[DRAFT — pending legal counsel review] This is a plain-language summary of our Data Processing Addendum. The binding DPA is in legal sign-off and is available on request for your procurement and security review.
Legal
Data Processing Addendum
How MeshWorks Wireless Oy (Finland) processes personal data on your behalf when you use IRIS — summarised in plain language.
Last updated: [PLACEHOLDER]
Controller and processor roles
When you send alerts through IRIS, you are the controller of the recipient data and alert content you provide, and MeshWorks Wireless Oy acts as your processor. We process that data only to deliver the service and on your documented instructions.
GDPR Article 28 framing
The DPA is structured to meet the requirements of Article 28 GDPR, covering scope and purpose of processing, confidentiality, security measures, subprocessing, assistance with data-subject requests, breach notification, and deletion or return of data at the end of the engagement.
Subprocessors
We use a small, deliberate set of subprocessors to deliver IRIS. The current list, their purpose, and their region are published on the subprocessors page, along with the mechanism by which we notify customers of changes.
Data residency
IRIS runs on Cloudflare’s EU edge with state pinned to EU jurisdiction. EU data residency is a property of the architecture. Where a subprocessor involves a transfer, the DPA sets out the applicable safeguards.
Security measures
The specific technical and organisational measures (TOMs) are enumerated as an annex to the full DPA. [PLACEHOLDER — final TOM annex pending legal sign-off.]
Full DPA available on request
We will share the complete Data Processing Addendum for your procurement and security review.