Data Processing Addendum
This addendum sets out how Meridian processes personal data on behalf of customers under UK GDPR. It forms part of our customer agreements.
Draft — pending legal review. Not yet binding.
Roles
Where we process personal data on your instructions to deliver a service, you are the controller and Meridian is the processor. Each party will comply with its obligations under UK data protection law.
Scope & purpose
We process personal data only to provide the agreed services and on your documented instructions, for the duration of the engagement.
Subprocessors
We maintain a list of subprocessors and the purpose of each. The current summary is published on our Compliance page, and we will give notice of changes.
Security measures
We apply appropriate technical and organisational measures to protect personal data, aligned with our move towards ISO 27001 certification.
Data residency
Personal data is processed in the United Kingdom by default.
Breach notification
We will notify you without undue delay after becoming aware of a personal data breach affecting your data, and support you in meeting your own obligations.