Effective: 04/19/2022
Mesh Labs is a technology company headquartered in New York City, which focuses on providing subscription-based software services.
For more information about our services, please refer to our website:
https://withmesh.com
This Privacy Policy is applicable to Mesh Labs (“we,” “our,” or “us”) as related to our services, which collectively include:
This Privacy Policy sets out the essential details relating to your personal data relationships with Mesh Labs as:
Clients contract the use of our application and give access to their employees and other third parties, as solely decided by them, by creating users who access the application with their email address and credentials. The clients’ administrators grant end users roles, which result in different permissions and access rights to the information held in the Client account.
We may ask you to provide personal information when:
If you choose to provide us with a third-party’s personal information (the person’s name, email and company) when managing users and contacts, creating content, or taking part in our marketing or referral programs, you represent that you have the third-party’s permission to do so.
We collect personal information that may include first and last name, business email address, phone number and/or company name.
As an end user of the application, we collect your name, business email address and any comments you make in the application.
In addition, we may collect data uploaded by you, your employer or other users of the application that may be required to use Mesh Labs services. We expect all users to follow their organization’s privacy policy and any applicable regulatory requirements when uploading, accessing and using personal information into our application. The data uploaded may include personal information like:
As a job applicant, we may also collect your resume and cover letter.
We collect information about your visits to the website and the application when you land on any of our web pages through cookies and similar tracking technology.
For further information about the types of cookies we use, you can access our Cookie Policy at this link https://withmesh.com/cookie-policy.
The information collected includes:
We may also collect information when you open email messages from us or click on links within those email messages.
We may combine the information we collect from your direct interactions with us with information obtained through other third-party sources, such as x. We also obtain and/or purchase lists from third parties about individuals and companies interested in our products.
The personal information collected includes your name, email address, business address, job title, company name, and telephone number.
We use your personal information to:
Please note that sometimes we may record the video conferencing call in which you participate to analyze and improve our staff’s communication skills. If we do so, we will be announcing it at the beginning of the conference call and in the meeting invite, and we will be providing a link to our Privacy Policy in the meeting invites and on the registration page.
We do not sell your information to any third party.
If you are an end user of our application, your personal information may be viewed by other users with access to the application.
We use third parties to help us provide our services. They will have access to your information as collected by the website or the application, as reasonably necessary to perform the contracted tasks on our behalf. We sign contractual agreements to obligate them to protect the personal information, only use it to deliver the contracted services to us, prohibit them from selling it and not disclose it without our knowledge and permission.
|
Service Provider Name |
Business Purpose |
Information Collected by the Service Provider |
Data Location |
| AWS Redshift | Data hosting | Customer and Organization account information and end-user data imported from Integration Systems including but not limited to Salesforce, Hubspot, Outreach, LinkedIn Ads, Google Analytics, and Customer databases. | AWS us-east-1 (Northern Virginia) |
| Planetscale | Data hosting | Customer and Organization account information, including but not limited to names, email addresses, and phone numbers. | AWS us-east-1 (Northern Virginia) |
| Redis Cloud | Data hosting | Customer and Organization account information, including but not limited to names, email addresses, and phone numbers. | AWS us-east-1 (Northern Virginia) |
| Mixpanel | Product analytics | Customer activity on Mesh software; Customer and Organization account information, including but not limited to names, email addresses, and phone numbers. | United States |
| Segment | Product analytics | Customer activity on Mesh software; Customer and Organization account information, including but not limited to names, email addresses, and phone numbers. | United States |
| Product analytics, Customer support communications | Customer and Organization account information, including but not limited to names, email addresses, and phone numbers. | Various | |
| Slack | Customer support communications | Customer and Organization account information, including but not limited to names, email addresses, and phone numbers. | Various |
It is possible that we may need to disclose personal information when required by law, subpoena or other legal processes as identified in the applicable legislation.
We attempt to notify our clients about legal demands for their personal data when appropriate in our judgment unless prohibited by law or court order or when the request is an emergency.
We can also share your personal data as part of a sale, merger, change in control or in preparation for any of these events.
Any other entity which buys us or part of our business will have the right to continue to use your data, but only in the manner set out in this Privacy Policy unless you agree otherwise.
We are committed to protecting the security of all of the personal information we collect and use.
We use a variety of physical, administrative and technical safeguards designed to help protect it from unauthorized access, use and disclosure. We have implemented best-practice standards and controls in compliance with internationally recognized security frameworks. We use encryption technologies to protect data at rest and in transit.
We provide the same suite of services to all of our clients and end users worldwide.
We offer the following rights to all individuals regardless of their location or applicable privacy regulations.
For personal information we have about you, you can:
You have the right to obtain information about what personal information we process about you or to obtain a copy of your personal information.
If you have provided personal information to us, you may contact us to obtain an outline of what information we have about you or a copy of the information.
If you are an end user of the application, you can log in to see the personal information in the account or approach your employer for more information.
You have the right to be notified of what personal information we collect about you and how we use it, disclose it and protect it.
This Privacy Policy describes what personal information we collect and our privacy practices. We may also have additional privacy notices and statements available to you at the point of providing information to us directly.
Change or correct your personal information.
You have the right to update/correct your personal information or ask us to do it on your behalf.
You can edit your information through the user account in the application or ask us to change or correct it by contacting us at compliance@withmesh.com.
Delete or erase your personal information.
You have the right to request the deletion of your personal information at any time. We will communicate back to you within reasonable timelines the result of your request. We may not be able to delete or erase your personal information, but we will inform you of these reasons and any further actions available to you.
Object to the processing of your personal information.
You have the right to object to our processing of your personal information for direct marketing purposes. This means that we will stop using your personal information for these purposes.
Ask us to restrict the processing of your personal information.
You may have the right to ask us to limit the way that we use your personal information.
Export your personal data.
You have the right to request that we export to you in a machine-readable format all of the personal information we have about you.
We do not process personal information through the use of automated means.
If you would like to exercise any of the rights described above, please contact us at compliance@withmesh.com.
You also have the right to lodge a complaint with the local organizations in charge of enforcing the privacy legislation applicable in your territory.
We retain information as long as it is necessary to provide the services to you and our clients, subject to any legal obligations to further retain such information.
We may also retain information to comply with the law, prevent fraud, collect fees, resolve disputes, troubleshoot problems, assist with investigations, enforce our Terms of Service and take other actions permitted by law.
The information we retain will be handled following this Privacy Policy.
Information connected to you that is no longer necessary and relevant to provide our services may be de-identified or aggregated with other non-personal data. This information may provide insights that are commercially valuable to Mesh Labs, such as statistics of the use of the services.
We process data in the United States and rely on legally-provided mechanisms to lawfully transfer data across borders, such as contracts incorporating data protection and sharing obligations.
We will only collect and process your personal data where we have a lawful reason for its collection.
When you visit our website and provide us with your personal information, we collect and use it with your consent.
As an application end user, you consent to our collection of your personal information when you log in for the first time. However, your employer has control of the account and may upload and share additional personal information. Your employer’s responsibility is to ensure that collecting, using and sharing the personal information uploaded to the application complies with all applicable legislation.
You can review the terms and conditions of use here: https://withmesh.com/terms-of-service
Where we rely on your consent to process personal data, you have the right to withdraw or decline your consent at any time. If you have any questions about the lawful bases upon which we collect and use your personal data, please contact us at compliance@withmesh.com.
You may choose to receive or not receive marketing communications from us. Please click the “Unsubscribe” link in the email we sent you to stop receiving marketing communications.
You may choose which information we collect automatically from your device by controlling cookie settings on your browser or by selecting your preferences through our Cookie Policy. https://withmesh.com/cookie-policy
Even if you opt-out of receiving marketing communications, we may still communicate with you regarding security and privacy issues, servicing your account, fulfilling your requests, or administering any promotion or any program in which you may have elected to participate.
You may contact us to exercise any of your rights or ask for more information about your personal information and our privacy practices by contacting us at compliance@withmesh.com.
This Cookie Policy describes the types of cookies and similar technologies that Mesh uses, how we use them, and your options for managing cookies.
A cookie is a small piece of information that is downloaded to your computer or mobile device to enable certain features and functionality. Cookies are intended to help you access and use websites and applications faster and more efficiently and to provide a more personalized experience. For example, cookies can help you enter a site without having to login, resume where you left off, remember your preferences, and track and analyze how you use a site so the site can be improved. The cookies we use may be associated with Mesh’s domain (first-party cookies) or a third party’s domain (third-party cookies).
We use cookies and other similar technologies such as pixels, beacons and tags for the purposes described below. The cookies we use can be categorized into four categories: essential, marketing, personalization, and analytics. Some essential cookies that we use are “session cookies,” meaning that even though they have a defined lifespan, they are refreshed each time you visit our website or application.
We use Google Analytics to measure aggregate website statistics on our website to track performance over time. Learn more about how Google Analytics uses your data.Prevent your data from being used by Google Analytics.
| Purpose | Lifespan | Third Party Cookies |
|---|---|---|
|
Essential Required to operate and enable basic functionality on our website. You may be able to block these cookies using your browser settings, but then parts of our website or service may not work. These cookies cannot be turned off in your Mesh account settings. |
1 minute to 12 months | Segment, LogRocket, Amplitude, Cloudfront, Stripe, Datadog |
|
Marketing Used to deliver advertising that is more relevant to you and to measure the effectiveness of our advertising campaigns. These cookies may be set through our site by our advertising partners. If you do not allow these cookies, you will experience less targeted advertising. |
1 minute to 12 months | LinkedIn, Facebook, Google, Microsoft, and TikTok, Hubspot, Awin (Shareasale), MadKudu, PartnerStack |
|
Personalization Allows us to remember your preferences and settings (such as your user name, language, or the region you are in) and provide enhanced, more personal features. If you do not allow these cookies, parts of our website or service may not work properly and you will have a less personalized experience. |
1 week to 9 months | Intercom |
|
Analytics Helps us understand how our website performs, how you interact with our site, and whether there may be technical issues. Most analytics are collected in aggregated and anonymized form. If you do not allow these cookies, we will not be able to monitor our performance or understand how you use our website or services in order to make improvements. |
1 minute to 24 months | Google Analytics, Sprig |
Most browsers allow you to manage how cookies are set and to clear cookies and browsing data. See your browser settings for how to do this. Be aware that if you choose not to enable or disable some types of cookies, certain features and functionality on our website may not work and your overall user experience may be worse.
You can customize your cookie preferences in your Mesh account settings. We may use a cookie management tool to record consent for cookies that are not necessary for the basic functioning of our website. We may ask for your consent to use these types of cookies periodically to ensure that we stay up to date on your cookie preferences. Please note that cookies that are needed for our website to function cannot be disabled.
Also, some third-party advertising networks, like Google, allow users to opt out of or customize preferences associated with their internet browsing. Learn more about this feature from Google here. You can also opt out of interest-based targeting provided by participating businesses through the Digital Advertising Alliance at http://youradchoices.com and the European Interactive Digital Advertising Alliance at http://www.youronlinechoices.eu/.
If you have any questions regarding this policy or how we use cookies, please contact us at privacy@mesh.com.
Last Updated: August 1, 2022
This Data Protection Addendum (“Addendum”) forms part of the agreement between Customer and Mesh Labs covering Customer’s use of the Services (as defined below) (“Agreement”).
I. Introduction
1. Definitions
Capitalized terms not defined in this Section 1 will have the meaning given to them in this Addendum or the Agreement.
II. Controller and Processor
2. Relationship of the Parties
2.1 Mesh Labs as a Processor. The parties acknowledge and agree that with regard to the processing of Customer Content, Customer may act either as a controller or processor and Mesh Labs is a processor. Mesh Labs will process Customer Content in accordance with Customer’s instructions as set forth in Section 5 (Customer Instructions).
2.2 Mesh Labs as a Controller of Customer Account Data. The parties acknowledge that, with regard to the processing of Customer Account Data, Customer is a controller and Mesh Labs is an independent controller, not a joint controller with Customer. Mesh Labs will process Customer Account Data as a controller in order to (a) manage the relationship with Customer; (b) carry out Mesh Labs’s core business operations, such as accounting and filing taxes; (c) detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (d) perform identity verification; (e) comply with Mesh Labs’s legal or regulatory obligation to retain Subscriber Records; and (f) as otherwise permitted under Applicable Data Protection Law and in accordance with this Addendum, the Agreement, and the Mesh Labs Privacy Notice.
2.3 Mesh Labs as a Controller of Customer Usage Data. The parties acknowledge that, with regard to the processing of Customer Usage Data, Customer may act either as a controller or processor and Mesh Labs is an independent controller, not a joint controller with Customer. Mesh Labs will process Customer Usage Data as a controller in order to carry out the necessary functions as a service provider, such as: (a) Mesh Labs’s accounting, tax, billing, audit, and compliance purposes; (b) to provide, optimize, and maintain the Services, platform and security; (c) to investigate fraud, spam, wrongful or unlawful use of the Services; (d) as required by applicable law or regulation; or (e) as otherwise permitted under Applicable Data Protection Law and in accordance with this Addendum, the Agreement, and the Mesh Labs Privacy Notice.
3. Purpose Limitation. Mesh Labs will process personal data in order to provide the Services in accordance with the Agreement. Schedule 1 (Details of Processing) of this Addendum further specifies the nature and purpose of the processing, the processing activities, the duration of the processing, the types of personal data and categories of data subjects.
4. Compliance. Customer is responsible for ensuring that (a) it has complied, and will continue to comply, with Applicable Data Protection Law in its use of the Services and its own processing of personal data and (b) it has, and will continue to have, the right to transfer, or provide access to, personal data to Mesh Labs for processing in accordance with the terms of the Agreement and this Addendum.
III. Mesh Labs as a Processor – Processing Customer Content
5. Customer Instructions. Customer appoints Mesh Labs as a processor to process Customer Content on behalf of, and in accordance with, Customer’s instructions (a) as set forth in the Agreement, this Addendum, and as otherwise necessary to provide the Services to Customer, and which includes investigating security incidents and preventing spam, fraudulent activity, and violations of the Mesh Labs Acceptable Use Policy, and detecting and preventing network exploits or abuse; (b) as necessary to comply with applicable law or regulation, including Applicable Data Protection Law; and (c) as otherwise agreed in writing between the parties (“Permitted Purposes”).
5.1 Lawfulness of Instructions. Customer will ensure that its instructions comply with Applicable Data Protection Law. Customer acknowledges that Mesh Labs is neither responsible for determining which laws or regulations are applicable to Customer’s business nor whether Mesh Labs’s provision of the Services meets or will meet the requirements of such laws or regulations. Customer will ensure that Mesh Labs’s processing of Customer Content, when done in accordance with Customer’s instructions, will not cause Mesh Labs to violate any applicable law or regulation, including Applicable Data Protection Law. Mesh Labs will inform Customer if it becomes aware, or reasonably believes, that Customer’s instructions violate any applicable law or regulation, including Applicable Data Protection Law.
5.2 Additional Instructions. Additional instructions outside the scope of the Agreement or this Addendum will be agreed to between the parties in writing, including any additional fees that may be payable by Customer to Mesh Labs for carrying out such additional instructions.
6. Confidentiality
6.1 Responding to Third Party Requests. In the event any Third Party Request is made directly to Mesh Labs in connection with Mesh Labs’s processing of Customer Content, Mesh Labs will promptly inform Customer and provide details of the same, to the extent legally permitted. Mesh Labs will not respond to any Third Party Request without Customer’s prior consent, except as legally required to do so or to confirm that such Third Party Request relates to Customer.
6.2 Confidentiality Obligations of Mesh Labs Personnel. Mesh Labs will ensure that any person it authorizes to process Customer Content has agreed to protect personal data in accordance with Mesh Labs's confidentiality obligations in the Agreement.
7. Sub-processors
7.1 Authorization for Onward Sub-processing. Customer provides a general authorization for Mesh Labs to engage onward sub-processors that is conditioned on the following requirements:
(a) Mesh Labs will restrict the onward sub-processor’s access to Customer Content only to what is strictly necessary to provide the Services, and Mesh Labs will prohibit the sub-processor from processing the personal data for any other purpose;
(b) Mesh Labs agrees to impose contractual data protection obligations, including appropriate technical and organizational measures to protect personal data, on any sub-processor it appoints that require such sub-processor to protect Customer Content to the standard required by Applicable Data Protection Law, including the requirements set forth in Schedule 4 (Jurisdiction Specific Terms) of this Addendum; and
(c) Mesh Labs will remain liable for any breach of this Addendum that is caused by an act, error, or omission of its sub-processors.
7.2 Current Sub-processors and Notification of Sub-processor Changes. Customer consents to Mesh Labs engaging third party sub-processors to process Customer Content within the Services for the Permitted Purposes provided that Mesh Labs maintains an up-to-date list of its sub-processors at Sub-processors doc. With respect to changes in infrastructure providers, Mesh Labs will endeavor to give written notice sixty (60) days prior to any change, but in any event will give written notice no less than thirty (30) days prior to any such change. With respect to Mesh Labs’s other sub-processors, Mesh Labs will endeavor to give written notice thirty (30) days prior to any change, but will give written notice no less than ten (10) days prior to any such change.
7.3 Objection Right for new Sub-processors. Customer may object to Mesh Labs's appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is in writing and based on reasonable grounds relating to data protection. In such an event, the parties agree to discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach a resolution within ninety (90) days from the date of Mesh Labs’s receipt of Customer’s written objection, Customer may discontinue the use of the affected Services by providing written notice to Mesh Labs. Such discontinuation will be without prejudice to any fees incurred by Customer prior to the discontinuation of the affected Services. If no objection has been raised prior to Mesh Labs replacing or appointing a new sub-processor, Mesh Labs will deem Customer to have authorized the new sub-processor.
8. Data Subject Rights. As part of the Services, Mesh Labs provides Customer with a number of self-service features, including the ability to delete, obtain a copy of, or restrict use of Customer Content. Customer may use these self-service features to assist in complying with its obligations under Applicable Data Protection Law with respect to responding to requests from data subjects via the Services at no additional cost. To the extent Customer does not have the ability to resolve a data subject request through the self-service features, upon Customer’s request, Mesh Labs will provide reasonable additional and timely assistance to assist Customer in complying with its data protection obligations with respect to data subject rights under Applicable Data Protection Law.
9. Impact Assessments and Consultations. Mesh Labs will provide reasonable cooperation to Customer in connection with any data protection impact assessment (at Customer’s expense only if such reasonable cooperation will require Mesh Labs to assign significant resources to that effort) or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Law.
10. Return or Deletion of Customer Content. Mesh Labs will, in accordance with Section 3 (Duration of the Processing) of Schedule 1 (Details of Processing) of this Addendum, delete or return to Customer any Customer Content stored within the Services.
10.1 Extension of Addendum. Upon termination of the Agreement, Mesh Labs may retain Customer Content in storage for the time periods set forth in Schedule 1 (Details of Processing) of this Addendum, provided that Mesh Labs will ensure that Customer Content (a) is processed only as necessary for the Permitted Purposes and (b) remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.
10.2 Retention Required by Law. Notwithstanding anything to the contrary in this Section 10, Mesh Labs may retain Customer Content, or any portion of it, if required by applicable law or regulation, including Applicable Data Protection Law, provided such Customer Content remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.
IV. Security and Audits
11. Security
11.1 Security Measures. Mesh Labs has implemented and will maintain the technical and organizational security measures as set forth in the Agreement. Additional information about Mesh Labs’s technical and organizational security measures to protect Customer Data is set forth in Schedule 2 (Technical and Organizational Security Measures) of this Addendum.
11.2 Determination of Security Requirements. Customer acknowledges the Services include certain features and functionalities that Customer may elect to use which impact the security of Customer Data processed by Customer’s use of the Services, such as, but not limited to, encryption of voice recordings, availability of multi-factor authentication on Customer’s account, or optional Transport Layer Security (TLS) encryption. Customer is responsible for reviewing the information Mesh Labs makes available regarding its data security, including its audit reports, and making an independent determination as to whether the Services meet the Customer’s requirements and legal obligations, including its obligations under Applicable Data Protection Law. Customer is further responsible for properly configuring the Services and using features and functionalities made available by Mesh Labs to maintain appropriate security in light of the nature of Customer Data processed as a result of Customer’s use of the Services.
11.3 Security Incident Notification. Mesh Labs will provide notification of a Security Incident in the following manner:
(a) Mesh Labs will, to the extent permitted by applicable law, notify Customer without undue delay, but in no event later than fourty-eight (48) hours after Mesh Labs’s discovery of a Security Incident impacting Customer Data of which Mesh Labs is a processor;
(b) Mesh Labs will, to the extent permitted and required by applicable law, notify Customer without undue delay of any Security Incident involving Customer Data of which Mesh Labs is a controller; and
(c) Mesh Labs will notify Customer of any Security Incident via email to the email address(es) designated by Customer in Customer’s account.
Mesh Labs will make reasonable efforts to identify a Security Incident, and to the extent a Security Incident is caused by Mesh Labs’s violation of this Addendum, remediate the cause of such Security Incident. Mesh Labs will provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Law to notify a regulatory authority or any data subjects impacted by a Security Incident.
12. Audits. The parties acknowledge that Customer must be able to assess Mesh Labs’s compliance with its obligations under Applicable Data Protection Law and this Addendum, insofar as Mesh Labs is acting as a processor on behalf of Customer.
V. International Provisions
13. Jurisdiction Specific Terms. To the extent Mesh Labs processes personal data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Schedule 4 (Jurisdiction Specific Terms) of this Addendum, the terms specified in Schedule 4 with respect to the applicable jurisdiction(s) apply in addition to the terms of this Addendum.
VI. Miscellaneous
15. Cooperation and Data Subject Rights. In the event that either party receives (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure, and data portability, as applicable) or (b) any Third Party Request relating to the processing of Customer Account Data or Customer Usage Data conducted by the other party, such party will promptly inform such other party in writing. The parties agree to cooperate, in good faith, as necessary to respond to any Third Party Request and fulfill their respective obligations under Applicable Data Protection Law.
16. Conflict. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms set forth in Schedule 4 (Jurisdiction Specific Terms) of this Addendum; (2) the terms of this Addendum outside of Schedule 4 (Jurisdiction Specific Terms); (3) the Agreement; and (4) the Mesh Labs Privacy Notice. Any claims brought in connection with this Addendum will be subject to the terms and conditions, including, without limitation, the exclusions and limitations set forth in the Agreement.
17. Updates. Mesh Labs may update the terms of this Addendum from time to time; provided, however, Mesh Labs will provide at least thirty (30) days prior written notice to Customer when an update is required as a result of (a) changes in Applicable Data Protection Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Services. The then-current terms of this Addendum are available at https://www.withmesh.com/legal#dpa.
DETAILS OF PROCESSING
1. Nature and Purpose of the Processing. Mesh Labs will process personal data as necessary to provide the Services under the Agreement. Mesh Labs does not sell Customer’s personal data or Customer end users’ personal data and does not share such end users’ information with third parties for compensation or for those third parties’ own business interests.
1.1 Customer Content. Mesh Labs will process Customer Content as a processor in accordance with Customer’s instructions as set forth in Section 5 (Customer Instructions) of this Addendum.
1.2 Customer Account Data. Mesh Labs will process Customer Account Data as a controller for the purposes set forth in Section 2.2 (Mesh Labs as a Controller of Customer Account Data) of this Addendum.
1.3 Customer Usage Data. Mesh Labs will process Customer Usage Data as a controller for the purposes set forth in Section 2.3 (Mesh Labs as a Controller of Customer Usage Data) of this Addendum.
2. Processing Activities.
2.1 Customer Content. Personal data contained in Customer Content will be subject to the following basic processing activities:
(a) the provision of products and services which allows Customer to integrate, manage and control its data relating to end users. Storage of personal data on Mesh Labs’s network.
2.2 Customer Account Data. Personal data contained in Customer Account Data will be subject to the processing activities of providing the Services.
2.3 Customer Usage Data. Personal data contained in Customer Usage Data will be subject to the processing activities of providing the Services.
3. Duration of the Processing. The period for which personal data will be retained and the criteria used to determine that period is as follows:
3.1 Customer Content.
(a) Services. Prior to the termination of the Agreement, (x) Mesh Labs will process stored Customer Content for the Permitted Purposes until Customer elects to delete such Customer Content via the Services and (y) Customer agrees that it is solely responsible for deleting Customer Content via the Services. Upon termination of the Agreement, Mesh Labs will (i) provide Customer one (1) year after the termination effective date to obtain a copy of any stored Customer Content via the Services; (ii) automatically delete any stored Customer Content one (1) year after the termination effective date; and (iii) automatically delete any stored Customer Content on Mesh Labs’s back-up systems one (1) year after the termination effective date. Any Customer Content archived on Mesh Labs’s back-up systems will be securely isolated and protected from any further processing, except as otherwise required by applicable law or regulation.
3.2 Customer Account Data. Mesh Labs will process Customer Account Data as long as required (a) to provide the Services to Customer; (b) for Mesh Labs’s legitimate business needs; or (c) by applicable law or regulation. Customer Account Data will be stored in accordance with the Mesh Labs Privacy Notice.
3.3 Customer Usage Data. Upon termination of the Agreement, Mesh Labs may retain, use, and disclose Customer Usage Data for the purposes set forth in Section 1.3 (Customer Usage Data) of this Schedule 1, subject to the confidentiality obligations set forth in the Agreement. Mesh Labs will anonymize or delete Customer Usage Data when Mesh Labs no longer requires it for the purposes set forth in Section 1.3 (Customer Usage Data) of this Schedule 1.
4. Categories of Data Subjects.
4.1 Customer Content. Customer’s end users.
4.2 Customer Account Data. Customer’s employees and individuals authorized by Customer to access Customer’s Mesh Labs account or make use of the MFA Services or telephone number assignments received from Mesh Labs.
4.3 Customer Usage Data. Customer’s end users.
5. Categories of Personal Data. Mesh Labs processes personal data contained in Customer Account Data, Customer Content, and Customer Usage Data.
6. Sensitive Data or Special Categories of Data.
6.1 Customer Content. Sensitive Data may, from time to time, be processed via the Services where Customer or its end users choose to include Sensitive Data within the communications that are transmitted using the Services. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Customer’s end users to transmit or process, any Sensitive Data via the Services.
6.2 Customer Account Data and Customer Usage Data.
(a) Sensitive Data may be found in Customer Account Data in the form of Subscriber Records containing passport or similar identifier data necessarily processed in order to receive telephone number assignments.
(b) Customer Usage Data does not contain Sensitive Data.
The full text of Mesh Labs’s technical and organizational security measures to protect Customer Data is available at https://www.withmesh.com/legal#security (“Security Overview”).
Where applicable, this Schedule 2 will serve as Annex II to the EU Standard Contractual Clauses. The following table provides more information regarding the technical and organizational security measures set forth below.
Technical and Organizational Security Measure | Evidence of Technical and Organizational Security Measure |
Measures of pseudonymisation and encryption of personal data | See Section 13 (Encryption) of the Security Overview |
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | See Section 18 ( Resilience and Service Continuity) and Section 19 (Customer Data Backups) of the Security Overview |
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | See Section 18 ( Resilience and Service Continuity) and Section 19 (Customer Data Backups) of the Security Overview |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | See Section 3 (Security Organization and Program), Section 7 (Security Certifications and Attestations), and Section 15 (Penetration Testing) of the Security Overview |
Measures for user identification and authorisation | See Section 11 (Access Controls) of of the Security Overview |
Measures for the protection of data during transmission | See Section 13 (Encryption) and Section 19 (Customer Data Backups) of the Security Overview |
Measures for the protection of data during storage | See Section 8 (Hosting Architecture and Data Segregation) and Section 13 (Encryption) of the Security Overview |
Measures for ensuring physical security of locations at which personal data are processed | See Section 9 (Physical Security) of the Security Overview |
Measures for certification/assurance of processes and products | See Section 3 (Security Organization and Program) and Section 7 (Security Certifications and Attestations) of the Security Overview |
Measures for allowing data portability and ensuring erasure | Customer is able to request export or deletion of Customer Content by submitting a request to datarights@withmesh.com. |
Technical and organizational measures to be taken by the [sub]-processor to provide assistance to the controller and, for transfers from a processor to a [sub]-processor, to the Customer. | When Mesh Labs engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, Mesh Labs and the sub-processor enter into an agreement with data protection obligations substantially similar to those contained in this Addendum. Each sub-processor agreement must ensure that Mesh Labs is able to meet its obligations to Customer. In addition to implementing technical and organizational measures to protect personal data, sub-processors must (a) notify Mesh Labs in the event of a Security Incident so Mesh Labs may notify Customer; (b) delete personal data when instructed by Mesh Labs in accordance with Customer’s instructions to Mesh Labs; (c) not engage additional sub-processors without Mesh Labs’s authorization; d) not change the location where personal data is processed; or (e) process personal data in a manner which conflicts with Customer’s instructions to Mesh Labs. |
1. Australia:
1.1 The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles and the Australian Privacy Act (1988).
1.2 The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law.
1.3 The definition of “Sensitive Data” includes “Sensitive Information” as defined under Applicable Data Protection Law.
2. Brazil:
2.1 The definition of “Applicable Data Protection Law” includes the Lei Geral de Proteção de Dados (LGPD).
2.2 The definition of “Security Incident” includes a security incident that may result in any relevant risk or damage to data subjects.
2.3 The definition of “processor” includes “operator” as defined under Applicable Data Protection Law.
3. California:
3.1 The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act (CCPA).
3.2 The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law and, for clarity, includes any Personal Information contained within Customer Account Data, Customer Content, and Customer Usage Data.
3.3 The definition of “data subject” includes “Consumer” as defined under Applicable Data Protection Law. Any data subject rights, as set forth in Section 8 (Data Subject Rights) of this Addendum, apply to Consumer rights. In regards to data subject requests, Mesh Labs can only verify a request from Customer and not from Customer’s end user or any third party.
3.4 The definition of “controller” includes “Business” as defined under Applicable Data Protection Law.
3.5 The definition of “processor” includes “Service Provider” as defined under Applicable Data Protection Law.
3.6 Mesh Labs will process, retain, use, and disclose personal data only as necessary to provide the Services under the Agreement, which constitutes a business purpose. Mesh Labs agrees not to (a) sell (as defined by the CCPA) Customer’s personal data or Customer end users’ personal data; (b) retain, use, or disclose Customer’s personal data for any commercial purpose (as defined by the CCPA) other than providing the Services; or (c) retain, use, or disclose Customer’s personal data outside of the scope of the Agreement. Mesh Labs understands its obligations under the Applicable Data Protection Law and will comply with them.
3.7 Mesh Labs certifies that its sub-processors, as set forth in Section 7 (Sub-processors) of this Addendum, are Service Providers under Applicable Data Protection Law, with whom Mesh Labs has entered into a written contract that includes terms substantially similar to this Addendum. Mesh Labs conducts appropriate due diligence on its sub-processors.
3.8 Mesh Labs will implement and maintain reasonable security procedures and practices appropriate to the nature of the personal data it processes as set forth in Section 11 (Security) of this Addendum.
4. Canada:
4.1 The definition of “Applicable Data Protection Law” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).
4.2 Mesh Labs’s sub-processors, as set forth in Section 7 (Sub-processors) of this Addendum, are third parties under Applicable Data Protection Law, with whom Mesh Labs has entered into a written contract that includes terms substantially similar to this Addendum. Mesh Labs has conducted appropriate due diligence on its sub-processors.
4.3 Mesh Labs will implement technical and organizational measures as set forth in Section 11 (Security) of this Addendum.
5. European Economic Area (EEA):
5.1 The definition of “Applicable Data Protection Law” includes the General Data Protection Regulation (EU 2016/679) (“GDPR”).
5.2 When Mesh Labs engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, it will:
(a) require any appointed sub-processor to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and
(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the European Union has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the EU Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent European Union data protection authorities.
5.3 Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
5.4 Customer acknowledges that Mesh Labs, as a controller, may be required under Applicable Data Protection Law to notify a regulatory authority of Security Incidents involving Customer Usage Data. If a regulatory authority requires Mesh Labs to notify impacted data subjects with whom Mesh Labs does not have a direct relationship (e.g., Customer’s end users), Mesh Labs will notify Customer of this requirement. Customer will provide reasonable assistance to Mesh Labs to notify the impacted data subjects.
6. Israel:
6.1 The definition of “Applicable Data Protection Law” includes the Protection of Privacy Law (PPL).
6.2 The definition of “controller” includes “Database Owner” as defined under Applicable Data Protection Law.
6.3 The definition of “processor” includes “Holder” as defined under Applicable Data Protection Law.
6.4 Mesh Labs will require that any personnel authorized to process Customer Content comply with the principle of data secrecy and have been duly instructed about Applicable Data Protection Law. Such personnel sign confidentiality agreements with Mesh Labs in accordance with Section 6 (Confidentiality) of this Addendum.
6.5 Mesh Labs must take sufficient steps to ensure the privacy of data subjects by implementing and maintaining the security measures as specified in Section 11 (Security) of this Addendum and complying with the terms of the Agreement.
6.6 Mesh Labs must ensure that the personal data will not be transferred to a sub-processor unless such sub-processor has executed an agreement with Mesh Labs pursuant to Section 7.1 (Authorization for Onward Sub-processing) of this Addendum.
7. Japan:
7.1 The definition of “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).
7.2 The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law.
7.3 The definition of “controller” includes “Business Operator” as defined under Applicable Data Protection Law. As a Business Operator, Mesh Labs is responsible for the handling of personal data in its possession.
7.4 The definition of “processor” includes a business operator entrusted by the Business Operator with the handling of personal data in whole or in part (also a “trustee”), as defined under Applicable Data Protection Law. As a trustee, Mesh Labs will ensure that the use of the entrusted personal data is securely controlled.
8. Mexico:
8.1 The definition of “Applicable Data Protection Law” includes the Federal Law for the Protection of Personal Data Held by Private Parties and its Regulations (FLPPIPPE).
8.2 When acting as a processor, Mesh Labs will:
(a) treat personal data in accordance with Customer’s instructions set forth in Section 5 (Customer Instructions) of this Addendum;
(b) process personal data only to the extent necessary to provide the Services;
(c) implement security measures in accordance with Applicable Data Protection Law and Section 11 (Security) of this Addendum;
(d) keep confidentiality regarding the personal data processed in accordance with the Agreement;
(e) delete all personal data upon termination of the Agreement in accordance with Section 10 (Return or Deletion of Customer Content) of this Addendum; and
(f) only transfer personal data to sub-processors in accordance with Section 7 (Sub-processors) of this Addendum.
9. Singapore:
9.1 The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (PDPA).
9.2 Mesh Labs will process personal data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Section 11 (Security) of this Addendum and complying with the terms of the Agreement.
10. Switzerland:
10.1 The definition of “Applicable Data Protection Law” includes the Swiss Federal Act on Data Protection, as revised (FADP).
10.2 When Mesh Labs engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, it will:
(a) require any appointed sub-processor to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and
(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that Switzerland has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the EU Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent European Union data protection authorities.
10.3 To the extent that personal data transfers from Switzerland are subject to the EU Standard Contractual Clauses in accordance with Section 2.3 of Schedule 3 (Cross Border Data Transfer Mechanisms), the following amendments will apply to the EU Standard Contractual Clauses:
(a) references to "EU Member State" and "Member State' will be interpreted to include Switzerland, and
(b) insofar as the transfer or onward transfers are subject to the FADP:
(i) references to "Regulation (EU) 2016/679" are to be interpreted as references to the FADP;
(ii) the "competent supervisory authority" in Annex I, Part C will be the Swiss Federal Data Protection and Information Commissioner;
(iii) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be goverened by the laws of Switzerland; and
(iv) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Switzerland.
11. United Kingdom (UK):
11.1 References in this Addendum to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).
11.2 When Mesh Labs engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, it will:
(a) require any appointed sub-processor to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and
(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the United Kingdom has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the UK International Data Transfer Agreement or pursuant to a Binding Corporate Rules approval granted by competent United Kingdom data protection authorities.
11.3 Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any UK GDPR fines issued or levied under Article 83 of the UK GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the UK GDPR.
11.4 Customer acknowledges that Mesh Labs, as a controller, may be required under Applicable Data Protection Law to notify a regulatory authority of Security Incidents involving Customer Usage Data. If a regulatory authority requires Mesh Labs to notify impacted data subjects with whom Mesh Labs does not have a direct relationship (e.g., Customer’s end users), Mesh Labs will notify Customer of this requirement. Customer will provide reasonable assistance to Mesh Labs to notify the impacted data subjects.
Last Updated: July 12, 2022
This Mesh Labs Security Overview (“Security Overview”) is incorporated into and made a part of the agreement between Mesh Labs and Customer covering Customer’s use of the Services (as defined below) (“Agreement”).
1. Definitions
“Services” means, for the purposes of this Security Overview, any software, services, or application programming interfaces branded as "Mesh Labs", "Mesh Analytics" or "Mesh".
2. Purpose. This Security Overview describes Mesh Labs' security program, security certifications, and technical and organizational security controls to protect (a) Customer Data from unauthorized use, access, disclosure, or theft and (b) the Services. As security threats change, Mesh Labs continues to update its security program and strategy to help protect Customer Data and the Services. As such, Mesh Labs reserves the right to update this Security Overview from time to time; provided, however, any update will not materially reduce the overall protections set forth in this Security Overview. The then-current terms of this Security Overview are available at https://www.withmesh.com/legal#security. This Security Overview does not apply to any (a) Services that are identified as alpha, beta, not generally available, limited release, developer preview, or any similar Services offered by Mesh Labs
3. Security Organization and Program. Mesh Labs maintains a risk-based assessment security program. The framework for Mesh Labs' security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. Mesh Labs' security program is intended to be appropriate to the nature of the Services and the size and complexity of Mesh Labs' business operations. The program covers: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Disaster Recovery Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, and Security Monitoring and Incident Response. Security is managed at the highest levels of the company, with Mesh Labs' Chief Information Security Officer (CISO) meeting with executive management regularly to discuss issues and coordinate company-wide security initiatives. Information security policies and standards are reviewed and approved by management at least annually and are made available to all Mesh Labs employees for their reference.
4. Confidentiality. Mesh Labs has controls in place to maintain the confidentiality of Customer Data in accordance with the Agreement. All Mesh Labs employees and contract personnel are bound by Mesh Labs' internal policies regarding maintaining the confidentiality of Customer Data and are contractually obligated to comply with these obligations.
5. People Security
5.1 Employee Background Checks. Mesh Labs performs background checks on all new employees at the time of hire in accordance with applicable local laws. Mesh Labs currently verifies a new employee’s education and previous employment and performs reference checks. Where permitted by applicable law, Mesh Labs may also conduct criminal, credit, immigration, and security checks depending on the nature and scope of a new employee’s role.
5.2 Employee Training. At least once (1) per year, Mesh Labs employees must complete a security and privacy training which covers Mesh Labs' security policies, security best practices, and privacy principles. Employees on a leave of absence may have additional time to complete this annual training. Mesh Labs' dedicated security team also performs phishing awareness campaigns and communicates emerging threats to employees. Mesh Labs has also established an anonymous hotline for employees to report any unethical behavior where anonymous reporting is legally permitted.
6. Third Party Vendor Management
6.1 Vendor Assessment. Mesh Labs may use third party vendors to provide the Services. Mesh Labs carries out a security risk-based assessment of prospective vendors before working with them to validate they meet Mesh Labs' security requirements. Mesh Labs periodically reviews each vendor in light of Mesh Labs' security and business continuity standards, including the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal or regulatory requirements. Mesh Labs ensures that Customer Data is returned and/or deleted at the end of a vendor relationship.
6.2 Vendor Agreements. Mesh Labs enters into written agreements with all of its vendors which include confidentiality, privacy, and security obligations that provide an appropriate level of protection for Customer Data that these vendors may process.
7. Security Certifications and Attestations. Mesh Labs holds the following security-related certifications and attestations: Mesh Labs is partnered with Tugboat Logic by Onetrust and are in the process of SOC 2 ceritification. A Letter of Engagement is available upon request.
8. Hosting Architecture and Data Segregation
8.1 Amazon Web Services and Heroku. The Mesh Labs Services are hosted on Amazon Web Services (“AWS”) and Heroku in the United States of America and protected by the security and environmental controls of Amazon.com Inc and Salesforce Inc, respectively. The production environment for each Customer within AWS where the Mesh Labs Services and Customer Data are hosted are logically isolated in a Virtual Private Cloud (VPC). Customer Data stored within AWS is encrypted at all times. AWS does not have access to unencrypted Customer Data. More information about AWS security is available at https://aws.amazon.com/security/ andhttps://aws.amazon.com/compliance/shared-responsibility-model/. For AWS SOC Reports, please seehttps://aws.amazon.com/compliance/soc-faqs/. More information about Heroku security is available at https://www.heroku.com/policy/security and https://devcenter.heroku.com/articles/security-privacy-compliance
8.2 Planetscale and Redis Enterprise Cloud. Mesh Labs Customer Data is stored in Planetscale and occasionally cached in Redis Enterprise Cloud in the United States of America and protected by the security and environment controls of Planetscale Inc and Redis Ltd, respectively. More information about Planetscale security is available at https://planetscale.com/docs/concepts/security. More information about Redis security is available at https://redis.com/company/compliance-and-privacy/
8.3 Services. For the Services, all network access between production hosts is restricted, using access control lists to allow only authorized services to interact in the production network. Access control lists are in use to manage network segregation between different security zones in the production and corporate environments. Access control lists are reviewed regularly. Mesh Labs separates Customer Data using logical identifiers. Customer Data is tagged with a unique customer identifier that is assigned to segregate Customer Data ownership. The Mesh Labs APIs are designed and built to identify and allow authorized access only to and from Customer Data identified with customer specific tags. These controls prevent other customers from having access to Customer Data.
9. Physical Security. AWS, Planetscale, Heroku, and Redis are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication (2FA) a minimum of two (2) times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. In addition, Mesh Labs headquarters and office spaces have a physical security program that manages visitors, building entrances, closed circuit televisions, and overall office security. All employees, contractors, and visitors are required to wear identification badges.
10. Security by Design. Mesh Labs follows security by design principles when it designs the Services. Mesh Labs also applies the Mesh Labs Secure Software Development Lifecycle (Secure SDLC) standard to perform numerous security-related activities for the Services across different phases of the product creation lifecycle from requirements gathering and product design all the way through product deployment. These activities include, but are not limited to, the performance of (a) internal security reviews before deploying new Services or code; (b) penetration tests of new Services by independent third parties; and (c) threat models for new Services to detect potential security threats and vulnerabilities.
11. Access Controls
11.1 Provisioning Access. To minimize the risk of data exposure, Mesh Labs follows the principles of least privilege through a team-based-access-control model when provisioning system access. Mesh Labs personnel are authorized to access Customer Data based on their job function, role, and responsibilities, and such access requires approval. Access rights to production environments that are not time-based are reviewed at least semi-annually. An employee’s access to Customer Data is promptly removed upon termination of their employment. In order to access the production environment, an authorized user must have a unique username and password and multi-factor authentication enabled. Before an engineer is granted access to the production environment, access must be approved by management and the engineer is required to complete internal training for such access including training on the relevant team’s systems. Mesh Labs logs high risk actions and changes in the production environment. Mesh Labs leverages automation to identify any deviation from internal technical standards that could indicate anomalous/unauthorized activity to raise an alert within minutes of a configuration change.
11.2 Password Controls. Mesh Labs' current policy for employee password management follows the NIST 800-63B guidance, and as such, our policy is to use longer passwords, with multi-factor authentication, but not require special characters or frequent changes. For Mesh Labs employees, password requirements include an eight (8) character minimum, with at least three (3) of the following characteristics: upper case letter, lower case letter, number, or special character. When a customer logs into its account, Mesh Labs hashes the credentials of the user before it is stored. A customer may also require its users to add another layer of security to their account by using two-factor authentication (2FA).
12. Change Management. Mesh Labs has a formal change management process it follows to administer changes to the production environment for the Services, including any changes to its underlying software, applications, and systems. Each change is carefully reviewed and evaluated in a test environment before being deployed into the production environment for the Services. All changes, including the evaluation of the changes in a test environment, are documented using a formal, auditable system of record. A rigorous assessment is carried out for all high-risk changes to evaluate their impact on the overall security of the Services. Deployment approval for high-risk changes is required from the correct organizational stakeholders. Plans and procedures are also implemented in the event a deployed change needs to be rolled back to preserve the security of the Services.
13. Encryption. For the Mesh Labs Services, (a) the databases that store Customer Data are encrypted using the Advanced Encryption Standard and (b) Customer Data is encrypted when in transit between Customer’s software application and the Services using TLS v1.2. For the Mesh Labs Services, Mesh Labs provides opportunistic TLS v1.1 or higher for emails in transit between Customer’s software application and the recipient’s email server. The Mesh Labs Services are designed to opportunistically try outbound TLS v1.1 or higher when attempting to deliver an email to a recipient. This means that if a recipient's email server accepts an inbound TLS v1.1 or higher connection, Mesh Labs will deliver an email over a TLS encrypted connection. If a recipient’s email server does not support TLS, Mesh Labs will deliver an email over the default unencrypted connection. The Mesh Labs Services provide an optional feature, which Customer has to enable, that allows Customer to enforce TLS encryption. If Customer enables the enforced TLS feature, Mesh Labs will only deliver an email to a recipient if the recipient’s email server accepts an inbound TLS v1.1 or higher connection. For the Segment Services, Customer Data is encrypted at rest using the Advanced Encryption Standard.
14. Vulnerability Management. Mesh Labs maintains controls and policies to mitigate the risk of security vulnerabilities in a measurable time frame that balances risk and the business/operational requirements. Mesh Labs uses a third-party tool to conduct vulnerability scans regularly to assess vulnerabilities in Mesh Labs' cloud infrastructure and corporate systems. Critical software patches are evaluated, tested, and applied proactively. Operating system patches are applied through the regeneration of a base virtual-machine image and deployed to all nodes in the Mesh Labs cluster over a predefined schedule. For high-risk patches, Mesh Labs will deploy directly to existing nodes through internally developed orchestration tools.
15. Security Incident Management. Mesh Labs maintains security incident management policies and procedures in accordance with NIST SP 800-61. Mesh Labs' Security Incident Response Team (T-SIRT) assesses all relevant security threats and vulnerabilities and establishes appropriate remediation and mitigation actions. Mesh Labs retains security logs for one hundred and eighty (180) days. Access to these security logs is limited to T-SIRT. Mesh Labs utilizes third-party tools to detect, mitigate, and prevent Distributed Denial of Service (DDoS) attacks.
16. Discovery, Investigation, and Notification of a Security Incident. Mesh Labs will promptly investigate a Security Incident upon discovery. To the extent permitted by applicable law, Mesh Labs will notify Customer of a Security Incident in accordance with the Data Protection Addendum. Security Incident notifications will be provided to Customer via email to the email address designated by Customer in its account.
17. Resilience and Service Continuity
17.1 Resilience. The hosting infrastructure for the Mesh Labs Services and Segment Services (a) spans multiple fault-independent availability zones in geographic regions physically separated from one another and (b) is able to detect and route around issues experienced by hosts or even whole data centers in real time and employ orchestration tooling that has the ability to regenerate hosts, building them from the latest backup.
17.2 Service Continuity. Mesh Labs also leverages specialized tools available within the hosting infrastructure for the Services to monitor server performance, data, and traffic load capacity within each availability zone and colocation data center. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone or colocation data center, these specialized tools increase the capacity or shift traffic to relieve any suboptimal server performance or capacity overload. Mesh Labs is also immediately notified in the event of any suboptimal server performance or overloaded capacity.
18. Customer Data Backups. Mesh Labs performs regular backups of Customer Data, which is hosted on AWS’s, Planetscale', and Redis Enterprise Cloud's data center infrastructure. Customer Data that is backed up is retained redundantly across multiple availability zones and encrypted in transit and at rest using the Advanced Encryption Standard.
Availability and uptime: This is the amount of time that services are running and accessible to the customer. Uptime is generally tracked and reported every calendar month.
Downtime: This is the total accumulated time the service is unavailable.
Service Commitment
Mesh Labs will use commercially reasonable efforts to make service available with an uptime percentage of at least 99.9%.
Policy conditions:
If the service commitment is not met, the customer shall be eligible to receive a service credit.
Including the response mode and timing to consumers' requests required by relevant laws.
Service credit description and conditions.
SLA Exclusions.
Mesh Labs knows that providing the best possible support to our customers is critical to making our customers successful.
The following services are covered:
Effective support of in-scope services is a result of maintaining consistent service levels.
Mesh Labs will provide ongoing support to customers using the approved service support channel and knowledge base resources. When a request or transaction is submitted, Mesh Labs will authenticate the customer to verify their identity in proportion to the risk of the request or transaction.
In support of services outlined in the agreement,Mesh Labs will respond to service-related incidents and/or requests submitted by the customer within the following timeframes:
This policy describes how Mesh Labs, Inc. collects and processes personal data with respect to data subjects covered by the EU General Data Protection Regulation. Depending on your geographic location, some parts of this statement may not apply to you. Except as described below, we are the data controller of personal data collected from our website and a data processor for our customers supplied data. Our physical address is 85 Broad Street, Floor 17, New York, NY 10004 and you may reach us by emailing gdpr@withmesh.com.
Osano International Compliance Services Limited, ATTN: FMYZ3, Dublin Landings, North Wall Quay, Dublin, 1D01C4E0
Osano UK Compliance LTD, ATTN: FMYZ, 42-46 Fountain Street, Belfast, Antrim, BT1 - 5EF
The GDPR principles exist to aid companies to stay and remain within the boundaries of the regulation; they also help to understand its main objectives. Therefore, we comply with the contours and principles expressed to be the core of GDPR compliance, which are:
We may collect information about you during your visit and when you use our website, app, and services. To give you more information on the sources of the data we collect from you, consider that we are doing so;
The nature of the processing is as follows:
The types of processing identified as likely high risk are those involving personally identifying information (PII), such as contact information and engagement/communication history. We will take appropriate measures to ensure that such data is processed in accordance with GDPR requirements.
Nature and scope of the data: The data collected and processed by Mesh includes, but is not limited to, marketing and sales information, such as lead and opportunity data, revenue data, marketing engagement, website traffic, ad interactions. It does not include special category or criminal offense data. The amount of data collected and used varies depending on the size and activity of our customers. This could be a large amount of data, potentially including records related to millions of individuals.
Frequency & Retention: The data collected and processed by Mesh is updated in real-time, as marketing and sales activities occur. This data is retained for as long as it is necessary for the purposes of providing business services, or as required by law.
Impact & Geography: The number of individuals affected by the processing of data by Mesh varies depending on the size and activity of our customers. It may include thousands or millions of individuals and those individuals may be located anywhere in the world (largely depending on the geographic location and presence of our customers).
We collect the following categories of personal data:
Remember that you have the right at all times not to disclose any personal information to us. However, this may impact and possibly limit your use of the Website and App and we may not be able to provide you any Services to the extent that your personal data is required to enable us to provide such data.
We use your personal information for various purposes.
We follow the directives of the GDPR in informing you about our uses, basis, and purposes for the collection and processing of your personal data. In the event that any such purpose changes, we will make sure to inform you about any changes to the purposes of why and what we collect and process your data for.
Under no circumstance will we sell, trade, or rent any of your personal information, regardless of its source or purpose. However, with your previous consent, we may share personal data with recipients under certain circumstances and with the following parties;
Under the GDPR, all companies must have a legal basis for processing personal information. We rely on the following legal bases for collecting and processing personal data:
Our lawful basis for processing is based on our customer’s consent from their clients and prospects either via their terms and conditions or other contractual agreement. Our default assumption is that any customer we work with has received the required consent to capture their client data and process it via first or third party resources. In our contractual agreements with our customers, this will be explicitly agreed upon.
Many US companies have commercial interests and businesses inside the EU and therefore handle the personal data of EU citizens directly protected by the GDPR. As a result, EU authorities, through the EU Commission, have determined the need for valid mechanisms for companies to make such data transfers without putting any personal data protected under the GDPR at risk of infringement. These are the most important of such mechanisms.
The terms of the data processing addendum ("Mesh DPA") available below are hereby incorporated by reference and shall apply to the extent Mesh processes any Personal Data (as defined in the Mesh DPA) that is subject to the GDPR on Customer’s behalf.
For the purposes determined within this statement and to provide complete and compliant services to you, we engage and use data processors with which we may share some categories of your collected data. These subprocessors are under an agreement with us and may use your data for the specific purposes we require and in compatibility with this statement and our privacy policy.
The GDPR has granted data subjects specific rights respecting their personal data. This applicability may depend on your nationality and geographic location. These are your rights:
Right of knowledge or confirmation. You have the right to obtain a confirmation of whether your personal data is being processed
Right of access. You may require from the controller free information about the storage of your personal information and also obtain a copy of this information. Additionally, you have a right to know the purposes of the processing of any personal information, the categories of personal information collected or processed and stored, and the recipients of the personal information, if any.
Right of rectification. You have the right to correct or request the correction of your personal information.
Right to be forgotten (erasure). You shall have the right to have your personal data erased without delay, provided that processing is unnecessary. The controller shall consider if such information is no longer necessary for the purposes it was collected for and that there are no overriding legitimate grounds for processing.
Right of restriction of processing. You have the right to request that processing of your personal data be restricted when:
Right of Data Portability. You have the right to receive their personal information in a structured and machine-readable format. You shall have the right to transmit the data to another controller without further observation by the original controller. You may also request that personal data be transferred directly from one controller to another.
Right to object. You have the right to object to the processing of your personal information, at any time.
Right not to be subject to automatic decision-making, including profiling. you have the right not to be subject to this kind of processing.
Right to withdraw consent. If you have consented to the collection or use of your personal information, you have the right to withdraw your consent at any time.
Additionally, if you feel we have failed to address any of your requests regarding your personal data, you may have the right to lodge a complaint with a Data Protection Authority. Here is a list of the contacts for them: https://edpb.europa.eu/about-edpb/about-edpb/members_en To practice your aforementioned rights, please contact us at the physical or email address provided in our Privacy Policy. Before we grant or process any requests for your rights, we may require verification of your identity.
We have appointed a Data Protection Officer. You may contact him at:
Michael Wang
85 Broad Street, Floor 17
New York, NY 10004
If you think the DPO is not the correct party to address for any questions or inquiries about this Statement contact us to our provided contact data above. We can provide a copy of our DPIA by request.