Data Processing Addendum

You retain ownership of the data, files, and content you upload or connect to PackMesh ("Customer Data"). PackMesh does not claim exclusive rights to Customer Data and will process it only to deliver the services, provide support, and meet legal obligations.

PackMesh may generate aggregated, de-identified, or statistical insights from service usage to improve models and publish benchmarks. PackMesh owns these derived analytics, provided they do not identify you or include personal or confidential information.

For Customer Data, PackMesh acts as a processor. You act as the controller and are responsible for obtaining any required consents and providing accurate instructions.

• Encryption in transit, role-based access controls, and credential management for production systems.
• Logical segregation of customer environments where applicable.
• Logging and monitoring of administrative access and data changes.
• Employee confidentiality agreements and security awareness training.
• Data backups aligned to business continuity and disaster recovery plans.

PackMesh may update security measures over time as long as they do not materially reduce protection. Upon request and subject to confidentiality, PackMesh may share summaries of security controls or available third-party assessments (e.g., SOC 2 or penetration testing reports).

PackMesh uses subprocessors (such as cloud infrastructure and analytics providers) to support the service. All subprocessors are bound by written agreements requiring confidentiality and data protection standards materially similar to those described in this DPA. PackMesh remains responsible for subprocessors’ performance. A current list of subprocessors is published at /legal/subprocessors.

PackMesh will reasonably assist you in responding to data subject requests or regulator inquiries relating to Customer Data processed by PackMesh, to the extent required by applicable law and feasible given the service architecture. You are responsible for authenticating requesters and providing the necessary instructions.

Upon termination or at your request, PackMesh will delete or return Customer Data in a commercially reasonable timeframe, except where retention is required by law or to resolve disputes. Backups will age out on standard retention schedules.

Customer Data may be transferred to subprocessors in other jurisdictions subject to appropriate safeguards, such as Standard Contractual Clauses where applicable. You authorize PackMesh to make such transfers to deliver the services.

PackMesh will keep Customer Data confidential and will limit access to personnel and subprocessors who need it to perform the services and are bound by confidentiality obligations. You agree to treat PackMesh confidential information with similar care.

Where required by an applicable enterprise agreement, PackMesh will reasonably support audits or provide available compliance reports related to security controls, subject to confidentiality and reasonable scheduling.

Unless separately executed in a signed Business Associate Agreement, PackMesh does not act as a Business Associate under HIPAA and Customer Data should not include protected health information. Additional regulated data may require specific written terms as described in our Regulated Data and BAA Terms.