Subprocessors

Learn who processes your data on our behalf.

Marad B.V. Version: V.01.2026 | Last update to subprocessors: May 2026 | Maintained separately from the Data Processing Agreement

This document lists the third-party service providers (“Subprocessors”) authorised to process Customer Personal Data (as defined in Article 4(1) of the GDPR) on behalf of Marad B.V. These Subprocessors support the delivery, operation, and security of the Marad web application, APIs, underlying infrastructure, and related services, including hosting, storage, software development, technical support, communication, and analytics.

Marad shares only the minimum Customer Personal Data necessary for each purpose. All Subprocessors are subject to written agreements that include data protection obligations, confidentiality requirements, and appropriate technical and organisational measures. Where required, international transfers are protected by appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) or equivalent lawful transfer mechanisms. Marad remains responsible for ensuring that processing is performed in accordance with applicable data protection laws.

Change notification

Changes to this Subprocessor List (addition or replacement of Subprocessors) are communicated to Controllers in writing or by email in advance, with a minimum notice period of 14 days, in accordance with Article 6 of the Data Processing Agreement. Controllers may object to such changes within that notice period.

The current version of this document is always available at marad.com/subprocessors or upon request via support(at)marad.com

Subprocessors

SubprocessorCountryProcessing ActivityData CategoriesSafeguards
RSHNetherlandsHosting services, file storage and backup servicesCustomer and operational data stored or processed in Marad servicesDPA; confidentiality obligations; access controls; backup and retention controls
LeasewebNetherlands and AustraliaHosting services, file storage and backup servicesCustomer and operational data stored or processed in Marad servicesDPA; confidentiality obligations; access controls; backup and retention controls
MicrosoftEU (Ireland) and GlobalCloud hosting of Marad services, DNS, infrastructure operations, email, file sharing, and collaboration toolsCustomer account and contact data, licence and entitlement data, authentication and access logs, communications, documents and attachments (where applicable)DPA; encryption in transit and at rest (service dependent); access controls; audit logging; SCCs or equivalent transfer safeguards where applicable
NetRom SoftwareNetherlandsSoftware development, maintenance and testingOperational data, test data, documentation, and limited customer data where necessary for support or troubleshootingDPA; confidentiality obligations; least-privilege access; controlled access to environments
AsanaEU and GlobalProject management and task trackingTask data, project timelines, internal notes, customer contact details (where included)DPA; access controls; encryption in transit and at rest (service dependent); SCCs or equivalent transfer safeguards where applicable
DocuSign (deprecated)EU and GlobalElectronic signatures and document workflowNames, email addresses, signatures, and signed document contentsDPA; encryption in transit and at rest (service dependent); access controls; audit logging; SCCs or equivalent transfer safeguards where applicable
YouSign (rebranding to YouTrust)EU (France)Electronic signatures, identity verification and document workflowNames, email addresses, signatures, signed document contents, and identity verification dataDPA; encryption in transit and at rest; access controls; audit logging; EU hosting
Plausible Analytics (deprecated)EU (Germany)Privacy-friendly website analyticsWebsite usage metrics; IP address processed transiently for security and aggregation (configuration dependent)DPA; data minimisation; cookie-free configuration (where enabled); access controls
MailchimpUSAEmail marketing and transactional email deliveryNames, email addresses, email engagement data (opens, clicks)DPA; encryption in transit and at rest; access controls; SCCs or equivalent transfer safeguards where applicable

Changelog

ChangeSubprocessorEffective DateJustification
RemovedSnelstart12 May 2026Snelstart processes billing and financial administration data for which Marad acts as Controller for its own purposes. This falls outside the definition of Subprocessor under Article 1(9) of the DPA and is maintained as a separate vendor relationship.
RemovedPlausible Analytics12 May 2026Plausible does not process personal data as defined under Article 4(1) GDPR. IP addresses and User-Agent strings are irreversibly hashed with a rotating salt that is deleted every 24 hours and never stored on disk. The resulting data cannot be linked to any identifiable individual and therefore falls outside the scope of the DPA and the definition of Subprocessor under Article 1(9).
AddedYouSign (rebranding to YouTrust)26 May 2026Replaces DocuSign for electronic signatures, identity verification, and document workflow. EU-based provider with EU hosting. Applies to new signing workflows only.
DeprecatedDocuSign26 May 2026Replaced by YouSign for new workflows. Retained on the list during transition period pending confirmation that no personal data remains in DocuSign systems. Will be removed upon confirmation.