Legal

Data Processing Agreement

How MUR Solutions processes personal data on behalf of its clients, pursuant to GDPR (EU 2016/679)

1. Parties & Scope

This Data Processing Agreement ("DPA") forms part of the engagement between MUR Solutions S.L. ("Processor") and the client ("Controller") and governs the processing of personal data carried out by the Processor on the Controller's behalf.

Processor details:

Legal name: MUR Solutions S.L.

Tax ID (CIF): B19837715

Registered address: Torrent de l'Olla 121, 08012 Barcelona, Spain

Contact: legal@mur-solutions.com

This DPA applies whenever the Processor processes personal data on behalf of the Controller in the course of delivering the contracted Services. In all such cases the Controller determines the purposes and means of processing and the Processor acts only on documented instructions.

2. Roles of the Parties

Where MUR Solutions processes personal data supplied by, or generated on behalf of, the client to deliver an engagement, MUR Solutions acts as Processor and the client acts as Controller within the meaning of Article 4 GDPR.

The Processor shall process personal data only on the documented instructions of the Controller, including with regard to international transfers, unless required to do otherwise by EU or Member State law.

3. Subject Matter & Duration

Subject matter: processing of personal data as necessary to deliver the AI and data consulting Services agreed in the applicable proposal or statement of work.

Duration: for the term of the engagement and any agreed data-export period thereafter.

Nature & purpose: analysis, modelling, pipeline development, dashboarding and automation of the Controller's business data.

Categories of data subjects: the Controller's customers, employees and contacts, as determined by the data the Controller provides.

Categories of personal data: as provided by the Controller; the Controller is responsible for not sharing special-category data unless expressly agreed in writing.

4. Processor Obligations

MUR Solutions shall:

Process personal data only on the Controller's documented instructions.

Ensure persons authorised to process the data are bound by confidentiality.

Implement appropriate technical and organisational security measures (see clause 6).

Engage sub-processors only under clause 5.

Assist the Controller in responding to data-subject rights requests.

Assist the Controller with security, breach-notification and impact-assessment obligations (Arts. 32–36 GDPR).

At the Controller's choice, delete or return all personal data at the end of the engagement, except any copies required by law.

Make available the information necessary to demonstrate compliance and allow for audits.

5. Sub-processors

The Controller provides general authorisation for the Processor to engage the sub-processors listed below. The Processor remains fully liable for their performance and binds each by a written agreement with data-protection obligations no less protective than this DPA.

Vercel — hosting and deployment infrastructure (US/EU)

Neon / PostgreSQL — cloud database storage (EU)

Resend — transactional email (EU)

Sentry — error monitoring and tracing, PII scrubbed (US, DPF certified)

Clerk — authentication, where an account is provisioned (US, DPF certified)

The Processor will give the Controller 30 days' prior notice of any intended addition or replacement of a sub-processor, during which the Controller may object on reasonable data-protection grounds.

6. International Transfers

Where a sub-processor processes data outside the European Economic Area, transfers are protected by:

EU–US Data Privacy Framework (DPF) for certified vendors, or

Standard Contractual Clauses (SCCs) adopted by the European Commission (Implementing Decision EU 2021/914).

To request details of the specific safeguards in place, email legal@mur-solutions.com.

7. Security Measures

The Processor applies appropriate technical and organisational measures, including:

TLS encryption in transit and encryption at rest.

Role-based access control and the principle of least privilege.

Logging, monitoring and periodic security review.

PII minimisation and, where feasible, redaction before processing.

8. Personal Data Breach

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, and provide the information reasonably required for the Controller to meet its own notification obligations under Articles 33–34 GDPR.

9. Return & Deletion

On termination of the engagement, the Processor will, at the Controller's choice, return or delete all personal data processed on the Controller's behalf within 30 days, except where retention is required by applicable law (e.g. Spanish tax law for billing records).

10. Governing Law

This DPA is governed by Spanish law and the GDPR. In the event of conflict between this DPA and the main engagement terms, this DPA prevails in respect of data processing.

Last updated: June 2026