1. Roles of the parties
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (“Customer”) and Meridian Cloud, Inc. (“Meridian”). It applies where Meridian processes personal data on your behalf in providing the Service.
You act as the controller (or, where applicable, processor on behalf of your own customers) of the personal data you submit to the Service. Meridian acts as the processor (or sub-processor) and processes that data only on your documented instructions, which include your configuration and use of the Service.
2. Scope and purpose of processing
Meridian processes personal data solely to provide, secure, and support the Service: for example, to host your records, send invoices and notifications on your behalf, process payments, and provide support.
The categories of data subjects (such as your customers, staff, and crew) and categories of personal data (such as names, contact details, job and scheduling records, and payment metadata) are determined by you through your use of the Service.
3. Customer instructions
Meridian will process personal data only on your documented instructions, unless required to do otherwise by law (in which case Meridian will inform you, where legally permitted).
You are responsible for ensuring you have a lawful basis to collect and submit the personal data you put into the Service, and for the accuracy of that data.
4. Confidentiality
Meridian ensures that personnel authorized to process personal data are bound by appropriate confidentiality obligations and access data only as needed to operate and support the Service.
5. Sub-processors
You authorize Meridian to engage sub-processors (for example: hosting, database, email, SMS, payments, and AI providers) to support delivery of the Service. The current list is maintained on our sub-processors page.
Meridian imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for their performance. We will give reasonable notice of new sub-processors so you can object on legitimate grounds.
6. Security
Meridian maintains appropriate technical and organizational measures to protect personal data, including encryption in transit (TLS 1.3) and at rest (AES-256), strict multi-tenant isolation, access controls, and logging.
Additional detail is available on our security overview and security disclosure pages.
7. Personal data breaches
Meridian will notify you without undue delay after becoming aware of a personal data breach affecting your data, and will provide information reasonably available to help you meet your own notification obligations.
8. Data-subject rights
The Service provides tools to access, export, correct, and delete personal data so you can respond to data-subject requests directly.
Where a data subject contacts Meridian regarding data you control, Meridian will, where legally permitted, direct them to you and assist you in responding, taking into account the nature of the processing.
9. International transfers
Where personal data is transferred across borders, Meridian relies on appropriate safeguards (such as standard contractual clauses) where required by applicable law.
10. Return and deletion of data
On termination of the Service, you may export your personal data for a reasonable period. After that period, Meridian will delete or anonymize the personal data, except where retention is required by law.
You may request deletion of personal data at any time, subject to records Meridian is legally required to retain.
11. Audits
On reasonable request, Meridian will make available information necessary to demonstrate compliance with this DPA and will cooperate with audits to the extent reasonable for the size and stage of the Service.
12. Contact
For data-protection inquiries, email privacy@meridiancloud.app.
This is a plain-language summary for an early-access product and is not a substitute for legal advice or a fully negotiated agreement. A countersignable DPA is available on request as Meridian Cloud matures. See also our Privacy Policy and sub-processors list.