Data Processing Agreement
This agreement governs how Mergeline processes personal data on behalf of your workspace.
Last updated: April 28, 2026
Plain-English summary: When you use Mergeline to manage sites and collaborate with your clients, you are the "data controller" and we are the "data processor." This agreement spells out what we do with that data, how we keep it safe, who else handles it, and your rights as our customer. By accepting our Terms of Service, you also accept this DPA. For questions, email support@mergeline.io.
Between:
- Data Controller ("Controller"): The Tenant (agency or studio) using Mergeline
- Data Processor ("Processor"): Concepcion Design, LLC, operating as Mergeline
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
"Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure, or destruction.
"Data Subject" means the identified or identifiable person to whom the Personal Data relates. In this context, the term refers to the Controller's clients (end users) whose data is stored on the Platform.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Platform" means the Mergeline software-as-a-service platform, including all associated infrastructure, APIs, and services.
"Applicable Data Protection Law" means the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, and any applicable national implementing legislation.
2. Scope and Purpose of Processing
2.1. The Processor processes Personal Data on behalf of the Controller solely to provide the Platform services, which include:
- Client portal access and authentication for the Controller's end users
- Site management and GitHub-connected branch preview delivery
- Content review and approval workflows
- Email notifications related to platform activity
- Billing and subscription management
2.2. The categories of Personal Data processed include:
- Identity data: Full name, email address
- Authentication data: Hashed passwords, session tokens
- Review and collaboration data: Comments, approvals, and review status submitted by the Controller's clients
- Communication data: Email addresses for transactional notifications
- Usage data: Access logs (login events, page visits), IP addresses
2.3. The categories of Data Subjects include:
- The Controller's clients (end users invited to the client portal)
- The Controller's team members with Platform access
2.4. Processing shall continue for the duration of the service agreement and shall cease upon termination, subject to the data retention provisions in Section 8.
3. Obligations of the Processor
3.1. Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
3.2. Ensure that persons authorized to process the Personal Data are bound by confidentiality obligations.
3.3. Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+)
- Row-level security enforcing data isolation between tenants at the database level
- Role-based access controls
- Rate limiting on authentication and administrative endpoints
3.4. Respect the conditions for engaging Sub-processors as set out in Section 5.
3.5. Assist the Controller, where possible, with the fulfilment of Data Subject rights under Chapter III of the GDPR. The Platform provides mechanisms for the Controller to delete client accounts and all associated data directly from the dashboard.
3.6. Assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR (security of processing, data breach notification, data protection impact assessments, and prior consultation).
3.7. Upon termination of services or at the Controller's request, delete all Personal Data within 30 days, and delete existing copies unless applicable law requires longer retention.
3.8. Make available to the Controller all information necessary to demonstrate compliance with this Agreement, and allow for audits as described in Section 9.
4. Obligations of the Controller
4.1. Ensure that its instructions for the processing of Personal Data comply with Applicable Data Protection Law.
4.2. Have obtained all necessary consents or established another lawful basis for processing before Personal Data is submitted to the Platform.
4.3. Be responsible for the accuracy, quality, and legality of Personal Data provided to the Processor.
4.4. Notify the Processor without undue delay if it becomes aware of any data breach or security incident affecting Personal Data processed through the Platform.
5. Sub-processors
5.1. The Controller provides general written authorization for the Processor to engage Sub-processors, subject to the conditions in this Section.
5.2. The Processor currently engages the following Sub-processors:
| Sub-processor | Purpose | Location | Certifications |
|---|---|---|---|
| Supabase, Inc. | Database hosting, user authentication | USA (AWS) | SOC 2 Type II |
| Cloudflare, Inc. | File storage (R2) | USA | SOC 2, ISO 27001 |
| Vercel, Inc. | Application hosting | USA (edge) | SOC 2, ISO 27001 |
| Stripe, Inc. | Payment processing | USA | PCI DSS L1, SOC 2 |
| Sinch Email (Mailgun) | Transactional email delivery | USA | SOC 2 Type II |
| Anthropic, PBC | AI-assisted review generation | USA | SOC 2 Type II |
| GitHub, Inc. | Source repository integration | USA | SOC 2, ISO 27001 |
5.3. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object within 30 days. Notification will be provided via email to the Controller's registered email address.
5.4. Where the Processor engages a Sub-processor, the Processor shall impose data protection obligations no less protective than those set out in this Agreement by way of contract.
5.5. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.
6. International Data Transfers
6.1. Personal Data may be transferred to and processed in the United States, where the Processor's Sub-processors are located.
6.2. Such transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into agreements with Sub-processors
- The EU-US Data Privacy Framework, where applicable (Cloudflare, Google, Stripe, GitHub)
- Data Processing Agreements with all Sub-processors
7. Data Breach Notification
7.1. The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach affecting Controller's data.
7.2. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned
- The name and contact details of the Processor's contact point
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach
7.3. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
8. Data Retention and Deletion
8.1. The Processor retains Personal Data in accordance with the following schedule:
| Data Type | Retention Period |
|---|---|
| Account and profile data | Duration of account; deleted within 30 days of deletion request |
| Review and collaboration data | Duration of account; deleted with the account |
| Access logs | 12 months (automated cleanup) |
| Billing data (Stripe) | 7 years per applicable tax and accounting law |
| AI generation inputs | Not retained beyond the API call; Anthropic zero-retention policy applies |
8.2. Upon termination of the service agreement or upon Controller's request, the Processor shall delete all Personal Data within 30 days, except where retention is required by applicable law.
8.3. The Processor shall provide written confirmation of deletion upon the Controller's written request.
9. Audit Rights
9.1. The Processor shall make available to the Controller, upon reasonable written request and no more than once per calendar year, information necessary to demonstrate compliance with this Agreement.
9.2. The Controller may conduct an audit, or appoint an independent third-party auditor, subject to:
- 30 days' written notice
- Reasonable scope and duration
- Confidentiality obligations regarding the Processor's proprietary information
- The audit being conducted during normal business hours
9.3. The Processor may satisfy audit requests by providing:
- Copies of relevant security certifications or audit reports (e.g., SOC 2)
- Responses to reasonable written security questionnaires
- Documentation of technical and organizational measures
10. Liability
10.1. Each party's liability under this Agreement is subject to the limitations and exclusions of liability set out in the Mergeline Terms of Service.
10.2. Nothing in this Agreement limits either party's liability for material breaches of Applicable Data Protection Law.
11. Term and Termination
11.1. This Agreement shall remain in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller.
11.2. Upon termination of the underlying service agreement, the provisions of Section 8 (Data Retention and Deletion) shall apply.
12. Governing Law
12.1. This Agreement shall be governed by and construed in accordance with the laws of the State of California, United States, except to the extent that Applicable Data Protection Law requires a different governing law.
13. Contact
For data protection inquiries, contact us at support@mergeline.io. Please include "DPA" or "Data Protection" in your subject line.