Data Processing Agreement

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the Customer Terms of Service or other written agreement between Meshintex, Inc. doing business as Meshintex (“Processor”, “we”, “us”) and the entity agreeing to these terms (“Controller”, “Customer”, “you”) for the provision of Meshintex services (the “Agreement”).

This DPA reflects the parties' commitment to abide by applicable Data Protection Laws concerning the processing of Personal Data in connection with the Services provided under the Agreement.

2. Definitions

In this DPA, the following terms have the meanings set out below. Capitalized terms not defined here have the meanings given in the Agreement.

3. Scope and Purpose of Processing

3.1 Scope

This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Services under the Agreement.

3.2 Purpose

The Processor shall Process Personal Data only for the purposes of providing the Services as described in the Agreement and as further documented in the Controller's instructions. The categories of Personal Data and Data Subjects are determined by the Controller's use of the Services and typically include:

• Categories of Data Subjects: Customer's end users, employees, contractors, and other individuals whose data is submitted to the Services.
• Types of Personal Data: Name, email address, IP address, user agent information, and any other data submitted through the Services by the Controller.
• Processing Activities: Storage, analysis, monitoring, alerting, and incident management as necessary to provide the Services.

4. Obligations of the Processor

4.1 Processing Instructions

The Processor shall Process Personal Data only on documented instructions from the Controller, including with regard to transfers to a third country, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless prohibited by law.

4.2 Confidentiality

The Processor shall ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of Personal Data in transit and at rest.
• Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems.
• The ability to restore the availability and access to Personal Data in a timely manner in the event of an incident.
• Regular testing, assessing, and evaluating the effectiveness of technical and organizational measures.

4.4 Subprocessing

The Processor shall not engage a Subprocessor without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes, giving the Controller the opportunity to object. A current list of Subprocessors is maintained at our Subprocessors page.

Where the Processor engages a Subprocessor, the Processor shall impose on the Subprocessor the same data protection obligations as set out in this DPA by way of a written contract.

4.5 Assistance to the Controller

Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws.

5. Obligations of the Controller

The Controller warrants and represents that:

• It has complied and will continue to comply with all applicable Data Protection Laws in respect of its use of the Services and its Processing instructions to the Processor.
• It has obtained all necessary consents or has another lawful basis for the transfer of Personal Data to the Processor for Processing in accordance with this DPA.
• It shall be responsible for the accuracy, quality, and legality of Personal Data and the means by which it acquired the Personal Data.
• It shall inform the Processor without undue delay if it becomes aware of any circumstances that could affect the lawfulness of the Processing under this DPA.

6. Data Subject Rights

The Processor shall, to the extent legally permitted, promptly notify the Controller if the Processor receives a request from a Data Subject to exercise any of the following rights:

• Right of access
• Right to rectification
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object to processing
• Rights related to automated decision-making and profiling

The Processor shall not independently respond to such requests except on the documented instructions of the Controller or as required by applicable law.

7. Security Incident Notification

The Processor shall notify the Controller without undue delay after becoming aware of a Security Incident affecting Personal Data processed on behalf of the Controller. Such notification shall include:

• A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records affected.
• The name and contact details of the Processor's data protection contact.
• A description of the likely consequences of the Security Incident.
• A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects.

8. International Data Transfers

The Processor shall not transfer Personal Data to a country outside the European Economic Area (EEA) unless appropriate safeguards are in place, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Binding Corporate Rules.
• An adequacy decision by the European Commission for the recipient country.
• The EU–U.S. Data Privacy Framework, where applicable.

9. Duration and Termination

This DPA shall remain in effect for the duration of the Agreement. Upon termination, the Processor shall, at the choice of the Controller, delete or return all Personal Data and delete existing copies, unless applicable law requires storage of the Personal Data. The Processor shall certify in writing that it has complied with this provision upon the Controller's request.

10. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

The Controller shall provide reasonable prior written notice of any audit request. Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's business operations. The Controller shall bear the costs of any such audit unless the audit reveals a material breach of this DPA by the Processor.

11. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Agreement. In no event shall either party's aggregate liability for claims arising out of or related to this DPA exceed the limitations set forth in the Agreement.

12. Contact Information

For questions or concerns about this DPA or our data processing practices, please contact us: