Sub-processors
Learn who processes your data on our behalf.
Marad B.V. Version: 26.1 | Last update to sub-processors: May 2025 | Maintained separately from the Data Processing Agreement
This document lists the third-party service providers (“Sub-processors”) authorised to process Customer Personal Data (as defined in Article 4(1) of the GDPR) on behalf of Marad B.V. These Sub-processors support the delivery, operation, and security of the Marad web application, APIs, underlying infrastructure, and related services, including hosting, storage, software development, technical support, communication, and analytics.
Marad shares only the minimum Customer Personal Data necessary for each purpose. All Sub-processors are subject to written agreements that include data protection obligations, confidentiality requirements, and appropriate technical and organisational measures. Where required, international transfers are protected by appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) or equivalent lawful transfer mechanisms. Marad remains responsible for ensuring that processing is performed in accordance with applicable data protection laws.
Change notification
Changes to this Sub-processor List (addition or replacement of Sub-processors) are communicated to Controllers in writing or by email in advance, with a minimum notice period of 14 days, in accordance with Article 5 of the Data Processing Agreement. Controllers may object to such changes within that notice period.
The current version of this document is always available at marad.com/sub-processors or upon request via support(at)marad.com
Sub-processors
| Sub-processor | Country | Processing Activity | Data Categories | Safeguards |
|---|---|---|---|---|
| Cloudflare | EU and Global | DNS hosting, CDN, DDoS protection, WAF / web security | IP addresses, DNS query data, traffic metadata, security event logs (where enabled) | DPA; encryption in transit; access controls; security logging and monitoring; SCCs or equivalent transfer safeguards where applicable |
| RSH | Netherlands | Hosting services, file storage and backup services | Customer and operational data stored or processed in Marad services | DPA; confidentiality obligations; access controls; backup and retention controls |
| Leaseweb | Netherlands and Australia | Hosting services, file storage and backup services | Customer and operational data stored or processed in Marad services | DPA; confidentiality obligations; access controls; backup and retention controls |
| Microsoft | EU (Ireland) and Global | Cloud hosting of Marad services, infrastructure operations, email, file sharing, and collaboration tools | Customer account and contact data, licence and entitlement data, authentication and access logs, communications, documents and attachments (where applicable) | DPA; encryption in transit and at rest (service dependent); access controls; audit logging; SCCs or equivalent transfer safeguards where applicable |
| NetRom Software | Netherlands | Software development, maintenance and testing | Operational data, test data, documentation, and limited customer data where necessary for support or troubleshooting | DPA; confidentiality obligations; least-privilege access; controlled access to environments |
| Snelstart | Netherlands | Accounting and financial administration | Billing data, invoicing details, customer contact and payment-related data | DPA; access controls; retention controls; confidentiality obligations |
| Asana | EU and Global | Project management and task tracking | Task data, project timelines, internal notes, customer contact details (where included) | DPA; access controls; encryption in transit and at rest (service dependent); SCCs or equivalent transfer safeguards where applicable |
| DocuSign | EU and Global | Electronic signatures and document workflow | Names, email addresses, signatures, and signed document contents | DPA; encryption in transit and at rest (service dependent); access controls; audit logging; SCCs or equivalent transfer safeguards where applicable |
| Plausible Analytics | EU (Germany) | Privacy-friendly website analytics | Website usage metrics; IP address processed transiently for security and aggregation (configuration dependent) | DPA; data minimisation; cookie-free configuration (where enabled); access controls |