Meridian HR
Last updated · 2026-05-20

Data Processing Addendum.
The mechanics of processing.

This DPA forms part of the Agreement between the Customer and Meridian HR Ltd. It sets the terms on which Meridian processes personal data on the Customer's behalf — including the mandatory provisions of Article 28 of the GDPR, equivalent provisions of the Kenya Data Protection Act 2019, Nigeria NDPA 2023, South Africa POPIA, and the parallel laws of the other jurisdictions we serve. Where this DPA conflicts with the Terms, this DPA controls for processing.


The version that fits on one screen.

/ at a glance — 06 points

01. Customer is controller. Meridian is processor.
    Roles assigned and confirmed. The Customer decides purposes; we decide only the technical means, on documented instructions.

02. Annex II security: load-bearing, not theatre.
    Encryption, RBAC, audit, key separation, on-call. SOC 2 Type II + ISO/IEC 27001 certified.

03. 72-hour breach notification.
    Without undue delay, and in any case within 72 hours of detection of any incident affecting Customer personal data.

04. Sub-processor changes: 30 days' notice.
    Right to object included. Customer can terminate the affected service component if a new sub-processor is unacceptable.

05. Transfers: SCCs + supplementary.
    Module 3 SCCs where required, plus TIA on file, plus the encryption and key-separation measures in Annex II.

06. Return or delete on exit.
    Customer chooses. 30-day export window first; statutory retention applies for tax records only.

In this document

  • 01 Scope & roles.
  • 02 Subject matter, duration, nature, and purpose.
  • 03 Data subjects & categories of data.
  • 04 Customer instructions.
  • 05 Personnel.
  • 06 Sub-processors.
  • 07 Security (Annex II).
  • 08 Assistance with data-subject rights.
  • 09 Personal-data breach.
  • 10 DPIAs and prior consultation.
  • 11 International data transfers.
  • 12 Audits.
  • 13 Return and deletion.
  • 14 Liability and precedence.
  • 15 Annexes.

Questions? dpo@meridianhr.co reaches a human in Nairobi, usually inside one business day.

01. Scope & roles.

For the personal data Meridian processes on the Customer's behalf in the course of providing the platform (the Customer Personal Data), the Customer is the controller and Meridian is the processor. Where the Customer acts on behalf of an underlying employer (e.g. under a PEO / EOR arrangement), the Customer is a controller-in-fact and warrants its right to instruct Meridian on that data.

Meridian processes Customer Personal Data only on documented instructions from the Customer — the Agreement itself constituting the Customer's complete and final instructions at the date of signature. Subsequent instructions must be given through the platform's configuration surfaces, through the Customer's CSM in writing, or via a signed amendment.

02. Subject matter, duration, nature, and purpose.

Subject matter
Processing of Customer Personal Data to provide the Meridian platform — HR, payroll, leave, attendance, performance, and statutory filing — to the Customer.
Duration
The term of the Agreement, plus the export window, plus any statutory retention period set out in this DPA and the Privacy Notice.
Nature
Collection, structuring, storage, retrieval, use, disclosure by transmission, alignment or combination, restriction, erasure, and destruction, by automated and manual means.
Purpose
Performance of the Agreement and any documented Customer instruction consistent with it.

03. Data subjects & categories of data.

Categories of data subjects

  • Customer's employees, contractors, and former employees
  • Candidates entered into the platform during recruitment
  • Dependents and emergency contacts as required for tax relief, medical cover, and statutory filing
  • Customer's administrative users (HR, finance, IT, line managers)

Categories of personal data

As enumerated in the Privacy Notice. In summary: identity, contact, employment, compensation, dependents, sensitive (medical certificates supporting absence and disability accommodations), device. Religion, sexual orientation, political affiliation, and biometric identifiers are not collected.

04. Customer instructions.

Meridian will:

  • Process Customer Personal Data only on documented instructions, including with regard to transfers, unless required to do so by law to which Meridian is subject — in which case Meridian will notify the Customer before processing, unless the law prohibits notification.
  • Notify the Customer promptly if, in Meridian's opinion, an instruction infringes applicable data-protection law.
  • Not combine Customer Personal Data with data from other customers, or use it to train any model, or use it for Meridian's own purposes beyond the operation of the platform and the aggregated, irreversibly de-identified usage statistics permitted under the Terms.

05. Personnel.

Meridian ensures that its personnel authorised to process Customer Personal Data are bound by appropriate confidentiality undertakings — by employment contract, by separate NDA where contracted, and by an active access-control system that grants the minimum privilege necessary for the role. Authorisation is reviewed quarterly and revoked at offboarding (target ≤ 30 minutes, median observed ≤ 12 minutes).

06. Sub-processors.

The Customer grants Meridian general written authorisation to engage sub-processors for the processing of Customer Personal Data. The current sub-processors are listed in Annex III of this DPA (and reproduced in the Privacy Notice).

Meridian will impose on each sub-processor data-protection obligations no less protective than those in this DPA — by written contract — and remains liable to the Customer for the acts and omissions of its sub-processors.

Where Meridian intends to add or replace a sub-processor, Meridian will give the Customer at least 30 days' written notice (by email to the account admin and by changelog post). The Customer has the right to object on reasonable grounds related to data protection within those 30 days. If the parties cannot resolve the objection, the Customer may terminate the affected component of the service for convenience, with a pro-rata refund of prepaid fees for the unused period.

07. Security (Annex II).

Meridian implements and maintains the technical and organisational measures described in Annex II to this DPA, designed to ensure a level of security appropriate to the risk. Annex II is part of this DPA and is reproduced in the Privacy Notice for ease of reference. The current measures are summarised below; the most current version is the one published in the Privacy Notice.

  • Encryption: TLS 1.3 in transit; AES-256-GCM at rest; envelope encryption for sensitive fields; customer-isolated KMS keys.
  • Pseudonymisation: in non-production environments by default; production telemetry pipelines strip identifiers at source.
  • Availability: multi-AZ deployment; nightly encrypted backups; quarterly disaster-recovery drill against a clean account.
  • Integrity: signed commits, reproducible builds, cosigned containers, immutable audit log.
  • Identity & access: SSO + 2FA mandatory; YubiKey support; just-in-time production access with session recording.
  • Testing: third-party penetration test no less than annually; continuous secret-scanning and dependency monitoring.
  • Certifications: SOC 2 Type II (current); ISO/IEC 27001 (current).

08. Assistance with data-subject rights.

Meridian provides the Customer with the tooling — inside the platform — to fulfil the rights of data subjects (access, rectification, erasure, restriction, objection, portability) without requiring Meridian's intervention.

Where intervention is required (e.g. a request relates to data held outside the platform interfaces, or the Customer requests Meridian's assistance), Meridian will provide reasonable assistance, taking into account the nature of the processing. We do not charge for assistance with routine requests at proportionate volume. We reserve the right to charge our reasonable cost for vexatious, repetitive, or manifestly disproportionate requests, and we will tell you in advance.

09. Personal-data breach.

Meridian will notify the Customer without undue delay, and in any case within 72 hours of detection, of any personal-data breach affecting Customer Personal Data. The initial notification will include — to the extent then known — the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, measures taken or proposed, and a contact point for further information.

Where information cannot be provided at the same time, it will be provided in phases without further undue delay. Meridian will assist the Customer in meeting the Customer's own notification obligations to supervisory authorities and data subjects.

10. DPIAs and prior consultation.

Meridian provides reasonable assistance to the Customer with any data-protection impact assessment, and with any prior consultation with a supervisory authority, that the Customer is required to carry out under applicable law. On request, we provide the DPIA support pack: data-flow diagrams, security architecture, sub-processor list, transfer impact assessment, and our most recent third-party audit summary.

11. International data transfers.

Meridian will not transfer Customer Personal Data outside the Customer's jurisdiction except on the basis of an adequate transfer mechanism. Where the EU GDPR applies and a transfer is to a country without an adequacy decision, the parties will be bound by the EU Standard Contractual Clauses (2021), Module 3 (processor-to-processor) or Module 2 (controller-to-processor) as applicable, which are incorporated into this DPA by reference. The same applies, mutatis mutandis, for transfers subject to the UK Addendum to the SCCs, and to equivalent mechanisms under the data-protection laws of Kenya, Nigeria, Ghana, Uganda, Côte d'Ivoire, and South Africa.

For all such transfers, Meridian has carried out a transfer impact assessment (available on request under NDA) and applies the supplementary measures listed in Annex II.

12. Audits.

Meridian makes available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allows for and contributes to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer.

The Customer's primary audit right is satisfied by Meridian providing — under NDA — its current SOC 2 Type II report, ISO 27001 certificate and Statement of Applicability, and the most recent penetration-test executive summary. Where these are insufficient to address a specific concern of the Customer or a supervisory authority, the Customer may request additional information and, no more than once per calendar year and on at least 60 days' written notice, conduct an on-site audit with a mutually agreed independent auditor under reasonable scope and confidentiality terms. Each party bears its own costs for such audits, save where the audit uncovers a material breach attributable to Meridian, in which case Meridian bears the reasonable costs of the audit.

13. Return and deletion.

On termination or expiry of the Agreement — at the Customer's choice — Meridian will return all Customer Personal Data to the Customer (via the standard export tooling) or delete it. The 30-day export window applies in either case; deletion follows that window. Backups containing Customer Personal Data are overwritten on the standard 35-day rotation.

Meridian may retain Customer Personal Data to the extent required by applicable law (e.g. tax records under the Kenya Tax Procedures Act, Nigerian FIRS lookback periods, and equivalent obligations elsewhere) and only for the period required by that law, in cold storage with access logged and restricted.

14. Liability and precedence.

The liability of each party under and in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms.

This DPA prevails over any conflicting provision of the Terms or the Agreement to the extent of the conflict, but only with respect to the processing of Customer Personal Data. All other matters are governed by the Terms.

15. Annexes.

Annex I — Description of processing

As set out in Sections 02 and 03 of this DPA.

Annex II — Technical and organisational measures

As set out in Section 07 of this DPA and, in full and current form, in the Privacy Notice. Updates to Annex II that materially reduce the level of protection are notified to the Customer in advance per Section 06.

Annex III — Sub-processors

Sub-processor | Purpose | Region
Amazon Web Services (AWS) | Application hosting, primary storage, encryption keys | Cape Town (af-south-1) · Frankfurt (eu-central-1) failover
Cloudflare | Edge delivery, DDoS protection, bot filtering | Global edge, no data at rest
Postmark | Transactional email (payslips, approvals, alerts) | United States
Twilio | SMS one-time codes, WhatsApp business messages | Ireland · United States
Stripe | Card payments for SaaS subscription only | Ireland
Onfido | Identity verification at onboarding (optional) | United Kingdom
Anthropic | Ada AI features — drafting, summaries, expression help; no training on Customer Data | United States (zero-retention endpoint)
Sentry | Error monitoring (pseudonymised, no payload data) | Frankfurt

Annex IV — SCCs (where applicable)

The European Commission's Standard Contractual Clauses of 4 June 2021 (Commission Implementing Decision (EU) 2021/914), Modules 2 and 3 as applicable, are incorporated into this DPA by reference. Docking clause: open. Optional clauses: governing law of Ireland (Module 2), recipient law (Module 3); choice-of-forum: courts of Ireland.

/ revision log — 4 entries

Date | Version | Change
2026-05-20 | v2.4 | Anthropic added to Annex III; zero-retention clause noted. Clarified return / delete language for cold-storage statutory holds.
2026-01-15 | v2.3 | Aligned breach-notification window with the Customer's own 72-hour clock to supervisory authorities.
2025-09-08 | v2.2 | Added Nigeria NDPA 2023 reference. SCC 2021 Module 3 incorporated by default for processor-to-processor flows.
2025-04-02 | v2.0 | Restructured Annex II as a living document published in the Privacy Notice. Audit clause modernised.

/ talk to a person — not a ticket queue

Privacy is a conversation, not a form.

DPO
dpo@meridianhr.co
Security
security@meridianhr.co
Legal
legal@meridianhr.co
Postal
Nyali Road, Westlands · P.O. Box ●●●●●–00100, Nairobi, Kenya
© 2026 MERIDIAN HR LTD · NAIROBI · KENYA