Data Processing Agreement
Last updated: April 7, 2026
1. Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Tech Tap Solutions ("Processor") and the organization subscribing to Meridix ("Controller"). It governs the processing of personal data by Meridix on behalf of the Controller.
2. Definitions
- Personal Data — any information relating to an identified or identifiable person, including email addresses, names, IP addresses, and email content.
- Processing — any operation performed on personal data, including collection, storage, retrieval, transmission, and deletion.
- Sub-processor — a third party engaged by the Processor to process personal data on behalf of the Controller.
3. Data Controller and Processor Roles
The organization using Meridix is the Data Controller. Tech Tap Solutions (operating Meridix) is the Data Processor. The Processor processes data only on documented instructions from the Controller, including as specified in the Terms of Service and this DPA.
4. Categories of Data Processed
| Category | Data Elements | Retention |
|---|---|---|
| Email content | Subject, body, headers, attachments | Per org retention policy |
| Account data | Name, email, role, org membership | Until account deletion |
| Authentication | Session tokens, login events, IP addresses | 90 days |
| Usage metrics | Email volumes, storage, API calls | 12 months (aggregated) |
| Encrypted portal | AES-256-GCM encrypted messages, audit logs | Per message expiry or until revoked |
5. Sub-processors
The Processor uses the following sub-processors. The Controller is notified of changes via email to the organization admin.
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Cloud | Infrastructure hosting | Ashburn, VA, USA |
| Cloudflare | DNS, CDN, R2 object storage | Global (US-headquartered) |
| Bulwark Auth | Authentication and identity | USA |
| Anthropic | AI processing (classification, summarization) | USA |
| Groq | AI classification | USA |
| Backblaze B2 | Encrypted backup storage | USA |
| AWS SES | Fallback email delivery | US regions |
6. Security Measures
- TLS 1.3 encryption for all data in transit
- AES-256-GCM encryption for secure email portal messages
- SSH key-only server access with fail2ban
- Daily encrypted backups (Restic + Backblaze B2)
- Role-based access control for admin operations
- Audit logging of all administrative actions
- Rate limiting and brute-force protection
- Rspamd spam and malware scanning
7. Data Breach Notification
In the event of a personal data breach, the Processor will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include the nature of the breach, categories of data affected, estimated number of data subjects, and measures taken to mitigate the breach.
8. Data Subject Rights
The Processor will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) within the timeframes required by applicable law. Data export is available in JSON format via Settings. Account deletion requests are processed within 30 days.
9. Data Transfers
All data is processed and stored in the United States. For transfers from the EEA/UK, the Processor relies on Standard Contractual Clauses (SCCs) as approved by the European Commission.
10. Term and Termination
This DPA remains in effect for the duration of the service agreement. Upon termination, the Processor will delete all personal data within 90 days, unless retention is required by law. The Controller may request immediate data export before termination.
11. Contact
Data Protection Officer: [email protected]
Tech Tap Solutions, United States