Standard starting text, published for transparency. Each engagement executes a tailored version; where a signed agreement differs from this page, the signed agreement prevails.
1. Parties and roles
The Client (controller) and Meridianstacks (processor). Meridianstacks processes personal data only within the scope of the services agreement it accompanies, and this DPA forms part of that agreement.
2. Scope of processing (Schedule A, completed per engagement)
- Subject matter & duration: the software services and term defined in the services agreement.
- Nature & purpose: development, testing, deployment and support of the Client's product.
- Categories of data & data subjects: listed per engagement (e.g. end-user account data of the Client's customers).
3. Processor obligations
- Process personal data only on the Client's documented instructions, and tell the Client if an instruction appears to infringe applicable law.
- Ensure every person authorised to process the data is bound by confidentiality.
- Apply appropriate technical and organisational measures: client-controlled repositories, least-privilege access, encrypted transport, separated environments, no production personal data on developer machines except where the Client instructs it, and prompt credential rotation at offboarding.
- Use anonymised or synthetic data for development and testing by default; production data only on written instruction.
- Assist the Client with data-subject requests and with the Client's own compliance obligations (security, breach notification, impact assessments).
- Notify the Client of any personal-data breach without undue delay and within 72 hours of becoming aware, with the information needed for the Client's own notifications.
- At the end of the engagement, delete or return (at the Client's choice) all personal data, and certify deletion.
- Make available the information necessary to demonstrate compliance, and allow and contribute to audits with reasonable notice.
4. Sub-processors
No sub-processor is engaged without the Client's prior written authorisation. Authorised sub-processors (e.g. the hosting provider named in Schedule B) are bound by terms no less protective than this DPA, and Meridianstacks remains fully liable for their performance.
5. International transfers
Meridianstacks' engineering hubs are in Nigeria, Kenya and South Africa, which do not hold UK/EU adequacy decisions. Transfers are therefore protected by the mechanism matching the Client's regime, incorporated by reference and executed together with this DPA:
- UK GDPR: the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
- EU/EEA GDPR: the European Commission's Standard Contractual Clauses (Module 2, controller→processor).
- UAE: transfer terms consistent with Federal Decree-Law No. 45/2021 (PDPL).
- Canada: contractual safeguards consistent with PIPEDA's accountability principle.
6. Liability and term
Liability follows the services agreement's liability clause. This DPA lasts as long as Meridianstacks processes personal data for the Client and survives until deletion/return is complete.
Template v1.0 · July 2026 · Questions or redlines welcome: [email protected]