Data Processing Addendum
Last updated: 16 February 2026
This Data Processing Addendum ("DPA") forms part of the Master Services Agreement or other written agreement (the "Agreement") between Mercator Nodes Limited, trading as Mercator Union ("Mercator Union"), and the counterparty identified in the Agreement ("Client"). This DPA applies where and to the extent that Mercator Union processes Personal Data in connection with the Agreement.
1. Definitions
"Applicable Law" means all laws, rules, and regulations applicable to the processing of Personal Data under this DPA, including the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Data Protection Act, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and any other applicable US state privacy law.
"Covered Data" means Personal Data processed by either Party in connection with the services provided under the Agreement.
"Breach" means a known or suspected accidental, unauthorised, or unlawful access to, acquisition of, or other processing of Covered Data.
"Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
"Personal Data" means any information relating to an identified or identifiable natural person, within the meaning of Applicable Law.
"Process" and its cognates mean any operation performed on Personal Data, whether or not by automated means, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
"Restricted Transfer" means a transfer of Covered Data to a jurisdiction that has not been recognised as providing adequate protection for Personal Data by the relevant authority (European Commission, UK Secretary of State, or Swiss Federal Council, as applicable).
"SCCs" means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
"Sensitive Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation, criminal convictions, or data concerning children under 18 years of age, as defined under Applicable Law.
2. Relationship of the Parties
- Each Party acts as an independent Controller with respect to Covered Data. Neither Party processes Covered Data as a processor on behalf of the other.
- Each Party shall independently determine the purposes and means of its own processing of Covered Data.
- Nothing in this DPA creates a joint controller relationship unless expressly agreed in writing.
3. Legal Basis and Compliance
- Each Party is solely responsible for establishing and maintaining a valid legal basis for its own processing of Covered Data under Applicable Law, including, where applicable, legitimate interest (GDPR Article 6(1)(f), Recital 47) for B2B data intelligence purposes.
- Each Party shall comply with all obligations applicable to it under Applicable Law with respect to its own processing, including transparency, record-keeping, and data subject rights.
- Mercator Union represents that Covered Data provided to Client does not include Sensitive Data.
- Mercator Union represents that Covered Data has not been acquired from, or processed within, jurisdictions subject to sanctions administered by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) or the U.S. Export Administration Regulations (EAR).
4. Data Subject Rights
- Each Party is independently responsible for responding to requests from data subjects to exercise their rights under Applicable Law, including rights of access, rectification, erasure, restriction, portability, and objection.
- Where a Party receives a data subject request that relates to the other Party's processing, it shall promptly notify the other Party and the Parties shall cooperate to address the request in compliance with Applicable Law.
- Mercator Union maintains opt-out and suppression mechanisms for data subjects. Suppression requests are propagated to downstream partners.
5. CCPA/CPRA Provisions
- To the extent that Covered Data includes personal information of California residents, each Party shall comply with its obligations under the CCPA/CPRA.
- Each Party certifies that it understands the restrictions on the sale and sharing of personal information under the CCPA/CPRA and will comply with them.
- Neither Party shall sell or share (as defined under the CCPA/CPRA) Covered Data received from the other Party except as permitted by the Agreement and Applicable Law.
- Each Party shall honour and propagate opt-out signals, including Global Privacy Control (GPC), to the extent required by Applicable Law.
6. Sub-Processing
- Client provides general written authorisation for Mercator Union to engage sub-processors to perform services under the Agreement.
- Mercator Union shall impose data protection obligations on sub-processors that are no less protective than those set out in this DPA.
- Mercator Union remains liable to Client for the performance of its sub-processors' obligations under this DPA.
- A list of categories of sub-processors is available upon request to compliance@mercatorunion.com.
7. International Transfers
- For Restricted Transfers, the Parties agree to be bound by the SCCs (Module One: Controller-to-Controller). The Parties agree that execution of the Agreement incorporating this DPA constitutes execution of the applicable SCCs.
- With respect to Restricted Transfers subject to UK data protection law, the Parties shall comply with the UK International Data Transfer Addendum (IDTA) to the extent required, or alternatively the 2021 SCCs as supplemented by the UK Addendum.
- With respect to Restricted Transfers subject to Swiss data protection law, references to the GDPR shall be read as references to the Swiss Federal Data Protection Act where legally required.
- The SCCs shall not apply to Covered Data processed in a country that the European Commission, UK, or Swiss authorities (as applicable) have determined provides adequate protection for Personal Data.
8. Security
- Each Party shall implement and maintain appropriate technical and organisational measures to protect Covered Data against unauthorised or unlawful access, loss, destruction, alteration, or damage.
- Such measures shall be appropriate to the nature and sensitivity of the Covered Data and the risks presented by the processing.
9. Breach Notification
- In the event of a Breach, the affected Party shall notify the other Party without undue delay and in any event within 72 hours of becoming aware of the Breach, to the extent the Breach relates to Covered Data.
- Such notification shall include, to the extent known: (a) the nature of the Breach; (b) the categories and approximate number of data subjects affected; (c) the likely consequences; and (d) the measures taken or proposed to mitigate the Breach.
- Each Party is independently responsible for any notification obligations to supervisory authorities and data subjects under Applicable Law.
10. Term and Termination
- This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination or expiry of the Agreement.
- Obligations under this DPA that by their nature should survive termination shall survive, including Sections 4, 7, 8, and 9.
11. Limitation of Liability
Each Party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.
12. Precedence
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Covered Data. In the event of any conflict between this DPA and the applicable SCCs, the SCCs shall prevail.
13. Contact
For enquiries regarding this DPA or data protection matters:
Mercator Nodes Limited
compliance@mercatorunion.com