Data Processing Agreement
Learn how we process your data.
Marad B.V. — Version V.01.2026 | Burgemeester J. Schipperkade 8a — P.O. Box 171, 8320 AD Urk — The Netherlands T +31 (0)527 258346 — info@marad.com — www.marad.com
This Data Processing Agreement (“DPA”) is entered into between the customer identified in the order confirmation or agreement (“customer”) and Marad B.V., with its registered office at Burgemeester J. Schipperkade 8a, 8320 AD Urk, the Netherlands, registered with the Dutch Chamber of Commerce (“Marad”).
This DPA forms part of, and is incorporated by reference into, the agreement between the customer and Marad (the “Agreement”), including Marad’s General Terms and Conditions. In the event of a conflict between this DPA and the General Terms and Conditions, this DPA shall prevail solely with respect to the processing of Personal Data.
Article 1 Definitions
- “Agreement” means any agreement between the customer and Marad, including the order confirmation and the General Terms and Conditions of Marad.
- “Controller” means the customer, being the natural person or legal entity that determines the purposes and means of the processing of Personal Data and who has commissioned Marad to perform the Agreement.
- “Data Breach” means a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Marad.
- “Data Subject” means the natural person to whom Personal Data relates.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined in the GDPR.
- “Processing” (and cognate terms such as “process” and “processed”) means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in the GDPR.
- “Processor” means Marad B.V., which processes Personal Data on behalf of the Controller pursuant to this DPA.
- “Sub-processor” means any third party engaged by Marad to carry out processing activities on Personal Data on behalf of the Controller.
- “Supervisory Authority” means the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “AP”) or any other competent supervisory authority under applicable data protection law.
Article 2 Applicability
- By entering into any agreement with Marad under the General Terms and Conditions, the customer accepts this DPA in full. No separate signature is required.
- This DPA applies to every customer that makes use of goods and/or services of whatever nature and under whatever name Marad uses, and is applicable to the Personal Data that are handled by Marad in the context of the execution of the Agreement with and processed for the customer, as well as for all work arising from the Agreement with Marad and the Personal Data processed within that framework.
- By giving the instruction to perform work, the customer has instructed Marad to process Personal Data on behalf of the customer in accordance with the provisions of this DPA.
- In the execution of the Agreement, Marad processes certain Personal Data for the customer. The customer is the Controller and responsible for the processing of the Personal Data. The control over the Personal Data is never with Marad.
- This DPA constitutes a processing agreement within the meaning of Article 28(3) GDPR, in which the rights and obligations with respect to the processing of Personal Data are regulated in writing, including but not limited to the security of Personal Data. This DPA is binding on Marad with respect to the customer.
- This DPA, like the General Terms and Conditions of Marad, forms part of the (future) agreements between parties.
- In the event of inconsistencies between the provisions of this DPA and the Agreement/order confirmation and/or the General Terms and Conditions of Marad, the provisions of this DPA shall prevail with respect to the processing of Personal Data.
- Marad and the customer will provide each other with all necessary information in good time to enable proper compliance with the applicable privacy laws and regulations.
- Marad may process Personal Data in countries within the European Economic Area (EEA). Transfer to countries outside the EEA is also permitted, provided that the requirements of the GDPR are observed.
Article 3 Description of the processing
- In accordance with Article 28(3) GDPR, the processing carried out under this DPA is described as follows. Further detail may be specified in Annex 1 or in the order confirmation.
- Subject matter: The provision of software (including SaaS), related services, and support by Marad to the customer as described in the Agreement.
- Duration: For the duration of the Agreement, including any period required for deletion as set out in Article 10. After termination or expiry, Marad ceases processing except as required by law.
- Nature of the processing: Collection, storage, retrieval, use, transmission, and deletion of Personal Data in the context of operating and maintaining the Marad software environment made available to the customer.
- Purpose: To deliver the services described in the Agreement and to fulfil Marad’s obligations thereunder. Marad shall not process Personal Data for any other purpose.
- Categories of Personal Data: As determined by the customer and further specified in Annex 1. In the ordinary course of providing its services, these may include: names, email addresses, job titles, telephone numbers, login credentials, and user activity data within the Marad platform.
- Categories of Data Subjects: As determined by the customer and further specified in Annex 1. In the ordinary course of providing its services, these may include: employees, contractors, and end users of the customer.
- The customer, as Controller, determines the actual categories of Personal Data and Data Subjects. Where the scope of processing materially changes, the customer is responsible for notifying Marad so that Annex 1 can be updated accordingly.
Article 4 Responsibilities of Marad
- Personal Data will be processed by Marad in a proper and careful manner in accordance with this DPA and in accordance with the GDPR.
- Marad processes Personal Data exclusively in the context of the execution of the Agreement and the written instructions given by the customer, subject to legal obligations. In the latter case Marad informs the customer of the legal provisions of its obligations. If instructions from the customer to Marad conflict with any legal provision regarding data protection, then Marad will notify the customer.
- Marad only processes Personal Data of the customer for the purposes for which they were received. Marad will not use the Personal Data for other purposes.
- Marad will not share Personal Data with or provide it to third parties, unless Marad has obtained prior written permission or instruction from the customer or is obliged to do so by mandatory law. If Marad is obliged to share Personal Data with or provide it to third parties on the grounds of mandatory legal regulations, then Marad will inform the customer of this in writing, unless this is not permitted.
- Marad will not change Personal Data without the customer’s instructions.
- Marad will provide the customer, upon request, assistance in the event of a request from a Data Subject, or in the case of investigations or inspections by the supervisory authority. If Marad receives a request directly from a Data Subject, Marad will inform the customer of the receipt of the request within two working days. Marad will carry out as quickly as possible all instructions that the customer supplies Marad in writing as a result of such a request.
- Marad will assist the customer at the customer’s request and expense in carrying out a data protection impact assessment.
- Marad keeps a register of all categories of processing activities that are carried out on behalf of the customer in accordance with the requirements stated in the GDPR.
- Marad will support the customer in fulfilling the statutory information obligations to a supervisory authority or persons involved and, if necessary in the case of Marad’s technology, assist with a Privacy Impact Assessment (PIA).
- Marad ensures that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Article 5 Responsibilities of the customer
- The customer is responsible for the legality of the processing, compliance with the legal regulations regarding the protection of Personal Data, including but not limited to the protection of the rights of the Data Subjects.
- The customer is responsible for determining the purpose and means of the processing of Personal Data.
- The customer is responsible for informing Data Subjects and guaranteeing the rights that Data Subjects may exercise on the basis of the GDPR and other applicable privacy laws and regulations, and for communication with the Data Subjects.
- The customer shall take the necessary measures to ensure that Personal Data, given the purposes for which they are collected and/or subsequently processed, are correct and accurate and as such are also provided to Marad.
- The customer will inform Marad immediately if irregularities occur in relation to the processing.
- The customer is obliged to make all information which Marad requires for the processing available in a timely manner.
Article 6 Sub-processors
- Marad is authorised to engage sub-processors. A current overview of all engaged sub-processors is set out in the sub-processor list, available at https://marad.com/sub-processors/ or provided upon request. Marad has concluded a data processing agreement with each sub-processor that complies with Article 28 GDPR.
- Marad operates under general authorisation for the engagement of sub-processors. The customer consents to the sub-processors listed in the sub-processor list at the time of entering into this DPA.
- Changes to the sub-processor list (addition or replacement of sub-processors) shall be communicated to the customer in writing (email sufficient) in advance, with a minimum notice period of 14 calendar days. The customer may object to such changes within that notice period. If the customer raises a reasonable objection on grounds relating to data protection, the parties shall consult in good faith to reach a solution. If no agreement is reached, the customer shall be entitled to terminate the Agreement with due observance of a reasonable notice period.
- Marad remains fully liable towards the customer for the acts and omissions of its sub-processors to the same extent as if Marad had carried out the processing itself.
Article 7 Security and Data Breach
- Taking into account the state of technology, the implementation costs, as well as the nature, the scope, the context and the processing objectives and the various risks for the rights and freedoms of persons, Marad will take technical and organisational security measures to ensure a risk-appropriate level of security, as required by Article 32 GDPR.
- Marad takes measures aimed at preventing unnecessary collection and further processing of Personal Data.
- The technical and organisational measures currently in place are described in Annex 3 to this DPA. As Marad holds ISO 27001 certification, Marad shall make available to the customer upon request its current ISO 27001 certificate together with the applicable certification scope. Marad may update its security measures over time, provided the level of protection is not diminished.
- No more than 24 hours after Marad has become aware of a Data Breach that has or may have involved access to Personal Data, Marad shall inform the customer using the contact details provided in the order confirmation or agreement, unless the parties have expressly designated another contact point in writing. This early notification is intended to give the customer sufficient time to assess whether it must notify the supervisory authority within the 72-hour period required under Article 33 GDPR. Marad will provide information about the nature of the Data Breach, the affected Personal Data, the determined and expected consequences of the Data Breach on the Personal Data, and the measures that Marad has undertaken and will take. Where not all information is available at the time of initial notification, Marad shall provide further information in phases without undue delay.
- Marad will support the customer with notifications to Data Subjects and/or authorities.
Article 8 Confidentiality
- Marad will keep the Personal Data that it processes in the context of the execution of the Agreement confidential and will take all necessary measures to ensure confidentiality of the Personal Data. Marad will also impose the obligation of secrecy on its personnel and all persons engaged who have access to Personal Data.
- The duty of confidentiality referred to in this article does not apply if the customer has explicitly given permission in writing to provide the Personal Data to a third party, or a legal obligation exists to provide the Personal Data to a third party.
Article 9 Compliance monitoring
- Marad shall provide the customer with information about the processing of Personal Data by Marad or sub-processors at the customer’s request and for the customer’s account. Marad will provide the information requested as soon as possible, but no later than five working days.
- The customer is entitled once a year and for its own account to have an independent third party jointly designated by the customer and Marad carry out an inspection to verify whether Marad complies with the obligations under the GDPR and this DPA. Marad will provide all reasonably necessary cooperation. Marad has the right to charge the customer for the costs of the inspection.
- In the context of its obligation under paragraph 1 of this article, Marad will in any case provide all relevant information and documents. Physical access to buildings, information systems and Personal Data will only be granted where provision of information and documents is insufficient to allow the customer to determine Marad’s compliance, and subject to prior written agreement between the parties on scope, timing and duration.
- The customer and Marad will consult with each other as soon as possible after the report has been completed in order to address the possible risks and shortcomings. Marad will take measures at the expense of the customer to reduce the identified risks and shortcomings to an acceptable level for the customer or to cancel them, unless the parties have agreed otherwise in writing.
- In case of an investigation by the Dutch Data Protection Authority (AP), Marad will provide all reasonable cooperation and inform the customer as soon as possible.
- Marad will not take any action against any investigation received from the parties or third parties, except on previous instructions from the customer, unless Marad is legally obliged to do so. Insofar as a Data Subject requests Marad to maintain his or her claims in relation to data protection legislation, Marad will send this request to the customer without delay.
Article 10 Duration and Termination
- This DPA applies as long as Marad processes Personal Data as Processor pursuant to the Agreement between Marad and the customer.
- If Marad has to keep certain data and/or documents for a legal period after termination or expiry of the Agreement on the basis of a statutory obligation, then Marad will ensure the destruction of these Personal Data within 4 weeks after the end of the statutory retention period.
- Without prejudice to the other provisions in this article, Marad will not keep or use any Personal Data after termination or expiry of the Agreement.
- Upon termination or expiry of the Agreement between Marad and the customer, the customer may request Marad to provide an accessible, readable copy of the Personal Data within two months after termination of the Agreement. The costs are for the customer. After the expiration of this period, Marad will proceed with the final destruction of the Personal Data, unless Marad is obliged to store the Personal Data on the basis of a legal obligation.
Article 11 Liability
- The provisions in the order confirmation and in the General Terms and Conditions of Marad apply in full.
- Nothing in this article limits liability that cannot be limited under mandatory law, including liability arising under Article 82 GDPR.
Article 12 Governing Law and Jurisdiction
- Dutch law applies to this DPA.
- All disputes in connection with this DPA or their execution are submitted to the exclusive jurisdiction of the District Court of Midden-Nederland, location Lelystad, the Netherlands.
Article 13 Closing provisions
- If one or more provisions of this DPA are null and void or are nullified, the other provisions remain fully applicable. If any provision of this DPA is not legally valid, the parties will negotiate a new provision whose content is as close as possible to that of the original provision.
- After termination of the Agreement with the customer, the provisions which by their nature are intended to remain in force afterwards, including the confidentiality obligation, remain in full force and effect.
ANNEX 1 — Description of processing activities
To be completed per customer at the time of entering into this DPA, and updated if the scope of processing materially changes. The tables below set out the categories of Personal Data processed by Marad in the ordinary course of providing its services, together with the purposes for which each category is processed.
Subject matter: Provision of the Marad software platform and related services as described in the Agreement.
Duration: Duration of the Agreement, plus any legally required retention period.
Nature of processing: Collection, storage, retrieval, use, transmission, and deletion of Personal Data within the Marad platform.
Purpose: Delivery of contracted services and fulfilment of contractual obligations.
Special categories of Personal Data: None, unless explicitly agreed in writing.
Categories of Data Subjects: In the ordinary course of providing its services these may include employees, contractors, and end users of the customer.
1. Identification and contact data
| Personal Data | Purpose |
|---|---|
| First and last name | Client and prospect communication, onboarding, support |
| Company name | Identification of business client |
| Job title / role | Appropriate addressing and tailored communication |
| Email address | Communication, demo requests, support, email marketing |
| Phone number | Contact for demos, sales, and client support |
2. Account and user data
| Personal Data | Purpose |
|---|---|
| Username / account ID | Platform access |
| Login credentials (hashed) | Authentication and security |
| Role within account | Authorisations and access management |
| Account status | Subscription and service management |
3. Communication and interaction data
| Personal Data | Purpose |
|---|---|
| Content of contact forms | Responding to enquiries |
| Demo request data | Scheduling and conducting demos |
| Support tickets and correspondence | Client support and quality improvement |
| Email history | Relationship management and follow-up |
4. Marketing and analytics data
| Personal Data | Purpose |
|---|---|
| IP address | Security and statistical analysis |
| Cookie ID / tracking ID | Website analysis and optimisation |
| Website usage (pages, clicks) | User behaviour analysis |
| Marketing preferences | Targeted communication |
5. Financial and administrative data
| Personal Data | Purpose |
|---|---|
| Invoice address | Invoicing |
| Payment details | Payment processing |
| Subscription information | Contract and payment management |
| VAT number (if sole trader) | Legal obligations |
6. Legal and compliance data
| Personal Data | Purpose |
|---|---|
| Contract data | Performance of agreement |
| Dispute-related correspondence | Legal proceedings |
| Evidentiary documents | Legal obligations |
7. Technical and log data
| Personal Data | Purpose |
|---|---|
| IP address | Security and fraud prevention |
| Log files | Monitoring and troubleshooting |
| Device information | Platform stability and security |
ANNEX 2 — Sub-processors
The current list of sub-processors engaged by Marad is maintained at https://marad.com/sub-processors/ and is updated in accordance with Article 6 of this DPA. The customer may also request the current list directly from Marad at privacy@marad.com.
ANNEX 3 — Technical and organisational security measures
Marad implements the following technical and organisational measures in accordance with Article 32 GDPR. These measures are aligned with the ISO 27001 information security management framework. Marad’s current ISO 27001 certificate, including the certification scope, is available upon request.
| Measure | Description |
|---|---|
| Encryption | Personal Data is encrypted in transit using industry-standard algorithms. The vessel database (PostgreSQL) applies client-side encryption. |
| Access control | Access to Personal Data is restricted to authorised personnel on a need-to-know basis, with unique accounts and strong authentication. Access rights are reviewed regularly and revoked promptly upon termination of employment or engagement. |
| Availability and resilience | Marad maintains a business continuity and disaster recovery plan. Regular backups are performed and tested. Backups receive the same level of protection as production data. |
| Incident management | Marad maintains a security incident management procedure. Data Breaches are detected, contained, assessed, and reported in accordance with Article 7 of this DPA. |
| Physical security | Data is hosted in facilities with appropriate physical access controls. Security certifications of hosting providers are reviewed at least annually. |
| Vulnerability management | Marad performs regular security testing and risk assessments. Identified vulnerabilities are addressed within risk-based timescales. |
| Personnel measures | All personnel and contractors with access to Personal Data are bound by confidentiality obligations and receive appropriate training on data protection and information security. |
| Data minimisation | Marad collects and processes only the minimum amount of Personal Data necessary for the performance of the services. |
| Sub-processor oversight | Sub-processors are bound by written agreements containing obligations equivalent to those in this DPA. |
| Logging and monitoring | Access to systems processing Personal Data is logged and monitored. Logs are protected from unauthorised modification. |