Data Processing Agreement

This document lays out the responsibilities of Meterian Ltd., UK Company No. 11439878, hereafter referred to as Meterian, to its customers with regard to data protection in general and specifically to the European Union's General Data Protection Regulation (GDPR).

1. Meterian as Data Processor, Definitions

2. Processing of Personal Data

  1. Use of the service implies that Meterian may process personal data on behalf of the Data Controller in accordance with the requirements of Data Protection Laws. The Data Controller will ensure that instructions to Meterian for the processing of personal data comply with Data Protection Laws. The Data Controller has sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it acquires personal data.
  2. Inputs to the Meterian Service provided by the Data Controller are files of software projects required for development builds and vulnerability analysis, plus the relevant project metadata required. No other data should be sent to Meterian. The Data Controller bears sole responsibility for transmitting only those software files that it wishes to have analysed by Meterian.
  3. Meterian presents a full and accurate description of its data protection practices on its website. From time to time, Meterian updates this description as and when practices change. Meterian is a Data Processor operating on behalf of its customers.

3. Rights of Data Subjects

  1. The Data Controller is solely responsible for collecting all necessary consent from Data Subjects to allow Meterian to process personal data on its behalf.
  2. Meterian will, to the extent legally permitted, promptly notify the Data Controller if it receives a request from a Data Subject for access to, or deletion of, that person's personal data. Meterian will not respond to a Data Subject request without the Data Controller's prior written consent except to confirm that the request relates to the Data Controller. The Data Controller is solely responsible for completing such request as required by law.

4. Personnel

  1. Meterian ensures that its personnel engaged in the processing of personal data are informed of the confidential nature of the personal data, have received appropriate training on their responsibilities and have agreed to confidentiality obligations that survive the termination of that person's employment or engagement by Meterian.
  2. Meterian shall take commercially reasonable steps to ensure the reliability of any Meterian personnel engaged in the processing of personal data and that access to personal data by Meterian is limited to those Meterian personnel who require such access to perform the Services.
  3. Meterian's data protection officer can be reached by email at dataprotection@meterian.io

5. Sub-Processors

  1. The Data Controller agrees Meterian may engage third-party Subprocessors to provide the Services and such Subprocessors may access personal data, and appoint additional levels of Subprocessors, only for purposes of providing the services Meterian retained them to provide and not for any other purpose.
  2. Meterian agrees to be liable for the acts and omissions of its Subprocessors to the same extent Meterian would be liable if performing the services of each Subprocessor directly under the terms of this agreement.

6. Security

Meterian agrees to implement and maintain the administrative, technical, and physical safeguards of personal data stored using the Services.

7. Security Breach Management and Notification

  1. If Meterian becomes aware of unlawful access to the Data Controller's personal data stored through the Services, or unauthorized access to the Services resulting in loss, disclosure, or alteration of the Data Controller's personal data ("Security Breach"), Meterian will promptly: (a) notify the Data Controller of the Security Breach; (b) investigate the Security Breach and provide the Data Controller with information known to Meterian about the Security Breach; and (c) follow its policies and procedures to mitigate the effects and to minimize any damage resulting from the Security Breach.
  2. The Data Controller agrees that an unsuccessful Security Breach attempt will not be subject to Section 7.1 above. An unsuccessful Security Breach attempt is one that results in no unauthorized access to the Data Controller's personal data or to the Services storing your Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents.
  3. Notification(s) of Security Breaches, if any, will be delivered to one or more of the Customer's business, technical or administrative contacts by any means Meterian selects, including via email. It is the sole responsibility of the Customer to ensure it maintains accurate contact information on Meterian's support systems at all times.
  4. Meterian's report of and/or response to a Security Breach under this Section will not be construed as an admission by Meterian of fault or liability with respect to the Security Breach.

8. Deletion of Customer Data

  1. Meterian agrees to delete Customer personal data in accordance with Meterian's procedures and Data Protection Laws.
  2. At a Customer's request, Meterian will provide the Customer with a Certification of Deletion of Personal Data by email.

9. Legal Effect

This agreement comes into effect from the 30th of June 2018 for all existing customers, or from the time of purchase of a Meterian subscription. It expires with the cessation of the Customer's Meterian subscription.