This document is a non-binding template. It does not constitute legal advice. The operator of this Meldry instance should have it reviewed and customized by qualified legal counsel before relying on it.
1. Roles
For Customer Data processed via Meldry, the Customer is the Data Controller and the Operator is the Data Processor. Where applicable law uses different terminology, the equivalent roles apply.
2. Subject matter
Provision of a managed Matrix homeserver, including storage of messages, media, configuration and audit metadata.
3. Categories of data subjects
- The Customer's end users (Matrix accounts inside the workspace).
- Visitors to bridged rooms (where bridges are enabled).
4. Categories of personal data
- Account identifiers (handle, optional email).
- Message metadata (timestamps, room IDs, participant IDs).
- Encrypted message bodies (the Operator cannot read them).
- Sign-in events, IP addresses, user-agents.
5. Processor obligations
- Process Customer Data only on documented instructions from the Customer.
- Ensure personnel with access are bound by confidentiality.
- Implement appropriate technical and organisational measures, including encryption at rest, isolation per workspace, role-based access and audit logging.
- Notify the Customer without undue delay (target: 72 hours) of any personal data breach affecting their data.
- Assist the Customer in responding to data subject requests.
- On termination, delete or return Customer Data within 30 days, subject to legal retention requirements.
6. Sub-processors
The Operator may engage sub-processors strictly necessary to provide the service (hosting, payment, email). A current list is available on request, and changes are notified at least 30 days in advance with a right to object.
7. International transfers
Where Customer Data is transferred outside the EU/EEA or other regulated regions, the Operator relies on Standard Contractual Clauses or equivalent safeguards.
8. Audits
The Customer may audit compliance once per year on reasonable notice, or more frequently following a confirmed incident. Audits may not unreasonably disrupt the service.