This Data Processing Agreement (“DPA”) explains how mandera processes personal data on behalf of its customers in accordance with Article 28 of the General Data Protection Regulation (GDPR).
mandera is built as a privacy-first platform. Certain parts of the mandera service are designed to operate without processing personal data, while other parts may involve the processing of personal data depending on how the service is used.
This DPA applies automatically when customers use the mandera service and forms part of the contractual relationship between mandera and its customers. No separate signature is required.
Under the GDPR, mandera and its customers have clearly defined roles:
This DPA applies only to processing activities that involve personal data within the meaning of the GDPR.
mandera provides different categories of functionality within the service:
mandera processes personal data exclusively for the purpose of providing and operating the mandera service in accordance with the customer’s instructions.
This includes, in particular:
mandera does not process personal data for its own independent purposes and does not sell or share personal data for advertising or tracking.
Depending on how the service is used, mandera may process the following categories of personal data on behalf of the customer:
mandera does not process personal data of website visitors for analytics or tracking purposes. Analytics data is collected in an aggregated and anonymized manner without cookies, IP addresses, fingerprinting, or user profiling.
mandera processes personal data only on documented instructions from the customer. The use and configuration of the mandera service constitute such instructions.
The customer is responsible for:
mandera is responsible for implementing appropriate technical and organizational measures to protect personal data.
mandera implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Further details regarding these measures can be provided upon reasonable request.
mandera may engage sub-processors to support the provision of the service, such as hosting, infrastructure, email delivery, or billing providers.
mandera ensures that all sub-processors are contractually bound by data protection obligations consistent with this DPA.
Sub-Processor: Resend (Plus Five Five, Inc.)
Purpose: Transactional email delivery (e.g., account verification, password resets, system notifications)
Data processed: Email address, name (if provided), email content
Location: United States
Safeguards: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs), SOC 2 Type II
DPA: https://resend.com/legal/dpa
An up-to-date list of sub-processors can be made available upon request. mandera will inform customers of material changes to sub-processors where required by applicable law.
mandera assists customers, to the extent technically feasible, in fulfilling their obligations towards data subjects under the GDPR, including requests for:
In the event of a personal data breach affecting personal data processed under this DPA, mandera will notify the customer without undue delay and provide relevant information required to comply with GDPR obligations.
Personal data is stored only for as long as necessary to fulfill the purposes of processing or to comply with statutory retention obligations.
Upon termination of the contractual relationship, mandera will delete or return personal data processed on behalf of the customer, unless retention is required by applicable law.
Further details are described in the Privacy Policy.
mandera makes available all information reasonably necessary to demonstrate compliance with this DPA.
Audits may be conducted by the customer or an independent auditor, provided they are reasonable in scope, conducted with prior notice, and do not unreasonably interfere with mandera’s operations.
This DPA is governed by the same law as the mandera Terms of Service.
Last updated: January 28, 2026
