Plain-English summary
This box is informational. The DPA below is what binds you and us.
- When this applies: Whenever you (the Studio) use the Service to process personal data of other people (your clients, project contacts, portal users, contacts in your CRM and so on). In that processing, you are the controller and iMeshh is the processor.
- What we promise: We only process the personal data on your instructions, we keep it secure, we use only approved sub-processors, we tell you quickly if there is a breach, we help you respond to data-subject requests, and we give it back to you (or delete it) when our contract ends.
- What you promise: You have a lawful basis for asking us to process the data, you have given any privacy notices to your data subjects that are required by law, and you do not upload special-category data unless you have a specific lawful basis.
- How to make a request: Email office@imeshh.com — most requests are also actionable in Settings.
1. About this DPA
This Data Processing Agreement ("DPA") forms part of the iMeshh Pro Terms of Service ("Terms") between iMeshh Ltd ("iMeshh", "Processor") and the customer that has accepted the Terms ("Customer", "Controller", "you"). It applies whenever iMeshh processes personal data on the Customer's behalf in connection with the Customer's use of the Service.
In this DPA:
- "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Supervisory Authority" and "Personal Data Breach" have the meanings given in the UK GDPR.
- "UK GDPR" means the UK General Data Protection Regulation as defined in the Data Protection Act 2018.
- "EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
- "Data Protection Law" means the UK GDPR, the UK Data Protection Act 2018, the Data (Use and Access) Act 2025, the EU GDPR (where applicable), the California Consumer Privacy Act as amended (where applicable), and any other applicable law, regulation or order relating to the processing of personal data and privacy.
- "Customer Personal Data" means Personal Data processed by iMeshh on the Customer's behalf under the Terms.
- "Sub-processor" means any third party that iMeshh engages to process Customer Personal Data on the Customer's behalf.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- "UK Addendum" means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018.
- "UK IDTA" means the International Data Transfer Agreement issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018.
- "Affiliate" means an entity that directly or indirectly controls, is controlled by, or is under common control with a party, where "control" means ownership of more than 50% of the voting equity or equivalent.
Capitalised terms not defined in this DPA have the meaning given in the Terms.
In the event of any conflict between this DPA and the Terms in respect of the processing of Customer Personal Data, this DPA prevails.
2. Scope, roles and duration
2.1 Roles
For the purpose of Customer Personal Data:
- The Customer is the Controller of Customer Personal Data; or, where the Customer uses the Service to process Personal Data on behalf of a third party (so that the Customer is itself a Processor acting for another controller), the Customer acts as that Processor.
- iMeshh is the Processor, acting on the Customer's documented instructions. Where the Customer acts as a Processor for a third-party controller, iMeshh acts as the Customer's Sub-processor; in that case the Customer remains responsible for relaying that controller's instructions through the Customer, and warrants that its own arrangement with that controller permits iMeshh's engagement on these terms.
This DPA does not apply to:
- Personal Data of the Customer's own personnel (Studio Owners, Studio Members) that iMeshh processes to provide the Service to the Customer directly. For that processing iMeshh is itself Controller and the Privacy Policy applies.
- Personal Data that iMeshh processes for its own analytics, security, billing, fraud-prevention and Service-improvement purposes, where iMeshh acts as Controller.
2.2 Processing details
The subject matter, duration, nature and purpose of processing, types of Personal Data and categories of Data Subjects are set out in Annex I.
2.3 Duration
This DPA takes effect when the Customer first uses the Service to process Customer Personal Data and continues for as long as iMeshh processes Customer Personal Data on the Customer's behalf, plus any post-termination period required for the secure return or deletion of Customer Personal Data under Section 11.
3. Customer's instructions
iMeshh will process Customer Personal Data only on the documented instructions of the Customer (including with regard to transfers to third countries), unless required to do otherwise by applicable law. The Customer's instructions are:
- the Terms (including this DPA);
- the configuration options that the Customer chooses within the Service (for example, choosing to share a deliverable, enabling an AI Feature, granting a Client access to a Project, choosing data residency settings where offered); and
- any additional written instructions the Customer gives iMeshh in connection with the Service.
If iMeshh is required by law to process Customer Personal Data otherwise than on the Customer's instructions, iMeshh will, before processing, inform the Customer of the legal requirement (unless that law prohibits such notification on important grounds of public interest).
If, in iMeshh's opinion, an instruction infringes Data Protection Law, iMeshh will inform the Customer promptly. iMeshh is not required to investigate the lawfulness of the Customer's instructions, but it may decline to follow an instruction it believes would cause iMeshh to breach Data Protection Law.
4. Customer's responsibilities
The Customer:
- will comply with its obligations as Controller under Data Protection Law;
- warrants and represents that it has a valid lawful basis for instructing iMeshh to process Customer Personal Data in the way set out in this DPA, the Terms and the Customer's configuration of the Service;
- will provide all required privacy notices to its own Data Subjects (including Clients invited into the Client Portal and contacts uploaded into the Service);
- will not upload to the Service personal data of children under 18 except where it has a clear lawful basis, and will not upload special-category personal data within the meaning of Article 9 UK GDPR unless it has a specific lawful basis under Article 9(2) and has taken any other measures required by Data Protection Law;
- will respond to Data Subject requests it receives, and use the features iMeshh provides (Settings → Preferences, data export, content delete and so on) to do so where they are sufficient;
- will configure the Service appropriately for the sensitivity of the Customer Personal Data it processes (for example, by setting expiries and passwords on Share Links containing confidential material).
5. Confidentiality
iMeshh ensures that any person it authorises to process Customer Personal Data (whether an employee, contractor or other personnel) is subject to a contractual or statutory duty of confidentiality, and is trained on Data Protection Law and iMeshh's information-security policies.
6. Security
iMeshh implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks to the rights and freedoms of Data Subjects. The measures in force at the date of this DPA are set out in Annex II.
iMeshh may update Annex II from time to time to reflect changes in technology and best practice, provided that the overall level of protection is not reduced.
7. Sub-processors
7.1 Authorisation
The Customer gives general authorisation for iMeshh to engage Sub-processors to process Customer Personal Data, subject to this Section 7.
The Sub-processors engaged at the date of this DPA are listed in Annex III and at pro.imeshh.com/dpa.
7.2 Contractual obligations on Sub-processors
iMeshh will impose on each Sub-processor, by written contract, data-protection obligations that are no less protective than those in this DPA, in line with Article 28(4) UK GDPR.
7.3 Notice of new Sub-processors
iMeshh will give the Customer at least 30 days' prior notice by email and/or in-product notification before engaging a new Sub-processor or replacing an existing Sub-processor for Customer Personal Data. The notice will identify the new Sub-processor, the location of processing and the categories of Personal Data and Data Subjects affected.
7.4 Right to object
The Customer may object to a new Sub-processor in writing within the notice period on reasonable grounds related to data protection. If iMeshh and the Customer cannot reach agreement on the objection within a reasonable period, the Customer may terminate the affected Subscription by giving written notice; iMeshh will refund any pro-rata amount paid for the period after the effective termination date.
7.5 Liability for Sub-processors
iMeshh remains liable to the Customer for the performance of each Sub-processor's data-protection obligations in respect of Customer Personal Data.
8. International transfers
Customer Personal Data may be transferred outside the United Kingdom and outside the European Economic Area to the locations identified in Annex III.
For any transfer that is not to a country with an applicable adequacy decision, the transfer is made under one or more of the following safeguards:
- the UK-US Data Bridge (the UK Extension to the EU-US Data Privacy Framework), where the recipient organisation is certified;
- the EU-US Data Privacy Framework, where the recipient organisation is certified and the transfer originates from the EEA;
- the UK Addendum to the SCCs, for transfers originating from the United Kingdom;
- the standalone UK IDTA, where appropriate;
- the SCCs, for transfers originating from the EEA.
By accepting this DPA, the Customer:
- authorises iMeshh to enter into these safeguards with each Sub-processor on the Customer's behalf;
- to the extent the Customer is established in the EEA and acts as a "data exporter" of the SCCs, agrees that the SCCs (Module Two: Controller to Processor — or, where the Customer is itself a Processor for a third-party controller under Section 2.1, Module Three: Processor to Processor) are incorporated into this DPA by reference and apply between the Customer (as data exporter) and any non-adequate Sub-processor (as data importer), with the docking clause selected and Clause 17 Option 1 (governing law of the Member State of the supervisory authority) and Clause 18 (forum and jurisdiction in the Member State of the supervisory authority) populated accordingly;
- to the extent the Customer is established in the United Kingdom, agrees that the UK Addendum is incorporated into this DPA by reference with Part 1 populated as in this DPA and Annex III, and Part 2 incorporating the SCCs as above.
iMeshh will provide a signed copy of the relevant transfer instrument on request.
9. Assistance with Data Subject requests
Taking into account the nature of the processing, iMeshh will assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights under Chapter III UK GDPR (and equivalent provisions of other Data Protection Law).
iMeshh provides self-service tools that the Customer can use directly:
- a per-Studio data export (Settings → Preferences → Data Export);
- account, project, asset, client, invoice and comment deletion;
- Studio Member and Client access management.
Where a Customer cannot resolve a Data Subject request using self-service tools, iMeshh will assist the Customer on reasonable request, within a reasonable time, and free of charge for routine requests. Where a request is manifestly unfounded or excessive (in particular because it is repetitive), iMeshh may charge a reasonable fee to cover its administrative costs.
If iMeshh receives a Data Subject request that relates to Customer Personal Data, iMeshh will not respond directly to the Data Subject (other than to acknowledge receipt and confirm that the Customer is the responsible Controller). iMeshh will pass the request to the Customer without undue delay.
10. Personal Data Breach
iMeshh will notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting Customer Personal Data. The notification will include, as far as known at the time:
- the nature of the Personal Data Breach;
- the categories and approximate number of Data Subjects and Personal Data records concerned;
- the likely consequences of the Personal Data Breach;
- the measures iMeshh has taken or proposes to take to address it, including, where appropriate, measures to mitigate its possible adverse effects;
- the name and contact details of iMeshh's point of contact for the breach.
Where iMeshh cannot provide all of this information in the initial notification, it will provide it in phases without undue further delay.
iMeshh will assist the Customer in complying with the Customer's own breach-notification obligations under Articles 33 and 34 UK GDPR, taking into account the nature of the processing and the information available to iMeshh.
11. Return or deletion on termination
On termination or expiry of the Terms (or the part of them that relates to a particular set of Customer Personal Data), iMeshh will, at the Customer's choice:
- return all Customer Personal Data to the Customer (typically via the data-export feature); and/or
- delete all Customer Personal Data,
within a reasonable period after termination (typically the 30-day read-only grace period followed by hard deletion as described in the Terms and the Privacy Policy), unless applicable law requires iMeshh to retain some or all of the Personal Data.
iMeshh will delete Customer Personal Data from backup media in line with iMeshh's standard backup-rotation schedule (rolling 7-day point-in-time recovery, as documented in the Privacy Policy).
iMeshh will confirm deletion in writing on request.
12. Audit and information
To enable the Customer to verify iMeshh's compliance with this DPA, iMeshh will:
- make available to the Customer, on request, the most recent versions of iMeshh's information-security policies, security questionnaires, vendor due-diligence documents, transfer impact assessments and any independent audit reports or certifications iMeshh holds;
- respond to reasonable security and privacy questionnaires from the Customer no more than once per year, except where required by a Supervisory Authority or following a Personal Data Breach affecting the Customer's data;
- on request and subject to the limitations below, allow for and contribute to an audit by the Customer or an independent auditor mandated by the Customer.
Audits under this Section 12 will be carried out:
- no more than once per year, except where required by a Supervisory Authority or following a Personal Data Breach affecting the Customer's data;
- on at least 30 days' written notice;
- during normal business hours;
- in a manner that does not unreasonably interfere with iMeshh's normal business operations;
- subject to a written non-disclosure agreement and to confidentiality obligations binding the auditor;
- at the Customer's cost (including iMeshh's reasonable costs of facilitating the audit), unless the audit reveals a material breach of this DPA by iMeshh, in which case iMeshh will bear those costs.
The Customer's audit rights may be satisfied by iMeshh providing third-party audit reports (such as SOC 2 reports of iMeshh's Sub-processors, ISO 27001 certifications or pen-test summary reports), where these are reasonably sufficient to demonstrate compliance.
13. Data Protection Impact Assessments
iMeshh will provide reasonable assistance to the Customer with any data protection impact assessment ("DPIA") or prior consultation with a Supervisory Authority that the Customer is required to carry out in respect of the Customer's use of the Service.
iMeshh's DPIA assistance is typically delivered through this DPA, the Privacy Policy, the Sub-processor list (Annex III), the security measures (Annex II) and iMeshh's published transfer impact assessment summaries. iMeshh will respond to reasonable additional written questions.
14. Liability
iMeshh's liability under or in connection with this DPA is subject to the same exclusions, exceptions and aggregate cap as set out in Section 22 of the Terms, except where mandatory Data Protection Law requires otherwise.
15. Changes to this DPA
iMeshh may update this DPA from time to time. If a change is material, iMeshh will give the Customer at least 30 days' notice by email or in-product notification, and ask the Customer to re-accept on next sign-in. Non-material changes (typos, clarifications, an updated Sub-processor list issued under Section 7.3) take effect when the version is updated.
If iMeshh is required to update this DPA to comply with a new or updated Data Protection Law (or guidance issued by a Supervisory Authority), iMeshh may do so on shorter notice and the updated DPA applies immediately on its publication.
16. Governing law
This DPA is governed by the same law and jurisdiction provisions as the Terms (Section 27 of the Terms). For transfers from the EEA under the SCCs, Clause 17 and Clause 18 of the SCCs apply as set out in Section 8.
Annex I — Description of Processing
| Item | Description |
|---|---|
| Subject matter of processing | The provision of the iMeshh Pro Service to the Customer (asset library, projects, deliverables, client portal, panoramas, gallery, invoicing, AI Features, desktop add-on) and the supporting infrastructure. |
| Duration of processing | The duration of the Customer's Subscription, plus the read-only grace period and any post-termination retention required by law or set out in the Privacy Policy. |
| Nature of processing | Storage, retrieval, hosting, transmission, display, organisation, indexing, search, structuring, alteration, copying, backup, restoration, deletion and disposal of Personal Data, as required to provide the Service in accordance with the Customer's configuration. |
| Purpose of processing | (a) Providing the Service to the Customer in accordance with the Terms; (b) at the Customer's direction, processing Personal Data of Data Subjects whom the Customer chooses to engage through the Service (Clients, project contacts, recipients of Share Links, contacts in the Customer's CRM-style records); (c) generating outputs from AI Features that the Customer chooses to use; (d) maintaining audit logs to support the Customer's accountability obligations. |
| Categories of Data Subjects | (a) The Customer's clients (individuals or representatives of organisations) who are invited into Projects via the Client Portal or recorded as contacts within the Service; (b) recipients of Share Links issued by the Customer; (c) individuals named or depicted in Customer-uploaded files (project briefs, deliverables, images, scenes, panoramas); (d) individuals whose contact details appear in invoices, quotes or messages the Customer sends through the Service. |
| Categories of Personal Data | (a) Identifiers: name, email address; (b) contact details: phone number, postal address, business address, VAT/tax registration number; (c) professional details: job title, company, role within a Project; (d) communications: content of messages, comments, approvals, rejections recorded against Project deliverables; (e) financial details (invoice line items, quote amounts, payment terms); (f) usage data of Client Portal users (sign-in times, views, downloads); (g) any other Personal Data incidentally contained in User Content uploaded by the Customer (for example, in a brief, a render, a CAD file or a panorama). |
| Special categories of Personal Data | None expected. The Customer is responsible for ensuring it has a specific lawful basis under Article 9(2) UK GDPR if it uploads special-category data, and for taking any other measures required. |
| Children's data | None expected. The Customer is responsible for ensuring it has a clear lawful basis if it processes Personal Data of children. |
| Frequency of transfer | Continuous, on the Customer's instruction (every API call, upload and download). |
Annex II — Technical and Organisational Security Measures
iMeshh implements the measures below, as in force at the date of this DPA. iMeshh may update them from time to time to reflect changes in technology and best practice provided the overall level of protection is not reduced.
A. Pseudonymisation and encryption
- TLS 1.2 or higher for all traffic in transit, with Strict-Transport-Security and modern cipher suites.
- Encryption at rest at the database layer (provided by Supabase) and the object-storage layer (provided by Cloudflare R2).
- Authentication tokens stored only as cryptographic hashes in the live database. Magic-link tokens single-use and time-limited.
- Stripe Elements used for card capture so that primary account numbers do not transit iMeshh systems.
B. Confidentiality, integrity, availability and resilience
- Multi-tenant isolation enforced at the application layer (every API request scoped to the Customer's Studio) and the database layer (row-level security policies in PostgreSQL).
- Role-based access control within each Studio (Owner, Admin, Manager, Member, Restricted Member).
- Multi-factor authentication available for Studio Owners. Mandatory multi-factor authentication for iMeshh administrative access.
- Principle of least privilege applied to staff access. Production access limited to a named subset of staff.
- HMAC signature verification on every inbound webhook (Stripe, Resend, RunPod, WooCommerce) with timestamp-based replay defence.
- Rate limiting on authentication, uploads, exports and the public API.
- Content Security Policy and X-Frame-Options headers on all UI surfaces.
- Tight Cross-Origin Resource Sharing policies on the API.
- Soft-delete model with cryptographic verification of the soft-delete flag in every query.
- Centralised structured logging of administrative actions in an immutable audit log.
C. Restoration after incident
- Daily database backups with a rolling 7-day window (provided by Supabase), plus independent, encrypted, off-site disaster-recovery backups of the database and uploaded files (provider: Backblaze, EU region) retained for up to 12 months then permanently deleted.
- Object storage with native redundancy (provided by Cloudflare R2).
- Documented incident-response and disaster-recovery procedures, reviewed at least annually.
- Sub-processor failure: failover and degradation modes documented for the primary Sub-processors.
D. Process for regularly testing, assessing and evaluating
- Static analysis and dependency vulnerability scanning in continuous integration.
- Security-focused code review for all changes to authentication, billing, share links, the API surface, and any change that touches Customer Personal Data.
- Periodic internal security reviews against an internal threat model.
- Annual review of this Annex against industry best practice.
E. Personnel
- All iMeshh personnel are subject to written confidentiality obligations.
- Onboarding includes a data-protection and security briefing.
- Access to Customer Personal Data is revoked promptly when no longer required.
F. Sub-processor management
- Pre-engagement security assessment for each new Sub-processor.
- Written processing agreement with each Sub-processor that meets the requirements of Article 28(4) UK GDPR.
- Annual review of in-place Sub-processors.
G. Physical security
- iMeshh does not operate its own data centres. All Customer Personal Data is stored in the data-centre facilities of the Sub-processors listed in Annex III, each of which operates physical security controls (24/7 monitoring, access logging, biometric or token-based access, environmental controls) appropriate to a modern cloud provider.
Annex III — Sub-processors
The Sub-processors listed below process Customer Personal Data at the date of this DPA. The current authoritative list is maintained at pro.imeshh.com/dpa. iMeshh will give at least 30 days' prior notice before adding or replacing a Sub-processor under Section 7.3.
| # | Sub-processor (legal entity) | Service provided | Location of processing | Categories of Personal Data | Transfer mechanism |
|---|---|---|---|---|---|
| 1 | Stripe Payments Europe, Limited (Ireland) and other Stripe entities as updated under Stripe's standard terms | Subscription billing, payment processing, tax calculation, invoicing | Ireland (primary); United States (sub-processing) | Billing contact name and email, billing address, VAT/tax ID, payment card metadata (last 4, expiry), Stripe customer/subscription IDs | EU SCCs; UK-US Data Bridge (Stripe is DPF-certified including UK Extension) |
| 2 | Supabase, Inc. (United States) | Authentication, primary relational database (PostgreSQL), realtime broadcast | EU region of Supabase where supported | All Customer Personal Data stored in the relational database (account, profile, projects, tasks, clients, deliverables, comments, invoices, AI generation metadata) | EU SCCs with UK Addendum |
| 3 | Cloudflare, Inc. (United States) | API hosting (Workers), file storage (R2), background queues, DNS, CDN | R2 object storage located in the European Union (Western Europe region); Workers run at Cloudflare's global edge close to the requesting user; control-plane operations processed in the United States | All User Content (uploaded files, gallery images, panorama assets, invoice PDFs, AI-generated images), API request/response metadata | EU SCCs; UK-US Data Bridge (Cloudflare is DPF-certified including UK Extension) |
| 4 | Vercel, Inc. (United States) | Frontend hosting for pro.imeshh.com and portal.imeshh.com | United States (primary); Frankfurt region for EEA traffic where supported | Request metadata, session cookies | EU SCCs; UK-US Data Bridge (Vercel is DPF-certified including UK Extension) |
| 5 | Plus Five Five, Inc. (d/b/a Resend) (United States) | Transactional and notification email delivery; inbound email for support replies | United States | Recipient name and email address, email body (which may include Project/Client/Deliverable content) | EU SCCs; UK-US Data Bridge (Resend is DPF-certified per its DPA) |
| 6 | Upstash, Inc. (United States) | Redis cache for rate limiting, plan cache and short-lived state | EEA region of Upstash (Frankfurt) where available | IP addresses (rate-limit keys), plan-tier cache (no direct PII) | EU SCCs; UK-US Data Bridge (Upstash is DPF-certified including UK Extension) |
| 7 | PostHog, Inc. (United States) | Product analytics (event capture, feature-usage analysis) | United States (us.i.posthog.com) | Pseudonymous user identifiers, event metadata (page views, feature usage), Studio ID. No email or name. | UK-US Data Bridge (PostHog is DPF-certified per their DPA); EU SCCs with UK Addendum |
| 8 | Anthropic, PBC (United States) | AI vision tagging for iMeshh-published Marketplace Assets (no User Content) | United States | Marketplace Asset thumbnails and product names. No Customer Personal Data. | EU SCCs with UK Addendum; Anthropic's API terms confirm customer API data is not used to train Anthropic models |
| 9 | RunPod, Inc. (United States) | Image-generation compute for the AI Studio module, only where the Customer actively uses the feature | United States | Source images and prompts submitted by the Customer to the AI Studio (which may contain User Content and incidental Personal Data) | EU SCCs with UK Addendum; RunPod does not retain generation outputs after delivery |
| 10 | Backblaze, Inc. (United States) | Off-site, encrypted disaster-recovery backups of the database and uploaded files | European Union (Amsterdam, EU Central region) | An encrypted copy of all Customer Personal Data held in the database and uploaded files; retained up to 12 months then permanently deleted | EU SCCs with UK Addendum (backup data stored in the EU) |
iMeshh's professional advisers (lawyers, accountants, auditors) and any successor in business (in the event of a sale of all or part of iMeshh's business) are not Sub-processors for the purposes of this Annex III, but are bound by separate confidentiality obligations.