Data Processing Addendum
Effective Date: February 16, 2026 | Version 1.0
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Llewellyn Systems, LLC, a subsidiary of Sound of Life Media, Inc. (“Processor”) and the entity agreeing to these terms (“Controller”). This DPA applies where Processor processes Personal Data on behalf of Controller in connection with odeMERIDIAN services.
1. Definitions
- “Data Protection Laws” means GDPR, UK GDPR, CCPA/CPRA, LGPD, PIPEDA, PDPA, Privacy Act 1988, POPIA, and all other applicable data protection legislation.
- “Personal Data” means any information relating to an identified or identifiable natural person processed under this DPA.
- “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- “Data Subject” means the individual to whom Personal Data relates.
- “Subprocessor” means any third party engaged by Processor to process Personal Data.
- “Standard Contractual Clauses” or “SCCs” means the contractual clauses approved by the European Commission for international data transfers.
2. Scope and Roles
2.1 Controller Role. Controller determines the purposes and means of Processing Personal Data. Controller is responsible for ensuring lawful bases for Processing and compliance with Data Protection Laws.
2.2 Processor Role. Processor processes Personal Data only on behalf of and in accordance with Controller's documented instructions. Processor shall not process Personal Data for any purpose other than providing the Services.
3. Processor Obligations
Processor shall:
- Process Personal Data only on documented instructions from Controller, unless required by law
- Ensure personnel authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist Controller in responding to Data Subject requests
- Assist Controller with data protection impact assessments where required
- Delete or return Personal Data upon termination, at Controller's election
- Make available information necessary to demonstrate compliance and allow for audits
- Notify Controller without undue delay upon becoming aware of a Personal Data breach
4. Subprocessors
4.1 Authorization. Controller provides general authorization for Processor to engage Subprocessors for the provision of the Services.
4.2 Notice. Processor shall notify Controller at least 30 days before engaging new Subprocessors. Controller may object to new Subprocessors on reasonable grounds.
4.3 Subprocessor Agreements. Processor shall ensure Subprocessors are bound by data protection obligations no less protective than those in this DPA.
5. Security Measures
Processor implements the following technical and organizational measures:
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Access Control: Role-based access control (RBAC), multi-factor authentication, least privilege principle
- Network Security: Firewalls, intrusion detection, DDoS protection
- Business Continuity: Regular backups, disaster recovery procedures
6. International Data Transfers
Where Personal Data is transferred outside the European Economic Area, United Kingdom, or other jurisdictions with transfer restrictions, Processor shall ensure transfers comply with applicable Data Protection Laws, including execution of Standard Contractual Clauses (Module 2: Controller to Processor), UK International Data Transfer Agreement (IDTA), and supplementary security measures.
7. Data Breach Notification
Processor shall notify Controller within 48 hours of becoming aware of any Personal Data breach. Notification shall include: (a) nature of the breach; (b) categories and approximate number of affected Data Subjects; (c) likely consequences; and (d) measures taken or proposed to mitigate the breach.
8. Audits
Controller may audit Processor's compliance with this DPA upon 30 days' written notice, no more than once per year. Processor shall cooperate with such audits and provide relevant information.
9. Data Retention and Deletion
Upon termination of the Agreement, Processor shall, at Controller's election, return or delete all Personal Data within 30 days. Controller may request data export prior to deletion.
10. CCPA/CPRA Terms
For purposes of the California Consumer Privacy Act and California Privacy Rights Act, Processor is a “Service Provider.” Processor shall not sell or share Personal Information, retain or use Personal Information for purposes other than providing the Services, or combine Personal Information with data from other sources except as permitted by CCPA/CPRA.
11. Contact
Llewellyn Systems, LLC — A subsidiary of Sound of Life Media, Inc.
2601 Blanding Ave, Ste C248, Alameda, CA 94501
DPO: dpo@llewellynsystems.com
Privacy: privacy@llewellynsystems.com