Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Meshbase ("Processor" or "we") and you ("Controller" or "Customer") and governs the processing of Personal Data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1.1 Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Meshbase on behalf of the Customer.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
• "Data Subject" means the individual to whom Personal Data relates.
• "Controller" means the entity that determines the purposes and means of processing Personal Data (the Customer).
• "Processor" means the entity that processes Personal Data on behalf of the Controller (Meshbase).
• "Sub-processor" means any third party engaged by Meshbase to process Personal Data.

This DPA applies to all processing of Personal Data by Meshbase on behalf of the Customer in connection with the provision of the Meshbase Service. The Customer acts as the Controller and Meshbase acts as the Processor.

The subject matter, duration, nature, and purpose of the processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex A below.

The Customer warrants and represents that:

• It has the legal right to transfer Personal Data to Meshbase for processing
• It has provided all necessary notices and obtained all necessary consents from Data Subjects
• The processing instructions provided to Meshbase comply with applicable data protection laws
• It will comply with its obligations as a Controller under applicable data protection laws

4.1 Processing Instructions

Meshbase shall process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law. The Customer's use of the Service constitutes documented instructions for processing.

4.2 Confidentiality

Meshbase shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security Measures

Meshbase shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of Personal Data in transit and at rest
• Regular security assessments and penetration testing
• Access controls and authentication mechanisms
• Regular backup and disaster recovery procedures
• Monitoring and logging of access to Personal Data
• Employee training on data protection and security

4.4 Sub-processors

The Customer provides general authorization for Meshbase to engage Sub-processors. Current Sub-processors are listed in Annex B. Meshbase shall:

• Maintain an up-to-date list of Sub-processors
• Notify the Customer of any intended changes concerning the addition or replacement of Sub-processors
• Ensure Sub-processors are bound by data protection obligations equivalent to those in this DPA
• Remain fully liable to the Customer for the performance of Sub-processors

4.5 Data Subject Rights

Meshbase shall, to the extent legally permitted, promptly notify the Customer if it receives a request from a Data Subject to exercise their rights under data protection laws. Meshbase shall provide reasonable assistance to the Customer in responding to such requests.

4.6 Personal Data Breach

Meshbase shall notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification shall include:

• Description of the nature of the breach
• Categories and approximate number of Data Subjects affected
• Categories and approximate number of Personal Data records affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach

5.1 International Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). Meshbase shall ensure that such transfers are made in compliance with applicable data protection laws, using appropriate safeguards such as:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by the European Commission
• Other legally recognized transfer mechanisms

6.1 Data Protection Impact Assessments

Meshbase shall provide reasonable assistance to the Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, where required by law.

6.2 Audits and Inspections

Meshbase shall make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable notice and confidentiality obligations.

7.1 Return or Deletion

Upon termination of the Service or upon Customer's request, Meshbase shall, at the Customer's choice:

• Return all Personal Data to the Customer in a commonly used, machine-readable format, or
• Delete all Personal Data and certify to the Customer that it has done so

Meshbase may retain Personal Data to the extent required by applicable law, provided that Meshbase shall ensure the confidentiality of such Personal Data and only process it as necessary for the purpose(s) specified in the applicable law.

7.2 Deletion Timeline

Unless otherwise instructed by the Customer, Personal Data shall be deleted within 30 days of account termination.

Each party's liability arising out of or related to this DPA shall be subject to the limitations and exclusions of liability set forth in the Terms of Service.

Meshbase shall indemnify the Customer against any claims, damages, or losses arising from Meshbase's breach of this DPA or applicable data protection laws, except to the extent such claims arise from the Customer's instructions or actions.

This DPA shall remain in effect for as long as Meshbase processes Personal Data on behalf of the Customer. Upon termination of the Terms of Service, this DPA shall automatically terminate, subject to the data retention and deletion provisions in Section 7.

This DPA shall be governed by the same law as the Terms of Service. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts specified in the Terms of Service.

Subject Matter

The subject matter of processing is the provision of the Meshbase headless CMS platform, including content management, storage, and API delivery services.

Duration

Processing shall continue for the duration of the Customer's subscription to the Service, plus the retention period specified in Section 7.

Nature and Purpose of Processing

Meshbase processes Personal Data for the following purposes:

• Storing and managing content created by the Customer
• Delivering content via API to the Customer's applications
• Providing media library and file storage services
• Enabling team collaboration features
• Providing customer support and technical assistance
• Monitoring and improving Service performance and security

Types of Personal Data

The types of Personal Data processed may include:

• Customer account information (name, email, company details)
• End-user data stored in Customer's content (as determined by Customer)
• Usage and analytics data
• Technical data (IP addresses, device information, logs)
• Any other Personal Data uploaded by the Customer to the Service

Categories of Data Subjects

Data Subjects may include:

• Customer's employees and authorized users
• Customer's end-users (whose data is stored in Customer's content)
• Customer's customers and business contacts
• Any other individuals whose Personal Data is processed through the Service

Meshbase currently engages the following Sub-processors to provide the Service:

Note: This list may be updated from time to time. Customers will be notified of any changes to Sub-processors in accordance with Section 4.4 of this DPA.

For questions or concerns regarding this Data Processing Agreement, please contact:

Data Protection Officer
Email: [email protected]
Website: meshbase.com