Meow Technologies, Inc. Data Processing Agreement
Last Updated: June 24, 2026
This Data Processing Agreement ("DPA") amends and forms part of the written agreement between Meow Technologies, Inc. ("MTI" or "Company") and the entity using or receiving MTI's Services ("Customer") titled Terms of Service for Meow Technologies, Inc., available here: https://www.meow.com/legal/terms-of-service (the "Agreement"). This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.
1. Definitions
1.1 In this DPA:
a. "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Processor", and "Supervisory Authority" have the meaning given to them in Data Protection Law;
b. "Customer Personal Data" means Personal Data Processed by Company as a Processor on behalf of Customer or Third-Party Controller;
c. "Data Protection Law" means all data protection and privacy laws applicable to the Processing of Customer Personal Data, including (i) the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the European Economic Area ("EEA"), including the European Union, and all other data protection laws of the EEA, the United Kingdom ("UK"), and Switzerland; and (ii) the privacy and data protection laws of US states applicable to the Processing of Customer Personal Data, including the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations (as further addressed in Section 15), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act; in each case as applicable, and as may be amended or replaced from time to time;
d. "Data Subject Rights" means Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making in accordance with Data Protection Law;
e. "International Data Transfer" means any disclosure of Customer Personal Data by an organization subject to Data Protection Law to another organization located outside the EEA, the UK, or Switzerland;
f. "Services" means the services provided by Company to Customer under the Agreement;
g. "Subprocessor" means a Processor engaged by Company to Process Customer Personal Data;
h. "SCCs" means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time;
i. "Third-Party Controller" means a Controller for which Customer is a Processor; and
j. "UK Addendum" means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).
1.2 Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
2. Scope
2.1 This DPA applies to the Processing of Customer Personal Data by Company subject to Data Protection Law to provide the Services.
2.2 The subject matter, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Annex I, which is an integral part of this DPA.
2.3 Customer is a Controller and appoints Company as a Processor on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers.
2.4 If Customer is a Processor on behalf of a Third-Party Controller, then Customer: is the single point of contact for Company; must obtain all necessary authorizations from such Third-Party Controller; and undertakes to issue all instructions and exercise all rights on behalf of such other Third-Party Controller.
3. Instructions
3.1 Company will Process Customer Personal Data to provide the Services and in accordance with Customer’s documented instructions.
3.2 The Controller’s instructions are documented in this DPA, the Agreement, and any applicable statement of work.
3.3 Customer may reasonably issue additional instructions as necessary to comply with Data Protection Law. Company may charge a reasonable fee to comply with any additional instructions.
3.4 Unless prohibited by applicable law, Company will inform Customer if Company is subject to a legal obligation that requires Company to Process Customer Personal Data in contravention of Customer’s documented instructions.
4. Personnel
4.1 Company will ensure that all personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.
5. Security and Personal Data Breaches
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Annex II.
5.2 Customer acknowledges that the security measures in Annex II are appropriate in relation to the risks associated with Customer’s intended Processing and will notify Company prior to any intended Processing for which Company’s security measures may not be appropriate.
5.3 Company will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. If Company’s notification is delayed, it will be accompanied by reasons for the delay.
6. Subprocessing
6.1 Customer hereby authorizes Company to engage Subprocessors. Company maintains a current list of its Subprocessors at trust.meow.com/?tab=subprocessors, which Company updates from time to time, as further described in Annex III.
6.2 Company will enter into a written agreement with Subprocessors which imposes the same obligations as required by Data Protection Law.
6.3 Company will notify Customer prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Company’s notification of the intended change. Customer and Company will work together in good faith to address Customer’s objection. If Company chooses to retain the Subprocessor, Company will inform Customer at least thirty (30) days before authorizing the Subprocessor to Process Customer Personal Data, and either party may immediately discontinue providing or using the relevant parts of the Services, as applicable, and may terminate the relevant parts of the Services within thirty (30) days.
7. Assistance
7.1 Taking into account the nature of the Processing, and the information available to Company, Company will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfillment of Customer’s own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.
7.2 Company may charge a reasonable fee for assistance under this Section 7. If Company is at fault, Company and Customer shall each bear their own costs related to assistance.
8. Audit
8.1 Upon reasonable request, Company must make available to Customer all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested no more than once per year by Customer, and performed by an independent auditor as agreed upon by Customer and Company. The foregoing shall only extend to those documents and facilities relevant and material to the Processing of Customer Personal Data and shall be conducted during normal business hours and in a manner that causes minimal disruption.
8.2 Company will inform Customer if Company believes that Customer’s instruction under Section 8.1 infringes Data Protection Law. Company may suspend the audit or inspection or withhold requested information until Customer has modified or confirmed the lawfulness of the instructions in writing.
8.3 Company and Customer each bear their own costs related to an audit.
9. International Data Transfers
9.1 Customer hereby authorizes Company to perform International Data Transfers to any country deemed to have an adequate level of data protection by the European Commission or the competent authorities, as appropriate; on the basis of adequate safeguards in accordance with Data Protection Law; or pursuant to the SCCs and the UK Addendum referred to in Sections 9.2 and 9.3.
9.2 By signing this DPA, Company and Customer conclude Module 2 (controller-to-processor) of the SCCs and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, which are hereby incorporated and completed as follows: the "data exporter" is Customer; the "data importer" is Company; the optional docking clause in Clause 7 is implemented; Option 2 of Clause 9(a) is implemented and the time period therein is specified in Section 6.3 above; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the Courts of Dublin, Ireland; Annex I and II to Module 2 and 3 of the SCCs are Annex I and II to this DPA respectively. For International Data Transfers from Switzerland: (i) Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland and (ii) the SCCs cover Personal Data pertaining to legal entities until the entry into force of the revised Swiss Federal Act on Data Protection of 2020.
9.3 By signing this DPA, Company and Customer conclude the UK Addendum, which is hereby incorporated and applies to International Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the "Exporter" is Customer and the "Importer" is Company, their details are set forth in this DPA, and the Agreement; (ii) in Table 2, the first option is selected and the "Approved EU SCCs" are the SCCs referred to in Section 9.2 of this DPA; (iii) in Table 3, Annexes 1 (A and B) and II to the "Approved EU SCCs" are Annex I and II respectively; and (iv) in Table 4, both the "Importer" and the "Exporter" can terminate the UK Addendum.
9.4 If Company’s compliance with Data Protection Law applicable to International Data Transfers is affected by circumstances outside of Company’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Customer and Company will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative standard contractual clauses or UK standard contractual clauses are approved by Supervisory Authorities, Company reserves the right to amend the Agreement and this DPA by adding to or replacing, the standard contractual clauses or UK standard contractual clauses that form part of it at the date of signature in order to ensure continued compliance with Data Protection Law.
10. Liability
10.1 Where Company has paid compensation, damages or fines, Company is entitled to claim back from Customer that part of the compensation, damages or fines, corresponding to Customer’s part of responsibility for the compensation, damages or fines.
11. Termination and return or deletion
11.1 This DPA is terminated upon the termination of the Agreement.
11.2 Customer may request return of Customer Personal Data up to ninety (90) days after termination of the Agreement. Unless required or permitted by applicable law, Company will delete all remaining copies of Customer Personal Data within one hundred eighty (180) days after returning Customer Personal Data to Customer.
12. Applicable law and jurisdiction
12.1 This DPA is governed by the laws of the State of Florida, United States. Any disputes relating to this DPA will be subject to the exclusive jurisdiction of the state courts and federal courts located within Miami-Dade County, Florida, United States.
13. Modification of this DPA
13.1 This DPA may only be modified by a written amendment signed by both Company and Customer.
14. Invalidity and severability
14.1 If any provision of this DPA is found by any court or administrative body of a competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
15. California Consumer Privacy Act Addendum (CCPA/CPRA)
15.1 This Section 15 applies to the extent Company Processes Personal Information of California residents on behalf of Customer that is subject to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations ("CCPA"). For the Processing of such Personal Information, Customer is the "Business" and Company acts as a "Service Provider". In the event of a conflict between this Section 15 and the remainder of this DPA with respect to such Personal Information, this Section 15 controls.
15.2 The terms "Business", "Business Purpose", "Consumer", "Contractor", "Deidentified", "Personal Information", "Sell", "Service Provider", "Share", and "Sensitive Personal Information" have the meanings given to them in the CCPA.
15.3 Company will Process Personal Information solely on behalf of Customer and only for the limited and specified Business Purposes of operating and providing the Services described in the Agreement, including account onboarding and identity verification, processing and settling payments and transactions, providing and maintaining the features and functionality of the Services, providing customer support, securing the Services and detecting and preventing fraud, and complying with applicable legal and regulatory obligations. Company will not retain, use, or disclose Personal Information for any purpose other than those Business Purposes, except as otherwise permitted by the CCPA.
15.4 Company will not Sell or Share Personal Information.
15.5 Company will not retain, use, or disclose Personal Information outside the direct business relationship between Company and Customer, except where permitted by the CCPA.
15.6 Company will not combine Personal Information received from, or on behalf of, Customer with Personal Information that Company receives from, or on behalf of, another person, or collects from its own interaction with the Consumer, except as permitted by the CCPA.
15.7 Company will limit its collection, use, and retention of Personal Information to what is reasonably necessary and proportionate to achieve the Business Purposes.
15.8 Company will Process Sensitive Personal Information only as necessary to perform the Services and consistent with any limitations a Consumer has directed under the CCPA.
15.9 Taking into account the nature of the Processing, Company will provide reasonable assistance to enable Customer to respond to verifiable Consumer requests to know or access, delete, correct, opt out of the Sale or Sharing of Personal Information, and limit the use of Sensitive Personal Information. If Company receives such a request directly from a Consumer relating to Customer’s Personal Information, Company will, unless prohibited by law, promptly inform the Consumer to submit the request to Customer or forward the request to Customer.
15.10 To the extent applicable to the Services, Company will reasonably cooperate with Customer to honor opt-out preference signals, including the Global Privacy Control (GPC).
15.11 Company will reasonably assist Customer in verifying the identity of a Consumer making a request before any responsive action is taken.
15.12 Company may engage Subprocessors as Service Providers or Contractors and will impose on them, by written contract, the same obligations and restrictions that apply to Company under this Section 15 and that the CCPA requires of service providers and contractors.
15.13 Company certifies that it understands the restrictions set out in this Section 15 and will comply with them.
15.14 Company will notify Customer without undue delay if it determines that it can no longer meet its obligations under the CCPA. Customer may, upon reasonable notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.
15.15 Where Company Processes Deidentified data, Company will take reasonable measures to ensure the information cannot be associated with a Consumer or household, will publicly commit to maintain and use it in deidentified form and not attempt to reidentify it, and will contractually obligate any recipients to comply with the CCPA.
15.16 Company will comply with all applicable requirements of the CCPA, including by providing the same level of privacy protection to Personal Information as is required of Customer as a Business under the CCPA.
15.17 Customer has the right to take reasonable and appropriate steps to ensure that Company Processes Personal Information in a manner consistent with Customer’s obligations under the CCPA, including, where appropriate, through assessments, audits, or other technical and operational testing of Company’s relevant systems and processes.
| Company | Customer |
| --- | --- |
| Name: Meow Technologies, Inc. | Name: As specified in the Agreement |
| Contact details including email address: support@meow.com | Job title, contact details including email address: As specified in the Agreement |
| Address: 1504 Bay Rd Apt 2503 Miami Beach, FL, 33139 | Address: As specified in the Agreement |
| Signature: The parties agree that the execution of the Agreement shall constitute execution of this DPA and its Annexes, as applicable. | Signature: The parties agree that the execution of the Agreement shall constitute execution of this DPA and its Annexes, as applicable. |
| Date: As specified in the Agreement | Date: As specified in the Agreement |
ANNEX I
DESCRIPTION OF THE TRANSFER
A. LIST OF PARTIES
Data exporter:
- Name: Customer (as defined above)
- Address: See signature page above.
- Contact person’s name, position and contact details: See signature page above.
- Activities relevant to the data transferred under these Clauses: Customer receives Company’s services as described in the Agreement and Customer provides Personal Data to Company in that context.
- Signature and date: See signature page above.
- Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller
Data importer:
- Name: Company (as defined above)
- Address: See signature page above.
- Contact person’s name, position and contact details: See signature page above.
- Activities relevant to the data transferred under these Clauses: Company provides its services to Customer as described in the Agreement and Processes Personal Data on behalf of Customer in that context.
- Signature and date: See signature page above.
- Role (controller/processor): Processor on behalf of Customer, or Subprocessor on behalf of Third-Party Controller
B. DESCRIPTION OF INTERNATIONAL DATA TRANSFER
- Categories of Data Subjects whose Personal Data is transferred:
| # | Category of Data Subjects |
| --- | --- |
| 1 | Customer’s customers or end-users |
| 2 | Customer’s personnel, staff and contractors |
- Categories of Personal Data transferred:
| # | Category of Personal Data |
| --- | --- |
| 1 | Professional contact details |
| 2 | Identification information such as government ID or passport |
| 3 | Other information required to open or maintain an account with MTI |
- Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
| # | Category of Sensitive Data | Applied restrictions or safeguards |
| --- | --- | --- |
| 1 | Biometric Data when needed to open or maintain an account with MTI | Sensitive data is pseudonymized |
- The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): On a continuous basis.
- Nature of the processing: The Personal Data will be processed and transferred as described in the Agreement.
- Purpose(s) of the data transfer and further processing: The Personal Data will be transferred and further processed for the provision of the Services as described in the Agreement.
- The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
- For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
- The competent authority for the Processing of Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority a) of Customer’s country of establishment, or, where not applicable, b) of the country where Customer’s EU data protection representative is located, or, where not applicable, c) of one of the EEA countries where the Data Subjects are located.
- The competent authority for the Processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
- The competent authority for the Processing of Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Company will, at a minimum, implement the following types of security measures:
1. The technical and organizational security measures described on MTI’s trust center, available at: trust.meow.com
2. The continuously-updated controls and security report maintained on MTI’s trust center, available at: trust.meow.com
ANNEX III
List of Subprocessors
Customer authorizes Company to engage the Subprocessors set out on Company’s current list of Subprocessors, maintained at trust.meow.com/?tab=subprocessors, as that list is updated from time to time in accordance with Section 6 of this DPA.