Data processing addendum
This page summarizes our standard data processing addendum ("DPA"), which forms part of the terms between PersonaMesh, Inc. ("Processor") and any customer ("Controller") whose use of the Service involves processing personal data subject to GDPR, UK GDPR, the Swiss FADP, or analogous laws.
The full executable DPA is available on request from trust@personamesh.ai and can be signed before you sign up if your procurement requires it.
Roles
- You are the Controller of any personal data you submit to the Service.
- We are the Processor, processing on your documented instructions.
- Sub-processors operate under our Processor obligations; see sub-processors.
Categories of data
- Account data — names, work emails, role.
- Content — personas, memories, conversations, knowledge documents, audit events.
- Usage data — request logs, metered events, error traces.
Subject matter, duration, and purpose
Processing is for the duration of the customer's subscription plus 30 days for backup recovery, and for the purposes set out in the terms: providing, securing, billing, diagnosing, and improving the Service.
Technical and organizational measures
- TLS 1.3 in transit; AES-256 at rest; KMS-backed envelope encryption for sensitive payloads.
- API keys hashed at rest; sessions HMAC-signed and HttpOnly.
- Hash-chained tamper-evident audit log.
- Per-tenant rate limiting and per-persona budget caps.
- Default-deny network policy; egress allowlists per tool.
- Cosign-signed containers; CycloneDX SBOM attestations.
- Logical workspace isolation enforced and tested per release; physical isolation available on Enterprise.
The full controls inventory is on the security page.
International transfers
Where data leaves the European Economic Area, the United Kingdom, or Switzerland, we rely on the EU Standard Contractual Clauses (Module Two), the UK Addendum, and / or the Swiss DPA Annex. We support customer-selected data residency in us-east, us-west, eu-west, and ap-southeast.
Sub-processors
We use a small set of sub-processors, listed at /subprocessors. We give 30 days' notice before adding or replacing one; Controllers may object in writing.
Data subject rights
We assist Controllers in responding to data subject requests (access, rectification, erasure, restriction, portability, objection). Most requests are fulfillable directly through the API and Studio (delete persona, forget memory, export workspace).
Breach notification
We will notify Controllers of a personal data breach without undue delay (and in any case within 72 hours of discovery) with the information required under Article 33 GDPR.
Audits
We provide our SOC 2 reports, pen-test summaries, and applicable certifications under NDA. Customers with a written DPA may exercise audit rights in line with Article 28(3)(h) GDPR; reasonable confidentiality and notice apply.
Return and deletion
On termination, we return or delete all personal data within 30 days (90 days for cold backups), at the Controller's choice.
Contact
DPA execution: trust@personamesh.ai
Privacy + DSARs: privacy@personamesh.ai