
Data Processing Addendum

Throughwire, a service of Meridian Networks LLC

Effective Date: May 1, 2026
Last Updated: May 1, 2026


Table of Contents

  1. Background and Application
  2. Definitions
  3. Roles of the Parties
  4. Subject Matter, Duration, Nature, and Purpose of Processing
  5. Categories of Data Subjects and Personal Data
  6. Customer Instructions
  7. Confidentiality
  8. Security Measures
  9. Sub-Processors
  10. International Data Transfers
  11. Assistance with Data Subject Rights
  12. Personal Data Breach Notification
  13. Data Protection Impact Assessments and Prior Consultation
  14. Audit Rights
  15. Return and Deletion of Personal Data
  16. Government and Legal Process Requests
  17. Liability and Indemnification
  18. Order of Precedence and Conflict
  19. Term and Termination
  20. General Provisions

  • Annex A: Description of Processing
  • Annex B: Technical and Organizational Measures
  • Annex C: Sub-Processors
  • Annex D: Standard Contractual Clauses Configuration
  • Annex E: UK International Data Transfer Addendum


1. Background and Application

This Data Processing Addendum (the "DPA") forms part of the Terms of Service entered into between Meridian Networks LLC, a limited liability company organized under the laws of the State of New Mexico, United States of America ("Meridian Networks" or the "Processor"), and the customer that has subscribed to the Throughwire service in a business capacity (the "Customer" or the "Controller"), each a "Party" and together the "Parties."

This DPA applies where, in connection with the Customer's use of the Throughwire service (the "Service"), Meridian Networks processes Personal Data on behalf of the Customer in a processor capacity within the meaning of Article 4(8) of the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") or equivalent legislation.

Acceptance of the Terms of Service in connection with a Team or Enterprise subscription constitutes acceptance of this DPA. For Personal subscriptions held by individuals in their personal capacity, this DPA does not apply; the Privacy Policy governs Meridian Networks' processing of personal data of those individuals as a controller.


2. Definitions

In this DPA:

  • "Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including the GDPR, the United Kingdom General Data Protection Regulation as incorporated by section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"), the United Kingdom Data Protection Act 2018, the Swiss Federal Act on Data Protection (the "FADP"), the California Consumer Privacy Act as amended by the California Privacy Rights Act (the "CCPA/CPRA"), and any other equivalent legislation that applies to a Party's processing of Personal Data.

  • "Controller," "Processor," "Data Subject," "Personal Data," "Personal Data Breach," "Processing," "Special Category Data," and "Supervisory Authority" have the meanings given to them in the GDPR; equivalent terms in other Applicable Data Protection Law have equivalent meaning.

  • "Customer Personal Data" means Personal Data that the Customer (or persons acting on the Customer's behalf) submits to or generates through the Service, and that Meridian Networks processes on the Customer's behalf.

  • "EEA" means the European Economic Area.

  • "Restricted Transfer" means a transfer of Personal Data from a jurisdiction in which Applicable Data Protection Law restricts cross-border transfers (including the EEA, the United Kingdom, and Switzerland) to a jurisdiction that has not received an adequacy decision under that Applicable Data Protection Law.

  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended from time to time.

  • "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the United Kingdom Information Commissioner under section 119A of the Data Protection Act 2018, as may be amended from time to time.

  • "Sub-processor" means any third party engaged by Meridian Networks to process Customer Personal Data in connection with the Service.

Other capitalized terms not defined here have the meanings given in the Terms of Service.


3. Roles of the Parties

3.1 Allocation of Roles

The Parties agree that, in respect of Customer Personal Data:

(a) the Customer is the Controller; and

(b) Meridian Networks is the Processor and processes Customer Personal Data on the Customer's behalf, subject to and in accordance with this DPA.

3.2 Customer Responsibilities

The Customer represents and warrants that:

(a) it has all necessary rights, authorities, consents, and lawful bases to provide the Customer Personal Data to Meridian Networks for processing as contemplated by this DPA;

(b) the Customer's instructions to Meridian Networks comply with Applicable Data Protection Law;

(c) the Customer has provided the notices and obtained any consents required from Data Subjects in connection with the processing; and

(d) the Customer is responsible for the lawfulness of the underlying processing activities for which the Service is used.

3.3 Meridian Networks as Independent Controller for Limited Purposes

Meridian Networks acts as an independent controller (and not as a processor) with respect to:

(a) account-level information about Customer's authorized administrators, including their work email and authentication credentials, where Meridian Networks processes that information for purposes of providing access to the Service;

(b) billing information, where Meridian Networks processes it for the purposes of charging fees, complying with tax law, and managing financial records;

(c) security and fraud prevention information, where Meridian Networks processes it to detect, investigate, and prevent abuse of the Service;

(d) information necessary to comply with Meridian Networks' own legal obligations, including sanctions screening; and

(e) aggregate, anonymized usage information used to improve the Service.

The Privacy Policy governs Meridian Networks' processing of personal data in those independent-controller capacities.


4. Subject Matter, Duration, Nature, and Purpose of Processing

The subject matter, duration, nature, and purpose of the processing of Customer Personal Data are set out in Annex A.

In summary:

  • Subject matter: Provision of the Throughwire international encrypted network connectivity service.
  • Duration: For the term of the Customer's subscription, plus the additional retention periods set out in Section 15 and the Privacy Policy.
  • Nature of processing: Authentication, routing of network traffic, account management, billing, support, security operations.
  • Purpose: To deliver the Service to the Customer and the Customer's authorized users in accordance with the Terms of Service.

5. Categories of Data Subjects and Personal Data

5.1 Categories of Data Subjects

(a) Authorized administrators of the Customer's account.

(b) Authorized end users of the Service within the Customer's organization (for example, employees, contractors, and other personnel of the Customer with credentialed access to the Service).

(c) Other natural persons whose personal data may incidentally be present in support communications submitted by the Customer.

5.2 Categories of Personal Data

The Service is architected for data minimization. Customer Personal Data processed by Meridian Networks is limited to:

(a) account-related identifiers (name, work email address);

(b) authentication-related data (hashed credentials, authentication event timestamps, the IP address of the authenticating client);

(c) connection-related data necessary to operate the Service (the IP address from which the client establishes a session, aggregate bandwidth counters);

(d) device and diagnostic information from client applications (operating system, application version, anonymized crash diagnostics);

(e) the contents of support communications voluntarily submitted by the Customer or its authorized users; and

(f) such other categories as the Customer may from time to time submit to the Service.

Meridian Networks does not collect or retain the substantive content of communications transmitted through the Service, the destinations of that traffic, DNS queries, or session-correlated activity data, as further described in the Privacy Policy.

5.3 Special Category Data

The Service is not intended for the processing of Special Category Data. The Customer must not submit Special Category Data to the Service except where strictly necessary in support communications. If the Customer expects to process Special Category Data through the Service in any other manner, the Parties will discuss whether additional safeguards are required.


6. Customer Instructions

6.1 Documented Instructions

Meridian Networks will process Customer Personal Data only on documented instructions from the Customer. The Terms of Service, this DPA, and the Customer's configuration of the Service through its account dashboard constitute the Customer's documented instructions.

6.2 Additional Instructions

The Customer may issue additional reasonable instructions in writing. Where compliance with an additional instruction would, in Meridian Networks' reasonable view:

(a) violate Applicable Data Protection Law;

(b) require material additional fees or development effort outside the scope of the agreed Service; or

(c) be technically infeasible,

Meridian Networks will inform the Customer and the Parties will discuss in good faith.

6.3 Notification of Conflict with Law

Meridian Networks will inform the Customer if, in its opinion, an instruction from the Customer infringes Applicable Data Protection Law, except where Applicable Law prohibits such notification.

6.4 Required Processing Under EU Law

Where Applicable Data Protection Law requires Meridian Networks to process Customer Personal Data otherwise than on the Customer's instructions (for example, to comply with valid legal process), Meridian Networks will inform the Customer of that legal requirement before processing, unless Applicable Law prohibits such notification on important grounds of public interest.


7. Confidentiality

Meridian Networks will ensure that personnel authorized to process Customer Personal Data:

(a) are subject to a written obligation of confidentiality, whether by contract or by professional duty;

(b) have received appropriate training on data protection and information security; and

(c) access Customer Personal Data only on a need-to-know basis to perform the duties for which they have been authorized.

Meridian Networks will maintain a confidentiality policy and will take reasonable steps to enforce it.


8. Security Measures

8.1 Technical and Organizational Measures

Meridian Networks will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures are described in Annex B and are aligned with the requirements of Article 32 GDPR.

8.2 Continuous Improvement

Meridian Networks will review and update the measures described in Annex B from time to time to reflect changes in best practices, threat landscape, and operational reality. Meridian Networks may modify the measures provided that the level of security is not reduced.

8.3 Customer Acknowledgment

The Customer acknowledges that the measures in Annex B are appropriate to the nature of the Service and the categories of Customer Personal Data processed. The Customer is responsible for evaluating the suitability of those measures for the Customer's own use case and for implementing additional measures on the Customer side where appropriate.


9. Sub-Processors

9.1 General Authorization

The Customer provides general written authorization to Meridian Networks to engage Sub-processors to process Customer Personal Data, subject to the conditions set out in this Section 9.

9.2 Current Sub-Processors

The current list of Sub-processors is set out in Annex C and includes Stripe, Inc. (payment processing), Mercury Technologies, Inc. (banking), and the infrastructure providers identified there. Annex C is maintained at /legal/sub-processors and is updated as Sub-processors change.

9.3 Notification of New Sub-Processors

Meridian Networks will provide the Customer with no less than thirty (30) days' prior notice of the addition or replacement of any Sub-processor, by email to the address designated by the Customer for this purpose, by in-product notification, or by updating Annex C and the publicly maintained list with an update timestamp. The Customer may subscribe to email notifications of Sub-processor changes by contacting info@throughwire.net.

9.4 Right to Object

The Customer may object to the addition or replacement of a Sub-processor on reasonable data-protection grounds by notifying Meridian Networks in writing within fifteen (15) days of the notice described in Section 9.3. The Parties will discuss the objection in good faith. If the Parties are unable to resolve the objection within thirty (30) days, the Customer may terminate the affected portion of the Service for convenience and Meridian Networks will refund any prepaid fees corresponding to unused service following the effective date of termination.

9.5 Sub-Processor Obligations

Meridian Networks will engage Sub-processors only under a written agreement that imposes data protection obligations no less protective than those in this DPA, including obligations relating to:

(a) processing only on Meridian Networks' documented instructions;

(b) confidentiality;

(c) security measures aligned with Article 32 GDPR;

(d) onward subcontracting, requiring Meridian Networks' or the Customer's prior written consent;

(e) assistance with Data Subject rights;

(f) Personal Data Breach notification;

(g) cross-border transfer mechanisms where applicable;

(h) audit rights; and

(i) return and deletion of Customer Personal Data at termination.

9.6 Liability for Sub-Processors

Meridian Networks remains liable to the Customer for the performance of its Sub-processors' obligations under the relevant Sub-processor agreement, to the same extent as if Meridian Networks performed those obligations itself.


10. International Data Transfers

10.1 Cross-Border Processing

The Customer acknowledges that Meridian Networks is established in the United States and that the Service is operated through infrastructure located in jurisdictions outside the People's Republic of China, including the United States, Canada, the EEA, the United Kingdom, Japan, Singapore, and other locations selected for service quality and regulatory stability. Customer Personal Data may be transferred to and processed in those jurisdictions.

10.2 EU and EEA Restricted Transfers

To the extent that the Customer's transfer of Customer Personal Data to Meridian Networks constitutes a Restricted Transfer under the GDPR, the Parties hereby enter into the Standard Contractual Clauses, which are incorporated by reference into this DPA, on the basis set out in Annex D:

(a) Module Two (Controller to Processor) applies where the Customer is a Controller and Meridian Networks is acting as Processor.

(b) Module Three (Processor to Processor) applies where the Customer is itself a Processor (acting on behalf of an upstream Controller) and Meridian Networks is acting as a Sub-processor.

The optional clauses, choice of governing law, choice of forum, and other elective provisions of the SCCs are completed in Annex D.

10.3 UK Restricted Transfers

To the extent that the Customer's transfer of Customer Personal Data to Meridian Networks constitutes a Restricted Transfer under the UK GDPR, the Parties enter into the UK Addendum, which is incorporated by reference into this DPA on the basis set out in Annex E.

10.4 Swiss Restricted Transfers

To the extent that the Customer's transfer of Customer Personal Data to Meridian Networks constitutes a Restricted Transfer under the FADP, the SCCs apply with the modifications recommended by the Swiss Federal Data Protection and Information Commissioner, including treatment of references to the GDPR as references to the FADP and treatment of references to EU Member States as references to Switzerland where applicable.

10.5 Onward Transfers

Where Meridian Networks engages a Sub-processor located outside the EEA, the United Kingdom, or Switzerland (as applicable), Meridian Networks will ensure that an appropriate transfer mechanism (including Standard Contractual Clauses, the UK Addendum, an adequacy decision, or another lawful mechanism) is in place between Meridian Networks and that Sub-processor.

10.6 Supplementary Measures

In light of the European Court of Justice's judgment in Case C-311/18 ("Schrems II"), Meridian Networks has implemented supplementary technical, contractual, and organizational measures to support cross-border transfers, including the data minimization architecture described in the Privacy Policy and Annex B.

10.7 Adequacy Mechanisms

If, during the term, an adequacy decision becomes available that covers the relevant transfer, the Parties may rely on that adequacy decision in place of or in addition to the SCCs, the UK Addendum, or other transfer mechanisms.


11. Assistance with Data Subject Rights

11.1 Forwarding Requests

If Meridian Networks receives a request from a Data Subject relating to Customer Personal Data (for example, a request for access, rectification, erasure, restriction, portability, or objection), Meridian Networks will:

(a) without undue delay forward the request to the Customer using the contact details provided by the Customer for this purpose;

(b) not respond to the request directly, except to acknowledge receipt and direct the Data Subject to the Customer; and

(c) provide reasonable assistance to the Customer to enable the Customer to fulfill the request, taking into account the nature of the processing.

11.2 Costs

Where assistance under this Section 11 requires material effort beyond what is included in the standard Service, Meridian Networks may charge reasonable fees for the additional effort, agreed in advance with the Customer.


12. Personal Data Breach Notification

12.1 Notification

Meridian Networks will notify the Customer of any Personal Data Breach affecting Customer Personal Data without undue delay after becoming aware of it, and in any event within seventy-two (72) hours of becoming aware where feasible.

12.2 Content of Notification

The notification will include, to the extent then known:

(a) the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned;

(b) the likely consequences of the Personal Data Breach;

(c) the measures taken or proposed to be taken to address the Personal Data Breach and to mitigate its possible adverse effects; and

(d) the contact point at Meridian Networks from whom further information can be obtained.

Where it is not feasible to provide the foregoing information at the time of notification, Meridian Networks will provide it in phases as it becomes available.

12.3 Cooperation

Meridian Networks will cooperate with the Customer and provide reasonable assistance to enable the Customer to fulfill the Customer's obligations to notify Supervisory Authorities and Data Subjects under Applicable Data Protection Law.

12.4 Notification by Customer

Notification by Meridian Networks to the Customer does not constitute an admission by Meridian Networks of liability or fault. The Customer is responsible for any onward notification to Supervisory Authorities and Data Subjects required under Applicable Data Protection Law.

12.5 No Spurious Notifications

Meridian Networks will not be required to notify the Customer of unsuccessful security incidents (for example, blocked attacks, log-in failures, port scans, or denial-of-service attempts that do not result in unauthorized access to Customer Personal Data).


13. Data Protection Impact Assessments and Prior Consultation

Where required by Applicable Data Protection Law, Meridian Networks will provide reasonable assistance to the Customer in connection with:

(a) the Customer's data protection impact assessments under Article 35 GDPR; and

(b) prior consultations with Supervisory Authorities under Article 36 GDPR.

This assistance is limited to information that is reasonably available to Meridian Networks and not otherwise publicly accessible. Meridian Networks may charge reasonable fees for assistance that requires material effort beyond what is included in the standard Service.


14. Audit Rights

14.1 Information

Meridian Networks will make available to the Customer information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA, including:

(a) responses to written information security questionnaires;

(b) summaries of independent third-party security and compliance reports (including SOC 2, ISO 27001, or equivalent), where Meridian Networks holds such reports; and

(c) the technical and organizational measures described in Annex B.

14.2 On-Site Audits

Where the information described in Section 14.1 is insufficient for the Customer to demonstrate compliance, the Customer may, on no less than thirty (30) days' written notice and no more than once per calendar year, request an on-site audit of Meridian Networks' processing of Customer Personal Data. The audit:

(a) will be conducted during normal business hours;

(b) will not unreasonably interfere with Meridian Networks' operations;

(c) will be subject to reasonable confidentiality obligations protecting Meridian Networks' Confidential Information and the personal data of other customers;

(d) will exclude any aspect of Meridian Networks' systems that cannot be audited without compromising the security of other customers or the Service;

(e) will be conducted by an independent, reputable auditor mutually agreed in writing (such agreement not to be unreasonably withheld); and

(f) will be at the Customer's expense.

14.3 Supervisory Authority

This Section 14 does not limit any right of a Supervisory Authority to audit Meridian Networks under Applicable Data Protection Law.


15. Return and Deletion of Personal Data

15.1 At Termination

Within ninety (90) days after termination or expiration of the Customer's subscription to the Service, Meridian Networks will, at the Customer's election:

(a) return Customer Personal Data to the Customer in a structured, commonly used, machine-readable format that Meridian Networks can reasonably support; or

(b) delete or render irreversibly anonymized Customer Personal Data in Meridian Networks' production systems.

If the Customer does not make an election within thirty (30) days of termination, Meridian Networks will proceed under Section 15.1(b).

15.2 Backups and Logs

Customer Personal Data residing in routine backup, archive, or logging systems will not be specifically extracted for deletion but will be deleted on the next routine destruction cycle for those systems and isolated from active processing in the meantime.

15.3 Retention Required by Law

Meridian Networks may retain Customer Personal Data to the extent required by Applicable Law (for example, retention required by tax, accounting, or sanctions legislation), provided that Meridian Networks limits processing of such retained data to what is necessary for the relevant legal purpose and continues to apply this DPA's confidentiality and security obligations to the data.

15.4 Certificate of Deletion

On the Customer's written request, Meridian Networks will provide a certificate of deletion confirming that deletion has been carried out in accordance with this Section 15.


16. Government and Legal Process Requests

16.1 Notification to Customer

If Meridian Networks receives a legally binding request for disclosure of Customer Personal Data from a governmental, regulatory, or law enforcement authority, Meridian Networks will, unless prohibited by Applicable Law:

(a) promptly notify the Customer of the request, including a copy of the request where lawful;

(b) inform the requesting authority that Customer Personal Data is processed on the Customer's behalf and that the Customer is the appropriate party to address regarding the data; and

(c) provide the Customer with reasonable opportunity to challenge the request before disclosure.

16.2 Foreign Government Requests

Meridian Networks does not voluntarily share Customer Personal Data with non-United States authorities. Foreign government and law enforcement requests will be processed exclusively through Mutual Legal Assistance Treaty channels or other formal channels recognized under United States law.

16.3 Challenges

Meridian Networks will challenge legally binding requests where it has a good-faith basis to believe the request is invalid, overbroad, or improperly issued.

16.4 Limited Scope of Disclosure

Where Meridian Networks is compelled to disclose Customer Personal Data, it will disclose only the minimum amount of data required to comply with the request and only the categories of data it actually retains as described in the Privacy Policy.


17. Liability and Indemnification

17.1 Liability Cap

Each Party's total aggregate liability arising out of or relating to this DPA, whether in contract, tort (including negligence), strict liability, or under any other theory, will be subject to the same liability cap as is set out in the Terms of Service.

17.2 Allocation of Liability between Controller and Processor

Where both Parties are liable under Article 82 GDPR or equivalent provision of Applicable Data Protection Law, the Parties' liability will be allocated in accordance with their respective responsibilities for the Personal Data Breach or other compliance failure, taking into account each Party's degree of fault and the share of responsibility for the harm.

17.3 Indemnification

Each Party will indemnify and hold the other harmless against fines, penalties, and damages awarded by a Supervisory Authority, court, or arbitral tribunal that arise from the indemnifying Party's breach of this DPA, subject to the liability cap in Section 17.1 and to the indemnification procedure in the Terms of Service.

17.4 Order of Recovery

Liability under this DPA does not stack with liability under the Terms of Service for the same underlying loss; recovery under either instrument satisfies recovery under both up to the liability cap.


18. Order of Precedence and Conflict

In the event of a conflict between this DPA, the Terms of Service, the Privacy Policy, the Acceptable Use Policy, and any signed order form or quote, the order of precedence is:

(1) the SCCs, the UK Addendum, and other transfer mechanisms incorporated by reference, to the extent of the conflict;

(2) any signed order form or quote;

(3) this DPA;

(4) the Terms of Service;

(5) the Acceptable Use Policy; and

(6) the Privacy Policy.


19. Term and Termination

This DPA takes effect on the Effective Date and continues for the duration of the Customer's subscription to the Service, plus any period during which Meridian Networks continues to process Customer Personal Data, plus the obligations under Section 15 (Return and Deletion). The provisions of this DPA that by their nature should survive termination will survive (including, without limitation, Sections 7, 12, 14, 15, 16, 17, and 18).


20. General Provisions

20.1 Governing Law

This DPA is governed by the law specified in the Terms of Service (the laws of the State of New Mexico, United States of America), except that the SCCs, the UK Addendum, and any other transfer mechanism incorporated by reference are governed by the law specified in the relevant instrument.

20.2 Severability

If any provision of this DPA is held invalid, illegal, or unenforceable, that provision will be modified to the minimum extent necessary to render it valid, or, if such modification is not possible, severed; the remaining provisions will continue in full force and effect.

20.3 Updates

Meridian Networks may update this DPA from time to time to reflect changes in Applicable Data Protection Law, the issuance of new transfer mechanisms by competent authorities, or operational changes that affect the processing of Customer Personal Data. Where updates materially affect the Customer's rights or obligations, Meridian Networks will provide thirty (30) days' prior notice.

20.4 Notices

Notices under this DPA will be sent to the addresses specified in the Terms of Service.

20.5 Entire Agreement

This DPA, together with the documents incorporated by reference, sets out the entire agreement between the Parties with respect to the processing of Customer Personal Data and supersedes any prior or contemporaneous understandings on that subject.


Annex A: Description of Processing

  • Subject matter of processing: Provision of the Throughwire international encrypted network connectivity service to the Customer and its authorized end users.
  • Duration of processing: The term of the Customer's subscription to the Service, plus the retention periods set out in Section 15 of this DPA and Section 10 of the Privacy Policy.
  • Nature of processing: Authentication of users and devices; routing of network traffic through Meridian Networks' infrastructure; aggregate bandwidth measurement; account administration; billing; support; security operations and abuse prevention.
  • Purpose of processing: To deliver the Service in accordance with the Terms of Service; to administer the Customer's account; to bill the Customer; to support the Customer; to secure the Service; to comply with legal obligations.
  • Categories of Data Subjects: Authorized administrators of the Customer's account; authorized end users of the Service within the Customer's organization; other natural persons whose personal data may incidentally be present in support communications.
  • Categories of Personal Data: Account-related identifiers (name, work email); authentication-related data (hashed credentials, authentication event timestamps, client IP addresses); connection-related data (session IPs, aggregate bandwidth counters); device and diagnostic information (operating system, application version, anonymized crash diagnostics); contents of support communications voluntarily submitted by the Customer.
  • Special Category Data: Not processed in the ordinary course. May incidentally appear in support communications voluntarily submitted by the Customer.
  • Frequency of processing: Continuous during the term of the subscription.
  • Recipients: The Customer; authorized personnel of Meridian Networks; Sub-processors listed in Annex C; competent authorities pursuant to Section 16.

Annex B: Technical and Organizational Measures

Meridian Networks implements and maintains the following technical and organizational measures to protect Customer Personal Data, aligned with Article 32 GDPR.

B.1 Pseudonymization and Encryption of Personal Data

(a) Customer Personal Data is encrypted in transit using industry-standard cryptographic protocols.

(b) Customer Personal Data at rest is encrypted using strong, modern symmetric encryption.

(c) Authentication credentials are stored only as salted, hashed values using a current-generation, computationally hard hashing scheme.

(d) Encryption keys are managed through a key management system with controlled access, rotation, and audit logging.

B.2 Confidentiality, Integrity, Availability, and Resilience

(a) Access to Customer Personal Data is limited to authorized personnel on a need-to-know basis. (b) Multi-factor authentication is required for administrative access to systems processing Customer Personal Data. (c) Network segmentation and firewall protection separate production systems from non-production systems. (d) Production systems are deployed across multiple availability zones to support availability and resilience. (e) Data integrity is monitored through cryptographic checksums and integrity validation routines.

B.3 Restoration and Recovery

(a) Meridian Networks maintains routine backups of systems containing Customer Personal Data. (b) Recovery procedures are documented and periodically tested. (c) Disaster recovery objectives are aligned with the criticality of the Service.

B.4 Testing, Assessment, and Evaluation

(a) Meridian Networks conducts vulnerability scanning of production systems on a regular basis. (b) Penetration testing of critical components is performed periodically by qualified internal personnel or external specialists. (c) Security event logs are collected and reviewed. (d) The technical and organizational measures described in this Annex are reviewed at least annually and updated as needed.

B.5 Identity and Access Management

(a) Personnel access is provisioned through a centralized identity and access management system. (b) Access reviews are conducted on a regular basis. (c) Access is revoked promptly on termination of employment or change of role.

B.6 Personnel Security

(a) Background checks are performed where permitted by law and appropriate to the role. (b) Personnel are bound by written confidentiality obligations. (c) Security and data protection training is provided to relevant personnel.

B.7 Sub-Processor Management

(a) Sub-processors are subject to written agreements imposing data protection obligations no less protective than those in this DPA. (b) Sub-processor due diligence is performed before engagement and on an ongoing basis. (c) The Sub-processor list is maintained at /legal/sub-processors.

B.8 Incident Response

(a) Meridian Networks maintains a documented incident response plan. (b) Incident response procedures are periodically tested. (c) Personal Data Breach notification procedures are aligned with the requirements of Section 12 of this DPA.

B.9 Data Minimization Architecture

(a) The Service is architected such that the categories of data described in Section 5 of the Privacy Policy as "not collected" are not collected or retained in operational systems. (b) Architectural reviews are performed before any change that would expand the categories of data collected.

B.10 Physical Security

(a) Meridian Networks' office premises (where used to access systems containing Customer Personal Data) are subject to physical access controls. (b) Production infrastructure is hosted in facilities operated by infrastructure providers maintaining appropriate physical security controls.


Annex C: Sub-Processors

The current list of Sub-processors as of the Effective Date is set out below. The list is also maintained at /legal/sub-processors.

| Sub-processor | Role | Location |
| --- | --- | --- |
| Stripe, Inc. | Payment processing | United States |
| Mercury Technologies, Inc. | Banking and financial operations | United States |
| [INFRASTRUCTURE PROVIDER 1] | Hosting / networking | [JURISDICTION] |
| [INFRASTRUCTURE PROVIDER 2] | Hosting / networking | [JURISDICTION] |
| [INFRASTRUCTURE PROVIDER 3] | Hosting / networking | [JURISDICTION] |
| [INFRASTRUCTURE PROVIDER 4] | Content delivery / DDoS mitigation | [JURISDICTION] |
| [SUPPORT TOOLING PROVIDER] | Customer support tooling | [JURISDICTION] |
| [BILLING / TAX TOOLING PROVIDER] | Tax compliance and invoicing | [JURISDICTION] |

The Customer acknowledges and agrees to the use of these Sub-processors as of the Effective Date. New Sub-processors and replacements will be notified in accordance with Section 9.3.


Annex D: Standard Contractual Clauses Configuration

Where Module Two (Controller to Processor) or Module Three (Processor to Processor) of the SCCs applies, the Parties complete the SCCs as follows. References to clauses are to the corresponding clauses of the SCCs as approved by Commission Implementing Decision (EU) 2021/914.

| Item | Election |
| --- | --- |
| Module(s) applicable | Module Two (Controller to Processor) where the Customer is the Controller; Module Three (Processor to Processor) where the Customer is itself a Processor. |
| Clause 7 (Docking clause) | Optional Clause 7 is incorporated. |
| Clause 9(a) (Sub-processor authorization) | Option 2 (general written authorization) applies. The minimum notice period for Sub-processor changes is thirty (30) days, as set out in Section 9.3 of this DPA. |
| Clause 11(a) (Independent dispute resolution) | The optional language is not incorporated. |
| Clause 17 (Governing law) | Option 1 applies. The governing law is the law of Ireland. |
| Clause 18 (Choice of forum and jurisdiction) | Disputes will be resolved before the courts of Ireland. |
| Annex I.A (List of Parties) | Data Exporter: the Customer, with the contact details provided at registration. Data Importer: Meridian Networks LLC, 1209 Mountain Road Pl NE, Ste N, Albuquerque, New Mexico 87110, United States of America; contact: info@throughwire.net. |
| Annex I.B (Description of transfer) | As set out in Annex A of this DPA. |
| Annex I.C (Competent supervisory authority) | The supervisory authority of the EU Member State in which the Data Exporter is established (Module Two) or the lead supervisory authority of the upstream Controller (Module Three). |
| Annex II (Technical and organizational measures) | As set out in Annex B of this DPA. |
| Annex III (Sub-processors) | As set out in Annex C of this DPA. |

Annex E: UK International Data Transfer Addendum

Where the UK Addendum applies under Section 10.3 of this DPA, it is completed as follows.

| Table | Election |
| --- | --- |
| Table 1 (Parties) | Data Exporter: the Customer, with the contact details provided at registration. Data Importer: Meridian Networks LLC, 1209 Mountain Road Pl NE, Ste N, Albuquerque, New Mexico 87110, United States of America; contact: info@throughwire.net. Key contact: info@throughwire.net. |
| Table 2 (Selected SCCs, Modules, and Selected Clauses) | The SCCs as completed in Annex D above. |
| Table 3 (Appendix Information) | As set out in Annexes A, B, and C of this DPA. |
| Table 4 (Ending the Addendum when the Approved Addendum changes) | Either Party may end the UK Addendum when the Approved Addendum changes, in accordance with Section 19 of the UK Addendum's mandatory clauses. |

This Data Processing Addendum is effective as of the Effective Date stated above.
