Data Processing Addendum
For enterprise customers under GDPR, UK GDPR, CCPA, and equivalent regimes.
Last updated · May 25, 2026
Note. The signed DPA is provided as a standalone document for enterprise customers. To request the latest signed version, email legal@getmonroe.com. What follows is a summary of the terms.
Roles
For data Monroe processes on your behalf through your authorized connectors, you are the Data Controller and Monroe is the Data Processor. For data Monroe collects directly to operate the Service (e.g., your account information), Monroe is the Controller.
Subprocessors
Monroe maintains a current list of subprocessors at the bottom of our Privacy Policy. We notify Customers 30 days before adding a new subprocessor and provide an objection mechanism.
Security measures
- Encryption at rest (AES-256) and in transit (TLS 1.3).
- Least-privilege connector scoping; per-tenant key isolation on Enterprise.
- Annual third-party penetration testing.
- SOC 2 Type II in progress; report available under NDA when complete.
- Documented incident response plan with notification within 72 hours.
International transfers
For transfers of personal data outside the EEA or UK, Monroe relies on Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum. EU data residency is available Q4 2026.
Data subject requests
Monroe will assist Customer in fulfilling data subject requests (access, deletion, portability) within statutory timeframes. Requests should be initiated through Customer’s account or via privacy@getmonroe.com.
Audit rights
Customer may audit Monroe’s compliance with the DPA once per year on reasonable notice, or rely on the SOC 2 report. Audits are at Customer’s expense.
Termination
On termination, Monroe will, at Customer’s choice, return or delete all personal data within 30 days, except as required by law.