Data Processing Agreement

Last updated: June 15, 2026

This Data Processing Agreement ("DPA") forms a vital part of the Terms of Service between Meshless ("Processor") and the customer ("Controller") and strictly governs the processing of personal data within the Meshless 3D Service infrastructure.

This DPA applies where Meshless processes personal data on behalf of the Controller, including telemetry data of the Controller's end-users interacting with embedded 3D assets.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws (e.g., GDPR, CCPA).
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Sub-processor" means any third party engaged by Meshless to process Personal Data on the Controller's behalf.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.

2. Scope of Processing

Meshless processes the following limited categories of Personal Data on behalf of the Controller:

CategoryExamplesPurpose
Account DataAdmin names, email addressesWorkspace authentication and authorization
Billing DataCorporate billing detailsInvoice generation (Processed by Merchant of Record)
Telemetry DataAnonymized IPs, session IDsFraud prevention, rate limiting, and aggregate viewer analytics

Note: Meshless intentionally does not process special categories of personal data (sensitive data as defined under GDPR Article 9). We do not deploy cross-site tracking cookies on your end-users.

3. Controller Obligations

The Controller represents and warrants that:

  • It possesses a lawful basis for processing Personal Data and instructing Meshless to process it.
  • It has provided all required privacy notices to its end-users regarding the embedding of third-party 3D viewer iframes.
  • Its instructions to Meshless are lawful and comply with applicable data protection laws.

4. Processor Obligations

Meshless formally commits to:

  • Process Personal Data only on the documented instructions of the Controller (via the Dashboard or API).
  • Ensure that engineering personnel authorized to access systems are bound by strict confidentiality agreements.
  • Implement robust technical security measures, including AES-256 encryption at rest and TLS 1.3 in transit (detailed in our Security Policy).
  • Promptly assist the Controller in responding to data subject rights requests (e.g., data exports or account deletion).
  • Irretrievably delete or return all Personal Data upon termination of the Service.

5. Authorized Sub-processors

To deliver a globally scalable Service, Meshless engages the following highly vetted sub-processors:

Sub-processorPurposeLocation / Global Edge
CloudflareEdge Routing, CDN, DDoS Protection, R2 StorageGlobal Edge
ClerkSecure Identity & Access Management (Authentication)USA / Global
PaddleMerchant of Record (Subscription Billing & Tax)UK / Global
ResendTransactional Email Delivery (Invites, Password Resets)USA

Meshless will notify Controllers of any intended changes to this sub-processor list with at least 30 days' notice, providing an opportunity to object.

6. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), Meshless relies on robust legal mechanisms:

  • Standard Contractual Clauses (SCCs): European Commission-approved SCCs are incorporated into our Data Processing Addendums with all sub-processors (e.g., Cloudflare, Clerk) located outside the EEA.

7. Data Subject Rights & Deletion

Meshless provides automated tools via the Dashboard to export workspace data or permanently delete projects. Upon receiving a verifiable data subject request that cannot be fulfilled via the Dashboard, Meshless will:

  • Provide technical assistance within the timeframe required by law (typically 30 days).
  • Ensure that deleted .glb and .gltf files are permanently purged from R2 storage.

8. Security Incidents (Breach Notification)

In the highly unlikely event of a verified Personal Data breach affecting your workspace, Meshless will:

  • Notify the Controller's administrative contacts without undue delay, and strictly within 72 hours of discovery.
  • Provide comprehensive technical logs required for the Controller to meet its own notification obligations.
  • Cooperate fully in remediation and forensic investigations.

9. Audits and Compliance

The Controller may request to review Meshless's data processing activities. To maintain the security of our infrastructure, Meshless satisfies audit requests by providing comprehensive Security Questionnaires and compliance documentation under NDA, rather than permitting direct infrastructure penetration testing by third parties.

10. Execution

This DPA is incorporated directly into the Terms of Service. By accepting the Terms of Service during registration, the Controller automatically agrees to this DPA.

For Enterprise plans requiring a physical countersignature, please contact our legal team at legal@meshless.io.