Mercury Forensics Legal

Data Processing Agreement

This Data Processing Agreement (DPA) governs Mercury's processing of Customer Personal Data in connection with the Services and forms part of the agreement between Mercury and Customer.

Effective date: June 15, 2026

These terms are written for Mercury Forensics LLC's current services. A signed order form, master services agreement, or other written agreement may contain additional or controlling terms.

1. Application and Definitions

This DPA applies when Mercury processes Customer Personal Data on behalf of Customer. It is incorporated into the agreement governing Customer's use of the Services (Agreement). Capitalized terms not defined here have the meanings in the Agreement. Mercury means Mercury Forensics LLC, doing business as Mercury Forensics, with a mailing address at 30 N Gould St, Ste R, Sheridan, WY 82801, USA.

Applicable Data Protection Law means privacy, data protection, and breach-notification laws applicable to the processing. Customer Personal Data means personal data, personal information, or personally identifiable information contained in Customer Data that Mercury processes on Customer's behalf. Data Subject, Controller, Processor, Business, Service Provider, Contractor, Sell, and Share have the meanings given by Applicable Data Protection Law. Security Incident means confirmed unauthorized access to or acquisition, destruction, loss, alteration, or disclosure of Customer Personal Data, excluding unsuccessful attempts that do not compromise its security.

2. Roles and Instructions

As between the parties, Customer is the Controller or Business and Mercury is the Processor, Service Provider, or Contractor for Customer Personal Data. Customer instructs Mercury to process Customer Personal Data to provide, secure, support, and improve the contracted Services; comply with documented configurations and user actions; prevent fraud and misuse; and comply with law. Mercury will process Customer Personal Data only on documented instructions unless law requires otherwise, in which case Mercury will notify Customer unless prohibited.

Customer is responsible for the lawfulness, fairness, accuracy, and transparency of its instructions and for providing required notices and obtaining required rights or permissions. Mercury will promptly inform Customer if, in its reasonable opinion, an instruction violates Applicable Data Protection Law.

3. Processing Details

Subject matter: Hosting and operation of enforcement-intelligence, online audit, evidence preservation, monitoring, analytics, reporting, support, and related SaaS functions.
Duration: The Agreement term plus the limited return, deletion, backup, security, and legal-retention periods described below.
Nature and purpose: Collection at Customer direction; hosting; organizing; querying; crawling public sources; comparison; classification; analysis; scoring; screenshot and evidence generation; reporting; export; support; security; and deletion.
Data subjects: Customer users and personnel; business contacts; persons identified in Customer-submitted case materials; public-facing merchant personnel or business representatives; and other persons whose data Customer submits.
Data categories: Business contact and account data; user identifiers; authentication and audit logs; IP and device data; case notes and labels; URLs and public-web content; public business or license information; communications; query content; files; and report data.
Sensitive data: Not intended for regulated sensitive data. Customer must not submit government identifiers, payment-card data, credentials, precise geolocation, protected health information, biometric templates, or similarly sensitive data unless expressly authorized in writing.
Frequency: Continuous or as initiated and configured by Customer during the Services term.

4. Confidentiality and Personnel

Mercury will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations, receive appropriate privacy and security guidance, and access data only as needed for their duties. Mercury remains responsible for its personnel's compliance with this DPA.

5. Security Measures

Taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, Mercury will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Measures include, as appropriate:

  • Encryption in transit and protected storage using reputable cloud infrastructure.
  • Role-based access, least privilege, authentication controls, and periodic access review.
  • Logging and monitoring of security-relevant platform and administrative activity.
  • Secure development, dependency management, vulnerability remediation, and change controls.
  • Backups, availability protections, recovery procedures, and incident-response processes.
  • Vendor diligence, confidentiality commitments, and contractual data-protection requirements.
  • Data minimization, retention controls, and secure deletion procedures.

Customer acknowledges that security measures evolve and Mercury may update them, provided the overall level of protection is not materially reduced during the Services term.

6. Subprocessors

Customer generally authorizes Mercury to use subprocessors to provide the Services. Subprocessor functions may include cloud hosting, database and object storage, authentication, email and communications, security, customer support, monitoring, and AI-assisted processing enabled for the Services. Mercury will impose written data-protection obligations substantially equivalent to those applicable to Mercury under this DPA and remains responsible for each subprocessor's performance of those obligations.

Mercury will make its current subprocessor list available upon request and provide notice of a new subprocessor where required by Applicable Data Protection Law or the Agreement. Customer may object on reasonable data-protection grounds within 15 days after notice. The parties will work in good faith on a commercially reasonable solution. If none is available, Customer may terminate only the affected Services without penalty before the subprocessor begins processing Customer Personal Data.

7. Data Subject Requests

Taking into account the nature of processing, Mercury will provide reasonable assistance through available Service functionality and, where necessary, appropriate technical and organizational measures so Customer can respond to verified Data Subject requests. If Mercury receives a request relating to Customer Personal Data, Mercury will notify Customer and will not independently respond except to confirm that the request relates to a customer-controlled service, as legally required, or as authorized by Customer.

8. Security Incidents

Mercury will notify Customer without undue delay after confirming a Security Incident affecting Customer Personal Data. Notice will include information reasonably available to Mercury concerning the nature of the incident, affected data and Data Subjects, likely consequences, mitigation taken or proposed, and a contact for follow-up. Mercury may provide information in phases and will take reasonable steps to contain, investigate, remediate, and mitigate the incident. Notification is not an admission of fault or liability. Customer is responsible for regulatory or Data Subject notifications unless law requires Mercury to provide them directly.

9. Compliance Assistance

Taking into account the nature of processing and information available, Mercury will reasonably assist Customer with security obligations, breach assessments, data-protection impact assessments, and prior consultation with regulators as required by Applicable Data Protection Law. Additional assistance beyond standard Service functionality may be subject to reasonable fees unless required because of Mercury's breach of this DPA.

10. Audits and Information

Mercury will make available information reasonably necessary to demonstrate compliance with this DPA. No more than once annually, Customer may request relevant third-party audit reports, certifications, or a completed security questionnaire. If those materials are reasonably insufficient, Customer may conduct an audit through an independent auditor bound by confidentiality, on at least 30 days' notice, during normal business hours, without accessing other customers' data or disrupting operations. Customer bears audit costs unless the audit identifies Mercury's material breach. More frequent audits are permitted following a Security Incident or when required by a competent regulator.

11. Return and Deletion

During the term, Customer may use available export features. At Customer's choice and subject to the Agreement, Mercury will return or delete Customer Personal Data after termination and delete remaining copies, unless law requires retention. Data in backups may remain until overwritten through ordinary cycles, provided it remains protected, isolated from ordinary processing, and deleted according to Mercury's retention schedule.

12. U.S. State Privacy Terms

To the extent U.S. state privacy law applies, Mercury will process Customer Personal Data only for the limited and specified purposes in the Agreement; will not Sell or Share it; will not retain, use, or disclose it outside the direct business relationship with Customer or for commercial purposes other than providing the Services; and will not combine it with personal information received from another person or collected from Mercury's own interactions with a consumer except as permitted by law. Mercury will provide the same level of privacy protection required of Customer, notify Customer if it can no longer meet its obligations, and allow Customer to take reasonable steps to stop and remediate unauthorized use. The parties acknowledge that Customer is disclosing Customer Personal Data only for the limited purposes stated in the Agreement and this DPA.

13. International Transfers

Customer authorizes processing in the United States and other locations used by approved subprocessors. If Customer Personal Data protected by the GDPR, UK GDPR, or Swiss data-protection law is transferred to a country without an applicable adequacy decision, the parties will use a legally recognized transfer mechanism. Where required, the applicable European Commission Standard Contractual Clauses or UK transfer addendum are incorporated by reference, with Customer as exporter, Mercury as importer, Module Two applying to controller-to-processor transfers, optional docking applying, general written authorization for subprocessors, and the processing and security details in this DPA completing the relevant annexes. The parties will cooperate on supplementary measures reasonably required by law.

14. Government and Legal Requests

Mercury will evaluate demands for Customer Personal Data and, where legally permitted, notify Customer before disclosure. Mercury will disclose only data reasonably required by valid legal process and may challenge demands it reasonably believes are unlawful or overbroad. Nothing requires Mercury to violate applicable law.

15. Liability, Conflict, and Term

The Agreement's liability limitations apply to this DPA to the maximum extent permitted by law. If this DPA conflicts with the Agreement concerning processing of Customer Personal Data, this DPA controls. If applicable transfer clauses conflict with this DPA, those clauses control. This DPA remains effective while Mercury processes Customer Personal Data.

16. Execution and Contact

This DPA becomes binding when incorporated into an executed Agreement, order form, or other written acceptance by authorized representatives. Requests for a countersigned copy, subprocessor information, privacy assistance, or legal notices may be sent to info@mercuryforensics.com or mailed to Mercury Forensics LLC, 30 N Gould St, Ste R, Sheridan, WY 82801, USA.

© 2026 Mercury Forensics LLC. All rights reserved.