Data Processing Agreement
For customers whose data includes information about EU/UK residents or who need a formal processor agreement.
This Data Processing Agreement ("DPA") is incorporated into and forms part of the Mero Terms of Service between Mero ("Processor") and you, the customer ("Controller"). It applies where Mero processes personal data on your behalf in the course of providing the Service.
1. Definitions
"GDPR" means the EU General Data Protection Regulation 2016/679 and, where applicable, the UK GDPR.
"Personal Data" has the meaning given in the GDPR: any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on Personal Data, including reading, storing, analyzing, transmitting, or deleting.
"Controller" means you - the entity that determines why and how Personal Data is processed.
"Processor" means Mero - the entity that processes Personal Data on your behalf.
"Subprocessor" means any third party engaged by Mero to process Personal Data.
2. Scope and purpose of processing
2.1 Subject matter: Mero processes Personal Data to provide the AI-powered product insights Service described in the Terms of Service.
2.2 Duration: For the term of your Mero subscription, and for the period required to delete data after termination (as set out below).
2.3 Nature of processing: Accessing, reading, analyzing, storing, and transmitting data from connected third-party integrations to generate product recommendations.
2.4 Types of Personal Data processed:
- Names, email addresses of your team members (from connected tools)
- User behavior data and feedback from your end users (if present in connected tools such as Intercom, Slack, or Jira)
- Internal communications and project data containing personal references (e.g. Slack messages, Notion pages, Linear issues)
2.5 Categories of data subjects:
- Your employees and team members
- Your end users (to the extent their data appears in your tools)
3. Mero's obligations as processor
Mero agrees to:
3.1 Process Personal Data only on documented instructions from you (the Terms of Service and this DPA constitute those instructions), unless required by law.
3.2 Ensure personnel authorized to process Personal Data are bound by confidentiality obligations.
3.3 Implement and maintain appropriate technical and organizational security measures (see Section 6).
3.4 Not engage Subprocessors without your prior authorization (general authorization is granted by accepting this DPA; see the Subprocessors list in Section 7).
3.5 Assist you in responding to data subject rights requests (access, deletion, portability, etc.) to the extent technically feasible.
3.6 Notify you without undue delay (and within 72 hours where feasible) upon becoming aware of a Personal Data breach affecting your data.
3.7 Delete or return all Personal Data upon termination of the Service, within 30 days.
3.8 Provide you with reasonable assistance to demonstrate compliance with GDPR obligations, including making available information necessary for audits.
4. Your obligations as controller
You confirm that:
4.1 You have a lawful basis for sharing Personal Data with Mero (e.g. legitimate interests, consent, or contractual necessity).
4.2 You have provided required notices to data subjects (your team members and users) about data processing by tools like Mero.
4.3 The data you share with Mero is limited to what is necessary for the Service.
5. Data subject rights
If a data subject submits a request (access, deletion, portability) directly to Mero regarding data you control, we will promptly notify you and await your instructions before responding.
6. Security measures
Mero implements and maintains the following technical and organizational measures:
Technical measures
- Encryption in transit: TLS 1.2+ for all data transmission
- Encryption at rest: Database-level encryption via Supabase
- Access controls: Role-based access; production access restricted to authorized personnel only
- Authentication: Multi-factor authentication for all internal system access
- Network security: Isolated network environments via Vercel and Supabase infrastructure
Organizational measures
- Access to production data limited to personnel who require it for their role
- Personnel are bound by confidentiality obligations
- Regular review of access privileges
- Incident response procedures in place
Infrastructure
All critical infrastructure (Supabase, Vercel, Clerk, Anthropic, Inngest) is SOC 2 Type II certified.
7. Subprocessors
By accepting this DPA, you authorize Mero to use the following Subprocessors:
| Subprocessor | Purpose | Country | DPA / Certification |
|---|---|---|---|
| Anthropic | AI model inference | USA | API Terms (no training) |
| Supabase | Database + storage | S. Korea | SOC 2 Type II |
| Clerk | Authentication | USA | SOC 2 Type II |
| Vercel | Hosting + edge network | USA | SOC 2 Type II |
| Inngest | Background job processing | USA | SOC 2 Type II |
| PostHog | Product analytics | USA | SOC 2 Type II |
Mero will notify you of any intended changes to this Subprocessor list (additions or replacements) by updating this page and notifying you via email at least 14 days before the change takes effect. You may object to a new Subprocessor within 14 days by emailing hello@withmero.com. If no agreement can be reached, you may terminate the Service.
8. International data transfers
Personal Data processed by Mero may be transferred to and stored in countries outside your own, including the United States and South Korea.
For transfers from the EU/EEA or UK to countries without an adequacy decision, Mero relies on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Subprocessors' own compliance frameworks (SCCs, adequacy decisions, or Privacy Shield successor frameworks where applicable)
On request, Mero will provide copies of applicable SCCs.
9. Data breach notification
In the event of a Personal Data breach affecting your data, Mero will:
- Notify you within 72 hours of becoming aware
- Provide details of the nature, scope, and likely consequences
- Describe measures taken or proposed to address the breach
10. Term and termination
This DPA is effective for the duration of your Mero subscription. Upon termination, Mero will delete all Personal Data within 30 days unless retention is required by law.
11. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.
12. Governing law
This DPA is governed by the same law as the Terms of Service (India), with any disputes resolved exclusively in the courts of New Delhi, India. Where GDPR applies, it takes precedence over conflicting provisions.
Need a countersigned copy of this DPA for your records?
Email hello@withmero.com with subject line "DPA Request".