Data Processing Agreement

Last updated: 30 April 2026

This Data Processing Agreement (“DPA”) is subject to and forms part of the agreement between the customer that accepts or otherwise uses the DMARCTrust service (“Customer”) and FLGXPL, a French company registered with the Tribunal de Commerce de Paris under number 810 794 164, with its registered office at 231 rue Saint-Honoré, 75001 Paris, France (“FLGXPL”), for the use of the DMARCTrust service made available at https://www.dmarctrust.com (the “Service”), governed by the FLGXPL Terms of Service available at https://www.dmarctrust.com/tos (the “Agreement”).

This DPA governs the Processing of Personal Data by FLGXPL on behalf of the Customer in connection with the Service. The Customer’s identity, address, and contact details are those provided in the Customer’s account, billing profile, order form, or other Agreement records.

By accepting the Agreement, creating an account, or using the Service to submit or generate Customer Data containing Personal Data, the Customer agrees to this DPA. No separate signature is required unless the Parties expressly agree otherwise in writing.

If there is any conflict between this DPA and the Agreement on the processing of Personal Data, this DPA prevails.


1. Definitions

Capitalized terms used but not defined in this DPA have the meanings given in the Agreement. For the purposes of this DPA:

  • “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” and “Sub-processor” have the meanings given to them in the GDPR.
  • “Customer Data” means data submitted to or generated by the Service by or on behalf of the Customer for domains the Customer owns or is authorised to monitor, including DMARC aggregate and forensic reports, TLS-RPT reports, DNS records, monitored-domain configuration, and related processing logs.
  • “Data Protection Laws” means all data protection and privacy laws applicable to a Party’s processing of Personal Data, including the GDPR, the UK GDPR, and the French Data Protection Act (Loi Informatique et Libertés).
  • “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
  • “SCCs” means the Standard Contractual Clauses for the transfer of Personal Data to third countries adopted by the European Commission in Decision 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
  • “UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office, available at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/.
  • “UK GDPR” means the GDPR as incorporated into the law of the United Kingdom by the Data Protection Act 2018.

2. Scope, roles, and duration

2.1 This DPA applies to the Processing of Personal Data by FLGXPL on behalf of the Customer in connection with the Service.

2.2 The Customer is the Controller and FLGXPL is the Processor with respect to Customer Data containing Personal Data. Where the Customer is itself acting as a processor for a third-party controller, the Customer warrants that it has the necessary authority to bind the relevant controller to this DPA, to issue instructions to FLGXPL on that controller’s behalf, and to make this DPA available to that controller.

2.3 FLGXPL acts as an independent Controller for processing outside the scope of this DPA, including account administration, authentication, billing records, security, fraud and abuse prevention, legal compliance, website analytics, marketing, support, and business communications, as described in the Agreement and the FLGXPL Privacy Policy. This DPA does not govern that independent-controller processing.

2.4 This DPA takes effect on the earlier of the date the Customer accepts the Agreement or the date FLGXPL first processes Personal Data on behalf of the Customer under the Agreement. It remains in force for as long as FLGXPL processes Personal Data on behalf of the Customer under the Agreement. Sections that by their nature should survive termination (including Sections 13, 14, 15, 16, 17, and 18) survive termination.

3. Processing instructions

3.1 FLGXPL processes Personal Data only on documented instructions from the Customer. The Customer’s instructions are set out in the Agreement, this DPA (including Annex I), and the configuration choices the Customer makes within the Service. Additional instructions require written agreement.

3.2 FLGXPL informs the Customer if, in its opinion, an instruction infringes Data Protection Laws. FLGXPL may suspend the relevant Processing until the instruction is amended or confirmed in writing.

3.3 FLGXPL does not Process Personal Data for its own purposes other than as permitted by Section 5.2 of the Agreement (aggregated and de-identified data), as required by applicable law, and for independent-controller processing outside the scope of this DPA as described in Section 2.3.

4. Customer obligations

4.1 The Customer must provide only lawful instructions to FLGXPL and must comply with its own obligations under Data Protection Laws, including with respect to transparency, legal basis, data subject rights, confidentiality, and security.

4.2 The Customer is responsible for providing all notices and obtaining all rights, permissions, and consents necessary for FLGXPL to Process Personal Data as described in the Agreement and this DPA, including where DMARC aggregate or forensic reports contain Personal Data of senders, recipients, employees, contractors, customers, or other third parties.

4.3 The Customer must not intentionally submit special categories of Personal Data within the meaning of Article 9 of the GDPR, data relating to criminal convictions or offences, or other sensitive data to the Service. The Customer is solely responsible for its decision to configure DMARC forensic reporting or other data sources that may include Personal Data beyond standard aggregate reporting.

5. Confidentiality

FLGXPL ensures that personnel authorised to Process Personal Data are bound by appropriate confidentiality obligations, whether by contract or statutory duty, and that access is limited to those with a need to know.

6. Security of processing

6.1 FLGXPL implements appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing.

6.2 The measures in force at the date this DPA takes effect for the Customer are described in Annex II. FLGXPL may update these measures over time, provided the overall level of protection is not reduced.

7. Sub-processors

7.1 The Customer grants FLGXPL a general authorisation to engage Sub-processors to Process Personal Data, subject to this Section.

7.2 The Sub-processors authorised at the date this DPA takes effect for the Customer are listed in Annex III.

7.3 FLGXPL gives the Customer at least thirty (30) days’ prior notice of the addition or replacement of any Sub-processor by updating the list referenced in Section 7.2 or by email to the Customer’s billing contact. The Customer may object to such changes on reasonable data-protection grounds within fifteen (15) days. The Customer acknowledges that Sub-processors may be necessary to provide the Service. If the Parties cannot agree on a reasonable resolution, FLGXPL is not required to provide the affected portion of the Service using the objected-to Sub-processor, and the Customer may terminate the affected portion of the Service for convenience and receive a refund of any pre-paid fees covering the period after termination.

7.4 FLGXPL imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable to the Customer for the acts and omissions of its Sub-processors as if they were its own.

8. Assistance with data subject rights

Taking into account the nature of the Processing, FLGXPL provides reasonable assistance required by Data Protection Laws to enable the Customer to respond to requests from Data Subjects to exercise their rights. The Customer must first use the Service features and documentation available to it, including dashboard export and deletion tools where available. FLGXPL forwards any request received directly from a Data Subject to the Customer without responding on its own, unless authorised to do so. FLGXPL may charge reasonable fees for assistance beyond its obligations under Data Protection Laws.

9. Government and law-enforcement requests

To the extent required by Data Protection Laws, FLGXPL informs the Customer of any binding request from a law-enforcement authority, court, supervisory authority, or other governmental authority requiring disclosure of Personal Data Processed on behalf of the Customer, unless prohibited by applicable law or the authority’s request.

10. Personal data breaches

10.1 FLGXPL notifies the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data.

10.2 The notification includes, to the extent then known, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. FLGXPL provides timely updates as more information becomes available.

10.3 FLGXPL provides reasonable assistance to the Customer in meeting its own notification obligations to supervisory authorities and Data Subjects.

11. Data protection impact assessments

Taking into account the nature of the Processing and information available to FLGXPL, FLGXPL provides reasonable assistance required by Data Protection Laws for data protection impact assessments and prior consultations with supervisory authorities, where the Customer cannot reasonably access the relevant information through the Service or documentation. FLGXPL may charge reasonable fees for assistance beyond its obligations under Data Protection Laws.

12. International transfers

12.1 FLGXPL hosts Customer Data primarily in the European Union (OVH, E.U.). Where the Service makes data-region selection available, the Customer may select a preferred data region, subject to availability and delays required for technical migration.

12.2 Where Personal Data is transferred outside the European Economic Area, the United Kingdom, or Switzerland to a country that is not the subject of an adequacy decision, the transfer is subject to:

(a) the SCCs, which are incorporated into this DPA by reference, with Module 2 (Controller-to-Processor) applying where the Customer acts as Controller and Module 3 (Processor-to-Processor) applying where the Customer acts as Processor for a third-party controller. The docking clause is enabled and the optional clauses apply as set out in Annex IV. Annex I, Annex II, and Annex III of this DPA serve as Annex I, Annex II, and Annex III of the SCCs respectively;

(b) for transfers from the United Kingdom, the UK Addendum, incorporated by reference, with Tables 1 to 3 completed by reference to the SCCs as set out in (a) and Table 4 indicating that neither Party may end the UK Addendum as set out in Section 19 of it;

(c) for transfers from Switzerland, the SCCs apply with the modifications recommended by the Swiss Federal Data Protection and Information Commissioner (FDPIC), including references to the GDPR being read as references to the Swiss Federal Act on Data Protection where applicable.

12.3 FLGXPL relies on the EU-US Data Privacy Framework, the UK Extension, and the Swiss-US Data Privacy Framework where its Sub-processors are certified under those frameworks, in addition to the SCCs.

13. Audits

13.1 FLGXPL will make available the information reasonably necessary to demonstrate compliance with Article 28 of the GDPR. The Customer must first rely on documentation, security summaries, and written responses made available by FLGXPL. FLGXPL may respond to reasonable written security questions where the information already made available is insufficient for the Customer to meet its obligations under Data Protection Laws. FLGXPL may charge reasonable fees for assistance beyond its obligations under Data Protection Laws.

13.2 FLGXPL may make available relevant certifications, attestations, summaries, or third-party materials for FLGXPL or its Sub-processors to the extent FLGXPL is legally and contractually permitted to disclose them.

13.3 If the information made available under Sections 13.1 and 13.2 is reasonably insufficient for the Customer to meet its obligations under Data Protection Laws, FLGXPL will allow and contribute to a reasonable audit, subject to a mutually agreed audit plan, at least thirty (30) days’ prior written notice, no more than once per twelve (12) months unless required by a supervisory authority or following a confirmed Personal Data Breach, and at the Customer’s cost.

13.4 Any audit must be conducted during business hours, by an independent auditor that is not a competitor of FLGXPL, under appropriate confidentiality obligations, and without disrupting FLGXPL’s operations. Audits may not include access to production systems, source code, vulnerability testing, information relating to other customers, or information that would compromise security or confidentiality.

14. Return and deletion of personal data

14.1 The Customer may export its Customer Data through the Service during the term where export features are made available.

14.2 At the Customer’s choice, following termination or expiry of the Agreement, FLGXPL deletes or returns Customer Data containing Personal Data within thirty (30) days, except for:

(a) data FLGXPL is required to retain under applicable law; and
(b) aggregated and de-identified data as permitted by Section 5.2 of the Agreement.

15. Liability

The liability of each Party under this DPA is subject to the limitations and exclusions set out in Section 9 of the Agreement. Nothing in this DPA limits or excludes any liability that cannot be limited or excluded under Data Protection Laws, including a Data Subject’s right to compensation under Article 82 of the GDPR.

16. Order of precedence

In case of conflict between this DPA, the Agreement, and any SCCs incorporated by reference: (a) the SCCs prevail; (b) then this DPA; (c) then the Agreement.

17. Governing law and jurisdiction

This DPA is governed by French law, excluding its conflict-of-law rules. Any dispute arising out of or in connection with this DPA is subject to the exclusive jurisdiction of the Tribunal de Commerce de Paris, France, in line with Section 11 of the Agreement.

18. Miscellaneous

18.1 This DPA, together with the Agreement, constitutes the entire agreement between the Parties on the Processing of Personal Data and supersedes any prior data-processing terms.

18.2 If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force, and the Parties will replace the invalid provision with a valid one closest to the original intent.

18.3 Notices under this DPA are sent to [email protected] (for FLGXPL) and to the Customer’s account administrator, billing contact, legal contact, privacy contact, or any other contact details provided by the Customer under the Agreement.


Annex I — Description of Processing

I.A. List of parties

Data exporter (Controller or Processor): the Customer identified in the Agreement, account records, billing profile, order form, or other records maintained under the Agreement. Contact: the Customer’s account administrator, billing contact, legal contact, privacy contact, or any other contact details provided by the Customer under the Agreement. Activities relevant to the data transferred: receipt of DMARC reports for domains the Customer owns or is authorised to monitor; analysis of email authentication results; alerting and reporting. Role: Controller, or Processor where the Customer processes Personal Data on behalf of a third-party controller.

Data importer (Processor): FLGXPL, 231 rue Saint-Honoré, 75001 Paris, France. RCS Paris 810 794 164. Contact: [email protected]. Activities relevant to the data transferred: provision of the DMARCTrust DMARC monitoring service, including ingestion and parsing of aggregate (RUA) and forensic (RUF) reports, DNS monitoring, alerting, dashboards, and the related platform features described in the Agreement. Role: Processor.

I.B. Description of transfer

Categories of data subjects:

  • Senders and recipients of email associated with domains monitored by the Customer, to the extent they appear in DMARC reports;
  • Natural persons whose Personal Data appears in TLS-RPT reports, DNS records, monitored-domain configuration, or related processing logs.

Categories of personal data:

  • Domain and DNS data: domain names monitored by the Customer, DNS records (DMARC, SPF, DKIM, BIMI, MTA-STS, TLS-RPT);
  • DMARC aggregate (RUA) reports: sending IP addresses, email volume statistics, authentication results, organisational identifiers;
  • DMARC forensic (RUF) reports: email headers, message identifiers, partial email content;
  • TLS-RPT reports;
  • Service-generated processing logs related to monitored domains and reports.

Sensitive data: none expected. The Customer warrants that it does not knowingly submit special categories of data within the meaning of Article 9 of the GDPR, nor data relating to criminal convictions and offences, through the Service.

Frequency of the transfer: continuous, on demand.

Nature of the processing: receipt, parsing, storage, indexing, aggregation, alerting, display, export, and deletion of Customer Data, for the purpose of providing the Service.

Purpose of the processing: providing the DMARCTrust Service to the Customer, including DMARC, DNS, and TLS-RPT monitoring, alerting, dashboards, and reporting.

Retention period: Personal Data is retained as follows, in line with the Customer’s plan:

Data type                            | Retention
Monitored-domain configuration       | Until removed by the Customer or account deletion + 30 days
DMARC aggregate reports (Free plan)  | Statistics only; detail rows not retained
DMARC reports (Starter plan)         | 90 days
DMARC reports (Pro plan)             | 180 days
Raw IMAP emails                      | 7 days
Processing logs                      | Per the Customer’s plan retention period

Sub-processors: see Annex III. Their processing duration mirrors the retention periods above.

I.C. Competent supervisory authority

For transfers where FLGXPL’s establishment in France is relevant to determining the competent supervisory authority, the competent supervisory authority is the Commission Nationale de l’Informatique et des Libertés (CNIL) — 3 Place de Fontenoy, 75007 Paris, France. Where Data Protection Laws require another supervisory authority to be competent for the Customer or a relevant third-party controller, that authority applies to the extent required by those laws.


Annex II — Technical and organisational measures

FLGXPL maintains technical and organisational measures designed to protect Personal Data Processed under this DPA. These measures may be updated from time to time, provided the overall level of protection is not materially reduced.

1. Access controls.

  • Access to Personal Data is restricted to authorised personnel on a need-to-know basis.
  • Administrative access is protected by authentication controls and least-privilege practices.

2. Encryption and data protection.

  • Data in transit is protected using transport encryption.
  • Credentials and backups are protected using appropriate technical controls.

3. Infrastructure and network security.

  • Production infrastructure is hosted with reputable infrastructure providers, including OVH (E.U.).
  • Network, edge, and infrastructure controls are used to reduce unauthorised access, abuse, and availability risks.
  • Production, staging, and development environments are logically segregated.

4. Vulnerability and change management.

  • FLGXPL maintains practices for dependency management, patching, vulnerability management, and controlled changes to production systems.

5. Logging, monitoring, and incident response.

  • FLGXPL maintains logging, monitoring, and incident response practices designed to detect, investigate, and respond to security events.

6. Backup, resilience, and restoration.

  • FLGXPL maintains backup and restoration practices designed to preserve availability and restore access to Customer Data following a physical or technical incident.

7. Data minimisation and retention.

  • Personal Data is retained in accordance with Annex I and the Customer’s plan.
  • Customer Data can be exported or deleted through the Service where those features are made available.

8. Personnel and confidentiality.

  • Personnel with access to Personal Data are subject to confidentiality obligations.

9. Sub-processor governance.

  • Written data-processing terms are in place with Sub-processors listed in Annex III.

Annex III — Authorised sub-processors

The following Sub-processors are authorised at the date this DPA takes effect for the Customer.

Name                                | Role                                          | Location      | Transfer mechanism
OVH SAS                             | Hosting and server infrastructure             | E.U.          | N/A (E.U.)
Cloudflare, Inc.                    | CDN, DNS, DDoS protection, R2 object storage  | United States | EU SCCs / EU-US DPF
Functional Software, Inc. (Sentry)  | Error monitoring and performance tracking     | United States | EU SCCs / EU-US DPF

Annex IV — Cross-border transfer mechanisms

IV.1. EU Standard Contractual Clauses

The SCCs (Commission Implementing Decision (EU) 2021/914) are incorporated into this DPA by reference, with the following selections:

  • Module in use: Module 2 (Controller to Processor) where the Customer acts as Controller; Module 3 (Processor to Processor) where the Customer acts as Processor for a third-party controller.
  • Clause 7 (Docking clause): included.
  • Clause 9 (Sub-processors): Option 2 — General written authorisation, with the notice period set at thirty (30) days as per Section 7.3 of this DPA.
  • Clause 11 (Redress): the optional language enabling independent dispute resolution by Data Subjects is not included.
  • Clause 17 (Governing law): the law of France.
  • Clause 18 (Choice of forum and jurisdiction): the courts of France.
  • Signature and date: By using the Service to transfer Personal Data to FLGXPL, the Customer will be deemed to have signed Annex I of the SCCs. FLGXPL will be deemed to have signed Annex I of the SCCs on the transfer of Personal Data by the Customer in connection with the Service.
  • Annex I.A of the SCCs is satisfied by Annex I.A of this DPA.
  • Annex I.B of the SCCs is satisfied by Annex I.B of this DPA.
  • Annex I.C of the SCCs is satisfied by Annex I.C of this DPA.
  • Annex II of the SCCs is satisfied by Annex II of this DPA.
  • Annex III of the SCCs is satisfied by Annex III of this DPA.

IV.2. UK International Data Transfer Addendum

For Personal Data transfers subject to the UK GDPR, the UK Addendum is incorporated into this DPA by reference, with:

  • Table 1 completed using the Parties’ details set out at the beginning of this DPA and in Annex I.A.
  • Table 2 completed by reference to the SCCs as set out in Section IV.1 above.
  • Table 3 completed by reference to Annexes I to III of this DPA.
  • Table 4 indicates that neither Importer nor Exporter may end the UK Addendum as set out in Section 19 of it.
  • Signature: By using the Service to transfer Personal Data to FLGXPL, the Customer will be deemed to have signed the UK Addendum. FLGXPL will be deemed to have signed the UK Addendum on the transfer of Personal Data by the Customer in connection with the Service.

IV.3. Swiss transfers

For Personal Data transfers subject to the Swiss Federal Act on Data Protection (FADP), the SCCs apply with the modifications recommended by the FDPIC, including (a) references to the GDPR being read as references to the FADP, (b) references to EU Member States being read so as not to exclude data subjects in Switzerland from enforcing their rights in their place of habitual residence, and (c) the competent supervisory authority being the FDPIC.


End of Data Processing Agreement.