Data Processing Agreement

Effective date: 1 March 2026

Version 1.0

This Data Processing Agreement ("DPA") forms part of the Terms of Service between TwelveSides Technologies Ltd ("Processor", "we", "us") and the Customer ("Controller", "you") who has accepted the Terms of Service for Meridian Cloud ("the Service").

1. Definitions

In this DPA, the following terms have the meanings set out below. Capitalised terms not defined here have the meanings given in the Terms of Service.

  • "Controller" means the Customer, who determines the purposes and means of processing Personal Data.
  • "Processor" means TwelveSides Technologies Ltd, who processes Personal Data on behalf of the Controller.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
  • "Personal Data" means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller through the Service.
  • "Sub-Processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, and any other applicable data protection legislation.
  • "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Scope and Purpose

This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Service.

The Processor processes Customer data from Microsoft 365 (synced via the Microsoft Graph API) and other connected services as a Processor. The Controller remains the data controller for all Customer Data, including the Personal Data of its employees, customers, and end users that flows through the Service.

2.1 Subject Matter

The processing of Personal Data necessary to provide the Meridian Cloud IT management platform, including data synchronisation, aggregation, analysis, alerting, and reporting.

2.2 Duration

Processing will continue for the duration of the Controller's Subscription and for up to 30 days following termination, to allow for data export.

2.3 Nature and Purpose

The Processor collects, stores, organises, retrieves, and analyses Personal Data for the purpose of providing the Service, including:

  • Syncing and displaying user, device, and configuration data from connected services.
  • Generating security insights, compliance reports, and risk assessments.
  • Providing AI-powered recommendations via the Intelligence module.
  • Sending alert notifications and summary reports.

2.4 Categories of Data Subjects

  • The Controller's employees and staff.
  • The Controller's IT administrators and Authorised Users.
  • End users of the Controller's IT services.

2.5 Types of Personal Data

  • Names, email addresses, and job titles.
  • User account identifiers and group memberships.
  • Device identifiers, IP addresses, and sign-in activity.
  • Licence assignments and usage data.
  • Security alerts and compliance status.

3. Obligations of the Processor

The Processor shall:

3.1 Process Only on Documented Instructions

Process Personal Data only on the documented instructions of the Controller, unless required to do so by applicable law. The Terms of Service and this DPA constitute the Controller's documented instructions. If the Processor is required by law to process Personal Data other than on the Controller's instructions, the Processor will inform the Controller of that legal requirement before processing (unless the law prohibits such notification).

3.2 Ensure Confidentiality

Ensure that all personnel authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Implement Appropriate Security Measures

Implement and maintain appropriate technical and organisational measures to protect Personal Data, as described in Section 6 of this DPA.

3.4 Assist with Data Subject Requests

Assist the Controller, by appropriate technical and organisational measures and insofar as possible, in fulfilling the Controller's obligation to respond to Data Subject requests to exercise their rights under the Data Protection Laws. Where a Data Subject contacts the Processor directly, the Processor will promptly redirect the request to the Controller.

3.5 Assist with Compliance Obligations

Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to the Processor.

3.6 Delete Data on Termination

Upon termination of the Service, and following a 30-day data export period, delete all Personal Data processed on behalf of the Controller and delete existing copies, unless applicable law requires storage of the Personal Data.

3.7 Make Available Information for Audits

Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or a third-party auditor mandated by the Controller. Such audits shall be conducted with reasonable notice (at least 30 days), during normal business hours, and no more than once per year unless a Security Incident has occurred.

4. Sub-Processing

4.1 Approved Sub-Processors

The Controller authorises the Processor to engage the sub-processors listed on the Sub-Processors page. The current list of approved sub-processors as of the effective date is:

Sub-Processor      | Purpose                                | Location
Microsoft Azure    | Cloud infrastructure, storage, compute | UK West
Microsoft Entra ID | Authentication, identity               | Global
SMTP2GO            | Email delivery                         | Global
Stripe             | Payment processing                     | Global
Azure AI Foundry   | AI insights, copilot                   | UK West

4.2 Notification of Changes

The Processor will notify the Controller at least 30 days before engaging any new sub-processor or replacing an existing one. Notification will be provided via email to the address associated with the Controller's Account and by updating the Sub-Processors page.

4.3 Right to Object

The Controller may object to the engagement of a new sub-processor by notifying the Processor in writing within 14 days of receiving the notification. If the Controller objects and the Processor cannot reasonably accommodate the objection, either party may terminate the affected portion of the Service. The Processor will refund any prepaid fees for the period following termination.

4.4 Sub-Processor Obligations

The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable for the acts and omissions of its sub-processors.

5. International Transfers

The Processor primarily stores and processes Personal Data within the United Kingdom (Azure UK West region). Where Personal Data is transferred to a sub-processor outside the UK, the Processor will ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office.
  • Transfers to countries with an adequacy decision from the UK Government.

The Processor will inform the Controller of any changes to the location of data processing.

6. Security Measures

The Processor implements and maintains the following technical and organisational security measures:

6.1 Encryption

  • Data encrypted in transit using TLS 1.2 or higher.
  • Data encrypted at rest using AES-256 encryption.
  • Secrets and credentials stored in Azure Key Vault.

6.2 Access Controls

  • Role-based access control (RBAC) enforced across all systems.
  • Managed identity used for service-to-service authentication (no stored credentials).
  • Multi-factor authentication required for all administrative access.
  • Principle of least privilege applied to all access grants.

6.3 Audit Logging

  • All administrative actions are logged with timestamps and user identifiers.
  • Audit logs are retained for a minimum of 90 days.
  • Logs are stored in a tamper-evident manner and are not accessible to end users.

6.4 Incident Response

  • Documented incident response procedures.
  • Designated incident response team.
  • Regular incident response drills and tabletop exercises.

6.5 Regular Security Testing

  • Regular vulnerability scanning of all externally facing services.
  • Annual penetration testing by qualified third parties.
  • Secure development lifecycle (SDL) practices including code review.

7. Data Breach Notification

In the event of a Security Incident affecting the Controller's Personal Data, the Processor shall:

  • Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the Security Incident.
  • Provide the Controller with sufficient information to enable the Controller to fulfil its own breach notification obligations under the Data Protection Laws.
  • Include in the notification:
    • The nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records affected.
    • The likely consequences of the Security Incident.
    • The measures taken or proposed to be taken to address the Security Incident and mitigate its effects.
    • The name and contact details of the Processor's point of contact.
  • Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident.

8. Term and Termination

This DPA shall remain in effect for the duration of the Controller's use of the Service and shall automatically terminate upon termination of the Terms of Service, subject to the Processor's obligations regarding data deletion (Section 3.6).

The obligations of the Processor under this DPA with respect to Personal Data that it retains after termination shall survive until such data is deleted.

9. Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales, without regard to its conflict of law provisions. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

10. Contact

For questions about this DPA or to exercise your rights, contact us:

TwelveSides Technologies Ltd
Email: privacy@meridiancloud.tech
Website: meridiancloud.tech
