Data Processing Agreement
Terms under which MeaningStack B.V. processes personal data on behalf of a business customer.
This Data Processing Agreement (“DPA”) forms part of the agreement between the customer (“Controller”) and MeaningStack B.V. (“Processor”) for use of the Services, and applies where MeaningStack processes personal data on the Controller’s behalf. It is intended to support compliance with Article 28 of the GDPR.
1. Roles
The Controller determines the purposes and means of processing personal data. The Processor processes that personal data only on the Controller’s documented instructions, including as set out in the agreement and the product documentation.
2. Subject matter and duration
The Processor processes personal data for the duration of the agreement, solely to provide the Services (for example, runtime verification data transmitted through the Steward SDK, and connection metadata for KamiraFlow).
3. Nature and purpose of processing
Processing includes collection, storage, analysis, and generation of indicative signals, alerts, and verification results, as described in the product documentation. The Controller acknowledges that these outputs are decision-supporting and indicative, as set out in the Terms of Service.
4. Categories of data and data subjects
Personal data may include identifiers and professional information relating to the Controller’s personnel, contributors, and the individuals referenced in the data the Controller connects or transmits. The Controller is responsible for ensuring it has a lawful basis to provide such data.
5. Processor obligations
- Process personal data only on documented instructions from the Controller.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational security measures.
- Respect the conditions in Section 6 for engaging sub-processors.
- Assist the Controller, taking into account the nature of processing, in responding to data subject requests and in meeting its security, breach-notification, and impact-assessment obligations.
- At the Controller’s choice, delete or return personal data at the end of the services, save where storage is required by law.
- Make available information necessary to demonstrate compliance and allow for audits, subject to reasonable confidentiality and security conditions.
6. Sub-processors
The Controller authorises the Processor to engage sub-processors (including infrastructure and AI providers) under written terms imposing data-protection obligations comparable to those in this DPA. The Processor remains responsible for its sub-processors’ performance and will inform the Controller of intended changes, allowing the Controller to object on reasonable grounds.
7. International transfers
Where personal data is transferred outside the EEA, the Processor will rely on a recognised transfer mechanism, such as the European Commission’s Standard Contractual Clauses.
8. Security
The Processor maintains technical and organisational measures appropriate to the risk, including access controls, encryption in transit, and tamper-evident records where applicable. The Controller acknowledges that no measures can guarantee absolute security.
9. Personal data breach
The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data, and will provide information reasonably available to assist the Controller’s obligations.
10. Liability
Liability under this DPA is subject to the limitations and exclusions set out in the agreement and the Terms of Service, to the maximum extent permitted by applicable law.
11. Contact
Data-protection matters: admin@meaningstack.com.
Note: This document is a template and is not legal advice. A DPA has specific legal requirements under GDPR Article 28 and must reflect your actual processing, sub-processors, and security measures. Have it reviewed and completed by qualified counsel, and attach the required annexes (processing details and sub-processor list), before relying on it.