Meridian HR
/ legal — 01   privacy notice
Last updated · 2026-05-20

Your data. Your team's data.
Handled like a contract — not a feature.

This notice covers how Meridian HR Ltd processes personal data when an employer (our customer) runs people operations on our platform — including their employees, candidates, and contractors. We wrote it to be read, not skimmed past. Where the law uses jargon, we say what we mean. The legally binding version is the English text below.


The version that fits on one screen.

/ at a glance — 06 points
01. We're a processor for employee data.
Your employer decides what to do with their team's data. We just run the rails — under their instructions, in writing.

02. Hosted in Africa, primarily.
Primary region: Cape Town (af-south-1). Failover: Frankfurt. Kenya production data stays within continental Africa absent your written approval.

03. We don't sell data. Ever.
No ad networks, no resale, no data brokers, no shadowy enrichment. Read every sub-processor below — the list is the list.

04. You can export everything, any time.
Full JSON + CSV export, signed audit log, copies of every payslip. You owe us nothing for it. Your data is never hostage.

05. AI features are opt-in, zero-retention.
Ada AI drafts memos and explains rules. Inputs aren't used to train any model. Endpoint zero-retention contract on file.

06. Rights honoured across six jurisdictions.
KE, UG, NG, CI, GH, ZA — we'll route your access / erasure / portability request to the right team in plain language.
In this document
  • 01. Who we are.
  • 02. What we collect.
  • 03. Why we collect it.
  • 04. Who sees it.
  • 05. Where it lives.
  • 06. How long we keep it.
  • 07. Your rights.
  • 08. How we keep it safe.
  • 09. When this changes.
  • 10. Talk to a human.
Questions? dpo@meridianhr.co reaches a human in Nairobi, usually inside one business day.
01. Who we are.

Meridian HR Ltd is a Kenyan limited company (CR No. ●●●●●●●), registered at Nyali Road, Westlands, Nairobi. We operate the platform that sits at meridianhr.co, the iOS and Android Meridian apps, and the partner APIs documented at developers.meridianhr.co.

For the personal data of our own customers and prospects — the people who sign contracts, hand over their credit card, or chat to us on a sales call — we are the controller.

For the personal data of your employees, contractors, candidates, and dependents, processed because your employer uses our platform — we are the processor, acting on documented instructions from your employer under our Data Processing Addendum. If that's you, the right place to start is usually your HR team — they decide what your data is for, how long it's kept, and who can see it inside their organisation. We honour those decisions and the rights you have under the law that applies to you.

In plainer words
If you bought Meridian, this notice describes our handling of your data. If you're an employee whose company uses Meridian, this describes how we handle data on your employer's behalf — and most of your questions are best directed to them first.

Data Protection Officer

Our DPO is registered with the Office of the Data Protection Commissioner of Kenya (reg. ODPC/DPO/●●●●). Reachable at dpo@meridianhr.co for any privacy question, large or small. We aim to acknowledge inside 48 hours; substantive replies inside 14 days.

02. What we collect.

The categories below are the ceiling. Most customers use a fraction of them; the platform never collects fields you don't enable.

Customer data (employer-side)

Identity: Company name, registration number, tax IDs (KRA PIN, TIN, FIRS RC, etc.), registered address, signing authority.
Account: Admin email, hashed password (Argon2id), 2FA secret, session metadata, audit log of administrative actions.
Commercial: Subscription tier, headcount band, billing address, last four digits of card (full card is held only by Stripe).

Employee data (processed for your employer)

Identity: Legal name, preferred name, date of birth, national ID number, KRA PIN / NIN / SSNIT / etc., passport number where required, photograph.
Contact: Email, phone, next of kin, emergency contact, residential and postal addresses.
Employment: Job title, manager, department, employment type, contract start/end, probation status, performance ratings, leave balance and history.
Compensation: Salary, allowances, bonuses, deductions, garnishments, pension contributions, bank account or mobile money number, statutory filings.
Dependents: Spouse and child names + DOB only when needed for tax relief, medical cover, or statutory filings.
Sensitive: Medical certificates supporting sick leave (encrypted at rest, RBAC-restricted), disability accommodations, union membership where elected.
Device: IP, browser, device fingerprint hash, clock-in geolocation (where the attendance module is enabled — never silently).

A line we won't cross
Religion, sexual orientation, political affiliation, and biometric identifiers are not collected by Meridian, full stop. If a customer asks us to add fields like these, we will refuse.
03. Why we collect it.

Every field above maps to a specific lawful basis. We keep the mapping current; the short version is:

Purpose | Lawful basis (GDPR / KE DPA) | Examples
--- | --- | ---
Running the platform | Contract | Authentication, payroll calculation, payslip delivery
Statutory compliance | Legal obligation | PAYE returns, NSSF / NHIF, NDPR audit, KRA iTax filing
Security & abuse | Legitimate interest | 2FA, anomaly detection, audit logs, fraud screens
Product improvement | Legitimate interest | Aggregated, de-identified usage analytics — opt-out available
Marketing emails | Consent | Customer newsletters only; one click to unsubscribe
Ada AI features | Consent (per-user) | Drafting, summaries, expression help; off by default

We do not engage in automated decision-making with legal or similarly significant effects. Payroll math is automated; firing people is not.

04. Who sees it.

Inside your employer's tenant, access is governed by role and by audit. Inside Meridian, the engineers on duty for site-reliability have a break-glass path to production — every use is logged, alerted to the DPO, and reviewed weekly. The rest of the company sees aggregate dashboards only.

Outside Meridian, the data flows below are the complete list. We commit to publishing material changes to this table at least 30 days before they take effect.

Sub-processor | Purpose | Region
--- | --- | ---
Amazon Web Services (AWS) | Application hosting, primary storage, encryption keys | Cape Town (af-south-1) · Frankfurt (eu-central-1) failover
Cloudflare | Edge delivery, DDoS protection, bot filtering | Global edge, no data at rest
Postmark | Transactional email (payslips, approvals, alerts) | United States
Twilio | SMS one-time codes, WhatsApp business messages | Ireland · United States
Stripe | Card payments for SaaS subscription only | Ireland
Onfido | Identity verification at onboarding (optional) | United Kingdom
Anthropic | Ada AI features — drafting, summaries, expression help; no training on Customer Data | United States (zero-retention endpoint)
Sentry | Error monitoring (pseudonymised, no payload data) | Frankfurt

05. Where it lives.

Primary production is Cape Town (AWS af-south-1). Encrypted nightly snapshots replicate to Frankfurt (eu-central-1) for disaster recovery only — never for routine reads. Backups are encrypted with customer-isolated keys, rotated every 90 days.

For customers whose home jurisdiction requires data residency, we honour it. Kenyan customers can elect to keep production data inside continental Africa with no failover to Europe; ask your CSM to enable the AFRICA-ONLY region flag at provisioning.

Transfers outside your region

A small number of operational tools (transactional email, SMS) sit outside Africa, as the sub-processor table shows. For those flows, we rely on the European Commission's 2021 Standard Contractual Clauses (module 3, processor to processor), plus the supplementary measures the EDPB recommends: encryption in transit and at rest, key separation, and no plaintext payload in logs.

06. How long we keep it.

Two clocks. Customer Data follows the controller's instruction — your employer chooses retention windows inside their tenant settings, and we honour them. Records we keep on our own clock are these:

Record | Retention | Why
--- | --- | ---
Payroll calculations & payslips | 7 years post-termination | Kenya Tax Procedures Act, Income Tax Act equivalents in other jurisdictions
Statutory filings | 7 years | Tax authority lookback periods
Application audit logs | 2 years rolling | Security investigations, dispute resolution
Customer support tickets | 3 years from close | Pattern review, dispute trail
Marketing contacts | Until unsubscribed, then 30 days | Honouring withdrawal of consent
Backups | 35 days rolling | Recovery — overwritten in normal course

When a customer leaves the platform, we offer a 30-day export window, then return or delete all Customer Data per the DPA. Statutory records are retained in cold storage for the periods above, then irretrievably erased.

07. Your rights.

If you're an employee whose company uses Meridian, your starting point for most rights requests is your HR team — they control the data, and we are obligated to act on their lawful instructions. If they can't help you, or you'd rather come to us first, email dpo@meridianhr.co and we'll route appropriately, in writing, inside seven working days.

The catalogue of rights varies by where you sit, but in practice we honour the union of them across our footprint:

  • Access — a copy of the personal data we hold about you, in a portable format.
  • Rectification — correction of inaccurate fields, with a note in the audit trail.
  • Erasure — deletion where law allows; statutory records are exempt.
  • Restriction & Objection — to processing not strictly required to run your employment relationship.
  • Portability — JSON or CSV export of the records held on the platform.
  • Withdraw consent — for anything we collect on a consent basis (e.g. Ada AI, marketing); the unsubscribe link in every email also works.
  • Complain — to your supervisory authority: ODPC in Kenya, NDPC in Nigeria, NITA-U in Uganda, CNDP in Côte d'Ivoire, DPC in Ghana, Information Regulator in South Africa.
A note on identity checks
We will verify that you are who you say you are before we act on a rights request — usually a signed letter and a copy of an ID. We will never charge for a first request inside a 12-month window.
08. How we keep it safe.

We are SOC 2 Type II audited (Q4 2025 report; the next observation window closes Q3 2026) and ISO/IEC 27001 certified (cert. ●●●●●●●●). Our security programme is not a marketing page — the controls below are the load-bearing ones:

  • Encryption: TLS 1.3 in transit; AES-256-GCM at rest; customer-isolated KMS keys; envelope encryption for sensitive fields (NID, salary, bank).
  • Identity: SAML 2.0 and SCIM for enterprise SSO; mandatory 2FA for admins; Yubikey support; session binding to device fingerprint.
  • Engineering: pull-request reviews required on every change; CodeQL + dependabot in CI; signed commits; reproducible builds; cosigned containers.
  • Access: production access via SSO + Yubikey + just-in-time approval, logged centrally, reviewed weekly by the DPO and quarterly by the board.
  • Network: private VPC, no public databases, mTLS between services, egress allowlist, no SSH (all access via session-recorded SSM).
  • Backups: encrypted, immutable, tested quarterly via full-restore drill against a clean account.
  • People: background checks at hire, annual security training, instant access-revocation on offboard (median ≤ 12 minutes), zero-trust laptops.
  • Incident response: 24×7 on-call, four-tier severity ladder, customer notification within 72 hours of detection of any incident affecting personal data — usually much sooner.

The full SOC 2 Type II report and ISO 27001 certificate are available under NDA. Ask your CSM.

09. When this changes.

Material changes are emailed to every account admin and posted on this page with a 30-day notice period before they take effect. Non-material changes (typo fixes, link maintenance) are noted in the version log at the bottom of this page without separate notice. The full revision history is public.

Where a change requires it, we will re-collect consent before the new processing begins.

10. Talk to a human.

Privacy is not a ticket queue at Meridian. Email the DPO and you're emailing a person — usually answered the same business day in Nairobi.

DPO
dpo@meridianhr.co · response in 48 hours, substantive reply in 14 days
EU representative
Meridian HR EU OÜ, Sepapaja 6, Tallinn, Estonia · eu-rep@meridianhr.co
Postal
Attn: Data Protection, Meridian HR Ltd, Westlands, P.O. Box ●●●●●–00100, Nairobi, Kenya
/ revision log — 4 entries
Date | Version | Change
--- | --- | ---
2026-05-20 | v3.1 | Added Anthropic to sub-processors for opt-in Ada AI features. Zero-retention endpoint contracted.
2026-02-04 | v3.0 | Restructured for clarity. Added the at-a-glance summary. Extended retention table.
2025-10-12 | v2.3 | Added Ghana DPA, Côte d'Ivoire CNDP supervisory authorities. New EU representative.
2025-07-01 | v2.0 | Kenya ODPC registration renewed. Cape Town primary region. Africa-only flag launched.

/ talk to a person — not a ticket queue

Privacy is a conversation, not a form.

DPO
dpo@meridianhr.co
Security
security@meridianhr.co
Legal
legal@meridianhr.co
Postal
Nyali Road, Westlands · P.O. Box ●●●●●–00100, Nairobi, Kenya