Data Processing Agreement
(1) THIS AGREEMENT is made on the Effective Date between Mesh Security Limited trading as Mesh, a company incorporated and registered in Ireland, with company number 678618 whose registered address is at 51 Brack Road, Sandyford, Dublin D18 CV48, Ireland (“Mesh”) and the Client.
(A) Background. Mesh and the Client have entered into the Services Agreement for the provision of the Mesh Services. To the extent that Mesh will Process Personal Data for and on behalf of the Client during the course of providing the Mesh Services, the provisions of this Data Processing Agreement shall apply and are incorporated by reference into the Services Agreement. By placing an order for the Mesh Services and entering into the Services Agreement, the Client agrees to the terms of this Agreement and that this Agreement shall be binding and form part of the Services Agreement.
(B) Change to Mesh Services. If the Mesh Services are altered during the term of this Agreement and the altered Mesh Services involve new or amended Processing of the Client Personal Data, the parties will ensure that Annex I is updated as appropriate before such Processing commences.
(C) Processor. In respect of the Processing of Client Personal Data carried out by Mesh pursuant to this Agreement, the parties agree that Mesh is the Processor or sub-Processor of the Client Personal Data, as the context requires, and the Client is the controller or Processor of the Client Personal Data, as the context requires.
(D) Compliance. Each party agrees to comply with, and process all Client Personal Data, in accordance with Applicable Data Protection Law.
(E) Prevailing Terms. If there is any conflict or inconsistency between this Agreement and the Services Agreement or any other terms and conditions or agreements between the parties, this Agreement will take precedence and apply to the extent of the conflict or inconsistency.
IT IS HEREBY AGREED:
1. DEFINITIONS
1.1 For the purposes of this Agreement, capitalised terms shall have the meanings given below:
“Agreement” means this Data Processing Agreement.
“Applicable Law” means all applicable laws, statutes, regulations from time to time in force.
“Applicable Data Protection Law” means:
(a) to the extent the GDPR applies, the law of the European Union or any member state of the European Union to which a party is subject, which relates to the Processing of the Client Personal Data;
(b) to the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom to which a party is subject, which relates to the Processing of the Client Personal Data; and
(c) any other Applicable Law to which a party is subject which relates to the Processing of the Client Personal Data.
“Authorised User” has the meaning given in the Services Agreement.
“Client” means the client or customer of Mesh as defined in the relevant Services Agreement.
"Client Personal Data" means the Client Personal Data or Customer Personal Data as defined in the Services Agreement, which includes but is not limited to the Client Personal Data set out in Annex I.
“Complaint” means a complaint relating to either party’s obligations under Applicable Data Protection Law relevant to this Agreement, including any compensation claim from a Data Subject and any notice, investigation or other action from a regulatory authority.
“Controller” has the meaning given to it in the GDPR.
“Data Subject” has the meaning given to it in the GDPR.
“Effective Date” means the effective date of the Services Agreement and this Agreement (which shall be one and the same date).
“End User Customer” has the meaning given in the Services Agreement, as applicable.
"GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data as applicable as of 25 May 2018, as may be amended from time to time.
"Mesh Services" has the meaning given in the Services Agreement.
“Personal Data” has the meaning given to it in the GDPR.
“Personal Data Breach” has the meaning given to it in the GDPR.
“Processing” has the meaning given to it in the GDPR and the expression “process” shall be construed accordingly.
“Processing Instructions” has the meaning set out in paragraph 2.4.1.
“Processor” has the meaning given to it in the GDPR.
“Request” means a request from or on behalf of a Data Subject of the Client Personal Data to exercise any rights of Data Subjects under Applicable Data Protection Law.
“Services Agreement” means the relevant services agreement entered into by the Client and Mesh in relation to the provision of the Mesh Services.
"SCCs” means the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to Third Countries as set out in the Annex to Commission Decision 2021/914/EU of 4th June 2021, the standard forms of which can be accessed in the EU languages at the following link: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
“Sub-Processor” means another Processor engaged by Mesh to Process the Client Personal Data.
“Third Country” means all states that are not members of the European Economic Area (“EEA”) or which have not been recognised by the European Commission as providing an adequate level of protection for Personal Data.
“UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the UK Data Protection Act 2018.
2. PROCESSING
2.1 Scope, purpose and duration. A description of the scope and purpose and duration of the Processing permitted under this Agreement (including the type of Client Personal Data and categories of Data Subject involved) is set out in Annex I.
2.2 Compliance. Both parties will comply with all applicable requirements of the Applicable Data Protection Law. This Agreement is in addition to, and does not relieve, remove or replace, a party's obligations or rights under Applicable Data Protection Law.
2.3 Client Obligations. Without prejudice to paragraph 2.2, the Client:
2.3.1 will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Client Personal Data to Mesh or the lawful collection and Processing of the same by Mesh for the duration and purposes of this Agreement and/or the Services Agreement; and
2.3.2 confirms, acknowledges and agrees that Mesh may rely on any Processing Instruction, confirmation, approval or agreement given by the Client in relation to the Client Personal Data as if that of the Client’s Controller End User Customer (as applicable) and that all such Processing Instructions, confirmations, approvals and agreements given by the Client in relation to the Client Personal Data comply in all respects with the Processing Instructions, confirmations, approvals and agreements of its Controller End User Customer, as applicable.
2.4 Processing Instructions. Mesh shall, in relation to Client Personal Data:
2.4.1 Process that Client Personal Data only on the documented instructions of the Client, which shall be to process the Client Personal Data for the purposes of providing the Mesh Services (“Processing Instruction(s)”) unless Mesh is required by Applicable Law to otherwise process that Client Personal Data (Purpose). Where Mesh is relying on Applicable Law as the basis for Processing the Client Personal Data, Mesh shall notify the Client of this before performing the processing required by the Applicable Law unless that Applicable Law prohibits Mesh from so notifying the Client on important grounds of public interest. Mesh shall inform the Client if, in the opinion of Mesh, the instructions of the Client infringe Applicable Data Protection Law;
2.4.2 unless prohibited by Applicable Law, immediately notify the Client if Applicable Law requires it to process the Client Personal Data other than in accordance with Processing Instructions (such notification to be made before such Processing takes place); and
2.4.3 immediately notify the Client if Mesh becomes aware of a Processing Instruction that infringes Applicable Data Protection Law. Following such notification the Client shall have the right to temporarily suspend the Processing Instruction and either amend it to the extent the Client considers this is necessary for the purpose of complying with Applicable Data Protection Law.
3. SECURITY
3.1 Mesh shall implement the technical and organisational measures to protect against unauthorised or unlawful processing of the Client Personal Data and against accidental loss or destruction of, or damage to, the Client Personal Data, which the Client has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.
3.2 The measures referred to in paragraph 3.1 shall at all times:
3.2.1 be of at least the minimum standard required by Applicable Data Protection Law;
3.2.2 be of a standard no less than the standards compliant with good industry practice for the protection of Personal Data.
4. PERSONAL DATA BREACHES
4.1 If Mesh becomes aware of, receives a notification regarding, or reasonably suspects a Personal Data Breach it shall:
4.1.1 without undue delay notify the Client of the Personal Data Breach;
4.1.2 without undue delay provide the Client with detailed information about:
(a) the nature of the Personal Data Breach including the categories and approximate number of Data Subjects and the Client Personal Data records concerned;
(b) a description of the likely consequences of the Personal Data Breach; and
(c) a description of the measures taken or proposed to be taken by Mesh to address the Personal Data Breach;
4.1.3 take all necessary steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach and to prevent a recurrence of such Personal Data Breach;
4.1.4 document any Personal Data Breach, comprising the facts relating to the Personal Data Breach, its effects and the remedial action taken; and
4.1.5 provide such reasonable assistance and cooperation as the Client may require in order for the Client (or its Controller End User Customer) to respond to the Personal Data Breach.
4.2 Requests, Complaints and Reasonable Assistance
4.2.1 In the event Mesh receives a Request it shall:
(a) assist the Client insofar as this is possible (taking into account the nature of the Processing and the information available to Mesh), and at the Client's cost and written request, in responding to any Request from a Data Subject and in ensuring the Client's (and/or its End User Customer’s (as applicable)) compliance with its obligations under Applicable Data Protection Law with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(b) record the Request and without undue delay (and in any event within three (3) calendar days of receipt) forward it to the Client; and
(c) not respond to the Request without the Client’s prior written approval.
4.2.2 Mesh shall promptly inform the Client if it receives a Complaint and provide the Client with full details of the Complaint.
5. PERSONNEL
5.1 Mesh shall ensure that its personnel (and shall procure that the personnel of any Sub-Processor):
5.1.1 are obligated to maintain the security and confidentiality of any Client Personal Data to which they have access; and
5.1.2 do not process the Client Personal Data other than in accordance with Processing Instructions except where Processing of the Client Personal Data is required by Applicable Law in which case Mesh shall, where practicable and not prohibited by Applicable Law, notify the Client of any such requirement before Processing.
6. SUB-PROCESSORS AND INTERNATIONAL TRANSFERS
6.1 The Client provides (and, to the extent relevant and applicable, confirms that its Controller End User Customer has provided) its prior, general authorisation for Mesh to:
6.1.1 appoint Processors to Process the Client Personal Data, provided that Mesh:
(a) shall ensure that the terms on which it appoints such processors comply with Applicable Data Protection Law, and are consistent with the obligations imposed on Mesh in this Agreement;
(b) shall remain responsible for the acts and omissions of any such processor as if they were the acts and omissions of Mesh; and
(c) shall inform the Client of any intended changes concerning the addition or replacement of the processors, thereby giving the Client the opportunity to object to such changes provided that if the Client objects to the changes and cannot demonstrate, to Mesh's reasonable satisfaction, that the objection is due to an actual or likely breach of Applicable Data Protection Law, the Client shall indemnify Mesh for any losses, damages, costs (including legal fees) and expenses suffered by Mesh in accommodating the objection.
6.1.2 transfer the Client Personal Data to a Third Country as required for the Purpose, provided that Mesh shall ensure that all such transfers are effected in accordance with Applicable Data Protection Law. For these purposes, the Client shall promptly comply with any reasonable request of Mesh, including any request to enter into the SCCs adopted by the EU Commission from time to time (where the GDPR applies to the transfer) or adopted by the Commissioner from time to time (where the UK GDPR applies to the transfer).
6.3 The sub-Processors and transfers approved by the Client and/or its Controller End User Customers, as applicable, as at the date of this Agreement are set out in Annex I.
7. RECORDS AND AUDITS
Mesh shall maintain records to demonstrate its compliance with this Agreement and shall allow for reasonable audits by the Client or the Client's designated auditor, for this purpose, on reasonable written notice.
8. DELETE OR RETURN
Mesh shall at the written direction of the Client, delete or return the Client Personal Data and copies thereof to the Client on termination of the Agreement unless Mesh is required by Applicable Law to continue to process that Client Personal Data. For the purposes of this paragraph 8, Client Personal Data shall be considered deleted where it is put beyond further use by Mesh.
9. LIMITATION OF LIABILITY
Mesh's liability for any losses howsoever arising out of or in connection with this Agreement shall be as set out and subject to the limitations of exclusions of liability as set out in the Services Agreement.
10. OTHER TERMS
Subject to recital (E), all other terms of the Services Agreement shall apply.
11. GOVERNING LAW AND JURISDICTION
11.1 This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of Ireland.
11.2 Each party irrevocably agrees that the courts of Ireland shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims).
ANNEX I
Processing Instructions – Scope, Purpose and Duration