Subprocessors
Learn who processes your data on our behalf.
Marad B.V. Version: V.01.2026 | Last update to subprocessors: May 2026 | Maintained separately from the Data Processing Agreement
This document lists the third-party service providers (“Subprocessors”) authorised to process Customer Personal Data (as defined in Article 4(1) of the GDPR) on behalf of Marad B.V. These Subprocessors support the delivery, operation, and security of the Marad web application, APIs, underlying infrastructure, and related services, including hosting, storage, software development, technical support, communication, and analytics.
Marad shares only the minimum Customer Personal Data necessary for each purpose. All Subprocessors are subject to written agreements that include data protection obligations, confidentiality requirements, and appropriate technical and organisational measures. Where required, international transfers are protected by appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) or equivalent lawful transfer mechanisms. Marad remains responsible for ensuring that processing is performed in accordance with applicable data protection laws.
Change notification
Changes to this Subprocessor List (addition or replacement of Subprocessors) are communicated to Controllers in writing or by email in advance, with a minimum notice period of 14 days, in accordance with Article 6 of the Data Processing Agreement. Controllers may object to such changes within that notice period.
The current version of this document is always available at marad.com/subprocessors or upon request via support(at)marad.com
Subprocessors
| Subprocessor | Country | Processing Activity | Data Categories | Safeguards |
|---|---|---|---|---|
| RSH | Netherlands | Hosting services, file storage and backup services | Customer and operational data stored or processed in Marad services | DPA; confidentiality obligations; access controls; backup and retention controls |
| Leaseweb | Netherlands and Australia | Hosting services, file storage and backup services | Customer and operational data stored or processed in Marad services | DPA; confidentiality obligations; access controls; backup and retention controls |
| Microsoft | EU (Ireland) and Global | Cloud hosting of Marad services, DNS, infrastructure operations, email, file sharing, and collaboration tools | Customer account and contact data, licence and entitlement data, authentication and access logs, communications, documents and attachments (where applicable) | DPA; encryption in transit and at rest (service dependent); access controls; audit logging; SCCs or equivalent transfer safeguards where applicable |
| NetRom Software | Netherlands | Software development, maintenance and testing | Operational data, test data, documentation, and limited customer data where necessary for support or troubleshooting | DPA; confidentiality obligations; least-privilege access; controlled access to environments |
| Snelstart | Netherlands | Accounting and financial administration | Billing data, invoicing details, customer contact and payment-related data | DPA; access controls; retention controls; confidentiality obligations |
| Asana | EU and Global | Project management and task tracking | Task data, project timelines, internal notes, customer contact details (where included) | DPA; access controls; encryption in transit and at rest (service dependent); SCCs or equivalent transfer safeguards where applicable |
| DocuSign | EU and Global | Electronic signatures and document workflow | Names, email addresses, signatures, and signed document contents | DPA; encryption in transit and at rest (service dependent); access controls; audit logging; SCCs or equivalent transfer safeguards where applicable |
| Plausible Analytics | EU (Germany) | Privacy-friendly website analytics | Website usage metrics; IP address processed transiently for security and aggregation (configuration dependent) | DPA; data minimisation; cookie-free configuration (where enabled); access controls |
| Mailchimp | USA | Email marketing and transactional email delivery | Names, email addresses, email engagement data (opens, clicks) | DPA; encryption in transit and at rest; access controls; SCCs or equivalent transfer safeguards where applicable |