Legal / Compliance

Data processing agreement

When you use Meridian to route prompts through our LLM gateway, you remain the controller of any personal data inside those prompts and Meridian acts as your processor. This page summarizes how our standard DPA works, what we process, and how to countersign one for your account.

1. Scope and roles

The DPA covers every API call made with a key issued under your workspace, including chat completions, embeddings, image generation, and any future model classes routed through api.getnimbus.net. You are the data controller. Meridian is the processor. Upstream model vendors (Azure OpenAI, Anthropic, Google) are sub-processors and are listed inside the executed DPA appendix, updated on 30 days' notice.

2. What we process

We process the prompt body, completion text, request metadata (timestamp, model id, token counts, latency), and the workspace owner email. We do not log request bodies on the zero-retention tier and we never train models on your data. Retention defaults to 30 days for billing reconciliation; on the enterprise tier you can drop it to zero or pin it to your own S3 bucket.

3. Executing the DPA

Send a request to legal@getnimbus.net with your legal entity name, jurisdiction, and signatory. We return a countersigned PDF within two business days. If you need our standard template sight unseen, the curl command below pulls the latest version:

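# Pull the current Meridian DPA template
# --fail makes curl exit non-zero on an HTTP error instead of saving the error body as the PDF
curl -L --fail \
  -H "Accept: application/pdf" \
  -o meridian-dpa.pdf \
  https://api.getnimbus.net/v1/legal/dpa/template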

# Sign locally, then email back
mail -s "Countersigned DPA - ACME Inc" \
  -A meridian-dpa-signed.pdf \
  legal@getnimbus.net < cover.txt