[YOUR LEGAL ENTITY], [REGISTERED ADDRESS]) must be filled in by your counsel. Some clauses (international transfer mechanisms, audit cadence, retention schedules) should be tuned to your contracts. This text is a starting point, not legal advice and not a substitute for a negotiated DPA with enterprise customers.Data Processing Addendum
Effective April 26, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between [YOUR LEGAL ENTITY] ("HelpMesh", "Processor") and the Customer ("Controller") for the use of the HelpMesh customer support platform (the "Service"). It applies where HelpMesh processes personal data on behalf of the Customer in scope of GDPR, UK-GDPR, PDPL, DPDPA, or comparable laws.
1. Definitions
Terms not defined here have the meaning given in the GDPR or analogous local law. For the avoidance of doubt: "Customer Data" means tickets, conversations, attachments, contacts, custom fields, knowledge base articles, and any other content the Controller submits to the Service.
2. Subject matter and duration
Subject: provision of the Service. Duration: for the term of the Customer's subscription, plus 30 days for export, then deletion.
3. Nature and purpose
Hosting, transmission, display, search, classification, automation, AI-powered features (sentiment analysis, summarization, draft replies), notification fanout, and reporting.
4. Categories of data subjects and personal data
| Data subjects | Categories of data |
|---|---|
| Customer's end-users (the people the Customer supports) | Name, email, phone, WhatsApp number, IP address, conversation content, attachments, custom-field values, language preference |
| Customer's agents and admins | Name, email, role, login activity, IP address |
5. Roles
- The Controller determines the purpose and means of processing personal data and is the data controller for end-user data submitted to the Service.
- The Processor (HelpMesh) processes personal data only on the documented instructions of the Controller, including these Terms and DPA.
6. Sub-processors
The Customer authorizes HelpMesh to engage the sub-processors listed at /legal/subprocessors. HelpMesh will provide at least 30 days' notice of any new sub-processor and will impose data protection obligations no less protective than this DPA. The Customer may object on reasonable grounds; in that case the parties will work in good faith to find a resolution, and if none is found, the Customer may terminate without penalty for the affected portion of the Service.
7. Security measures
- TLS 1.2+ in transit; AES-256 at rest.
- Per-tenant isolation enforced at the database query layer.
- Role-based access controls; multi-factor authentication for admins.
- Immutable audit log of access and mutations, retained two years.
- Quarterly access reviews; annual penetration testing (where contracted).
- Incident response plan with 72-hour breach notification per applicable law.
A more detailed list of technical and organizational measures (TOMs) is available at /legal/security.
8. International transfers
Customer Data is hosted in Mumbai (ap-south-1). Where data is transferred out of the originating jurisdiction (e.g. for support access by HelpMesh personnel located elsewhere), HelpMesh relies on Standard Contractual Clauses (EU/UK), Standard Contractual Provisions (UAE PDPL), or other appropriate transfer mechanisms.
9. Data subject requests
HelpMesh provides Controller-facing tools for export, deletion, and access of personal data. Where a data subject contacts HelpMesh directly, we will refer them to the Controller without disclosing internal information. We will assist the Controller in responding to data subject requests within the time frames required by applicable law.
10. Breach notification
HelpMesh will notify the Customer without undue delay (and within 72 hours where feasible) after becoming aware of a personal data breach affecting Customer Data, with information sufficient to meet the Customer's own notification obligations.
11. Audit
On reasonable notice and no more than once per 12 months (or more frequently if required by a regulator or following a confirmed breach), HelpMesh will make available to the Customer information necessary to demonstrate compliance with this DPA. SOC 2 reports and similar third-party attestations may be used in lieu of on-site audits where applicable.
12. Return and deletion
Upon termination, HelpMesh will, at the Customer's choice, return or delete all Customer Data within 30 days, except where retention is required by law (e.g. tax, regulatory). Backups are purged within 90 days.
13. Liability
Each party's liability under this DPA is subject to the limitations set out in the Master Agreement.
14. Governing law
This DPA is governed by the same law as the Master Agreement (see /legal/terms), except where data protection law mandates a different governing law.
15. Contact
Data Protection Officer: dpo@helpmesh.io
Postal: [YOUR LEGAL ENTITY], [REGISTERED ADDRESS]