Legal

Sub-processors

Meridian engages the following third-party sub-processors to deliver and maintain our services. Each sub-processor is vetted for security, compliance, and data handling practices. Where applicable, data processing agreements (DPAs) are in place.

Last updated: May 26, 2026

Provider

Purpose

Region

DPA

Provider: Vercel

Purpose: Hosting, edge compute, and serverless functions. Processes request logs, IP addresses, and deployment metadata to serve the Meridian dashboard and API routes.

Region: Global (US East, US West, EU West, Asia-Pacific)

DPA: View DPA

Provider: Azure OpenAI

Purpose: AI inference provider for Meridian's assistant features. Prompts and responses are transmitted for model inference; data is not used for model training.

Region: US East, Sweden Central

DPA: View DPA

Provider: Cloudflare

Purpose: DNS, CDN, and DDoS mitigation. Processes DNS queries and HTTP request metadata at the edge to accelerate delivery and protect infrastructure.

Region: Global (200+ data centers)

DPA: View DPA

Provider: Resend

Purpose: Transactional email delivery for license keys, payment receipts, and account notifications. Processes recipient email addresses and message content.

Region: US East

DPA: View DPA

Provider: SellAuth

Purpose: Payment processing and order fulfillment. Processes billing details, transaction amounts, and license generation requests for Meridian purchases.

Region: US East

DPA: View DPA

Provider: Upstash

Purpose: Serverless Redis for session state, rate limiting, and feature flags. Processes ephemeral session tokens and usage counters; no persistent PII stored.

Region: US East, EU West

DPA: View DPA

Updates

We will notify customers of any changes to this list at least 30 days before a new sub-processor begins processing personal data. Objections may be raised by contacting privacy@getnimbus.net.