response.
- Backups and resilience measures.
- Vulnerability management and change control.
- Staff confidentiality obligations and security awareness.
Contact
iVibe Media Limited (trading as DMARCER), 2 Frederick Street, Kings Cross, London, United Kingdom, WC1X 0ND. Email: privacy@dmarcer.net.