Book a demo
Data Processing

Data Processing Agreement

Last updated: January 15, 2026

1. Parties

This Data Processing Agreement ("DPA") is entered into between Mersal Cloud Ltd. ("Processor") and the platform customer ("Controller") and supplements the Terms of Service between the parties.

2. Scope and subject matter of processing

Mersal processes personal data on the Controller's behalf to operate the customer communication platform, including: receiving messages, routing them, logging conversations, generating reports, and syncing contacts.

2.1 Categories of data subjects

  • Controller's end users (customers)
  • Controller's staff and agents

2.2 Categories of personal data

  • Contact identifiers (phone, email, social handles)
  • Message content and metadata
  • Custom attributes pushed by Controller
  • Agent data (name, role, login)

3. Mersal as processor — obligations

  • Process data only on documented instructions from the Controller.
  • Ensure confidentiality of personnel with access to personal data.
  • Implement appropriate technical and organisational security measures (ISO 27001, SOC 2).
  • Assist the Controller in responding to data subject requests.
  • Notify breaches without undue delay and within 72 hours of detection.
  • Return or delete data on termination of services.

4. Sub-processors

Mersal uses the sub-processors documented below. The Controller has the right to a reasoned objection to any new sub-processor.

  • Infrastructure: Amazon Web Services (EU, US), Google Cloud (EU), Hetzner (EU)
  • Channel providers: Meta Cloud API (WhatsApp, Instagram, Messenger), Twilio (SMS, Voice), Bandwidth (SMS, Voice)
  • Transactional email: Postmark
  • Monitoring: Datadog, Sentry
  • Customer support: Intercom (Mersal-side only — not customer data)
  • AI providers: Anthropic, OpenAI (Captain — opt-in per workspace)

5. International data transfers

When data is transferred outside the EEA, Mersal relies on the European Commission's Standard Contractual Clauses (SCCs) and offers customers workspace-level region pinning.

6. Audit rights

The Controller may audit Mersal's compliance with this DPA once per year with 30 days' notice. Annual SOC 2 Type II and ISO 27001 reports satisfy the audit obligation where applicable.

7. Contact

For signed DPA or SCC requests, contact:

Bring every conversation home.

See Mersal on your channels with your data. 30 minutes, no slide deck.

Book a demo Start free trial