Last Updated: October 22, 2025 This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other written or electronic agreement between DryMerge, Inc. (“DryMerge,” “we,” “us,” or “our”) and the entity or person agreeing to these terms (“Customer,” “you,” or “your”) for the provision of DryMerge’s automation platform services (the “Services”). This DPA supplements the Terms of Service and applies where and only to the extent that DryMerge processes Personal Data on behalf of Customer in the course of providing the Services and such Personal Data is subject to Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom.
1. Definitions
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. “Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement. “Data Subject” means the identified or identifiable natural person to whom Personal Data relates. “GDPR” means the General Data Protection Regulation (EU) 2016/679. “Personal Data” means any information relating to an identified or identifiable natural person that is processed by DryMerge on behalf of Customer in the course of providing the Services. “Processing” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR. “Sub-processor” means any Processor engaged by DryMerge to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement.2. Roles and Scope of Processing
2.1 Role of the Parties
Customer is the Controller of Personal Data, and DryMerge is the Processor. DryMerge will process Personal Data only on behalf of and in accordance with Customer’s documented instructions.2.2 Customer’s Instructions
Customer instructs DryMerge to process Personal Data as necessary to:- Provide the Services in accordance with the Terms of Service
- Comply with other documented instructions provided by Customer that are consistent with the Terms of Service
- Process data as further specified in the Agreement
2.3 Details of Processing
Subject Matter: The provision of automation platform services that enable workflow automation and integration between various software applications. Duration: The term of the Agreement. Nature and Purpose of Processing: DryMerge will process Personal Data as necessary to provide the Services, including:- Workflow automation execution
- Data synchronization between integrated applications
- AI-powered chatbot responses (only when explicitly enabled by Customer)
- Platform analytics and performance monitoring
- Customer’s employees, contractors, and authorized users
- Customer’s end users and contacts
- Other individuals whose Personal Data is provided to DryMerge by Customer
- Contact information (name, email address, phone number)
- Authentication data (usernames, encrypted passwords)
- Communication data (messages, email content)
- CRM data (contact records, company information, deal information)
- Calendar data (events, attendees, meeting details)
- Task and project management data
- Any other data Customer chooses to input into the Services
3. Sub-processors
3.1 Authorized Sub-processors
Customer acknowledges and agrees that DryMerge may engage Sub-processors to process Personal Data on Customer’s behalf. A current list of Sub-processors is available at https://docs.drymerge.com/legal-policies/subprocessors/page.3.2 Sub-processor Changes
DryMerge will provide Customer with at least 30 days’ prior notice of the addition or replacement of any Sub-processor by updating the Sub-processor list and sending an email notification to Customer’s account email address. Customer may object to DryMerge’s use of a new Sub-processor by notifying DryMerge promptly in writing within 10 business days of receipt of DryMerge’s notice. If Customer objects, DryMerge will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid processing of Personal Data by the objected-to new Sub-processor.3.3 Sub-processor Obligations
DryMerge will:- Enter into a written agreement with each Sub-processor containing data protection obligations substantially similar to those in this DPA
- Remain responsible for each Sub-processor’s compliance with the obligations of this DPA
- Be liable to Customer for the acts and omissions of Sub-processors to the same extent DryMerge would be liable if performing the services of each Sub-processor directly
4. Security
4.1 Security Measures
DryMerge will implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. These measures include: Technical Measures:- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Multi-factor authentication for administrative access
- Regular security testing and vulnerability assessments
- Secure software development lifecycle practices
- Network security and firewall protections
- Intrusion detection and prevention systems
- Regular backups with encryption
- Access controls and least-privilege principles
- Background checks for employees with access to Personal Data
- Confidentiality agreements with employees and contractors
- Security awareness training
- Incident response procedures
- Vendor security assessments
- Regular security audits and reviews
4.2 Updates to Security Measures
DryMerge may update or modify the security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services.5. Data Subject Rights
5.1 Customer Responsibility
Customer is responsible for responding to requests from Data Subjects to exercise their rights under Data Protection Laws (including access, correction, deletion, restriction, portability, and objection).5.2 DryMerge Assistance
Taking into account the nature of the Processing, DryMerge will assist Customer by appropriate technical and organizational measures, insofar as this is possible, to fulfill Customer’s obligations to respond to requests from Data Subjects. DryMerge will:- Provide Customer with the ability to access, correct, and delete Personal Data through the Services
- Forward to Customer any Data Subject request received by DryMerge within 5 business days of receipt
- Not respond directly to Data Subject requests without Customer’s prior written authorization
5.3 Customer Reimbursement
If DryMerge’s assistance requires resources beyond normal operations, Customer will reimburse DryMerge for reasonable costs incurred in providing such assistance.6. Data Breach Notification
DryMerge will notify Customer without undue delay after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data (“Security Incident”). Such notification will include:- A description of the nature of the Security Incident
- The categories and approximate number of Data Subjects and Personal Data records affected
- The likely consequences of the Security Incident
- Measures taken or proposed to address the Security Incident and mitigate its possible adverse effects
7. Data Transfers
7.1 International Transfers
Customer acknowledges that DryMerge may transfer and process Personal Data to and in the United States and other countries where DryMerge or its Sub-processors maintain facilities.7.2 Transfer Mechanisms
Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, DryMerge will ensure that appropriate safeguards are in place, including:- Standard Contractual Clauses approved by the European Commission
- Other lawful transfer mechanisms as approved by relevant data protection authorities
7.3 Supplementary Measures
DryMerge implements supplementary measures to ensure adequate protection of Personal Data during international transfers, including:- Encryption of data in transit and at rest
- Access controls and authentication mechanisms
- Regular security assessments and audits
- Contractual commitments from Sub-processors
8. Data Retention and Deletion
8.1 Retention
DryMerge will retain Personal Data for as long as necessary to provide the Services or as required by law. Customer may delete Personal Data at any time through the Services interface.8.2 Deletion Upon Termination
Upon termination or expiration of the Agreement, DryMerge will delete or return all Personal Data to Customer as requested, unless retention is required by applicable law. The deletion will occur within 90 days of termination, except where:- Retention is required by applicable law
- The Personal Data has been anonymized
- Deletion is not technically feasible (in which case DryMerge will cease processing and implement appropriate security measures)
8.3 Certification of Deletion
Upon Customer’s request, DryMerge will provide written certification that Personal Data has been deleted in accordance with this section.9. Audit Rights
9.1 Compliance Verification
DryMerge will make available to Customer information reasonably necessary to demonstrate compliance with this DPA.9.2 Certifications and Reports
Upon reasonable request, DryMerge will provide Customer with copies of relevant security certifications and audit reports, subject to confidentiality obligations.9.3 On-site Audits
Customer may conduct audits of DryMerge’s compliance with this DPA, provided that:- Customer provides at least 30 days’ prior written notice
- Audits are conducted no more than once per year
- Audits are conducted during regular business hours with minimal disruption
- Customer bears all costs associated with the audit
- Customer enters into a reasonable confidentiality agreement
10. Cooperation and Data Protection Impact Assessment
DryMerge will provide reasonable cooperation and assistance to Customer in connection with:- Customer’s data protection impact assessments, when required under Data Protection Laws
- Prior consultations with data protection authorities, when required under Data Protection Laws
- Customer’s compliance with Data Protection Laws
11. Liability and Indemnification
11.1 Liability Cap
Each party’s liability arising out of or related to this DPA will be subject to the limitations of liability set forth in the Terms of Service.11.2 Indemnification
Customer will indemnify, defend, and hold harmless DryMerge from and against all claims, liabilities, damages, costs, and expenses (including reasonable attorneys’ fees) arising out of or related to:- Customer’s violation of Data Protection Laws
- Customer’s instructions that violate Data Protection Laws
- Processing of Personal Data by DryMerge in accordance with Customer’s instructions
12. Term and Termination
This DPA will remain in effect for as long as DryMerge processes Personal Data on behalf of Customer or until termination of the Agreement, whichever occurs first.13. General Provisions
13.1 Amendments
DryMerge may update this DPA from time to time to reflect changes in Data Protection Laws, business practices, or regulatory requirements. Updated versions will be posted at https://docs.drymerge.com/legal-policies/data-processing-agreement/page.13.2 Severability
If any provision of this DPA is held invalid or unenforceable, the remaining provisions will remain in full force and effect.13.3 Governing Law
This DPA will be governed by the same laws as specified in the Terms of Service.13.4 Entire Agreement
This DPA, together with the Terms of Service, constitutes the entire agreement between the parties regarding the subject matter hereof.14. Contact Information
For questions or concerns regarding this DPA, please contact: DryMerge, Inc.Data Protection Officer
Email: privacy@drymerge.com
Address: [Company Address] For data subject requests or privacy inquiries:
Email: privacy@drymerge.com