
Data Processing Agreement (DPA)

Version: 0.1 (DRAFT — pending lawyer review)
Effective from: TBD (post lawyer review)
Last updated: 2026-05-02
Operator (Processor): Stefan Stešević trading as meandai, registered in Montenegro.
Customer (Controller): as identified in the Order Form.

This Data Processing Agreement ("DPA") forms part of the Terms of Service between meandai and the Customer. It applies to the Processing of Personal Data by meandai on the Customer's behalf in connection with the Services.

This DPA is the meandai standard form. Customers signing the standard subscription accept it as written; enterprise Customers may negotiate amendments via their Order Form.

1. Definitions

  • "Personal Data", "Processing", "Controller", "Processor", "Subprocessor", "Data Subject", "Personal Data Breach", and "Supervisory Authority" have the meanings given in the GDPR.
  • "Customer Personal Data" means Personal Data that the Customer (as Controller) submits to or generates via the Platform that meandai (as Processor) processes on behalf of the Customer.
  • "GDPR" means Regulation (EU) 2016/679 and, where applicable, the United Kingdom General Data Protection Regulation as it forms part of UK law.
  • "Standard Contractual Clauses" or "SCCs" means the Module Two (Controller-to-Processor) Clauses annexed to Commission Implementing Decision (EU) 2021/914.
  • "Subprocessor" means a third party engaged by meandai to process Customer Personal Data.

2. Scope and roles

2.1 The Customer is the Controller of Customer Personal Data. meandai is the Processor.

2.2 In limited circumstances, meandai may also act as an independent Controller for certain Personal Data — see the Privacy Policy §1.1. Where meandai acts as a Controller, this DPA does not apply to that Processing; the Privacy Policy alone governs it.

2.3 Each party complies with its obligations under applicable Data Protection Laws.

3. Processing details (Annex I to SCCs)

  • Subject matter: Provision of the meandai AI agent platform Services to the Customer.
  • Duration: The term of the Terms of Service, plus any mandatory retention period under §10.
  • Nature and purpose: Hosting, storage, transmission, and AI-assisted Processing of Customer Personal Data on the Customer's instructions, for the purpose of operating AI agents that draft, send, summarise, schedule, and otherwise act on the Customer's behalf within the Customer's tenant.
  • Categories of Data Subjects: (a) Authorised Users of the Customer; (b) end-users, contacts, prospects, and customers of the Customer whose data the Customer submits to the Platform via connected accounts (Gmail, CRM, Calendar, etc.).
  • Categories of Personal Data: Identification data (name, email, phone); professional data (job title, employer, business address); communication content (email body, message content); calendar data; document content; AI-generated outputs that may contain Personal Data; account / OAuth tokens (held as encrypted data).
  • Special category data: The Platform is not designed for the categories listed in the AUP §2.5(u) (including health, biometric, and financial-account data, and credentials of unrelated third parties), and the Customer is contractually prohibited from submitting them without prior written authorisation.
  • Sensitive data subject to additional safeguards: Where the Customer's connected accounts contain children's data, communications subject to professional confidentiality (medical, legal, religious confession), or data classified as "high risk" under the EU AI Act, the additional safeguards in §11 apply.

4. Customer instructions

4.1 meandai processes Customer Personal Data only on the documented instructions of the Customer, including with respect to international transfers, unless required by law that applies to meandai.

4.2 The Customer's documented instructions are constituted by:

(a) the Terms of Service; (b) this DPA; (c) the configuration of the Customer's tenant (operating mode, connected accounts, agent rubrics, Brand Pack); (d) the per-request invocations made via the Platform's UI or API; (e) any further written instructions referenced in the Order Form.

4.3 If meandai believes an instruction infringes Data Protection Law, it will inform the Customer without delay and may suspend the relevant Processing pending clarification.

5. Confidentiality

meandai ensures that personnel with access to Customer Personal Data are bound by appropriate confidentiality undertakings (whether contractual or statutory) and are trained on data protection.

6. Security (Annex II to SCCs)

meandai implements the technical and organisational measures set out in Schedule 1 of this DPA. The Customer acknowledges that the measures may be updated from time to time provided the level of protection is not materially diminished.

7. Subprocessors

7.1 The Customer authorises meandai to engage Subprocessors. The current Subprocessor list is published in the Privacy Policy §6 and at https://meandai.com/subprocessors (when live).

7.2 meandai gives the Customer at least 30 days prior notice of any new or replacement Subprocessor (via email and the in-app changelog). Within that 30-day window, the Customer may object on documented Data Protection grounds. If the parties cannot agree on an alternative within a further 30 days, the Customer may terminate the affected Services without penalty.

7.3 meandai imposes on each Subprocessor data-protection obligations no less protective than those set out in this DPA, by means of a written contract. meandai remains liable to the Customer for the acts and omissions of its Subprocessors as for its own.

8. Data Subject rights

8.1 meandai assists the Customer, taking into account the nature of the Processing, by appropriate technical and organisational measures, to fulfil the Customer's obligations to respond to requests from Data Subjects to exercise their rights.

8.2 If meandai receives a request from a Data Subject relating to Customer Personal Data, meandai will not respond directly other than to confirm receipt and direct the Data Subject to the Customer (unless legally required to respond directly), and will forward the request to the Customer without undue delay.

9. Personal Data Breach

9.1 meandai notifies the Customer of any Personal Data Breach affecting Customer Personal Data without undue delay and in any event within 48 hours of becoming aware.

9.2 The notification includes, to the extent then known:

(a) the nature of the breach including, where possible, the categories and approximate number of Data Subjects and records concerned; (b) the name and contact details of meandai's privacy contact; (c) the likely consequences; (d) the measures taken or proposed to address the breach and to mitigate adverse effects.

9.3 meandai cooperates with the Customer to investigate, contain, and remediate the breach. Information notified or sent under this clause is shared in good faith and is not, of itself, an admission of liability.

10. Return or deletion of Customer Personal Data

10.1 On expiry or termination of the Services, meandai, at the Customer's choice, returns or deletes all Customer Personal Data, except to the extent meandai is required by applicable law to retain a copy.

10.2 The Customer's choice must be communicated in writing to privacy@meandai.com within 30 days of expiry or termination. Default is deletion.

10.3 Deletion is completed within 90 days of the Customer's instruction (or the default date), excluding encrypted backups, which are deleted in the ordinary course of the rolling 30 daily / 12 monthly backup retention schedule.

10.4 meandai will provide written confirmation of return or deletion on request.

11. Audits

11.1 meandai makes available to the Customer the information necessary to demonstrate compliance with Article 28 GDPR.

11.2 At the Customer's reasonable request, no more than once per twelve-month period, and with at least 30 days prior written notice, meandai allows for and contributes to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, of:

(a) meandai's technical and organisational measures; (b) meandai's subcontractor management; (c) meandai's data-protection records relating to Customer Personal Data.

11.3 Audits are conducted during business hours, with minimum disruption to operations, and subject to confidentiality undertakings. The Customer pays its own costs and meandai's reasonable costs of supporting the audit beyond the standard documentation pack provided up-front (SOC 2 report when available, this DPA, the Privacy Policy, the Subprocessor list, and the SCCs).

11.4 The Customer accepts the most recent SOC 2 Type II report (or equivalent third-party assurance, when available) of meandai or any Subprocessor as fulfilment of the audit right with respect to the controls covered by that report.

12. International transfers

12.1 To the extent that meandai transfers Customer Personal Data outside the EEA, the United Kingdom, or Switzerland to a country not benefiting from a European Commission adequacy decision, the parties enter into the Module Two Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), with:

  • Clause 7 (Docking clause) → not used;
  • Clause 9 (Use of Subprocessors) → Option 2 (general written authorisation) — meandai may engage Subprocessors with the 30 days notice in §7.2;
  • Clause 11 (Redress) → Independent Dispute Resolution Body option not selected;
  • Clause 17 (Governing law) → law of Ireland;
  • Clause 18 (Choice of forum) → courts of Ireland;
  • Annex I → as set out in §3 of this DPA;
  • Annex II → as set out in Schedule 1 of this DPA;
  • Annex III → as set out in the Subprocessor list at the Privacy Policy §6.

12.2 For UK transfers, the parties enter into the UK International Data Transfer Addendum to the SCCs, version A.1.0, or such successor document as is approved by the UK Information Commissioner.

12.3 The parties have completed a Transfer Impact Assessment in accordance with the Schrems II ruling. A copy is available on request.

13. Liability and order of precedence

13.1 Nothing in this DPA limits the liability of either party under the SCCs to a Data Subject.

13.2 As between the parties, liability under or in connection with this DPA is subject to the limitations and exclusions in the Terms of Service §11.

13.3 In the event of any conflict between this DPA, the SCCs, the Terms of Service, and the Privacy Policy:

(a) for matters relating to the SCCs themselves, the SCCs prevail; (b) for other data-protection matters, this DPA prevails over the Terms of Service and the Privacy Policy; (c) for non-data-protection matters, the Terms of Service prevail.

14. Term

This DPA enters into effect on the same date as the Terms of Service and remains in effect for as long as meandai processes Customer Personal Data, plus any post-termination retention period under §10.


Schedule 1 — Technical and Organisational Measures (Annex II to SCCs)

Pseudonymisation and encryption

  • In transit: TLS 1.3 with strong cipher suites between all client / server endpoints and between internal services on the Railway private network.
  • At rest, Customer Personal Data in Postgres (Neon): envelope encryption — AWS KMS Customer Master Key in eu-central-1, plus per-tenant Data Encryption Key (DEK) cached in memory for 5–10 minutes via the AWS Encryption SDK Caching Materials Manager. Per-tenant DEKs are stored in tenants.encrypted_dek only in their KMS-encrypted form.
  • At rest, OAuth tokens and connected-account credentials: the same envelope encryption pattern, in the connected_accounts table.
  • At rest, daily backups: pg_dump output encrypted with a system-level CMK before upload to Cloudflare R2 (EU region). Bucket configured for object-lock and 30 daily / 12 monthly retention.

Confidentiality, integrity, availability and resilience

  • Multi-tenant isolation enforced by Postgres FORCE RLS policies on every tenant-scoped table, with app.current_tenant set per request from the validated Clerk JWT.
  • Capability tokens: every sensitive tool call (email send, CRM write, Slack post, Calendar write, etc.) requires a fresh, KMS-signed, 60-second-TTL HMAC token bound to (tool_name, tenant_id, agent_id, params_hash). Replay protection via Redis-backed nonce store.
  • Prompt-injection filter based on Anthropic Haiku, applied to all untrusted ingress (incoming email, document upload, MCP tool responses). Block policy: reject with HTTP 403 when injection confidence > 0.85.
  • Rate limits per AUP §3.
  • Logging to Logfire with PII redaction policy and a 30-day full-payload retention window.
  • Daily backups to Cloudflare R2 (EU). 30 daily + 12 monthly retention.
  • Disaster recovery target: Recovery Point Objective ≤ 24 hours; Recovery Time Objective ≤ 4 hours for Standard plan.

Operational security

  • Single Sign-On (Clerk) with mandatory MFA on all administrative accounts.
  • YubiKey hardware MFA for the production AWS root account and the meandai-platform IAM principal.
  • Secrets management via Doppler with 4-project segregation (system-secrets, mla-prod, meandai-prod, sandbox) and quarterly rotation.
  • Out-of-band kill switch via the meandai Telegram bot (/kill <agent>, /kill_all) — operable from any device, no Platform login required.
  • Continuous deep-health probes every 5 minutes against /health/deep on every Railway service, with Telegram alerting on failure.

Identification and authorisation

  • Customer-side: Clerk authentication, role-based access control (owner, admin, member) recorded in tenant_members.
  • meandai-side: SSO + MFA on all infrastructure dashboards (Railway, Neon, Cloudflare, AWS, Doppler). Audit log of every administrative action.
  • Service-to-service: bearer tokens generated per-environment, rotated quarterly.

Data protection by design and by default

  • Default operating mode for new tenants is Concierge (no autonomous outbound action without Authorised User approval).
  • Default retention for Customer Data after Customer instruction or termination is deletion within 90 days.
  • Default cookie posture is strictly necessary only; analytics cookies require explicit consent.
  • AI model providers contractually prohibited from training on Customer Data.

Monitoring and incident response

  • Anomaly detection on capability-token issuance volumes, prompt-injection block rates, and authentication failure rates.
  • Personal Data Breach response runbook with named owner (Stefan Stešević), 48-hour Customer notification target, and 72-hour Supervisory Authority notification target where the breach poses a risk to Data Subjects.

Compliance

  • This DPA is the contractual basis under GDPR Article 28.
  • Records of Processing Activities maintained in accordance with GDPR Article 30(2).
  • Vendor risk reviews documented for each Subprocessor before onboarding.
  • Annual review of this Schedule, with material changes notified per §6.