Is there a way to secure SQL Server at their location so even their DBA cannot change data?
No. If a user has physical access to the data, they can modify the data. Even if you were able to store the database using some kind of full disk encryption scheme or something like that, your application has to read it somehow.
What is the cleanest way to send new data to their installation?
I have to concur with @RB. above. Either store the data on machines that you control and have some kind of client/server model, or have your application check for the new values once every few hours or once a day or something like that.
Of course, it is possible to intercept and modify data going over the wire too, so if the data is stored on the customer's machine your updates could be just as toast.
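An added example, not part of the original answer: one way for the application to detect an update that was modified on the wire is to have the vendor sign each update and have the application verify it with a public key before applying it. This only detects tampering in transit; it does not stop someone who controls the machine from changing the stored data afterwards. The `Update` type, its fields, the function names and the sample payload are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a hypothetical update envelope; the field names are assumptions.
type Update struct {
	Seq     uint64 // increases with every update, so an old one cannot be replayed
	Payload []byte // the new data values
	Sig     []byte // Ed25519 signature over Seq || Payload
}

// signedBytes builds the exact byte string that is signed and verified.
func signedBytes(seq uint64, payload []byte) []byte {
	buf := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(buf, seq)
	return append(buf, payload...)
}

// SignUpdate runs on the vendor side, where the private key stays.
func SignUpdate(priv ed25519.PrivateKey, seq uint64, payload []byte) Update {
	return Update{Seq: seq, Payload: payload, Sig: ed25519.Sign(priv, signedBytes(seq, payload))}
}

// VerifyUpdate runs in the application at the customer site with only the public key.
func VerifyUpdate(pub ed25519.PublicKey, lastSeq uint64, u Update) error {
	if !ed25519.Verify(pub, signedBytes(u.Seq, u.Payload), u.Sig) {
		return errors.New("signature mismatch: update modified or not from vendor")
	}
	if u.Seq <= lastSeq {
		return errors.New("stale sequence number: replayed or out-of-order update")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)              // nil selects crypto/rand
	u := SignUpdate(priv, 2, []byte(`{"rate":"0.0725"}`)) // constructed sample payload
	fmt.Println("genuine: ", VerifyUpdate(pub, 1, u))
	tampered := u
	tampered.Payload = []byte(`{"rate":"0.0000"}`) // changed after signing
	fmt.Println("tampered:", VerifyUpdate(pub, 1, tampered))
	fmt.Println("replayed:", VerifyUpdate(pub, 2, u)) // same update offered again
}
```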