GDPR Compliance
Last updated: February 12, 2026
SimpleDMARC is committed to GDPR compliance. This page outlines our obligations as a data processor (and, for our own account and billing data, as a data controller) and your rights as a data subject under the General Data Protection Regulation (EU) 2016/679.
1. Our Role Under GDPR
SimpleDMARC acts as a Data Processor when processing DMARC report data and email authentication information on your behalf. You, the customer, remain the Data Controller for any personal data associated with your domains and users.
For our own operational data (account information, billing), SimpleDMARC acts as a Data Controller. Our full Privacy Policy details how we handle this information.
2. Lawful Basis for Processing
We process personal data under the following lawful bases:
- Contract performance — Processing necessary to provide our email authentication services under our Terms of Service.
- Legitimate interests — Security monitoring, fraud prevention, and service improvement activities.
- Consent — For marketing communications, where you have explicitly opted in.
- Legal obligation — Where processing is required to comply with applicable laws.
3. Your Rights Under GDPR
As an EU/EEA data subject, you have the following rights:
- Right of Access — Request a copy of all personal data we hold about you.
- Right to Rectification — Request correction of inaccurate or incomplete data.
- Right to Erasure ("Right to be Forgotten") — Request deletion of your personal data, subject to legal retention obligations.
- Right to Restriction — Request that we limit how we use your data in certain circumstances.
- Right to Data Portability — Receive your personal data in a structured, machine-readable format.
- Right to Object — Object to processing based on legitimate interests, including profiling.
- Rights related to automated decision-making — We do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you.
To exercise your rights, contact our DPO at privacy@simpledmarc.com. We will respond without undue delay and in any event within one month of receipt, as Article 12(3) GDPR requires.
4. Data Processing Agreement (DPA)
Where required by GDPR, we enter into Data Processing Agreements with our customers. If you require a DPA for your records, please contact legal@simpledmarc.com and we will provide one promptly.
5. Sub-processors
We use a limited number of trusted sub-processors to deliver our services, including cloud infrastructure, payment processing, and email delivery providers. All sub-processors are bound by GDPR-compliant data processing terms. You may request our current list of sub-processors by contacting us.
6. International Data Transfers
Where data is transferred outside the EEA, we use appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring equivalent protections apply regardless of where your data is processed.
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. DMARC aggregate report data is retained for the period specified in your plan. Account data is retained for the duration of your subscription; on request, it is deleted within 30 days of account termination.
8. Security Measures
We implement appropriate technical and organizational measures to ensure data security, including TLS for data in transit, AES-256 encryption for data at rest, regular penetration testing, and strict access controls. For details, visit our Security page.
9. Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In the EU, this is the data protection authority of the member state of your habitual residence, your place of work, or the place of the alleged infringement.
Contact Our DPO
For any GDPR-related inquiries, please contact our Data Protection Officer:
privacy@simpledmarc.com