LEARN MORE ABOUT METAROUTER

Data Processing Addendum

Data Processing Addendum

v. 2.2
Last updated: May 4, 2026

This Data Processing Addendum (“DPA”) is an agreement between MetaRouter and Customer, and supplements the MetaRouter Master Solution Agreement (“Agreement”). Capitalized terms not otherwise defined herein will have the meanings given to them in the Agreement. This DPA applies only to the extent that MetaRouter processes Personal Data for Customer as Customer’s processor or sub-processor. The MetaRouter Privacy Policy applies to Personal Data that MetaRouter processes for its own purposes, as the data controller.

Definitions

In this DPA, the following definitions apply:

“Data Protection Law”
means all applicable current data protection and privacy legislation to the extent binding on the parties, and as may be updated or amended from time to time, and which may include, without limitation, (i) the General Data Protection Regulation (EU 2016/679) (“EU GDPR”) and the UK GDPR, as that term is defined by section 3(10), and as supplemented by section 205(4)), of the UK Data Protection Act of 2018 (“UK GDPR”); (ii) any national implementing laws (including laws implementing the EU GDPR or UK GDPR), and associated regulations and secondary legislation; and (iii) any other applicable national, provincial, federal, state, and/or local legislation, including, without limitation, the California Consumer Privacy Act (“CCPA”), and any associated regulations and secondary legislation.
“Data Subject”
will have the meaning given to it in the Data Protection Law.
“EU Standard Contractual Clauses” or “EU SCCs”
means the annex found in the European Commission decision of 4 June 2021 on the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, specifically Module 2 and Module 3 (as applicable), and/or other standard contractual clauses adopted by the European Commission and entered into by the parties, from time to time.
“GDPR”
means the EU GDPR and/or UK GDPR, as applicable.
“Instructions”
has the meaning set forth in section 9.1 below.
“Standard Contractual Clauses” or “SCCs”
means the EU Standard Contractual Clauses and/or the UK Addendum, as applicable.
“Sub-processor”
means any data processor other than MetaRouter who have been instructed to process data on behalf of the Customer by MetaRouter.
“UK Addendum”
means the ICO’s UK Addendum to the EU Standard Contractual Clauses, as amended from time to time, and available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

Data Protection

  1. Both parties will comply with all applicable requirements of the Data Protection Law. This DPA is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Law.
  2. This DPA applies to Personal Data processed by MetaRouter for Customer, if any. In this context, MetaRouter may act as “processor” to Customer, who may act either as “controller” or “processor” (as those terms are defined in Data Protection Law) with respect to Personal Data. If Customer acts as a processor, Customer represents and warrants on an ongoing basis that the relevant controller has authorized the Instructions and Customer’s engagement of MetaRouter and its sub-processors. Customer will forward to the relevant controller promptly and without undue delay any notice provided by MetaRouter under this DPA.

  3. Details of Personal Data Processing (Annex 1 and Annex 2 to the EU SCCs and/or Appendix 1 Information for the UK Addendum, if and as applicable):

    Data Exporter: the Customer, as the party sending or responsible for Customer Content, some of which may contain Personal Data, to MetaRouter for MetaRouter’s processing in furtherance of provision of the MetaRouter Service.

    Data Importer: MetaRouter as a mere conduit / technical intermediary of Customer Content transmitted through the use of the MetaRouter Service, some of which, unbeknownst to MetaRouter, may contain Personal Data.

    Subject Matter: the subject matter of the data processing under this DPA is the data and content as described below.

    Purpose: the provision of the MetaRouter Service initiated by Customer from time to time.

    Nature of the Processing: provision of the MetaRouter Service as described in the Agreement and initiated by Customer from time to time.

    Categories of Data Subjects: the Data Subjects may include Customer’s (and its customers’) users, visitors, guests, employees and staff, as well as any other individual(s) identified or identifiable within Customer Content shared by such persons and/or any others whose Personal Data is captured in Customer Content.

    Description of Processing: in addition to Personal Data incidentally captured and processed as Customer Content in the MetaRouter Service (“Captured Personal Data”), MetaRouter collects and processes the following as a necessary step in providing the MetaRouter Service, all or some of which may or may not be personally identifying or identifiable information:

    • IP addresses
    • Authorized User login credentials
    • Other identifiers (refer to table below)

    Customer Content transmitted through the use of the MetaRouter Service may, unbeknownst to MetaRouter, contain Personal Data. MetaRouter does not determine purposes or means of processing of any Customer Content. Any such Personal Data is only incidentally and transiently transmitted through the Service and is not accessed, used, or processed by MetaRouter except to facilitate such transmission. MetaRouter does not act as a processor with respect to this incidental Personal Data, and such incidental transmission is expressly excluded from the scope of the DPA. Such Personal Data is held only for as long as needed to transmit it (except if and to the extent of such data the Customer elects to store, as data controller).

    Special Categories of Data: the parties do not anticipate or knowingly collect or process highly sensitive or special categories of data.

    Duration of Processing: during the term of the Customer’s subscription and for 90 days thereafter or as set forth in the table below.

    Processing Operations: as described in this DPA, including Annex 1.

  4. Customer will ensure and warrants that it has all necessary and appropriate consents, rights, authorizations, and notices, in any form required by Data Protection Law, in place to enable lawful transfer and processing of the Personal Data to MetaRouter for the duration and purposes of the Agreement. Customer will ensure that its instructions to MetaRouter regarding Customer Content comply with all applicable laws, including Data Protection Laws. Customer is solely responsible for the nature, accuracy, quality, and legality of all Customer Content, including any Personal Data, that Customer or its users submit to or transmit through the MetaRouter Service. MetaRouter has no obligation to monitor, validate, or verify Customer Content and will have no liability arising from Customer Content or Customer’s failure to comply with its obligations under this DPA. Customer acknowledges that the MetaRouter Service is not intended or designed for the processing of special categories of data or sensitive information (including as may be defined by applicable Data Protection Law), and Customer agrees not to enable the transmission of any such information or data through the MetaRouter Service. The parties agree that Personal Data processing is required as a part of MetaRouter’s provision of the MetaRouter Service, and that Personal Data is not exchanged for monetary or other valuable consideration.
  5. Customer will ensure and warrants that where Personal Data is transferred outside the European Economic Area (“EEA”), Switzerland, or outside the UK, as part of Customer’s use or deployment of the MetaRouter Service, adequate measures will be taken to ensure the Personal Data will be protected to an adequate level and the data subjects’ rights under the Data Protection Law will not be prejudiced by such a transfer. Subject to MetaRouter’s obligation in section 9.5 below with respect to MetaRouter sub-processors, and section 11 below with respect to the Standard Contractual Clauses if applicable, Customer acknowledges that Customer is solely responsible for ensuring that Personal Data is transferred out of the EEA, Switzerland, or the UK in full compliance with the Data Protection Law.
  6. Customer will ensure and warrants that Customer utilizes appropriate technical and organizational measures to ensure a level of security appropriate to such risks, including, as appropriate, the measures referred to in the Data Protection Law.
  7. Customer confirms that it has assessed any security measures in place at the time of this Agreement, and that it will continue to do so on an ongoing basis to ensure its obligations under this DPA. Customer is solely responsible (as between the parties) if such measures fail to meet the standards required by Data Protection Law.
  8. Customer undertakes and confirms that any information required to be provided to a Data Subject has been so provided or an applicable exemption is available and is being relied upon by the Customer.
  9. Customer will defend, indemnify, and hold harmless MetaRouter from and against any claims, damages, liabilities, penalties, or expenses arising from (a) Customer Content, including Personal Data submitted or transmitted by Customer or its users; or (b) Customer’s failure to comply with its obligations under this DPA or applicable Data Protection Laws. Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set forth in the Agreement, and any reference in the Agreement to the liability of a party means the aggregate liability of that party under and in connection with both the Agreement and this DPA. For the avoidance of doubt, MetaRouter’s total aggregate liability under both the Agreement and this DPA combined shall not exceed the liability cap set forth in the Agreement.

  10. MetaRouter will, in relation to any Personal Data processed in connection with the provision of the MetaRouter Service:

    10.1. process that Personal Data only on the written instructions of Customer in the form of (a) the Agreement (including this DPA), (b) Customer’s use of the MetaRouter Service including Customer’s preferences, settings and controls within the MetaRouter Service, (c) Customer’s use of MetaRouter features that incorporate AI Tools (as defined in the Agreement), provided, however, that Customer’s Personal Data shall not be used to train generalized AI models and MetaRouter does not engage in automated decision making or profiling, and (d) any other written instructions provided by Customer and acknowledged by MetaRouter as valid instructions with which MetaRouter agrees to comply (collectively the “Instructions”), except to the extent MetaRouter is required to process data by applicable law or if in MetaRouter’s opinion such Instructions infringe Data Protection Laws. In either case MetaRouter will notify Customer unless applicable law prohibits MetaRouter from so notifying Customer;

    10.2. not access or use, or disclose to any third party, any Personal Data, except, in each case, as necessary to maintain or provide the MetaRouter Service, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order);

    10.3. ensure that it has in place appropriate technical and organizational measures set forth in Annex 1 to this DPA designed to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;

    10.4. ensure that all MetaRouter personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;

    10.5. ensure that where Sub-processors are used outside the EEA, Switzerland, or the UK such that Personal Data is transferred outside the EEA, Switzerland, or the UK, and such transfer is not to a third country that the EU Commission considers to provide an adequate level of protection (in the case of transfers subject to EU GDPR) or that the UK Secretary of State considers to provide an adequate level of protection (in the case of transfers subject to UK GDPR) or that is recognized as ensuring adequate protection under applicable Swiss law (in the case of transfers subject to Swiss data protection law), adequate measures will be taken to ensure the Personal Data will be protected to an adequate level (including without limitation use of the SCCs) and the Data Subjects’ rights under the Data Protection Law will not be prejudiced by such a transfer;

    10.6. maintain general records of processing activities carried out on behalf of Customer as required by Data Protection Law;

    10.7. taking into account the nature of the processing, insofar as reasonable and practicable, assist the Customer in responding to any request from a Data Subject and in ensuring compliance with its obligations under Data Protection Law with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators, provided, however, that MetaRouter may charge Customer reasonable fees beyond a de minimis threshold of assistance;

    10.8. notify Customer without undue delay after confirming an actual Personal Data security incident. MetaRouter is not obligated to report unsuccessful incidents or incidents that result in no unlawful or accidental destruction, loss, alteration, disclosure of, or unauthorized access to Personal Data or any of MetaRouter’s equipment or facilities storing Personal Data. Such non-reportable incidents may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers), or similar incidents. MetaRouter’s obligation to report or respond to a security incident under this section is not and will not be construed as an acknowledgement by MetaRouter of any fault or liability of MetaRouter with respect to the incident. MetaRouter has no obligation to assess or inspect data in order to identify information subject to any specific legal requirements;

    10.9. make available to Customer all information reasonably necessary to demonstrate compliance with the obligations in this section 10 and, subject to section 15, to permit Customer-initiated audits and inspections (including those described in the SCCs), no more than once per calendar year at Customer’s sole expense (including a reasonable fee charged by MetaRouter), to confirm compliance with this DPA and Data Protections Laws, on mutually agreed terms regarding the third party auditor (if any), confidentiality, timing, duration, and scope of such audits; and

    10.10. at the written direction of Customer, delete Personal Data to the extent MetaRouter is capable of doing so via its standard retrieval and delete mechanism, unless required by applicable law to store the Personal Data.

  11. MetaRouter’s obligations under section 10 apply solely to Personal Data within MetaRouter’s systems and reasonable control, including within the MetaRouter-hosted Environment (as defined in the SLA). MetaRouter shall have no obligation or liability under section 10 with respect to: (a) Customer-hosted Environments or systems not managed by MetaRouter; (b) Customer-selected data destinations or third-party applications; (c) Customer Content that Customer transmits through the MetaRouter Service in violation of section 4 of this DPA; or (d) Personal Data security incidents caused by Customer’s acts, omissions, and/or security failures.
  12. Customer will immediately notify MetaRouter if any necessary appropriate consents and notices required to enable lawful transfer of Personal Data to MetaRouter for the duration and purposes of this Agreement have been breached, terminated, withdrawn, or are otherwise no longer valid.
  13. The parties agree that (a) the EU SCCs apply if Personal Data from the EEA and/or Switzerland is transferred via use of the MetaRouter Service to MetaRouter in a country that is outside of the EEA or Switzerland, and such transfer is not to a third country that the EU Commission or the Swiss data protection authority considers to provide an adequate level of protection, and (b) the UK Addendum applies if Personal Data from the UK is transferred via use of the MetaRouter Service to MetaRouter in a country that is outside of the UK, and such transfer is not to a country that the UK Secretary of State considers to provide an adequate level of protection (such outbound transfers of Personal Data from the EU, Switzerland, or the UK, each an “EU/UK Outbound Transfer”). If no EU/UK Outbound Transfer occurs, the SCCs and this section 13 will not apply. As used in this section, the terms “Data Importer” and “Data Exporter” will have the meanings given to them in the Standard Contractual Clauses. The parties acknowledge that for the purposes of the Standard Contractual Clauses, MetaRouter is acting in the capacity of a Data Importer and Customer is the Data Exporter (notwithstanding that Customer may be located outside of the EEA/Switzerland/UK or is acting as a processor on behalf of third-party controllers). Each party will comply with the applicable obligations of the Standard Contractual Clauses in their respective roles as Data Exporter and Data Importer. The data subjects, categories of data, and processing operations (as required to be disclosed in Appendix 1 of the Standard Contractual Clauses) are as set forth in this DPA. Annex 1 to this DPA details the technical and security measures MetaRouter has implemented, as required to be disclosed in Appendix 2 of the Standard Contractual Clauses.
  14. The parties further agree that for all EU/UK Outbound Transfers, the governing law of the Standard Contractual Clauses entered into by MetaRouter and the Customer will be: (a) the laws of Ireland, if the Customer is located in the EEA or Switzerland, or (b) the laws of the UK, if the Customer is located in the UK. If any inconsistency arises between this section 14 and any other provision for the governing law of the Standard Contractual Clauses entered into between Customer and MetaRouter, this section 14 will take precedence.
  15. In the event of any conflict between this DPA and the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will prevail. In the event of any conflict between this DPA and the UK Addendum, the UK Addendum will prevail.
  16. Customer acknowledges and agrees that it shall exercise its audit rights under this DPA (including where applicable, the Standard Contractual Clauses) and any audit rights granted by Data Protection Law, by instructing MetaRouter to comply with the audit measures described in Annex 1 to this DPA, and if such measures fail to adequately confirm compliance as the parties may mutually agree, as stipulated in section 10.9 above.

  17. MetaRouter represents and warrants that it has not received any order, request or other communication from a governmental body for the disclosure of Personal Data and it shall:

    17.1. if it receives such order, request or other communication, attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, MetaRouter may provide Customer’s basic contact information to the relevant body. If compelled to disclose Personal Data to a governmental body, then MetaRouter will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless MetaRouter is legally prohibited from doing so;

    17.2. publish a transparency report or provide information to Customer on request regarding: (a) the number of orders, requests or other communications from governmental bodies for the disclosure of Personal Data and/or assistance in surveillance processes and the type of information requested, (b) its responses to the foregoing, and (c) its process for challenging such confidential and non-confidential orders, requests and communications; and

    17.3. notify Customer if its ability to maintain the confidentiality and security of Personal Data has been compromised for any reason including by orders, requests or communications described above, and cease processing, including receiving such Personal Data.

  18. Customer agrees that MetaRouter may use Sub-processors (including Google Cloud, Amazon Web Services and/or Microsoft Azure) to fulfill its contractual obligations under this DPA or to provide certain services on its behalf, such as providing support services, and consents to the use of Sub-processors as described in this section. The MetaRouter website (currently posted at https://metarouter.io/sub-processors; such webpage constitutes Annex III/Appendix 3 to the Standard Contractual Clauses if and as applicable) lists Sub-processors that are currently engaged by MetaRouter to deliver the MetaRouter Service. At least 10 business days before MetaRouter engages any new Sub-processor to carry out processing activities on Personal Data on behalf of Customer, MetaRouter will endeavor to provide Customer notice of that update as per the means specified for notices in the Agreement. If Customer objects to a new Sub-processor, Customer must notify MetaRouter in writing within ten days of Customer’s notice of the change (without prejudice to any termination rights Customer has under the Agreement), after which time Customer shall be deemed to have consented to the new sub-processor’s appointment in the absence of any such Customer notice. If Customer objects to a new Sub-processor, MetaRouter may either, in its sole discretion: (a) propose an alternative Sub-processor or remain with the current Sub-processor; or (b) refrain from the use of any Sub-processor. MetaRouter shall not be liable for any Personal Data security incident or processing failure by or on behalf of a Sub-processor.
  19. MetaRouter may propose revisions to this DPA by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an approved code of conduct or applicable certification scheme (which will apply when replaced by attachment to this Agreement). Customer and MetaRouter will negotiate such changes in good faith as soon as reasonably practicable. The parties agree that if any new versions or revisions to the EU SCCs are approved by the European Commission, or if any new versions or revisions to the UK Addendum is adopted by the UK, such that the implementation of the Standard Contractual Clauses in this DPA and/or UK Addendum no longer applies or is no longer appropriate, the parties shall work together to enter into the new SCCs as applicable as soon as reasonably practicable.
  20. Where the EU SCCs apply to transfers of Personal Data governed by this DPA, the following options shall be deemed to be selected and incorporated, each clause reference in this section being a reference to a clause in the EU SCCs: (a) Clause 7 shall not apply; (b) at Clause 9, option 2 shall apply for both Module 2 and Module 3; and (c) at Clause 11, the optional redress mechanism shall not apply.
  21. California Consumer Privacy Act (CCPA) Notice: as a “Service Provider” (as that term is defined in the CCPA), MetaRouter will process California Personal Data that is subject to the CCPA strictly for the purpose of providing to Customer the solutions and services described in the Agreement, or as otherwise permitted by the CCPA, and shall not retain, use, or disclose such data for any other purpose, or sell or share California Personal Data, except as permitted by the CCPA. Further, MetaRouter does not sell, share, or commercialize Personal Data under any U.S. state privacy law.
  22. Customer agrees not to process any HIPAA Data via the MetaRouter Service unless Customer has entered into a Business Associate Agreement (“BAA”) with MetaRouter. Unless a BAA is in place, MetaRouter will have no liability under this Agreement for HIPAA Data. “HIPAA Data” means any patient, medical or other protected health information regulated by US HIPAA or any similar US federal or state laws, rules or regulation.

  23. Where the UK Addendum applies to transfers of Personal Data governed by this DPA, the parties agree that:

    (a) the UK Addendum shall be populated by reference to this DPA and its Annex and that any changes in formatting (including for the avoidance of doubt with respect to Part 1: Tables) will not adversely affect the validity of the DPA or the compliance with Data Protection Law of any international transfers of Personal Data made thereunder;

    (b) any formatting changes do not reduce the standard of Appropriate Safeguards (as defined in the UK Addendum) provided; and

    (c) without prejudice to any of the rights and remedies under the Agreement, pursuant to Section 19 of the UK Addendum, neither party shall be entitled to terminate the UK Addendum.

Table of Categories of Personal Data Processed

Any of the following if and to the extent satisfying the definition of Personal Data:

Data Type Description Retention Length
Customer User Behavior Data and Debug Data Individual customer defined user behavior data and contextual data sent to the platform by the customer. Includes identifiers like userAgent, IP, and anonymous cookie identifiers. No longer than 7 days.
Configuration Data Event mapping and connection configuration data including API keys. Used for determining how data flows through the system. 90 days after the term of customer subscription.
User Management Data User login data contains email and password information. 90 days after the term of customer subscription.
Schema Data and Alerts Customer Data Schemas used for monitoring data quality and alerts for data coming into the platform. No longer than 1 year.
Telemetric Data High level metric data used for assessing how data is flowing through the systems. No longer than 1 year.
Audit Log Data Data describing actions and changes taken by users in the platform. No longer than 1 year.

Last updated: April [DATE], 2026

DPA Annex 1: Technical and Organizational Security Measures

(Annex II/Appendix 2 to the Standard Contractual Clauses if and as applicable)

MetaRouter will maintain administrative, physical, and technical safeguards designed to protect the security, confidentiality and integrity of Personal Data uploaded to the MetaRouter Service. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement and the DPA.

  1. Security Governance. MetaRouter maintains an information security program (including the adoption and enforcement of internal policies and procedures) designed to: (a) help customers secure their data processed using MetaRouter’ online product against accidental or unlawful loss, access, or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access to MetaRouter online Subscription Services, and (c) minimize security risks, including through risk assessment and regular testing. MetaRouter’s head of security and compliance coordinates MetaRouter’s information security program with the information security team. The program is overseen by an executive management committee, which includes MetaRouter’s CEO, President, and the heads of engineering and product.
  2. Scalable and Secure Infrastructure. MetaRouter’s centralized control and client infrastructure are located within multiple, geographically dispersed data center facilities. Each facility is designed for maximum security and availability. All locations employ industry best-practices, including badge and biometric access entry systems, redundant power sources, redundant air conditioning units and fire suppression systems. (For a more extensive discussion of the security measures built into the cloud infrastructure and services utilized by MetaRouter, see Google Security Overview.)
  3. Secure Data Transmission and Storage. Personal Data is stored in separate logical directories and encrypted at rest using AES 256. MetaRouter encrypts its data exports and imports in transit using TLS 1.2. Authentication and robust access controls are used.
  4. Disaster Recovery. MetaRouter maintains essential disaster avoidance, readiness and recovery planning capabilities through the use of multiple geographically dispersed data centers and redundancy throughout the platform architecture.
  5. Application Security. MetaRouter follows an agile development methodology, with security testing implemented throughout the entire software development lifecycle. Security best practices are a mandated aspect of all development activities. MetaRouter leverages the technical organizational and security measures implemented by its public cloud hosting providers, including as applicable Google Cloud (https://cloud.google.com/terms/data-processing-addendum), Amazon Web Services (https://d1.awsstatic.com/legal/aws-dpa/aws-dpa.pdf), and Microsoft Azure (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA).
  6. Risk Management. MetaRouter focuses its risk management in the software development process and in the production environment to protect against attacks on and/or disruption of the MetaRouter Service and attempts to compromise the privacy, confidentiality, or integrity of Personal Data. Technical measures deployed include (a) firewalls for all data entering MetaRouter’s internal data network from any external source; (b) techniques to prevent harmful software code from affecting the MetaRouter Service or Personal Data, (c) regular monitoring of systems used for the MetaRouter Service, (d) 24x7 monitoring and alerting to notify MetaRouter’ Site Reliability team of anomalous events, and (e) annual 3rd party penetration and vulnerability testing. MetaRouter maintains audit information and logs for all systems.
  7. Employee Hiring, Training, and Awareness. MetaRouter employees undergo federal, national, state and global watchlist criminal background checks prior to being hired. MetaRouter trains all new employees on confidentiality, privacy and information security obligations and requires all employees and contractors to sign confidentiality agreements. A compulsory annual security and privacy training requirement ensures employees refresh their knowledge and understanding. Employees are given appropriate accounts on systems to which they are authorized to access, following the principle of “least privilege.” MetaRouter regularly reviews employee access to internal systems. Reviews ensure that employees access rights and access patterns are commensurate with their current positions.

  8. MetaRouter Platform Operations Management.

    • Change Management. MetaRouter maintains and follows formal change management processes. All changes to the production environment are risk assessed, logged, approved, and implemented by a dedicated team. All deployments to the production environment must be promoted through a pre-production test environment.
    • Patch Management. MetaRouter operates a commercial patch management solution to maintain all hardware system, OS and application level security patches.
    • Separation of Development and Operational Facilities. The MetaRouter Platform operations environment is separate from development and QA environments and from corporate IT (each of these environments reside in a separate network domain and is managed by a separate team). Access to platform operations resources is limited to authorized personnel and authentication requires a separate set of credentials.
  9. Audited Controls. An independent auditor has examined the controls present in MetaRouter’s system, including its infrastructure and operations to confirm that these controls are in accordance with the Service Organization Controls (SOC) 2 Type II Trust Services Principles for Security. In addition, MetaRouter contracts with a reputable third party security firm to conduct a regular security audit (penetration test and web application vulnerability tests) of the MetaRouter Service platform. Upon written request, MetaRouter shall supply (on a confidential basis) a summary copy of its most current audit reports to Customer.