

    Data Processing Agreement (DPA)

    Version: 2026-06-12
    Last updated: 12 June 2026
    Template for business customers

    This Data Processing Agreement ("DPA") forms part of the agreement between [LEGAL_ENTITY_NAME] ("Processor", "we", "us") and the customer entity that uses Merkurius ("Controller", "you") under our Terms of Service.

    This DPA applies when you are the data controller and we process personal data contained in Customer Data on your behalf. It supplements our Privacy Policy, which governs processing where we act as controller for account data.

    For a countersigned copy, contact [email protected] with subject line "DPA".


    1. Background and purpose

    1.1 This DPA sets out terms for processing personal data by the Processor on behalf of the Controller in connection with the Merkurius service (the "Service"), in accordance with GDPR Article 28 and applicable Finnish data protection law.

    1.2 The Controller determines the purposes and means of processing personal data in Customer Data. The Processor processes such data only on documented instructions from the Controller, as set out in this DPA, the Terms, and the Controller's use of the Service.

    1.3 Details of processing are specified in Schedule 1 below.

    2. Definitions

    Capitalized terms not defined here have the meaning in the Terms or GDPR:

    • "Customer Data" — as defined in the Terms.
    • "Data Protection Regulation" — GDPR and applicable national implementing legislation.
    • "Personal Data Breach" — a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
    • "Sub-processor" — a third party engaged by the Processor to process personal data on behalf of the Controller.
    • "Standard Contractual Clauses" — EU Commission-approved clauses for transfers of personal data to third countries.

    3. Processing instructions

    3.1 The Processor shall process personal data only on documented instructions from the Controller, including as necessary to provide the Service, maintain security, comply with law, or as otherwise instructed in writing.

    3.2 The Processor shall inform the Controller if an instruction appears to violate the Data Protection Regulation, unless prohibited by law from doing so.

    4. Processor obligations

    The Processor shall:

    a) process personal data only as instructed;
    b) ensure persons authorized to process personal data are bound by confidentiality;
    c) implement appropriate technical and organizational measures (see Section 5);
    d) respect conditions for engaging Sub-processors (Section 6);
    e) assist the Controller with data subject rights requests (Section 7);
    f) assist with security, breach notification, and impact assessments where required (Sections 8–9);
    g) delete or return personal data at end of Services (Section 10);
    h) make available information necessary to demonstrate compliance and allow audits (Section 11).

    5. Security measures

    The Processor maintains measures appropriate to risk, including:

    • logical tenant isolation and row-level access controls;
    • encryption in transit (HTTPS/TLS);
    • authentication and access management;
    • backup and recovery procedures;
    • Sub-processors bound by equivalent data protection terms.

    A more detailed description is available on request. The Processor may update measures provided they do not materially reduce overall security.

    6. Sub-processors

    6.1 The Controller provides general authorization for Sub-processors listed in Schedule 1. The Processor shall impose data protection obligations on Sub-processors equivalent to this DPA.

    6.2 The Processor remains liable for Sub-processor performance as for its own obligations.

    6.3 The Processor shall notify the Controller of intended changes to Sub-processors (via the Privacy Policy or direct notice for material changes). The Controller may object on reasonable grounds relating to data protection. If the parties cannot resolve the objection, the Controller may terminate affected Services.

    6.4 Where a Sub-processor is outside the EEA, the Processor shall ensure appropriate transfer safeguards (such as Standard Contractual Clauses).

    7. Data subject rights

    Taking into account the nature of processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling requests from data subjects (access, rectification, erasure, restriction, portability, objection).

    The Controller is responsible for responding to data subjects. The Processor may direct individuals to the Controller where the Controller is responsible.

    8. Personal data breaches

    8.1 The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting personal data processed on behalf of the Controller.

    8.2 The notification shall include, to the extent available: nature of the breach; categories and approximate numbers of data subjects and records concerned; likely consequences; and measures taken or proposed.

    8.3 The Processor shall cooperate with the Controller in investigating and mitigating the breach.

    9. Data protection impact assessments

    The Processor shall provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities where required for processing under this DPA, taking into account the nature of processing and information available to the Processor.

    10. Return and deletion

    Upon termination of the Service or on Controller request, the Processor shall, at the Controller's choice, delete or return personal data processed on behalf of the Controller, except where retention is required by law. Deletion timelines align with Section 14 of the Terms unless otherwise agreed.

    11. Audits and information

    11.1 The Processor shall make available information reasonably necessary to demonstrate compliance with this DPA.

    11.2 The Controller may audit compliance no more than once per twelve (12) months on thirty (30) days' notice, during business hours, without disrupting operations. Audits shall be conducted by the Controller or a mutually agreed independent auditor bound by confidentiality. The Controller bears audit costs unless material non-compliance is found.

    12. Liability

    12.1 Each party's liability under this DPA is subject to the limitations in the Terms, except where limitation is prohibited by the Data Protection Regulation.

    12.2 Each party is responsible for administrative fines and damages to the extent resulting from its breach of the Data Protection Regulation. If one party compensates a data subject under Article 82 GDPR, it may recover from the other party that party's share of responsibility.

    13. Term

    This DPA is effective when the Controller accepts the Terms or signs a separate agreement incorporating this DPA, and continues until processing of Controller personal data on behalf of the Controller ends.

    14. Order of precedence

    If there is a conflict between this DPA and the Terms regarding processing of personal data as processor, this DPA prevails. If there is a conflict between this DPA and a separately signed enterprise agreement, the signed agreement prevails.

    15. Contact

    Processor privacy contact: [email protected]


    Schedule 1 — Specification of processing

    Subject matter and duration

    Processing of personal data in Customer Data to provide the Merkurius SaaS planning platform for the duration of the subscription or trial and any retention period described in the Terms and Privacy Policy.

    Nature and purpose of processing

    Hosting, storage, organization, retrieval, analysis (forecasting and planning calculations), display, export, backup, security monitoring, and support related to Customer Data uploaded or generated through use of the Service.

    Categories of personal data

    Depending on what the Controller uploads or configures, this may include:

    • user account identifiers (name, email, display name);
    • company or tenant name;
    • business contact details in master data or orders;
    • operational and planning data linked to identifiable individuals only where the Controller includes such data in imports;
    • technical logs (IP address, timestamps, session identifiers) where generated by the Service.

    The Controller is responsible for ensuring that Customer Data uploaded to the Service is adequate, relevant, and limited to what is necessary.

    Categories of data subjects

    • Controller's employees and contractors with User accounts;
    • other individuals whose personal data the Controller chooses to include in Customer Data (e.g. planners, buyers, contacts in uploaded files).

    Processing locations

    Primary processing in EU (confirm in Supabase dashboard) via Supabase infrastructure. Frontend delivery may involve EU (confirm in Supabase dashboard) and/or the United States (Vercel). Transfers outside the EEA use Standard Contractual Clauses or other approved mechanisms.

    Authorized Sub-processors

    | Sub-processor | Service | Location |
    |---------------|---------|----------|
    | Supabase, Inc. | Database, authentication, storage | EU (confirm in Supabase dashboard) / as configured |
    | Vercel Inc. | Application hosting and CDN | EU and/or United States |

    The current list is also published in our Privacy Policy. We will update Schedule 1 or the Privacy Policy when Sub-processors change materially.

    Controller instructions

    The Controller instructs the Processor to process personal data as necessary to:

    • provide features the Controller enables in the Service;
    • maintain security and integrity;
    • comply with applicable law; and
    • perform actions initiated by authorized Users (import, forecast, export, delete).

    Special categories and criminal data

    The Service is not designed for special categories of personal data under GDPR Article 9 or criminal conviction data under Article 10. The Controller shall not upload such data unless parties agree in writing to additional safeguards.


    [LEGAL_ENTITY_NAME]
    Business ID: [BUSINESS_ID]
    [REGISTERED_ADDRESS]
    [COUNTRY]