# Data Processing Addendum (DPA) — MeetForge

**Version:** 1.0
**Last updated:** 2026-05-29
**Author:** MeetForge (drafted autonomously per EXPERT-STACK-RECOMMENDATION-2026-05-29.md rec #5)
**Roman: review with counsel before binding any customer contract. Scaffold based on Article 28 GDPR / SCC 2021/914.**

---

This Data Processing Addendum (the "**DPA**") forms part of the Master Services Agreement, Order Form, or other written or electronic agreement between Meta Force Solutions LLC d/b/a **MeetForge** ("**Processor**", "**we**", "**us**") and the customer identified in such agreement ("**Controller**", "**you**", "**Customer**") (collectively, the "**Agreement**"). It governs the Processing of Personal Data by MeetForge on behalf of Customer in connection with the MeetForge service (the "**Service**").

In the event of any conflict between this DPA and the Agreement, this DPA prevails with respect to the Processing of Personal Data.

## 1. Definitions

Capitalized terms not defined here have the meanings given in the Agreement, the GDPR, or the UK GDPR as applicable.

- **"Applicable Data Protection Law"** means the GDPR (Regulation (EU) 2016/679); the UK GDPR; the California Consumer Privacy Act as amended by the CPRA (collectively, "**CCPA**"); and any other privacy or data protection law applicable to the Processing under the Agreement.
- **"Personal Data"** has the meaning given in the Applicable Data Protection Law and refers to data Processed by Processor on behalf of Controller in connection with the Service.
- **"Processing"**, **"Controller"**, **"Processor"**, **"Data Subject"**, and **"Sub-processor"** have the meanings given in the GDPR.
- **"Standard Contractual Clauses"** or **"SCCs"** means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 adopted by the European Commission Decision (EU) 2021/914 of 4 June 2021.

## 2. Roles & subject matter

2.1 With respect to Personal Data Processed under the Agreement, Controller is the **Controller**, and Processor is the **Processor** (or a Sub-processor of Controller's Controller, as the case may be).

2.2 The subject matter of the Processing is the provision of the Service. The duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in **Annex I**.

## 3. Processor obligations

Processor will:

a. Process Personal Data only on documented instructions from Controller, including with regard to transfers, unless required to do so by applicable law (in which case Processor will inform Controller of that legal requirement before Processing unless that law prohibits such information on important grounds of public interest);

b. Ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

c. Implement and maintain the technical and organizational security measures set out in **Annex II**;

d. Assist Controller, taking into account the nature of the Processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Controller's obligation to respond to requests by Data Subjects exercising their rights under the Applicable Data Protection Law;

e. Assist Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (security, breach notification, DPIA, prior consultation), taking into account the nature of Processing and the information available to Processor;

f. At the choice of Controller, delete or return all Personal Data to Controller after the end of the provision of the Service relating to Processing, and delete existing copies unless retention is required by applicable law;

g. Make available to Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR.

## 4. Sub-processors

4.1 Controller provides general authorization for Processor to engage Sub-processors listed at **<https://meetforge.ai/security>** (the "**Sub-processor List**").

4.2 Processor will inform Controller of any intended changes concerning the addition or replacement of Sub-processors at least **fifteen (15) days** in advance by updating the Sub-processor List. Controller may object to such changes on a reasonable basis within ten (10) days of notice by emailing **legal@meetforge.ai**.

4.3 Processor will ensure that each Sub-processor is bound by data protection obligations no less protective than those in this DPA.

## 5. International transfers

5.1 To the extent Processing involves the transfer of Personal Data subject to the GDPR or UK GDPR to a country not deemed adequate by the European Commission or the UK ICO, the parties incorporate the SCCs as follows:

- **Module 2 (Controller-to-Processor)** applies where Controller is a Controller and Processor is a Processor.
- **Module 3 (Processor-to-Processor)** applies where Controller is a Processor and Processor is a Sub-processor.

5.2 Clause selections, governing law (Ireland), supervisory authority (Irish Data Protection Commission), Annex I.A, I.B, I.C, and Annex II are populated by Annexes I and II of this DPA.

## 6. Security measures

Processor will implement and maintain the security measures set out in **Annex II** ("**Security Measures**"). Controller acknowledges that the Security Measures are subject to technical progress and development and that Processor may update or modify them from time to time provided that such updates do not materially diminish the overall security of the Service.

## 7. Personal Data breach

7.1 Processor will notify Controller without undue delay and in any case within **seventy-two (72) hours** after becoming aware of a Personal Data breach affecting Controller's Personal Data.

7.2 The notification will, at minimum: (a) describe the nature of the breach including categories and approximate number of Data Subjects and records concerned where known; (b) communicate the name and contact details of Processor's point of contact for further information; (c) describe the likely consequences; and (d) describe the measures taken or proposed to address the breach.

## 8. Audits

8.1 Processor will make available to Controller, on reasonable request not more than once per calendar year, the most recent audit reports or certifications relevant to the Service (e.g., SOC 2 Type 2 once obtained), subject to the recipient's confidentiality obligations.

8.2 Controller may request additional information necessary to demonstrate compliance with this DPA. Audits conducted on premises will be subject to reasonable advance notice (not less than 30 days), confidentiality, and reimbursement of Processor's reasonable costs.

## 9. Return or deletion

Upon termination or expiration of the Service, Processor will, at Controller's choice, return or delete all Personal Data within **thirty (30) days**, unless storage is required by applicable law. Backups expire on a thirty-day rolling window.

## 10. Liability & governing law

10.1 The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

10.2 This DPA is governed by the laws of the State of **Delaware, USA**, except where (i) the SCCs apply, in which case the SCCs' governing-law provisions control; or (ii) Applicable Data Protection Law specifies a different governing law.

## 11. Order of precedence

In the event of conflict, the following order of precedence applies: (1) the SCCs; (2) this DPA; (3) the Agreement.

---

## Signatures

| Party | Name | Title | Date |
|---|---|---|---|
| **Processor** (MeetForge) | _________________________ | _________________________ | _________________________ |
| **Controller** (Customer) | _________________________ | _________________________ | _________________________ |

---

## Annex I — Subject matter, nature, purpose, and duration

**A. List of Parties**

- **Data Exporter (Controller):** Customer as identified in the Agreement.
- **Data Importer (Processor):** Meta Force Solutions LLC d/b/a MeetForge, registered in the United States (Texas), with business address in Richardson, Texas, USA. Contact: legal@meetforge.ai.

**B. Description of Transfer**

- **Categories of Data Subjects:** Customer's prospects, leads, and contacts targeted by the outbound campaigns Processor operates; and Customer's own personnel who interact with the Service.
- **Categories of Personal Data:**
  - Prospect identifiers: name, business email, business phone, job title, employer.
  - Engagement data: replies to outbound emails, classification labels, meeting booking metadata.
  - Customer account data: account holder email, billing identifiers, support correspondence.
- **Sensitive data:** None expected. Customer is responsible for ensuring no Special Category Data is included in inputs provided to Processor.
- **Frequency of transfer:** Continuous during the Service term.
- **Nature of processing:** Outbound campaign orchestration, AI-assisted reply classification, meeting booking, refund-eligibility tracking.
- **Purpose:** Provision of the MeetForge AI-SDR managed service.
- **Duration:** Term of the Agreement plus 30 days for deletion.

**C. Competent supervisory authority:** Irish Data Protection Commission (where the SCCs apply).

---

## Annex II — Technical & organizational security measures

| Domain | Measure |
|---|---|
| Access control | Role-based access, hardware-key 2FA on all administrator accounts. |
| Encryption at rest | AES-256 on managed platforms (n8n Cloud, Stripe, Backblaze SSE-B2). |
| Encryption in transit | TLS 1.2+ on all customer-facing and inter-service hops. |
| Key management | Production secrets stored in operator's local-only environment file; never committed to repository; rotation per incident. |
| Backup | Daily encrypted tarballs to Backblaze B2 us-east-005, 30-day retention. |
| Logging & audit | n8n execution logs (90-day retention), application-level audit trail per workflow, public refund ledger and cryptographic integrity log at <https://meetforge.ai/proof/integrity>. |
| Vulnerability management | Quarterly dependency review; security advisories monitored via GitHub. |
| Incident response | 72-hour breach notification SLA (Section 7); incident playbook in operator runbooks directory. |
| Sub-processor management | Public list at <https://meetforge.ai/security>; 15-day change notice; customer objection right. |
| Data deletion | 30-day window upon termination or request. |
| Personnel | Confidentiality obligations binding on all personnel with access to Personal Data. |
| Physical security | Sub-processor managed (DigitalOcean SOC 2 Type 2, Google Workspace SOC 2 Type 2). |

---

*End of DPA template. To bind: populate the signature block, attach to or incorporate into the Master Services Agreement. Counsel review recommended before first execution.*
