Data Processing Addendum

Data protection and processing terms under GDPR/UK GDPR compliance

Last updated

22 August 2025

This DPA forms part of the Merra Terms of Service and applies automatically to any workspace that processes Candidate Data.

1) Parties & Roles

  • Customer acts as Data Controller.
  • Merra Ai Ltd acts as Data Processor.

2) Subject Matter, Nature, Purpose, Duration

  • Subject matter: processing of Candidate and Customer user personal data in connection with Merra's interview platform.
  • Nature & purpose: capture of short voice/video interviews, transcription, scoring, evaluation, storage, and display to authorised users.
  • Duration: for the term of the agreement and any post-termination retention set by the Controller or required by law.

3) Processor Obligations

Merra shall:

  • process personal data only on Controller's documented instructions;
  • ensure personnel are bound by confidentiality;
  • implement security measures appropriate to risk (Art. 32), including encryption and access controls;
  • assist Controller with data subject requests, breach notifications, DPIAs, and supervisory consultations as reasonably required;
  • delete or return personal data at the end of the Services per Controller instruction;
  • make available information needed to demonstrate compliance and allow reasonable, scoped audits (on notice, during business hours, without accessing other customers' data).

4) Sub-processors

Controller authorises Merra to use sub-processors for hosting, storage, communications, and AI inference. Merra will impose equivalent data-protection obligations on sub-processors and remains responsible for their performance. Merra will maintain a list of current sub-processors (available at /sub-processors or on request) and notify Controller of material changes.

5) International Transfers

If personal data is transferred outside the UK/EU, Merra will implement appropriate safeguards (e.g., EU Standard Contractual Clauses and UK Addendum) and conduct transfer impact assessments as required.

6) Security Measures

Merra maintains technical and organisational measures including:

  • Encryption in transit and at rest;
  • Role-based access and least privilege;
  • Audit logging for admin actions;
  • Vulnerability management and patching;
  • Backups and tested restores;
  • Incident response and breach notification procedures.

7) Breach Notification

Merra will notify Controller without undue delay after becoming aware of a personal-data breach and will provide the information reasonably available to it to assist Controller in meeting its own obligations (including those under Articles 33 and 34 GDPR/UK GDPR).

8) Retention, Return & Deletion

Default retention is 30 days for interview video/audio and up to 12 months for transcripts and scores. Upon termination or expiry of the Services, or at Controller's request, Merra will delete or return personal data, unless retention is required by law. Deletion is performed using industry-standard processes.

9) Controller Responsibilities

Controller is responsible for: establishing a lawful basis; providing required notices to data subjects; configuring retention and access; and ensuring human oversight of AI-assisted outputs before taking decisions.

10) Liability, Law & Venue

This DPA is governed by the law and jurisdiction in the ToS (England & Wales). Each party's liability under this DPA is subject to the limitations in the ToS.

Annexes

Annex A — Data Details

  • Data subjects: job applicants/candidates; Customer's authorised users.
  • Categories of data: identification (name, email), interview video/audio, transcripts, scores/evaluations, and usage metadata.
  • Special categories: not intentionally processed; Controller must avoid collecting special-category data unless strictly necessary and with a lawful basis.

Annex B — Sub-processors

Merra's current sub-processors are listed at /sub-processors (or available on request), including hosting, storage, email, and AI inference providers.