LEGAL
Data Processing Agreement
Last updated: April 16, 2026 · GDPR Article 28 compliant
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Financial Holding LLC ("Processor", "ClareMesh") and the Customer ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller.
1. Definitions
"Personal Data", "Processing", "Data Subject", "Controller", and "Processor" have the meanings given in the GDPR (Regulation 2016/679). "Customer Data" means any personal data that the Controller provides to or that is collected by the Processor in connection with the Service.
2. Scope and purpose of processing
The Processor processes Customer Data solely to provide the Service as described in the Terms of Service. The categories of data processed include: account identifiers (email, name, organization), usage metadata (transform counts, API call logs), and technical data (IP addresses for security). The Processor does not process the Controller's end-user financial data; this data is processed within the Controller's own infrastructure.
3. Processor obligations
The Processor shall: (a) process Personal Data only on documented instructions from the Controller; (b) ensure that persons authorized to process Personal Data have committed to confidentiality; (c) implement appropriate technical and organizational security measures as described at claremesh.com/security; (d) not engage sub-processors without prior written authorization; (e) assist the Controller in responding to data subject requests; (f) delete or return all Personal Data upon termination; and (g) make available all information necessary to demonstrate compliance with this DPA.
4. Sub-processors
The Controller authorizes the use of the sub-processors listed at claremesh.com/security/sub-processors. The Processor will notify the Controller at least 30 days before engaging a new sub-processor and will provide the Controller with an opportunity to object. Each sub-processor is bound by data protection obligations no less protective than those in this DPA.
5. Security measures
The Processor implements security measures including: encryption in transit (TLS 1.2+) and at rest, row-level security for multi-tenant data isolation, hashed credential storage, access controls and audit logging, regular security assessments, and incident response procedures. The full list of 61 security controls is documented at claremesh.com/security/controls.
6. Data breach notification
The Processor shall notify the Controller without undue delay and in any event within 72 hours after becoming aware of a Personal Data breach. The notification shall include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
7. Data transfers
The Service is hosted in the us-east-1 region (Virginia, USA). For transfers of Personal Data outside the European Economic Area, the parties rely on the Standard Contractual Clauses (Commission Implementing Decision 2021/914) which are incorporated by reference into this DPA. The Controller may request a copy of the SCCs by contacting malik@claremesh.com.
8. Data retention and deletion
Upon termination of the Service, the Processor will delete all Customer Data within 30 days unless retention is required by applicable law. The Controller may export all data prior to termination using the data export feature in the Settings page.
9. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller. The Controller shall provide at least 30 days' prior written notice of any audit. Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.
10. Governing law
This DPA shall be governed by the laws of the State of Maryland, USA. For data subjects in the European Economic Area, the GDPR shall apply to the extent of any conflict with local law.
EXECUTION
This DPA is automatically incorporated into the Terms of Service upon account creation. If you require a separately executed copy for your records, contact malik@claremesh.com.
Financial Holding LLC, Prince George's County, Maryland, USA