Effective May 28, 2026
Data Processing Addendum
Defines the controller/processor relationship for end-user data that MRBD processes on a developer's behalf through managed authentication.
This Data Processing Addendum (the "DPA") forms part of the Developer Terms of Service between the Developer and MRBD ("MRBD"). It applies to MRBD's processing of end-user personal data on the Developer's behalf in connection with MRBD managed authentication.
1. Roles of the parties
For end-user personal data processed through managed authentication, the Developer is the controller and MRBD is the processor. The Developer determines the purposes and means of processing for its application; MRBD processes such data only to provide the authentication service and on the Developer's documented instructions (including these terms and the Developer's configuration).
2. Subject matter and scope
- Subject matter: provision of MRBD managed authentication.
- Duration: for as long as the Developer uses managed authentication, plus retention required for security and legal purposes.
- Nature and purpose: device pairing, one-time passcode delivery and verification, session issuance and refresh, and abuse prevention.
- Categories of data: end-user email address, authentication identifiers and metadata, and security context (IP, user agent, origin).
- Categories of data subjects: end users of the Developer's application.
3. MRBD's processor obligations
- Process end-user data only on the Developer's documented instructions and as needed to provide and secure the service.
- Ensure persons authorized to process data are bound by confidentiality.
- Implement appropriate technical and organizational security measures.
- Assist the Developer, taking into account the nature of processing, with data-subject requests and with security, breach notification, and impact-assessment obligations.
- Make available information reasonably necessary to demonstrate compliance with this DPA.
4. Subprocessors
The Developer authorizes MRBD to engage subprocessors (including our managed database/authentication provider and email delivery provider) to support the service. MRBD imposes data-protection obligations on subprocessors substantially similar to those in this DPA and remains responsible for their performance.
5. Security incidents
MRBD will notify the Developer without undue delay after becoming aware of a personal-data breach affecting end-user data processed for the Developer, and will provide information reasonably available to help the Developer meet its notification obligations.
6. Return and deletion
On termination of managed authentication, MRBD will delete or return end-user personal data processed for the Developer, except where retention is required by law or for legitimate security and audit purposes.
7. Contact
Data-protection inquiries under this DPA can be sent to privacy@mrbd.io.
This document is provided for the MRBD platform and may be updated. It is not legal advice.