Data Processing Agreement

Last updated: June 17, 2026

1. Parties and scope

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller") and Surf Online ("Processor") when you use Meridian to host bots that process personal data on your behalf.

This DPA applies where GDPR, UK GDPR, or similar laws require a written processing agreement.

2. Subject matter and duration

Processor hosts bot configurations, stored variables, transcripts, and related metadata for the duration of your subscription or account, plus retention periods in our Privacy Policy.

3. Nature and purpose of processing

Processing includes storage, execution, backup, transmission to Discord, and support activities necessary to run your bots on Meridian.

4. Categories of data and subjects

Data subjects may include your team members and Discord users interacting with your bots. Categories may include identifiers, messages, guild metadata, and other fields your bots handle.

5. Processor obligations

Processor will:

  • Process personal data only on documented instructions from Controller.
  • Ensure personnel with access are bound by confidentiality.
  • Implement appropriate technical and organizational security measures.
  • Assist Controller with data subject requests where feasible.
  • Notify Controller without undue delay of personal data breaches we discover.
  • Delete or return data when the service ends, subject to legal retention.

6. Subprocessors

Controller authorizes Processor to use subprocessors listed below. Processor remains responsible for their performance:

| Subprocessor | Purpose | Location | Data processed |
|---|---|---|---|
| Convex | Backend, database, file storage, and real-time API | United States | Account data, bot configurations, variable definitions and stored values, transcripts, platform logs |
| Vercel | Frontend hosting and edge delivery | Global | HTTP request metadata, session cookies |
| Discord | Authentication and bot API | United States | OAuth profile fields, bot runtime data |
| Stripe | Payment processing and subscriptions | United States | Billing contact, payment method metadata (not full card numbers) |
| Cloudflare | CDN, edge, and runner traffic | Global | HTTP metadata, cached assets |
| Resend | Transactional email | United States | Email address, message content for service emails |

7. International transfers

Where personal data is transferred outside the EEA/UK, Processor uses appropriate safeguards such as Standard Contractual Clauses under Netherlands and EU law.

8. Contact

DPA inquiries: legal@meridian.surf. See also our Privacy Policy.