LAST UPDATED: JUNE 2026
When Mesa processes personal data that an operator loads into the platform about its candidates and contacts, the operator is the controller and Mesa is the processor. This addendum forms part of the agreement between the operator and Mesa.
Mesa processes customer personal data only to provide the service, following the operator's documented instructions, and for the duration of the agreement.
Mesa uses vetted subprocessors (for example hosting, communications, and analytics providers) under written terms that carry through the protections in this addendum. We make the current list available on request and give notice of material changes.
Mesa maintains technical and organizational measures appropriate to the risk, described on the Security page, including access controls, encryption in transit, and tenant isolation.
Mesa assists the operator in responding to data subject requests and notifies the operator without undue delay after becoming aware of a personal data breach affecting customer data.
On termination, Mesa deletes or returns customer personal data in line with the agreement and applicable law, subject to retention required by law.
To request a signed DPA or the subprocessor list, reach us through the contact page.