This Data Processing Agreement ("DPA") is entered into between Meerkads LLC ("Processor") and the customer entity that has agreed to the Meerkads Terms of Service ("Controller"). This DPA forms part of the agreement between the parties and applies where Meerkads processes personal data on behalf of the Controller in connection with the Meerkads platform and services.
This DPA is designed to meet the requirements of the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), and other applicable data protection laws. Where required by applicable law, this DPA constitutes the data processing agreement between the parties.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection law.
"Processing" means any operation or set of operations performed on personal data, including collection, storage, use, disclosure, or deletion.
"Controller" means the customer entity that determines the purposes and means of processing personal data.
"Processor" means Meerkads LLC, which processes personal data on behalf of the Controller.
"Sub-processor" means any third party engaged by Meerkads to process personal data in connection with the services.
"Data Subject" means the individual to whom personal data relates.
"Applicable Data Protection Law" means all laws and regulations applicable to the processing of personal data, including GDPR, UK GDPR, and CCPA where relevant.
2. Scope and Role of the Parties
2.1 Controller and Processor Roles
The Controller determines the purposes and means of processing personal data connected to its use of the Meerkads platform. Meerkads acts as a Processor, processing personal data solely on the Controller's behalf and under the Controller's documented instructions.
2.2 Nature of Processing
Meerkads processes personal data to provide the services described in the Terms of Service, including:
Connecting and synchronizing data from advertising platforms, ecommerce stores, and marketing tools
Generating AI-powered performance analysis, insights, and recommendations
Creating and publishing ad creatives and campaign structures on connected platforms
Generating automated reports, forecasts, and performance summaries
Providing customer support and platform communications via Intercom
2.3 Categories of Data Subjects
Personal data processed under this DPA may relate to:
The Controller's employees and authorized platform users
End customers and audiences of the Controller's advertising and ecommerce activities
Recipients of the Controller's email marketing communications
2.4 Categories of Personal Data
Personal data processed may include:
Account and contact data: name, email address, job title, company name
Advertising performance data: ad interaction data, audience segment data, conversion events
Ecommerce data: purchase records, product data, customer identifiers
Email marketing data: subscriber lists, engagement data
Analytics and behavioral data: platform usage logs, session data, event tracking
3. Instructions for Processing
3.1 Documented Instructions
Meerkads will process personal data only in accordance with the Controller's documented instructions, which are set out in the Terms of Service, this DPA, and any additional written instructions provided by the Controller.
3.2 Processing Outside Instructions
If Meerkads is required by applicable law to process personal data in a manner not covered by the Controller's instructions, Meerkads will inform the Controller before such processing takes place, unless prohibited by law.
3.3 Confidentiality
Meerkads will ensure that all personnel authorized to process personal data are subject to appropriate confidentiality obligations.
4. Sub-processors
4.1 Authorized Sub-processors
The Controller grants Meerkads general authorization to engage sub-processors to assist in providing the services. Meerkads currently uses the following sub-processors:
Anthropic: AI model provider for analysis and content generation
OpenAI: AI model provider for analysis and content generation
Google (Gemini): AI model provider for analysis and content generation
Stripe: payment processing
Intercom: customer support and in-app messaging
Google Analytics 4: platform usage analytics
Heroku: cloud infrastructure and hosting
4.2 Changes to Sub-processors
Meerkads will provide the Controller with reasonable prior notice of any intended changes to its sub-processors. The Controller may object to the appointment of a new sub-processor within fourteen (14) days of receiving such notice. If the Controller raises a reasonable objection and the parties cannot resolve the matter, the Controller may terminate the affected services.
4.3 Sub-processor Obligations
Meerkads will impose data protection obligations on sub-processors that are no less protective than those set out in this DPA.
5. Data Security
5.1 Technical and Organizational Measures
Meerkads will implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:
Encryption of personal data in transit and at rest
Access controls and authentication requirements
Regular security assessments and vulnerability monitoring
Employee training on data protection and security
5.2 Security Updates
Meerkads may update its security measures over time. Meerkads will not reduce the overall level of protection provided to personal data.
6. Data Subject Rights
Taking into account the nature of the processing, Meerkads will assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection.
Where Meerkads receives a request directly from a data subject relating to the Controller's data, Meerkads will promptly forward that request to the Controller without acting on it independently.
7. Data Breach Notification
Meerkads will notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of a personal data breach affecting personal data processed under this DPA. The notification will include, to the extent available:
A description of the nature of the breach
The categories and approximate number of data subjects affected
The categories and approximate number of records affected
The likely consequences of the breach
Measures taken or proposed to address the breach
Meerkads will cooperate with the Controller and provide reasonable assistance in meeting any notification obligations the Controller may have to supervisory authorities or data subjects.
8. Data Protection Impact Assessments
Where required under applicable data protection law, Meerkads will provide reasonable assistance to the Controller in conducting data protection impact assessments (DPIAs) and in consulting with supervisory authorities, to the extent such assistance relates to Meerkads's processing activities.
9. International Data Transfers
9.1 Transfers Outside the EEA
Meerkads is based in the United States. Where personal data originating from the EEA or UK is transferred to Meerkads for processing, such transfers are made in compliance with applicable data protection law. Meerkads relies on the following transfer mechanisms where applicable:
Standard Contractual Clauses (SCCs) as adopted by the European Commission
The UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs for transfers from the UK
Other lawful transfer mechanisms as required by applicable law
9.2 SCC Incorporation
Where required by applicable law, the EU Standard Contractual Clauses (Module 2: Controller to Processor) are hereby incorporated into this DPA by reference. In the event of conflict between the SCCs and this DPA, the SCCs shall prevail with respect to transfers subject to GDPR.
10. Audit Rights
Upon the Controller's reasonable written request, Meerkads will provide information necessary to demonstrate compliance with this DPA. Where required by applicable law, Meerkads will allow for and contribute to audits and inspections conducted by the Controller or an auditor appointed by the Controller, subject to reasonable prior notice and agreement on scope, timing, and confidentiality.
Meerkads may satisfy its audit obligations by providing relevant third-party certifications or audit reports, where available.
11. Retention and Deletion
Upon termination or expiration of the services, Meerkads will, at the Controller's choice, delete or return all personal data processed on behalf of the Controller, unless applicable law requires further retention. Meerkads will retain personal data for a maximum of one (1) year following termination of services, after which it will be securely deleted or anonymized.
Certain financial and transactional records may be retained for up to five (5) years to comply with applicable legal and accounting obligations.
12. Liability
Each party's liability under this DPA is subject to the limitations set out in the Meerkads Terms of Service. Nothing in this DPA is intended to limit either party's liability to data subjects or supervisory authorities under applicable data protection law.
13. Term and Termination
This DPA is effective for the duration of the services provided under the Terms of Service. It will terminate automatically upon termination or expiration of the Terms of Service, subject to the survival of obligations relating to data deletion, confidentiality, and liability.
14. Governing Law
This DPA is governed by the laws of the State of Delaware, United States, except where mandatory provisions of applicable data protection law require otherwise. For matters governed by GDPR, the laws of the Republic of Ireland shall apply to the extent required by EU law.
15. Contact and Requests
All notices, requests, and communications relating to this DPA should be directed to:
Meerkads LLC
8 The Green, Suite 22170
Dover, DE 19901
United States
Email: info@meerkads.com