Data Processing Agreement
Last updated: 1 March 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Mevrik Inc. ("Mevrik") and the Customer and governs the processing of personal data by Mevrik on behalf of the Customer in connection with the Mevrik platform services.
Enterprise customers requiring a signed DPA should contact legal@mevrik.cx.
We aim to return signed DPAs within 5 business days.
1. Definitions
"Controller" means the Customer. "Processor" means Mevrik. "Personal Data" means any information processed by Mevrik on behalf of the Customer relating to identified or identifiable individuals. "Processing" has the meaning given in the GDPR.
2. Scope of Processing
Mevrik processes Personal Data only: (a) to provide the platform services as described in the Customer's subscription agreement; (b) on documented instructions from the Customer; (c) as required by applicable law. Mevrik will promptly inform the Customer if, in its opinion, an instruction infringes applicable data protection law.
3. Technical and Organisational Measures
Mevrik implements and maintains appropriate technical and organisational security measures including: AES-256 encryption at rest, TLS 1.3 in transit, access controls (RBAC), audit logging, regular security testing, and incident response procedures. Details are available in the Security documentation at mevrik.cx/security.
4. Sub-processors
Mevrik uses sub-processors to deliver platform services (including cloud infrastructure, analytics, and email delivery). A current list of sub-processors is available on request. Mevrik will provide 30 days' notice before adding new sub-processors. Customers may object on reasonable grounds.
5. Data Subject Rights
Mevrik will assist the Customer in responding to data subject requests (access, rectification, erasure, portability). Mevrik will notify the Customer of any data subject requests received directly relating to Customer Data within 5 business days.
6. Data Breach Notification
Mevrik will notify the Customer without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Data, providing all information reasonably available to allow the Customer to fulfil its own notification obligations.
7. Data Deletion
Upon termination of the agreement, Mevrik will delete or return all Customer Personal Data within 30 days, unless applicable law requires continued storage. Mevrik will certify in writing that deletion has been completed.
8. International Transfers
Where Personal Data is transferred outside the EEA or UK, such transfers are governed by Standard Contractual Clauses (SCCs) as adopted by the European Commission. Managed Private Cloud customers may opt for in-region data residency.
9. Audit Rights
Mevrik will provide the Customer with all information necessary to demonstrate compliance with this DPA. The Customer may conduct audits (or appoint an independent auditor) with 30 days' prior written notice, no more than once per year, subject to reasonable confidentiality obligations.
Request a signed DPA
Enterprise and regulated industry customers can request a countersigned DPA. Email us with your legal entity name and DPA requirements.
Request DPA — legal@mevrik.cx