Data processing agreement

2.1 Controller and Processor relationship

Customer is the Controller of Customer Data and determines the purposes and means of processing. MeaningfulCX is the Processor and processes Customer Data only on behalf of and in accordance with Customer's documented instructions.

2.2 Details of processing

• Subject matter: The provision of the Services as described in the Agreement.
• Duration: The term of the Agreement plus any post-termination data export period.
• Nature and purpose: Processing necessary to provide the research platform, including data collection via multiple methods, AI-powered analysis, statistical computing, aggregation, insight generation, and reporting.
• Type of Personal Data: Customer Data may include:
  • Contact information (email address, where optionally collected)
  • Demographics (age range, occupation, country, region)
  • Response data (interview transcripts, survey answers, voice transcripts)
  • Technical data (IP address, browser type, device type, timestamps)
  • Consent records (consent timestamp, version, acceptance status)
  • Any other data Customer chooses to collect through the Services
• Categories of Data Subjects: Research participants taking part in Customer's research projects, including interview respondents, survey respondents, and other individuals whose data Customer processes through the Services.

2.3 Data collection methods

Customer may collect research participant data through the following methods provided by the Services:

2.4 Special categories of data

Customer is responsible for ensuring no special category data (racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, biometric data) is collected unless Customer has established a lawful basis under Article 9 GDPR. Meaningful cannot determine in advance whether participant responses will contain special category data.

2.5 Customer instructions

MeaningfulCX will process Customer Data only in accordance with Customer's documented instructions, which include this DPA and the Agreement, Customer's use and configuration of the Services, and additional written instructions agreed to by MeaningfulCX in writing. If MeaningfulCX believes that any instruction violates Applicable Data Protection Law, MeaningfulCX will inform Customer without undue delay.

3.1 Primary AI models (standard features)

The following AI models are used for standard platform features:

• AWS Bedrock (Anthropic Claude): Text analysis, thematic coding, insight generation, and cross-source synthesis. Deployed in EU (eu-central-1, Frankfurt). Customer Data is not used for model training and is not retained beyond transient processing.
• Azure OpenAI (GPT): Real-time interview chat (text and voice), text analysis, and summarisation. Deployed in EU (Sweden Central). Customer Data is not used for model training and is not shared with OpenAI.
• Azure Speech Services: Real-time voice-to-text for AI-moderated interviews. Voice audio is streamed in real-time and not stored; only the resulting text transcript is retained. Deployed in EU (Sweden Central). Customer Data is not used for model training.

3.2 Multi-provider AI (optional features)

For certain optional research features, Customer may enable multi-provider AI processing:

• AI Perception: Compares perspectives from up to four AI providers simultaneously (AWS Bedrock, Azure OpenAI, Google Gemini, and Perplexity AI). Customer opt-in required. Only research questions and optional context are sent; no participant personal data unless Customer explicitly includes it.
• Secondary Research: Web-based research via Azure OpenAI (EU). Customer opt-in required. Only research topics and questions are sent; no participant data.

3.3 AI commitments

• Customer Data is not used to train or improve any AI models
• Core AI processing occurs exclusively within the EU (Frankfurt and Sweden)
• AI providers do not retain data beyond transient processing
• Optional multi-provider features require explicit Customer opt-in and are disabled by default
• Customer may disable AI processing entirely by contacting support (this limits platform functionality)

3.4 Data minimisation

All AI processing runs within MeaningfulCX's own cloud infrastructure in the EU (AWS Bedrock in Frankfurt, Azure OpenAI in Sweden). Customer Data does not leave our cloud boundary and is not shared with or retained by AI providers beyond transient processing. Research participants are typically pseudonymised before they enter the platform, as Customers generally use external panel providers that handle consent and pseudonymisation upstream. Meaningful retains only non-identifying quality-assurance data per response (country, region, city, ISP, timezone, and a one-way hashed IP) for fraud prevention and sample quality purposes — this data cannot be linked back to an individual. Customer controls what personal data is collected through their research design.

4.1 Customer represents and warrants that:

• It has obtained all necessary consents and provided all required notices to Data Subjects for the collection and processing of Customer Data through the Services
• Its instructions to MeaningfulCX comply with Applicable Data Protection Law
• It has the legal right to transfer Customer Data to MeaningfulCX for processing

4.2 Customer is solely responsible for:

• The accuracy, quality, and legality of Customer Data
• Determining the lawful basis for processing under Applicable Data Protection Law
• Providing privacy notices to Data Subjects
• Responding to Data Subject requests (with assistance from MeaningfulCX as described in Section 8)
• Determining appropriate data retention periods for Customer Data

5.1 General authorisation

Customer provides general authorisation for MeaningfulCX to engage Sub-processors to process Customer Data, subject to the requirements of this Section 5.

5.2 Current sub-processors

MeaningfulCX currently uses the following Sub-processors:

The current list of Sub-processors with full details is available at meaningful.app/subprocessors.

5.3 New sub-processors

MeaningfulCX will provide Customer with at least 30 days' prior written notice before engaging any new Sub-processor or making material changes to existing Sub-processors. Notice will be provided via email to Customer's registered account email address.

5.4 Objection to sub-processors

Customer may object to a new Sub-processor on reasonable data protection grounds by notifying MeaningfulCX in writing within 30 days of receiving notice. If Customer objects, the parties will work together in good faith to find a commercially reasonable solution. If no solution can be found, Customer may terminate the affected Services without penalty.

5.5 Sub-processor obligations

MeaningfulCX will:

• Enter into a written agreement with each Sub-processor containing data protection obligations substantially similar to those in this DPA
• Remain fully liable to Customer for the performance of any Sub-processor

6.1 Technical and organisational measures

MeaningfulCX has implemented and will maintain appropriate technical and organisational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, as described in Annex 1: Security Measures.

6.2 Security standards

MeaningfulCX's security measures include:

• End-to-end encryption in transit (TLS 1.3) and at rest (AES-256)
• Multi-factor authentication for administrative access
• Role-based access control (RBAC) with principle of least privilege
• Multi-tenant architecture with logical data separation scoped by organisation and workspace
• Regular security assessments and penetration testing
• Incident response and business continuity procedures
• Employee security training and background checks where legally permitted

6.3 Certifications

MeaningfulCX is pursuing the following certifications:

• ISO 27001 (Information Security Management) — In progress
• SOC 2 Type II (Security, Availability, Confidentiality) — In progress

Upon completion, MeaningfulCX will make certification documentation available to Customer under appropriate confidentiality terms.

7.1 Data storage location

Customer Data is processed and stored exclusively within the European Union:

• Amazon Web Services: eu-central-1 (Frankfurt, Germany)
• Microsoft Azure: Sweden Central

7.2 Transfers outside the EU

Certain Sub-processors (Clerk and Perplexity AI) are located in the United States. Transfers to Clerk are covered by the EU–US Data Privacy Framework (DPF) adequacy decision with SCCs as fallback. Transfers to Perplexity AI are protected by Standard Contractual Clauses (SCCs).

7.3 Standard Contractual Clauses

To the extent any Sub-processor processes Customer Data outside the EEA, MeaningfulCX will ensure appropriate safeguards are in place, including the EU Standard Contractual Clauses (Module Two: Controller to Processor, Implementing Decision (EU) 2021/914) or other legally recognised transfer mechanisms.

7.4 Government and legal requests

If MeaningfulCX receives a legally binding request from a government authority for disclosure of Customer Data, MeaningfulCX will attempt to redirect the requesting party to Customer, notify Customer unless legally prohibited, challenge overly broad or unlawful requests where reasonable, and disclose only the minimum data required to comply.

8.1 Assistance with Data Subject requests

MeaningfulCX will, taking into account the nature of the processing, assist Customer in fulfilling Customer's obligations to respond to Data Subject requests under Applicable Data Protection Law, including requests for access, rectification, erasure, restriction, data portability, and objection to processing.

8.2 Platform tools and assistance

The Services provide Customer with the ability to:

• Export workspace and project data from the platform
• Delete workspaces, projects, and data sources at any time
• Configure consent checkboxes for AI-moderated interviews and surveys

Research participants are typically pseudonymised before they enter the platform, as Customers generally use external panel providers that handle consent and pseudonymisation upstream. Meaningful retains only non-identifying quality-assurance data per response (country, region, city, ISP, timezone, and a one-way hashed IP) for fraud prevention and sample quality — this data cannot be linked back to an individual and does not constitute individually identifiable participant data. Where Customer does collect identifiable participant data directly, Customer may contact MeaningfulCX at contact@meaningful.app for assistance with data subject requests.

8.3 Forwarding Data Subject requests

If MeaningfulCX receives a Data Subject request directly, MeaningfulCX will promptly forward the request to Customer within two business days. MeaningfulCX will not respond directly to the Data Subject without Customer's instruction.

8.4 Additional assistance

If Customer requires additional assistance beyond the self-service tools, Customer may submit a request to contact@meaningful.app. MeaningfulCX will provide commercially reasonable assistance.

9.1 Security incident definition

A "Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Data.

9.2 Notification

MeaningfulCX will notify Customer without undue delay after becoming aware of a Security Incident, and in any event within 24 hours of confirmation. Notification will be sent to Customer's registered account email address.

9.3 Incident information

The notification will include, to the extent available:

• Description of the nature of the Security Incident
• Categories and approximate number of Data Subjects and records affected
• Likely consequences of the Security Incident
• Measures taken or proposed to address the Security Incident
• Contact point for further information

9.4 Incident response

MeaningfulCX will:

• Conduct root cause analysis within 72 hours
• Take reasonable steps to mitigate the effects of the Security Incident
• Provide ongoing updates to Customer every 24–48 hours until resolved
• Deliver a final incident report within 14 days
• Provide reasonable assistance to Customer in notifying Data Subjects and supervisory authorities if required

9.5 Customer obligations

Customer remains responsible for determining whether to notify the supervisory authority (within 72 hours of becoming aware) and whether to notify affected Data Subjects (if high risk). MeaningfulCX will provide all information necessary for these notifications.

10.1 Audit rights

Customer has the right to audit MeaningfulCX's compliance with this DPA. Audits may be conducted no more than once per year unless required by a supervisory authority or in response to a data breach. Customer must provide at least 30 days' written notice. Audits must be conducted during normal business hours. Customer must execute a confidentiality agreement before conducting an audit.

10.2 Audit reports

As an alternative to on-site audits, MeaningfulCX will provide available third-party audit reports and certifications, responses to information security questionnaires, and information from Sub-processor audit documentation.

10.3 Audit costs

Customer is responsible for all costs associated with audits, including MeaningfulCX's reasonable costs for facilitating the audit.

11.1 Customer-controlled retention

Customer determines how long Customer Data is retained. Customer can delete workspaces, projects, and data sources at any time through the platform. For participant-level deletion requests, Customer may contact MeaningfulCX for assistance.

11.2 Deletion upon termination

Upon termination or expiration of the Agreement:

• Customer has 30 days to export Customer Data using the Services
• After the 30-day period, MeaningfulCX will delete all Customer Data within 90 days, except where retention is required by law
• Upon Customer's request, MeaningfulCX will provide written certification of deletion within 120 days of termination

11.3 Deletion scope

Deletion covers all Customer Data across all storage systems including primary databases, file storage (all response data, uploaded files, transcripts, and analysis outputs), intermediate processing files, and backup systems (within 48 hours of production deletion). Anonymised aggregate statistics and audit logs recording the fact of deletion are retained for accountability.

11.4 Legal retention

MeaningfulCX may retain Customer Data to the extent required by law, provided that MeaningfulCX will continue to maintain the confidentiality of such data and will only process it for the purposes of complying with such obligations.

15.1 Term

This DPA remains in effect for as long as MeaningfulCX processes Customer Data on behalf of Customer, and continues until all Customer Data is deleted or returned in accordance with Section 11.

15.2 Amendments

MeaningfulCX may update this DPA from time to time to reflect changes in Applicable Data Protection Law or industry standards. Material changes will be communicated to Customer with at least 30 days' notice.

15.3 Conflict

In the event of any conflict between this DPA and the Agreement, this DPA will prevail with respect to the processing of Personal Data. In the event of any conflict between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses will prevail.

15.4 Governing law

This DPA is governed by the laws of the Federal Republic of Germany, in accordance with the Agreement. The supervisory authority for the purposes of the Standard Contractual Clauses is the Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutzaufsicht).

15.5 Contact

All notices and inquiries related to this DPA should be sent to:

1. Access control

• Customer Data processed in professional EU data centres operated by AWS (Frankfurt) and Azure (Sweden)
• Multi-factor authentication (MFA) required for administrative access
• Role-based access control (RBAC) with principle of least privilege
• Individual user accounts with no shared credentials
• Quarterly access reviews and immediate revocation upon termination

2. Data protection

• Data in transit: TLS 1.3 encryption for all data transmission
• Data at rest: AES-256 encryption for all stored data
• Encryption key management through AWS KMS and Azure Key Vault
• Logical separation of Customer Data by organisation and workspace
• Query-level filters prevent cross-tenant data access

3. Data minimisation

• All AI processing (AWS Bedrock, Azure OpenAI) runs within MeaningfulCX's own cloud infrastructure in the EU — Customer Data does not leave our cloud boundary and is not used for model training
• Research participants are typically pseudonymised before entering the platform — Customers generally use external panel providers that handle consent and pseudonymisation upstream. Meaningful retains only non-identifying quality-assurance data per response (country, region, city, ISP, timezone, and a one-way hashed IP) which cannot be linked back to an individual
• Customer controls what personal data is collected through their research design (question configuration, optional demographic fields, anonymous response mode)

4. Network security

• Virtual Private Cloud (VPC) network isolation
• Firewall protection and network segmentation
• DDoS protection and mitigation
• All data transfers use encrypted channels (HTTPS/TLS)
• Secure APIs with authentication and authorisation

5. Audit logging

• AWS CloudTrail and CloudWatch logging for infrastructure-level access and API activity
• Application-level logging of authentication events and errors
• Logs retained per AWS default retention policies

6. Availability and recovery

• Multi-availability-zone deployment on AWS eu-central-1

7. Incident response

• 24/7 security monitoring and alerting
• Defined incident response procedures with clear roles
• Customer notification within 24 hours of confirmed incident
• Post-incident analysis and corrective action

8. Personnel security

• Background checks for employees with data access (where legally permitted)
• Confidentiality agreements for all employees
• Annual security and privacy training
• Immediate access revocation upon role change or termination

9. AI and LLM security

• Enterprise-grade LLMs deployed within EU cloud infrastructure
• Customer Data processed entirely within EU regions
• No use of Customer Data for model training
• Audit trails for all AI-generated outputs
• Source traceability for synthesised data

10. Security testing

• Annual third-party penetration testing
• Quarterly vulnerability scanning
• Automated security scanning in development pipeline
• Security code reviews for significant changes