Data Processing Addendum (DPA)
Published for transparency and procurement review. For all inquiries, email security@meridianverity.com.
Meridian Verity Group LLC Data Processing Addendum (DPA)
| Document ID | MVG-DPA-1.0.1 |
|---|---|
| Version | 1.0.1 |
| Effective date | 2026-02-06 |
| Status | Public |
| Classification | Website policy (B2B / procurement oriented) |
| Primary contact | privacy@meridianverity.com |
1. Parties and scope
This Data Processing Addendum (“DPA”) forms part of the Agreement between Customer and Meridian Verity Group LLC (“MVG”).
This DPA applies only to Personal Data processed by MVG as a Processor on behalf of Customer in providing the Services.
2. Order of precedence
If there is a conflict among documents, the following order applies (unless the Agreement states otherwise):
Executed transfer schedules (e.g., EU SCCs / UK Addendum / UK IDTA),
This DPA,
The Agreement and Order Forms,
Any other online terms.
3. Definitions
“Applicable Data Protection Law” means laws applicable to processing of Personal Data under the Agreement (e.g., GDPR/UK GDPR, Swiss FADP, U.S. state privacy laws).
“Controller”, “Processor”, “Personal Data”, and “processing” have the meanings given in Applicable Data Protection Law.
“Customer Content” means data submitted to the Services by or on behalf of Customer.
“Subprocessor” means a third party engaged by MVG to process Personal Data on behalf of Customer.
4. Roles
Customer is the Controller of Personal Data in Customer Content (unless otherwise specified).
MVG processes Personal Data as a Processor on Customer’s documented instructions, solely to provide the Services.
5. Processing details
The subject matter, duration, nature and purpose of processing, types of Personal Data, and categories of data subjects are described in Annex 1.
6. Processor obligations (GDPR Art. 28 aligned)
Process Personal Data only on documented instructions from Customer.
Ensure persons authorized to process Personal Data are bound by confidentiality.
Implement appropriate technical and organizational measures (Annex 2).
Engage Subprocessors only under the controls in Section 7.
Assist Customer with data subject requests and regulatory inquiries (Section 9).
Delete or return Personal Data at end of Services (Section 12), unless legally required to retain.
If MVG believes an instruction violates Applicable Data Protection Law, MVG will inform Customer (unless prohibited by law).
6.1 No generalized model training on Customer Content
Unless explicitly agreed in writing, MVG will not use Customer Content (including Customer Personal Data) to train generalized models.
MVG may use de-identified and aggregated operational metrics to improve reliability and security, to the extent permitted by law and the Agreement.
7. Subprocessors (request-based list + change notice)
Customer grants MVG a general authorization to use Subprocessors to provide the Services.
MVG will provide a current list of Subprocessors on request at security@meridianverity.com (and/or via a URL if published) and will provide reasonable prior notice of material changes.
Customer may object to a new or replacement Subprocessor on reasonable grounds related to data protection. If the parties cannot resolve the objection, Customer may terminate the affected Services per the Agreement.
MVG will impose data protection obligations on Subprocessors no less protective than this DPA.
8. Security measures
MVG will implement and maintain the technical and organizational measures described in Annex 2.
9. Assistance
9.1 Data subject requests
Taking into account the nature of processing, MVG will assist Customer by appropriate technical and organizational measures to respond to data subject requests, to the extent Customer cannot do so through self-service tools.
9.2 DPIAs and consultations
MVG will provide reasonable information needed for DPIAs and prior consultations, considering the Services and information available to MVG.
10. Personal Data Breach notification
MVG will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
The notification will include information reasonably necessary for Customer to meet breach-notification obligations, as available at the time, and MVG will provide supplemental information as it becomes available.
11. Audits (evidence-first default; public-sector hook)
Audit-by-evidence is the default: MVG may satisfy audit requests by providing reasonable documentation and third-party reports under NDA where appropriate.
Customer may request an on-site or live audit no more than once per 12 months (unless a material incident occurs), subject to reasonable advance notice and MVG security constraints.
Government Entities: If Customer is a Government Entity with mandatory audit requirements, the parties will in good faith negotiate an audit plan that meets legal requirements while protecting security and confidentiality.
Nothing in this Section obligates MVG to disclose trade secrets, unpublished patent claims, or security-sensitive implementation details.
12. Deletion or return
At the end of the provision of Services, MVG will, at Customer’s choice and where feasible, delete or return Customer Personal Data and delete remaining copies, unless applicable law requires retention.
Backup and archival deletion may follow MVG’s standard cycles, provided MVG continues to protect retained data.
On request and where reasonable, MVG will provide a written confirmation of deletion/return completion.
13. Government and legal access requests
If MVG receives a legally binding request from a law enforcement agency or other public authority for Customer Personal Data, MVG will (to the extent legally permitted):
Promptly notify Customer before disclosing the data,
Disclose only the minimum data required to comply with the request, and
Challenge or seek to limit the request where there are reasonable grounds to do so.
14. International transfers
If Customer Personal Data is transferred from the EEA/UK/Switzerland to a country not recognized as adequate, the parties will implement an appropriate transfer mechanism, such as:
EU Standard Contractual Clauses (SCCs) as applicable,
UK Addendum to the EU SCCs and/or the UK International Data Transfer Agreement (IDTA), as applicable.
Transfer mechanisms and module selections will be set out in Annex 3 (Transfer Mechanisms) and executed/attached as required.
15. U.S. state privacy (CPRA and similar)
Where Customer is a “business” and MVG is a “service provider” or “processor” under applicable U.S. state privacy laws:
MVG will not sell or share Personal Data for cross-context behavioral advertising.
MVG will not retain, use, or disclose Personal Data outside the direct business relationship except as permitted by law and the Agreement.
MVG will cooperate with Customer to support consumer rights requests as required by law.
If required by law, MVG will implement reasonable controls to prevent combining Personal Data received from Customer with Personal Data from other sources except as permitted.
16. Confidentiality
Customer Personal Data is Customer Confidential Information under the Agreement (or, if not defined, MVG will treat it as confidential and protect it with reasonable safeguards).
17. Liability
Liability under this DPA is subject to the liability limitations and exclusions in the Agreement, unless prohibited by law.
18. Contact
DPA inquiries: security@meridianverity.com (recommended: dpa@meridianverity.com alias forwarding to the same inbox)
Privacy: security@meridianverity.com
19. Signature (optional)
If the parties execute this DPA as a standalone document, signature blocks may be used below. If the DPA is incorporated by reference into the Agreement, signatures on the Agreement are sufficient.
| Customer | Meridian Verity Group |
|---|---|
| By: ________________________________ | By: ________________________________ |
| Name: ______________________________ | Name: ______________________________ |
| Title/Role: _________________________ | Title/Role: _________________________ |
| Date: ______________________________ | Date: ______________________________ |
Annex 1 - Processing Details
Subject matter: Provision of the Services (governance/accountability systems; receipts; verification artifacts; fail-closed enforcement support).
Duration: For the term of the Agreement plus any agreed retention period.
Nature of processing: collection, storage, structuring, access, use, disclosure (as instructed), deletion.
Purpose: provide, secure, and maintain the Services; generate and verify evidence artifacts; support audits and procurement evidence; customer support.
Types of Personal Data (depends on configuration): authorized user identifiers; system identifiers and logs; evidence artifact metadata; Customer Content to the extent it contains Personal Data.
Categories of data subjects: Customer employees/contractors/authorized users; Customer end users (if Customer inputs their data); other individuals whose data appears in Customer Content.
Special categories: not intended unless Customer explicitly instructs and lawful basis exists.
Annex 2 - Security Measures (baseline)
Access controls (least privilege) and MFA for administrative access.
Encryption in transit (TLS) and encryption at rest where appropriate.
Logging and monitoring for security events.
Vulnerability management and patching.
Incident response procedures.
Secure development and change control appropriate to the Services.
Segregation controls for multi-tenant systems where applicable.
Backup and recovery appropriate to the Services.
Annex 3 - Transfer Mechanisms (attach if needed)
Schedule 3A: EU SCCs - attach executed SCCs (module selection depends on roles).
Schedule 3B: UK Addendum and/or UK IDTA - attach if UK restricted transfers apply.
Schedule 3C: Switzerland addendum - attach if applicable.
Change log
v1.0.1 - Contact routing standardized to security@meridianverity.com.