Data Processing Agreement

Mesh Mesh Inc.

Version 2.1 — Effective March 26, 2026


This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between Mesh Mesh Inc. ("MeshMesh," "Processor") and the customer agreeing to the Terms of Service ("Customer," "Controller") and governs the processing of personal data by MeshMesh on behalf of Customer in connection with the Services.

This DPA applies to the extent that Customer Data includes personal data subject to applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, the California Consumer Privacy Act ("CCPA"), and other applicable data protection and privacy laws (collectively, "Data Protection Laws").

Capitalized terms not defined in this DPA have the meanings assigned to them in the Agreement.


1. Roles and Scope

1.1 Controller and Processor. For the purposes of this DPA, Customer is the data controller and MeshMesh is the data processor with respect to Customer Personal Data. This DPA does not establish a joint controllership arrangement. Each party remains solely responsible for its own compliance with Data Protection Laws in respect of its separate processing activities.

1.2 Customer Personal Data. "Customer Personal Data" means any personal data contained within Customer Data that is processed by MeshMesh on behalf of Customer in connection with the Services.

1.3 Product Analytics Data. MeshMesh may process de-identified and aggregated Product Analytics Data (as defined in the Agreement) as an independent controller solely for service improvement, analytics, security, billing, and product development purposes, provided that such data cannot be used to identify Customer, its end users, or any natural person. Product Analytics Data may be used to improve MeshMesh's Services and AI Systems as described in the Agreement.

1.4 Service Data. MeshMesh may process log data, metadata, and technical data generated through the operation of the Services ("Service Data") as an independent controller for analytics, security, and operational purposes. Service Data is distinct from Customer Personal Data.


2. Processing Purposes and Instructions

2.1 Processing Purposes. Customer Personal Data shall be processed solely for the purposes of providing, maintaining, securing, and supporting the Services as described in this DPA and the Agreement, and in accordance with Customer's documented instructions.

2.2 Customer Instructions. MeshMesh shall process Customer Personal Data only on documented instructions from Customer, including the instructions set forth in the Agreement and this DPA, unless required to do otherwise by applicable law. If MeshMesh is required by applicable law to process Customer Personal Data for any other purpose, MeshMesh shall inform Customer of that legal requirement before processing, unless prohibited by law from doing so.

2.3 Compliance. MeshMesh shall ensure that persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.


3. Subprocessors

3.1 Authorization. Customer provides general authorization for MeshMesh to engage subprocessors to process Customer Personal Data in connection with the Services. A list of MeshMesh's current subprocessors is maintained at meshmesh.io/subprocessors.

3.2 Subprocessor Obligations. MeshMesh shall impose data protection obligations on each subprocessor that are no less protective than those set forth in this DPA. MeshMesh shall remain responsible for the acts and omissions of its subprocessors to the same extent as if the acts or omissions were performed by MeshMesh directly.

3.3 Changes to Subprocessors. MeshMesh may update its subprocessor list from time to time. Changes to the subprocessor list will be posted at meshmesh.io/subprocessors. Customer should periodically review the subprocessor list. If Customer objects to a new subprocessor on reasonable data protection grounds, Customer shall notify MeshMesh in writing within thirty (30) days of the change being posted. The parties shall work in good faith to resolve the objection. If the objection cannot be resolved within a reasonable time, Customer's sole remedy shall be to terminate the affected Services by providing written notice to MeshMesh.


4. Security Measures

4.1 Security. MeshMesh shall implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures include:

(a) Encryption of data in transit using TLS 1.2 or greater;

(b) Encryption of data at rest using AES-256;

(c) Isolated execution sandboxes for agent task processing;

(d) Access controls and least-privilege principles for personnel and systems;

(e) Regular security assessments and vulnerability testing; and

(f) Confidentiality obligations for personnel who access Customer Personal Data.

4.2 Security Certifications. MeshMesh shall maintain industry-standard security certifications and make evidence of such certifications available to Customer upon reasonable request.


5. Data Breach Notification

5.1 Notification. MeshMesh shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a "Personal Data Breach").

5.2 Breach Information. The notification shall include, to the extent available: (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of data subjects and personal data records concerned; (b) the name and contact details of MeshMesh's point of contact; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach.

5.3 Cooperation. MeshMesh shall cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach.


6. Data Subject Rights

6.1 Assistance. MeshMesh shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, in responding to requests from data subjects exercising their rights under Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).

6.2 Notification. If MeshMesh receives a request from a data subject directly, MeshMesh shall promptly notify Customer and shall not respond to the request without Customer's prior instructions, unless required by applicable law.


7. Data Protection Impact Assessments

MeshMesh shall provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with supervisory authorities that Customer is required to carry out under Data Protection Laws, taking into account the nature of the processing and the information available to MeshMesh.


8. Audit Rights

8.1 Audit. Customer may, upon reasonable advance written notice (no less than thirty (30) days), and no more than once per calendar year, audit or have audited (by an independent third-party auditor bound by confidentiality obligations) MeshMesh's compliance with this DPA, subject to the following conditions:

(a) The scope of the audit shall be limited to MeshMesh's processing of Customer Personal Data under this DPA;

(b) Audits shall be conducted during normal business hours and in a manner that does not unreasonably disrupt MeshMesh's operations;

(c) Customer shall bear all costs and expenses of any audit; and

(d) The auditor and Customer shall execute a non-disclosure agreement with MeshMesh prior to any audit.

8.2 Certifications and Reports. MeshMesh may satisfy audit requests by providing Customer with relevant security certifications, SOC 2 reports, or other independent audit reports that address the subject matter of the audit, in lieu of permitting an on-site audit.


9. Data Return and Deletion

9.1 Data Export. During the term of the Agreement, Customer may export Customer Data through the functionality provided by the Services.

9.2 Post-Termination. Upon termination of the Agreement, MeshMesh shall, within thirty (30) days following Customer's written request, return or delete all Customer Personal Data in MeshMesh's possession or control (at Customer's election), unless applicable law requires continued storage of the Customer Personal Data. MeshMesh shall certify in writing that it has completed the deletion upon Customer's request.

9.3 Exceptions. MeshMesh may retain Customer Personal Data to the extent required by applicable law, provided that MeshMesh shall: (a) maintain the confidentiality of such data; (b) process it only for the purpose of complying with the applicable legal requirement; and (c) delete it as soon as the legal requirement no longer applies.

9.4 Product Analytics Data. For the avoidance of doubt, Product Analytics Data and Service Data (which by definition contain no Customer Personal Data or personally identifiable information) are not subject to the return or deletion obligations of this Section 9.


10. International Data Transfers

10.1 Processing Location. MeshMesh currently processes Customer Personal Data in the United States. A list of subprocessor locations is maintained at meshmesh.io/subprocessors.

10.2 Transfer Mechanisms. To the extent that the processing of Customer Personal Data involves a transfer of personal data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the Standard Contractual Clauses approved by the European Commission (as set forth in Annex A) shall apply to such transfers.

10.3 Standard Contractual Clauses. The Standard Contractual Clauses set forth in Annex A are incorporated into and form part of this DPA. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail to the extent of the conflict.


11. Liability

11.1 Liability Cap. Each party's liability under this DPA shall be subject to the limitations of liability set forth in the Agreement.

11.2 No Joint Controllership. Nothing in this DPA shall be construed to create a joint controllership arrangement between the parties. Each party is solely responsible for its own compliance with Data Protection Laws.


12. Term

12.1 Term. This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination of the Agreement, subject to the obligations in Section 9 (Data Return and Deletion) which shall survive termination.

12.2 Modifications. MeshMesh may update this DPA from time to time to reflect changes in Data Protection Laws, regulatory guidance, or MeshMesh's data processing practices. Updated versions will be posted at meshmesh.io/dpa with a revised version number and effective date.


13. General

13.1 Conflicts. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Customer Personal Data. To the extent Customer and MeshMesh have entered into a separately executed written agreement that includes data processing terms, those terms shall supersede this DPA to the extent of any conflict.

13.2 Governing Law. This DPA shall be governed by the laws specified in the Agreement, except to the extent that mandatory provisions of Data Protection Laws require otherwise.

13.3 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.


Annex A: Standard Contractual Clauses

The Standard Contractual Clauses (SCCs) adopted by the European Commission's Implementing Decision (EU) 2021/914 are incorporated by reference into this DPA. The applicable module is:

Module 2: Controller to Processor (Customer as Controller; MeshMesh as Processor)

The following selections and details apply:

Clause: Selection / Detail
Clause 7 (Docking Clause): Included
Clause 9(a) (Subprocessor Authorization): Option 2: General written authorization, with notification of changes via subprocessor list
Clause 11 (Redress): Optional clause not included
Clause 13 (Supervision): The supervisory authority of the EU/EEA Member State in which the data exporter is established, or where the data exporter is not established in the EU/EEA, the supervisory authority of the Member State in which the data exporter's EU representative is established
Clause 17 (Governing Law): The laws of Ireland
Clause 18 (Choice of Forum and Jurisdiction): The courts of Ireland

Annex I — List of Parties, Description of Transfer, and Competent Supervisory Authority:

Item: Detail
Data Exporter: Customer (as identified in the Agreement)
Data Importer: Mesh Mesh Inc., Austin, Texas, United States
Contact for Data Importer: privacy@meshmesh.io
Description of Processing: Processing of Customer Personal Data in connection with Customer's use of the MeshMesh Services, including the hosting, storage, analysis, AI-assisted generation, and processing of data submitted by Customer or accessed from Connected Systems at Customer's direction
Categories of Data Subjects: Determined by Customer; may include Customer's employees, contractors, customers, contacts, leads, and other individuals whose data is stored in Connected Systems
Categories of Personal Data: Determined by Customer; may include names, email addresses, phone numbers, job titles, company information, transaction records, and other data stored in Connected Systems
Sensitive Data: None processed by default; Customer is responsible for not submitting sensitive data unless Customer has implemented appropriate safeguards
Frequency of Transfer: Continuous, for the duration of the Agreement
Retention Period: As specified in Section 9 of this DPA

Annex II — Technical and Organizational Measures:

The technical and organizational measures implemented by MeshMesh are described in Section 4 of this DPA and in the Security section of the MeshMesh Privacy Policy.


Contact

For questions regarding this DPA, please contact privacy@meshmesh.io.