1. Roles
- The customer acts as data controller.
- Meir AI acts as data processor per GDPR article 28.
2. Data processed
Meir AI processes the following personal data on behalf of the customer:
- User identities (email, name).
- Conversation content.
- Usage metadata.
- Data from third-party tools, queried in real time via OAuth, not stored.
3. Processing duration
Throughout the contract duration. Upon expiration, data is returned or deleted within 30 days.
4. Meir AI obligations
- Process data only per customer instructions.
- Ensure confidentiality (employee NDAs).
- Implement technical and organizational measures described in the Security page.
- Notify any data breach within 72 hours.
- Assist the customer in responding to data subject rights.
5. Sub-processors
Meir AI uses the following sub-processors:
- OpenAI (LLM, under DPA and zero data retention)
- Anthropic (LLM, under DPA and zero data retention)
- European cloud host (ISO 27001, SOC 2)
Any change to this list is notified to the customer with 30 days' notice.
6. International transfers
No transfers outside the EU for stored data. LLM requests may be routed to providers' European servers (OpenAI EU, Anthropic). Standard Contractual Clauses applied.
7. Audits
Customer can request an annual audit report or third-party attestation (SOC 2). On-site audits possible with notice for Enterprise customers.
8. Signature
To sign this DPA: email ilan@meir-ai.com. Editable versions available for Enterprise customers.