This Data Processing Agreement ("DPA") forms a vital part of the Terms of Service between Meshless ("Processor") and the customer ("Controller") and strictly governs the processing of personal data within the Meshless 3D Service infrastructure.
This DPA applies where Meshless processes personal data on behalf of the Controller, including telemetry data of the Controller's end-users interacting with embedded 3D assets.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws (e.g., GDPR, CCPA).
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Sub-processor" means any third party engaged by Meshless to process Personal Data on the Controller's behalf.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
2. Scope of Processing
Meshless processes the following limited categories of Personal Data on behalf of the Controller:
| Category | Examples | Purpose |
|---|---|---|
| Account Data | Admin names, email addresses | Workspace authentication and authorization |
| Billing Data | Corporate billing details | Invoice generation (Processed by Merchant of Record) |
| Telemetry Data | Anonymized IPs, session IDs | Fraud prevention, rate limiting, and aggregate viewer analytics |
Note: Meshless intentionally does not process special categories of personal data (sensitive data as defined under GDPR Article 9). We do not deploy cross-site tracking cookies on your end-users.
3. Controller Obligations
The Controller represents and warrants that:
- It possesses a lawful basis for processing Personal Data and instructing Meshless to process it.
- It has provided all required privacy notices to its end-users regarding the embedding of third-party 3D viewer iframes.
- Its instructions to Meshless are lawful and comply with applicable data protection laws.
4. Processor Obligations
Meshless formally commits to:
- Process Personal Data only on the documented instructions of the Controller (via the Dashboard or API).
- Ensure that engineering personnel authorized to access systems are bound by strict confidentiality agreements.
- Implement robust technical security measures, including AES-256 encryption at rest and TLS 1.3 in transit (detailed in our Security Policy).
- Promptly assist the Controller in responding to data subject rights requests (e.g., data exports or account deletion).
- Irretrievably delete or return all Personal Data upon termination of the Service.
5. Authorized Sub-processors
To deliver a globally scalable Service, Meshless engages the following highly vetted sub-processors:
| Sub-processor | Purpose | Location / Global Edge |
|---|---|---|
| Cloudflare | Edge Routing, CDN, DDoS Protection, R2 Storage | Global Edge |
| Clerk | Secure Identity & Access Management (Authentication) | USA / Global |
| Paddle | Merchant of Record (Subscription Billing & Tax) | UK / Global |
| Resend | Transactional Email Delivery (Invites, Password Resets) | USA |
Meshless will notify Controllers of any intended changes to this sub-processor list with at least 30 days' notice, providing an opportunity to object.
6. International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), Meshless relies on robust legal mechanisms:
- Standard Contractual Clauses (SCCs): European Commission-approved SCCs are incorporated into our Data Processing Addendums with all sub-processors (e.g., Cloudflare, Clerk) located outside the EEA.
7. Data Subject Rights & Deletion
Meshless provides automated tools via the Dashboard to export workspace data or permanently delete projects. Upon receiving a verifiable data subject request that cannot be fulfilled via the Dashboard, Meshless will:
- Provide technical assistance within the timeframe required by law (typically 30 days).
- Ensure that deleted
.glband.gltffiles are permanently purged from R2 storage.
8. Security Incidents (Breach Notification)
In the highly unlikely event of a verified Personal Data breach affecting your workspace, Meshless will:
- Notify the Controller's administrative contacts without undue delay, and strictly within 72 hours of discovery.
- Provide comprehensive technical logs required for the Controller to meet its own notification obligations.
- Cooperate fully in remediation and forensic investigations.
9. Audits and Compliance
The Controller may request to review Meshless's data processing activities. To maintain the security of our infrastructure, Meshless satisfies audit requests by providing comprehensive Security Questionnaires and compliance documentation under NDA, rather than permitting direct infrastructure penetration testing by third parties.
10. Execution
This DPA is incorporated directly into the Terms of Service. By accepting the Terms of Service during registration, the Controller automatically agrees to this DPA.
For Enterprise plans requiring a physical countersignature, please contact our legal team at legal@meshless.io.