Privacy and GDPR
When you navigate our website, DMARCwise collects certain personal data about you.
Our website privacy policy explains what data we collect, how we use it and what your privacy rights are, according to the European General Data Protection Regulation (GDPR):
We use cookies and similar technologies to make our website work and, where applicable, to improve it. You can read the details in our cookie policy:
When you sign up for our service, DMARCwise collects personal data about you to provide the service.
In this case, DMARCwise acts as a data controller for your personal data as an individual.
Our customer privacy policy explains what data we collect, how we use it and what your privacy rights are, according to the GDPR:
As a DMARCwise customer, you may provide us with data of other people like your employees or customers/clients. In this case, your organization acts as a data controller while DMARCwise acts as a data processor (or sub-processor, where applicable).
This relationship is governed by a document called a data processing agreement (DPA):
You can agree to the data processing agreement and download a copy with your organization's name from the dashboard in the organization settings.
FAQ
Is DMARCwise compliant with the GDPR?
Yes. DMARCwise is designed and operated in accordance with the requirements of the European General Data Protection Regulation (GDPR).
We have implemented appropriate technical and organizational measures to protect personal data, and we maintain internal documentation and procedures required under the GDPR, including records of processing activities and data protection assessments where applicable.
DMARCwise also provides customers with the contractual and documentation elements required to support their own GDPR compliance, such as privacy policies and a data processing agreement.
Do you transfer personal data outside the European Union?
We design and operate DMARCwise with a strong preference for EU-based infrastructure and vendors. Wherever reasonably possible, we rely on European providers, self-host core components, and avoid unnecessary third-party services or trackers.
Reducing exposure to non-EU dependencies is an explicit and ongoing objective, reflected in our vendor selection, architectural decisions, and periodic reassessment of existing dependencies, and is not treated solely as a compliance requirement.
In limited cases, certain processors involved in providing the service may be located outside the EU. Where this is the case, we actively evaluate EU-based alternatives and reassess those dependencies on an ongoing basis, with the goal of further reducing or eliminating non-EU reliance where feasible.
When a transfer of personal data outside the EU cannot be avoided, we ensure that appropriate safeguards are in place in accordance with applicable data protection law, such as the use of Standard Contractual Clauses, documented transfer risk assessments, and additional technical or organizational measures where appropriate. Where relevant, recognized certification frameworks (such as the EU–U.S. Data Privacy Framework) are also considered as part of our vendor due diligence.
Customer support and operational access to personal data under the DPA are performed exclusively from within the European Union/European Economic Area.
How is DMARC report data protected?
DMARCwise processes DMARC and TLS reports sent by email service providers. These reports contain technical and aggregate data about email authentication and delivery, not the content of emails or individual recipient addresses.
Where IP addresses are included, they relate to mail servers and sending infrastructure rather than to individual users or devices. DMARCwise does not use this data to identify individuals.
Report data is stored in secure cloud infrastructure. Access to this infrastructure is restricted to authorized systems and personnel and is operated in accordance with our security and data protection practices. Report data is protected using industry-standard security practices, including encryption, access controls, and logical separation of customer data.
Does DMARCwise read or store email content?
No. DMARCwise does not receive, read, or store the content of emails. We only process DMARC and TLS reports, which contain aggregated technical information about email authentication and delivery.
How can data be deleted from DMARCwise?
DMARCwise provides self-service controls that allow customers and users to delete data directly from the platform.
Organization owners can delete their organization at any time from the dashboard. This action immediately removes the organization, all associated data, and all user accounts linked to it.
Organization owners can also remove individual team members. When a team member is removed, their user account and associated personal data are removed from the platform.
Individual users who don’t belong to an organization can delete their own account at any time. When an account is deleted, the user’s personal data is removed from the platform.
How are payments handled?
Payments and invoicing are handled by Paddle, which acts as our merchant of record (MoR). This means Paddle processes your payment details and issues invoices/receipts, while DMARCwise receives only the information needed to provision the subscription and provide support (for example: billing contact details, the plan you purchased, and payment status).
From a data-protection perspective, Paddle acts as an independent controller for the personal data it processes for payment and billing purposes. You can read more in the Paddle Data Sharing Addendum and in Paddle’s own privacy documentation.
What is a DPA and why do I need one?
A Data Processing Agreement (DPA) is a contract that applies when one party (the “controller”) uses another party (the “processor”) to process personal data on its behalf.
For the personal data and processing activities described in the DPA (Annex II) your organization acts as the controller, as it determines the purposes and means of processing, while DMARCwise acts as a processor, operating the service and processing that data in accordance with the agreement.
The DPA sets out roles and responsibilities, confidentiality commitments, security measures, the use of sub-processors, assistance with data-subject requests, audit rights, and what happens to data at the end of the contract.
EU organizations are generally required to have DPAs in place with their processors.
The DPA we provide is based on the EU-approved standard model clauses for controller–processor relationships and is available on our website and in the dashboard.
What data is covered by the DPA?
The scope of the DPA is limited to the personal data and processing activities described in Annex II of the DPA.
This includes personal data relating to your authorized users, employees, customers, and other personal data that is submitted to or generated through the use of the service for account administration, authentication, billing coordination, support, security monitoring, and abuse prevention, as described in Annex II of the DPA.
The DPA does not apply to personal data processed by DMARCwise as an independent controller, such as data relating to service ownership, contractual administration, or payments, which is instead governed by our Customer Privacy Policy and, where applicable, the privacy terms of third parties such as Paddle.
What are sub-processors?
Sub-processors are third parties that help us deliver the service and may process personal data on our behalf, under our instructions (for example: infrastructure hosting, email delivery, or customer support tools).
For processing that falls under the DPA, we disclose the list of sub-processors in the DPA published on our website. We only use sub-processors where necessary, require them to meet appropriate security and privacy standards, and ensure they are contractually bound to protect personal data and act only on our instructions.
