Last updated May 12, 2025
This Data Processing Agreement is a component of the Agreement and subject to its terms which can be found at www.m3ter.com/docs. Capitalised terms in this Data Processing Agreement shall be construed in accordance with the Agreement unless expressly indicated otherwise. m3ter shall be entitled to amend this Data Processing Agreement from time to time in accordance with the provisions of the Agreement. Disputes arising under this Data Processing Agreement shall be resolved in accordance with the version of the Data Processing Agreement that was in force and effect at the time when the relevant dispute arose.
The Customer and m3ter are obliged to enter into a Data Protection Agreement pursuant to the Data Protection Laws where the Customer requires m3ter to Process Personal Data on behalf of the Customer pursuant to the provision of the Services. There are further documentary requirements relating to the Sub-Processing of Personal Data by a sub-contractor of m3ter and where m3ter Transfers any Personal Data outside of the United Kingdom.
In more detail:
m3ter UK Limited, one of the m3ter group of companies, is incorporated under the laws of England and Wales with a registered office in England. m3ter provides Services to Customers who operate and provide services in multiple jurisdictions around the world. In order to provide the Services, m3ter uses sub-contractors who also operate from multiple jurisdictions around the world.
m3ter’s provision of the Services involves Processing Data which, depending on the nature of the services provided by the relevant Customer to End-Customers, may involve the Processing of Personal Data. The multi-jurisdictional nature of the Transfers of Personal Data means that the Data Protection Laws will be applicable to Personal Data Processed pursuant to the Agreement. In order for the Customer to Process Personal Data lawfully pursuant to the Data Protection Laws it must have a lawful basis for doing so, which typically involves the Customer obtaining consent for such Processing from the relevant End-Customer.
In the event that m3ter is Processing Personal Data on behalf of a Customer pursuant to the provision of the Services, then m3ter will be acting as a Processor on behalf of the Customer. In order to comply with Data Protection Laws the Customer (as Controller of the relevant Personal Data) and m3ter (as Processor) must agree a Data Processing Agreement. The Data Processing Agreement contains various obligations including (a) that the Customer has a lawful basis for Processing the Personal Data; (b) that m3ter will comply with the Customer’s instructions in Processing the Personal Data; (c) that m3ter will utilise technical and organisational measures with the intention of protecting the security and integrity of the Personal Data; and (d) that m3ter will provide assistance to the Customer to enable the Customer to comply with the Data Protection Laws including, without limitation, in respect of Data Subject Requests and audits.
In this Data Processing Agreement:
Applicable Law | means the following to the extent forming part of the law of United Kingdom (or a part of the United Kingdom) or part of any territory which is applicable and binding on either party or the Services (including, without limitation, the EEA): (a) any law, statute, regulation, byelaw or subordinate legislation in force from time to time; (b) the common law and laws of equity as applicable to the parties from time to time; (c) any binding court order, judgement, or decree; or (d) any applicable direction, policy, rule or order made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business. |
Agreement | is construed in accordance with the definition set out in the Terms of Service agreed by the Parties. |
Controller | has the meaning given to that term in Data Protection Laws. |
Data Processing Agreement | means this Data Processing Agreement including the Schedules annexed hereto which forms a schedule to the Master Services Agreement. |
Data Protection Laws | means all national, federal, state, provincial or local privacy, cybersecurity and data protection laws which by their nature apply to the provision or receipt of the Services purchased under the Relevant Contract, together with any implementing or supplemental rules and regulations, including to the extent applicable: (a) in the UK all applicable data protection and privacy legislation in force from time to time in the UK, including (i) the retained UK law version of the EU GDPR as defined in section 3(10) of the Data Protection Act 2018 and as supplemented by section 205(4) (the “UK GDPR”); (ii) the Data Protection Act 2018 and regulations made under it; (iii) the Privacy and Electronic Communications Regulations (SI 2003/2426), as amended; (b) in member states of the European Union, the General Data Protection Regulation (EU) 2016/679 (the “EU GDPR”) and the Privacy and Electronic Communications Directive (2002/58/EC) as updated by Directive 2009/136/EC and all relevant member state laws or regulations giving effect to or corresponding with any of them which relate to the protection of Personal Data, as amended; (c) any related mandatory guidance, guidelines, code of practice and approved codes of conduct guidance issued by a supervisory or competent authority. |
Data Protection Supervisory Authority | means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws. |
Data Subject | has the meaning given to that term in Data Protection Laws. |
Data Subject Request | means a request made by a Data Subject to exercise any rights of Data Subjects under Chapter III of the UK GDPR or the EU GDPR (as the case may be). |
International Recipient | means the organisations, bodies, persons and other recipients to which Transfers of Protected Data are prohibited under clause 6.1 without the Customer’s prior written authorisation. |
Lawful Safeguards | means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time. |
Onward Transfer | means a Transfer from one International Recipient to another International Recipient. |
Personal Data | has the meaning given to that term in Data Protection Laws. |
Personal Data Breach | means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Data. |
Processing | has the meaning given to that term in Data Protection Laws (and related terms such as Process, Processes and Processed have corresponding meanings). |
Processor | has the meaning given to that term in Data Protection Laws. |
Restricted Transfer | means processing of Personal Data collected from the United Kingdom or European Economic Area (EEA) in a country outside the United Kingdom or EEA where the country in which the Personal Data is Processed or from which the Personal Data is accessed does not have an adequacy decision in its favour from the United Kingdom (for Personal Data collected from the United Kingdom) or from the European Commission (for Personal Data collected from the EEA). |
Standard Contractual Clauses or SCCs | means the Standard Contractual Clauses set out in the European Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679, as updated, amended, replaced or superseded from time to time by the European Commission. |
Sub-Processor | means a Processor engaged by m3ter or by any other Sub-Processor for carrying out Processing activities in respect of the Customer Data on behalf of the Customer. |
Transfer | bears the same meaning as the word ‘transfer’ in Article 44 of the EU GDPR and the UK GDPR. Related expressions such as Transfers and Transferring shall be construed accordingly. |
UK Addendum | means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 VERSION B1.0, which came into force on 21 March 2022. |
In this Data Processing Agreement:
(a) references to any Applicable Laws (including to the Data Protection Laws and each of them) and to terms defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law (including any new Data Protection Laws from time to time) and the equivalent terms defined in such Applicable Laws, once in force and applicable; and
(b) a reference to a law includes all subordinate legislation made under that law; and
(c) a capitalised term which is not defined in this Data Processing Agreement is construed in accordance with the definition set out in the Agreement.
The Parties agree and acknowledge that for the purposes of the Data Protection Laws:
and the provisions of the DPA shall be construed accordingly to enable compliance with Applicable Laws.
Each party shall Process Customer Data in compliance with:
(a) Applicable Laws; and
(b) the terms of this Data Processing Agreement.
The Customer shall ensure that its instructions to m3ter on the Processing of Customer Data are lawful.
M3ter shall process the Customer Data solely in accordance with the Customer’s lawful instructions and the terms of this Agreement.
M3ter shall treat the Customer Data as the Customer’s confidential information.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, m3ter shall implement appropriate technical and organisational measures in relation to the Processing of Customer Data by m3ter to ensure a level of security appropriate to the risk, including inter alia as appropriate:
the pseudonymisation and encryption of Personal Data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Such measures include (but are not limited to) the measures as set out in Schedule 2.
M3ter shall ensure that:
M3ter will take reasonable steps to ensure the reliability, integrity and trustworthiness of, and will conduct reasonable and appropriate background checks consistent with applicable domestic law, on all M3ter’s personnel who have access to the Customer Data.
The Customer authorises the appointment of the Sub-Processors set forth on Schedule 5.
M3ter shall notify the Customer if it changes its Sub-Processors at least thirty (30) calendar days in advance of any such changes.
The Customer may object in writing to m3ter’s appointment of a new Sub-Processor by notifying m3ter promptly in writing within ten (10) calendar days of notice of the change. Customer’s notification shall explain the reasonable grounds relating to data protection for the objection. The parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If the parties are not able to reach resolution, m3ter will, at its sole discretion, either not appoint the new Sub-Processor, or permit Customer (as Customer’s sole and exclusive remedy) to terminate the Agreement and this Data Processing Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
m3ter shall:
prior to the relevant Sub-Processor carrying out any Processing activities in respect of the Customer Data, ensure each Sub-Processor is appointed under a written contract containing materially the same obligations as set out in this Data Processing Agreement (including, without limitation, those obligations relating to sufficient guarantees to implement appropriate technical and organisational measures) that is enforceable by m3ter;
ensure each such Sub-Processor complies with all such obligations; and
remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.
m3ter shall ensure that all persons authorised by it (or by any Sub-Processor) to Process Customer Data are subject to a binding written contractual obligation to keep the Customer Data confidential (except where disclosure is required in accordance with Applicable Law, in which case m3ter shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such requirement before such disclosure and fully cooperate with Customer, at Customer’s expense, in seeking a protective order, or confidential treatment, or taking other measures to oppose or limit such disclosure).
m3ter shall provide such assistance as the Customer reasonably requires (taking into account the nature of Processing and the information available to m3ter) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:
Data Subject Requests;
security of Processing;
data protection impact assessments (as such term is defined in Data Protection Laws);
prior consultation with a Data Protection Supervisory Authority regarding high-risk Processing; and
notifications to the Data Protection Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach.
If any such Data Subject Request is made to m3ter directly, m3ter shall notify Customer and m3ter shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If m3ter is required to respond to such a request, m3ter shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
Subject to clause 6.2, m3ter shall not Transfer (nor permit any Onward Transfer of) any Customer Data:
to any country or territory outside the United Kingdom and/or EEA; and/or
to an organisation and/or its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries,
without the Customer’s prior written authorisation except where required by Applicable Law.
The Customer hereby authorises m3ter (or any Sub-Processor) to Transfer Customer Data for the purposes referred to in Schedule 1 in accordance with that Schedule, provided all Transfers of Customer Data by m3ter to an International Recipient (including any Onward Transfer) shall:
be effected by way of the Lawful Safeguards referred to in clause 6.3 and in accordance with this Agreement; and
be made pursuant to a written contract, including equivalent obligations on each Sub-Processor in respect of Transfers to International Recipients as apply to m3ter under any of this clause 6.
The provisions of this Agreement shall constitute the Customer’s instructions with respect to Transfers of Customer Data to International Recipients for the purposes of this Data Processing Agreement.
The Lawful Safeguards employed by m3ter in connection with this Data Processing Agreement shall be as set out in Schedule 3.
m3ter shall maintain, in accordance with Data Protection Laws binding on m3ter, written records of all categories of Processing activities carried out on behalf of the Customer.
m3ter shall, in accordance with Data Protection Laws make available to the Customer such information as is reasonably necessary to demonstrate m3ter’s compliance with its obligations under Article 28 of the UK GDPR, and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose, subject to the Customer:
giving m3ter reasonable prior notice of such information request, audit and/or inspection being required by the Customer;
ensuring that all information obtained or generated by the Customer or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to a Data Protection Supervisory Authority or as otherwise required by Applicable Law);
hereby agreeing that to the extent consistent with the generality of m3ter’s obligations set out above in this clause, m3ter shall be entitled to withhold information where it is commercially sensitive or confidential to it or its other customers;
ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to m3ter’s business and the business of any customers of m3ter; and
In respect of any Personal Data Breach, m3ter shall, without undue delay:
notify the Customer of the Personal Data Breach, which shall include a summary of the known circumstances of the Personal Data Breach and the corrective action taken or to be taken by m3ter;
conduct an investigation of the circumstances of the Personal Data Breach;
use commercially reasonable efforts to mitigate the effects of the Personal Data Breach; and
reasonably cooperate with Customer concerning its responses to the Personal Data Breach.
M3ter shall implement and maintain, at its cost and expense, technical and organisational measures in relation to the Processing, to assist the Customer insofar as is possible in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Customer Data.
Clauses 1 to 8 (inclusive) shall survive expiry or termination (for any reason) of this Data Processing Agreement and continue until no Customer Data remains in the possession or control of m3ter or any Sub-Processor. The termination or expiry of such clauses shall be without prejudice to any accrued rights or remedies of either party under any such clauses at the time of such termination or expiry.
Clauses 9 to 10 (inclusive) shall survive expiry or termination (for any reason) of this Data Processing Agreement and continue indefinitely.
m3ter may be contacted at dpo@m3ter.com.
Details of Data Protection Officer or equivalent contact | dpo@m3ter.com |
Subject-matter of processing | M3ter’s provision of the Services to the Customer |
Purpose of processing | To provide the m3ter Services. Specifically, this data is used to: (a) Identify the End Customers’ Account within the m3ter Service. For example, when an Authorised User views the list of End Customers in the m3ter service, they know which one relates to each End Customer; (b) To populate End Customer details in the End Customer invoice data generated by the m3ter service. |
Nature of processing | Ingress of this data via calls to the m3ter Account API. Storage of the data within the m3ter service against the relevant Account entity. Egress of the relevant Account entities via the m3ter APIs. |
Duration of processing | For the Service Term and until deleted in accordance with Schedule 4 |
Categories of Data Subjects | End Customers |
Categories of Personal Data | The names, email addresses and addresses of End Customers. Explicitly no special category Personal Data is permitted to be sent to m3ter. |
Additional Notes | The Customer is responsible for deciding which Personal Data to send to m3ter, for retrieving the Personal Data and deleting it where necessary. In the event that the Customer decides to use a m3ter Integration to synchronise Personal Data from one of the Customer’s source systems, it is the Customer’s responsibility to control which, if any, Personal Data is sent to m3ter by that m3ter Integration. The Customer must only provide Personal Data to m3ter for the purposes of identifying their End-Customers. This Personal Data should be kept to the minimum required for this purpose and must only be stored in m3ter End-Customer Account entities as further described in the Documentation available at www.m3ter.com/docs. The Customer is responsible for retrieving and deleting such Personal Data using the m3ter API. |
m3ter uses technical and organisational security measures designed to protect Customer Data Processed by m3ter against unauthorised access, disclosure, alteration, and destruction.
m3ter will develop and maintain a comprehensive security program including without limitation appropriate administrative, technical, organisational and physical security measures to protect the Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised access or disclosure. At a minimum, these measures will include encryption of data in transit and at rest, restricting access to the Customer Data to only employees who need access, implementing network security and access control, reasonable change management Processes and regular monitoring and testing of the effectiveness of system security.
m3ter will maintain written policies including without limitation, an information security policy, security and privacy guidelines, an internal acceptable use policy, and internal procedural documentation, and will provide the Customer with reasonable evidence of its policies and guidelines upon request.
m3ter will provide appropriate training to m3ter’s personnel in relation to security and handling of Customer Data and m3ter’s policies in respect of the same.
m3ter shall remain primarily liable for the actions of its employees in respect of Customer Data.
Without prejudice to the generality of the foregoing, m3ter will perform appropriate risk assessments and maintain appropriate organisation controls in respect of m3ter’s personnel.
Where Customer Data is stored with any Sub-Processors, access is only provided after appropriate due diligence. Sub-Processors have added additional layers of security to limit access to Customer Data stored in their cloud-based solutions and to permit safe and lawful data transfers, which m3ter will have assessed and reviewed prior to sending such Sub-Processor any Customer Data. These controls will include strict access restriction, encryption, two factor authentication and password protection, to prevent Customer Data from being accidentally lost or used or accessed unlawfully.
M3ter shall maintain SOC 2 Type II certification through the Service Term.
On an annual basis, m3ter shall have auditors conduct an examination, testing the effectiveness of the controls m3ter has implemented. m3ter shall, at its own expense, correct any control issue or deficiencies identified during the audit Process. Upon request from the Customer, m3ter will provide the Customer with a summary of the latest audit report produced on behalf of m3ter. Such information will be treated as m3ter’s Confidential Information.
APPLICABLE INTERNATIONAL TRANSFER DOCUMENT(S)
Where the Customer is the data exporter and M3ter is the data importer
Restricted Transfers under the EU Standard Contractual Clauses
Restricted Transfers made under the terms of the Module 2 of the EU Standard Contractual Clauses (with the Customer as data exporter and m3ter as data importer), which clauses are hereby incorporated by reference into this Data Processing Agreement and which shall come into effect upon the commencement of a Restricted Transfer. The parties make the following selections for the purposes of Module 2:
a) Clause 7 – Docking clause shall apply;
b) Clause 9 – Use of sub-processors: Option 2, general written authorisation, shall apply and the time period shall be 30 days;
c) Clause 11(a) – Redress: the optional language shall not apply;
d) Clause 13(a) – Supervision: The Supervisory Authority of the Republic of Ireland shall act as competent supervisory authority;
e) Clause 17 – Governing law: “Option 1” shall apply and the Member State shall be the Republic of Ireland;
f) Clause 18 – Choice of forum and jurisdiction shall be the Republic of Ireland;
g) Annex I – the Data Exporter is the Customer and the Data Importer is m3ter (in each case as identified, including in relation to their places of establishment, in this Addendum) and the processing operations are deemed to be those described in Schedule 1 of the Data Processing Agreement;
h) Annex II – see Technical and Organisational Measures in this Data Processing Agreement;
i) Annex III – see List of Sub-Processors in Schedule 5 of this Data Processing Agreement.
Restricted Transfer subject to the UK GDPR
The Parties hereby enter into the UK Addendum which is incorporated by reference into this Data Processing Agreement and which shall come into effect upon the commencement of any Restricted Transfer of Personal Data collected from Data Subjects in the United Kingdom. For Table 1 of the UK Addendum, the Data Exporter is the Customer and the Data Importer is the Customer (in each case as identified, including in relation to their places of establishment, in this Addendum). Table 2 shall be deemed to be prepopulated in accordance with the provisions selected for “Restricted Transfer subject to the EU GDPR” above. The Appendix Information of the UK IDTA shall be deemed to be prepopulated with the relevant information set out in this Data Processing Agreement.
Each party’s agreement and consent to this Data Processing Agreement shall be considered a signature to the Standard Contractual Clauses and/or the UK Addendum. If required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute the Standard Contractual Clauses and/or the UK Addendum as separate documents. In case of conflict between the Standard Contractual Clauses and/or the UK Addendum (as applicable), and this Data Processing Agreement, the Standard Contractual Clauses and/or the UK Addendum (as applicable) will prevail.
Where the Customer is the Data Exporter and a Sub-Processor is the Data Importer
The Customer shall enter into an appropriate agreement incorporating the provisions of the Standard Contractual Clauses.
The Customer shall retain and maintain all copies of the Customer Data that it needs for legal compliance or any other reason and shall not rely on m3ter for retention of such Customer Data.
During the Service Term, m3ter deletes the raw usage and cost Data you send to the m3ter API after 60 days, or as otherwise specified in the applicable Order Form.
Ingested Usage and Cost Measurements are available to the Customer via the Services during the Service Term until the earlier of (a) such date when the Customer deletes the Data via the m3ter API and (b) the data retention period specified in the paragraph below.
M3ter may retain copies of the Customer Data for up to 60 days after expiry or termination of the Service Term and shall permanently and irrevocably delete the Customer Data immediately thereafter save that m3ter’s whole Service backup may be retained for a further period that is consistent with m3ter’s then current SOC 2 Type II audit obligations. As of the Effective Date, the current maximum length of such backup being retained is no more than 35 days. m3ter may reasonably extend such backup retention timeline if required to by law, regulation or best practice, provided that m3ter shall promptly notify Customer prior to such extension. Upon request, m3ter shall certify in writing that it has complied with this paragraph.
The Sub-Processors currently engaged by Service Provider are as follows:
Name of Sub-Processor & DPO Details | Data Subject Type | Categories of Personal Data | Purpose of Processing | Countries where Processed | Valid Mechanism for Transfer |
---|---|---|---|---|---|
Amazon Web Services EMEA SARL https://aws.amazon.com/contact-us/compliance-support/ | End Customers | Name, email address, address | Provision of cloud computing services | USA | SCCs with Sub-processor |
ClickHouse, Inc. privacy@clickhouse.com | End Customers | Name, email address, address | Provision of cloud computing services | USA | SCCs with Sub-processor |
Workato, Inc. privacy@workato.com | End Customers | Name, email address, address | Provision of cloud computing services | USA | SCCs with Sub-processor |
Redcentric PLC data.protectionofficer@redcentricpc.com | Customers, End Customers | Name, email address | Provision of helpdesk services | UK, India | SCCs with Sub-processor |
Members of the m3ter Group that may process Personal Data pursuant to this Agreement
Name of Sub-processor & DPO Details | Data Subject Type | Categories of Personal Data | Purpose of Processing | Countries where Processed |
---|---|---|---|---|
M3ter UK Limited dpo@m3ter.com | End Customers | Name, email address, address | Provision of the m3ter Service | UK, USA |
M3ter US Services Inc. dpo@m3ter.com | End Customers | Name, email address, address | Provision of the m3ter Service | USA |
M3ter International Limited dpo@m3ter.com | End Customers | Name, email address, address | Provision of the m3ter Service | EEA |