Data Processing Agreement

Last updated: June 26, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer", "Controller") and MerginIT e.U. operating OCRMD ("Processor", "we", "us") when you use our services and we process personal data on your behalf.

1. Definitions

Terms such as "personal data", "processing", "controller", "processor", and "data subject" have the meanings given in the EU General Data Protection Regulation (GDPR) and applicable national data protection laws.

2. Subject matter and duration

The Processor processes personal data on behalf of the Controller for the purpose of providing OCR, document conversion, account management, billing, and related support services via ocrmd.com. Processing continues for the term of the service agreement and as required by law thereafter.

3. Nature and purpose of processing

  • Uploading and processing documents and images submitted by the Controller
  • Performing OCR and converting content to Markdown or related formats
  • Storing documents and extraction results for authenticated users
  • Managing user accounts, authentication, and billing
  • Providing customer support and service communications

4. Categories of data subjects and personal data

Data subjects may include the Controller's employees, contractors, and end users. Personal data may include account identifiers, email addresses, uploaded document content, usage metadata, billing information, and technical logs.

5. Obligations of the Processor

The Processor shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist the Controller with data subject requests where applicable
  • Notify the Controller without undue delay of personal data breaches
  • Delete or return personal data after the end of services, unless retention is required by law
  • Make available information necessary to demonstrate compliance with Article 28 GDPR

6. Sub-processors

The Controller authorizes the Processor to engage sub-processors required to deliver the service, including infrastructure, authentication, email, analytics, and payment providers. A current list of key sub-processors is described in our Privacy Policy. The Processor will inform the Controller of intended changes and provide an opportunity to object where required by law.

7. International transfers

Where personal data is transferred outside the European Economic Area or United Kingdom, the Processor relies on appropriate safeguards such as Standard Contractual Clauses and supplementary measures as described in our Privacy Policy.

8. Security measures

The Processor maintains administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, loss, or disclosure. Measures include access controls, encryption in transit, secure hosting, and restricted internal access.

9. Audits

Upon reasonable request, the Processor will provide information necessary to demonstrate compliance with this DPA and allow audits mandated by applicable data protection law, subject to confidentiality and security requirements.

10. Contact

For questions about this DPA or to exercise data protection rights, contact:

MerginIT e.U.
Jonas Fröller
Nußböckstraße 92, 4060 Leonding, Austria
Email: ocrmddotcom@gmail.com

See also our Imprint and Privacy Policy.