Legal

Data Processing Addendum

Published: June 20, 2026  ·  Customer-review version; effective only when signed or incorporated

1. Status and Scope

This Data Processing Addendum (“DPA”) is a platform document for Merba customers that need written privacy and data-processing terms for their platform use. It supplements the Merba Terms of Service and Privacy Policy. It is not a signed contract by itself unless Merba and the customer execute it or incorporate it into an order form or agreement.

This DPA applies to personal information that Merba processes on behalf of a tenant business through scheduling, booking, client management, charting, invoices, notifications, discovery, integrations, and related platform features.

2. Roles and Instructions

The tenant business determines why client, appointment, charting, invoice, and business records are collected and how they are used in its practice. Merba processes those records to provide, secure, support, and improve the Service under the tenant's configuration and instructions.

Sensitive tenant operations are processed through protected platform workflows, including tenant scoping, booking, charting, approvals, invoices, exports, notifications, and payment-metadata routing. Intelligence, ad, and media-generation features are separate and use bounded business context plus user-directed or user-approved prompts.

Merba will not sell tenant client records. Merba will not use client records, chart notes, clinical records, payment card details, or broad client lists for third-party advertising or third-party model training.

3. Safeguards

  • TLS encryption in transit, password hashing, and secure session cookies.
  • Tenant membership, role, permission, and plan-gate checks on protected routes.
  • Audit logging for selected sensitive actions, including chart and client-profile access.
  • Deterministic processing for sensitive operational records such as charting, booking, invoices, approvals, exports, notifications, and payment metadata.
  • Provider-boundary controls that block PHI-labeled payloads from host AI provider calls.
  • Operational controls for support access, incident triage, and breach-response records.

4. Subprocessors and Cross-Border Processing

Merba uses subprocessors listed on the Subprocessor Register. Providers may process information in Canada, the United States, the European Union, or other locations depending on the provider and enabled feature.

Merba will maintain a subprocessor register and update it when material providers change. Customers may contact privacy@merba.app with questions about provider data handling.

5. Incidents, Rights, and Retention

If Merba becomes aware of unauthorized access to tenant-controlled personal information, Merba will investigate, contain, preserve evidence, and notify affected tenant businesses without unreasonable delay where notice is required or appropriate.

Merba will provide reasonable technical support for tenant requests involving access, correction, export, deletion, or retention of tenant-controlled data. Audit, security, payment, tax, dispute, backup, and legally required records may be retained for longer periods.

6. Official References

7. Contact

Questions or requests about this DPA should be sent to privacy@merba.app.

    Data Processing Addendum | Merba