Skip to main content
Draft — pending legal review. Boilerplate placeholders ([YOUR LEGAL ENTITY], [REGISTERED ADDRESS]) must be filled in by your counsel. Some clauses (international transfer mechanisms, audit cadence, retention schedules) should be tuned to your contracts. This text is a starting point, not legal advice and not a substitute for a negotiated DPA with enterprise customers.

Data Processing Addendum

Effective April 26, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between [YOUR LEGAL ENTITY] ("HelpMesh", "Processor") and the Customer ("Controller") for the use of the HelpMesh customer support platform (the "Service"). It applies where HelpMesh processes personal data on behalf of the Customer in scope of GDPR, UK-GDPR, PDPL, DPDPA, or comparable laws.

1. Definitions

Terms not defined here have the meaning given in the GDPR or analogous local law. For the avoidance of doubt: "Customer Data" means tickets, conversations, attachments, contacts, custom fields, knowledge base articles, and any other content the Controller submits to the Service.

2. Subject matter and duration

Subject: provision of the Service. Duration: for the term of the Customer's subscription, plus 30 days for export, then deletion.

3. Nature and purpose

Hosting, transmission, display, search, classification, automation, AI-powered features (sentiment analysis, summarization, draft replies), notification fanout, and reporting.

4. Categories of data subjects and personal data

Data subjectsCategories of data
Customer's end-users (the people the Customer supports)Name, email, phone, WhatsApp number, IP address, conversation content, attachments, custom-field values, language preference
Customer's agents and adminsName, email, role, login activity, IP address

5. Roles

  • The Controller determines the purpose and means of processing personal data and is the data controller for end-user data submitted to the Service.
  • The Processor (HelpMesh) processes personal data only on the documented instructions of the Controller, including these Terms and DPA.

6. Sub-processors

The Customer authorizes HelpMesh to engage the sub-processors listed at /legal/subprocessors. HelpMesh will provide at least 30 days' notice of any new sub-processor and will impose data protection obligations no less protective than this DPA. The Customer may object on reasonable grounds; in that case the parties will work in good faith to find a resolution, and if none is found, the Customer may terminate without penalty for the affected portion of the Service.

7. Security measures

  • TLS 1.2+ in transit; AES-256 at rest.
  • Per-tenant isolation enforced at the database query layer.
  • Role-based access controls; multi-factor authentication for admins.
  • Immutable audit log of access and mutations, retained two years.
  • Quarterly access reviews; annual penetration testing (where contracted).
  • Incident response plan with 72-hour breach notification per applicable law.

A more detailed list of technical and organizational measures (TOMs) is available at /legal/security.

8. International transfers

Customer Data is hosted in Mumbai (ap-south-1). Where data is transferred out of the originating jurisdiction (e.g. for support access by HelpMesh personnel located elsewhere), HelpMesh relies on Standard Contractual Clauses (EU/UK), Standard Contractual Provisions (UAE PDPL), or other appropriate transfer mechanisms.

9. Data subject requests

HelpMesh provides Controller-facing tools for export, deletion, and access of personal data. Where a data subject contacts HelpMesh directly, we will refer them to the Controller without disclosing internal information. We will assist the Controller in responding to data subject requests within the time frames required by applicable law.

10. Breach notification

HelpMesh will notify the Customer without undue delay (and within 72 hours where feasible) after becoming aware of a personal data breach affecting Customer Data, with information sufficient to meet the Customer's own notification obligations.

11. Audit

On reasonable notice and no more than once per 12 months (or more frequently if required by a regulator or following a confirmed breach), HelpMesh will make available to the Customer information necessary to demonstrate compliance with this DPA. SOC 2 reports and similar third-party attestations may be used in lieu of on-site audits where applicable.

12. Return and deletion

Upon termination, HelpMesh will, at the Customer's choice, return or delete all Customer Data within 30 days, except where retention is required by law (e.g. tax, regulatory). Backups are purged within 90 days.

13. Liability

Each party's liability under this DPA is subject to the limitations set out in the Master Agreement.

14. Governing law

This DPA is governed by the same law as the Master Agreement (see /legal/terms), except where data protection law mandates a different governing law.

15. Contact

Data Protection Officer: dpo@helpmesh.io
Postal: [YOUR LEGAL ENTITY], [REGISTERED ADDRESS]