This Data Processing Agreement ("DPA") forms part of the Terms of Service between Meshless, Inc. ("Processor") and the customer ("Controller") and governs the processing of personal data in connection with the Meshless Service.
This DPA applies where and to the extent Meshless processes personal data on behalf of the Controller, including personal data of the Controller's end users.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection law.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Sub-processor" means any third party engaged by Meshless to process Personal Data on the Controller's behalf.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
2. Scope of Processing
Meshless processes the following categories of Personal Data on behalf of the Controller:

| Category | Examples | Purpose |
|---|---|---|
| Account data | Name, email address | Authentication, billing |
| Usage data | Feature interactions, API call metadata | Service delivery, abuse prevention |
| End-user session data | Anonymous viewer session IDs, IP-derived geolocation | CDN routing, analytics |

Meshless does not process special categories of personal data (sensitive data as defined under GDPR Article 9).
3. Controller Obligations
The Controller represents and warrants that:
- It has a lawful basis for processing Personal Data and for instructing Meshless to process it
- It has provided all required notices and obtained all required consents from data subjects
- Its instructions to Meshless are lawful and comply with applicable data protection law
4. Processor Obligations
Meshless agrees to:
- Process Personal Data only on the documented instructions of the Controller
- Ensure personnel authorized to process Personal Data are bound by confidentiality
- Implement appropriate technical and organizational security measures (see our Security page)
- Assist the Controller in responding to data subject rights requests to the extent reasonably possible
- Delete or return all Personal Data upon termination of the Service, at the Controller's choice
- Make available all information necessary to demonstrate compliance with this DPA
5. Sub-processors
Meshless engages the following categories of sub-processors to deliver the Service:

| Sub-processor | Location | Purpose |
|---|---|---|
| Amazon Web Services (AWS) | USA, EU | Infrastructure, storage, compute |
| Stripe | USA | Payment processing |
| Datadog | USA | Infrastructure monitoring and logging |
| Postmark | USA | Transactional email |
| Plausible Analytics | EU (Estonia) | Aggregate usage analytics |

Meshless will notify Controllers of any intended changes to sub-processors with at least 30 days' notice, providing an opportunity to object.
6. International Transfers
Where Personal Data is transferred outside the European Economic Area, Meshless relies on:
- Standard Contractual Clauses (SCCs) — European Commission-approved SCCs are incorporated by reference into agreements with sub-processors located outside the EEA.
- UK IDTA — for transfers from the United Kingdom.
7. Data Subject Rights
Upon receiving a verifiable data subject request forwarded by the Controller, Meshless will:
- Assist with access, rectification, erasure, portability, and restriction requests
- Respond within the timeframe required by applicable law (typically 30 days)
8. Security Incidents
In the event of a Personal Data breach, Meshless will:
- Notify the Controller without undue delay and within 72 hours of becoming aware
- Provide all information required for the Controller to meet its own notification obligations
- Cooperate fully in any investigation and remediation
9. Audits
The Controller may request an audit of Meshless's data processing activities no more than once per calendar year, with 30 days' written notice. Meshless may satisfy audit requests by providing its most recent third-party audit reports (e.g., SOC 2) under NDA.
10. Governing Law
This DPA is governed by the laws of the State of Delaware, United States, consistent with the Terms of Service, unless superseded by mandatory provisions of applicable data protection law.
11. Execution
This DPA is incorporated into and forms part of the Terms of Service. By accepting the Terms of Service, the Controller agrees to this DPA. Enterprise customers requiring a countersigned DPA should contact legal@meshless.io.