
Data Processing Agreement

Article 28 GDPR terms governing personal data GreenMesh processes on behalf of customers via the Widgelix Platform.

Last updated · 25 June 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between GreenMesh d.o.o. and the Customer for the provision of the Widgelix platform (the “Principal Agreement”). It governs the processing of personal data carried out by GreenMesh on behalf of the Customer, and is concluded under Article 28 of the GDPR.

Processor: GreenMesh d.o.o., Reg. 8767530000, Štihova ulica 13, 1000 Ljubljana, Slovenia
Controller: The Customer identified in the Principal Agreement

01 Definitions and roles

Terms such as “personal data”, “processing”, “controller”, “processor”, “data subject”, and “personal data breach” have the meanings given in the GDPR (Regulation (EU) 2016/679). With respect to personal data processed through the Platform, the Customer is the controller and GreenMesh is the processor. Where the Customer is itself a processor for a third-party controller, GreenMesh acts as a sub-processor and this DPA applies accordingly.

Telemetry scope — the Platform is designed to process device and sensor telemetry, not the personal data of building occupants or tenants. This DPA applies to the extent that telemetry or other Customer Data processed via the Platform constitutes personal data under the GDPR. The specific categories are set out in Annex 1.

02 Subject-matter and instructions

GreenMesh processes personal data only on documented instructions from the Customer, including as set out in this DPA and the Principal Agreement, unless required to do otherwise by EU or Member-State law (in which case GreenMesh will inform the Customer, unless legally prohibited). The subject-matter, duration, nature, and purpose of processing, and the categories of data and data subjects, are described in Annex 1.

03 Duration

This DPA applies for as long as GreenMesh processes personal data on behalf of the Customer under the Principal Agreement.

04 Confidentiality

GreenMesh ensures that persons authorised to process the personal data are bound by appropriate confidentiality obligations and are subject to access controls on a need-to-know basis.

05 Security measures

GreenMesh implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art and the nature of the processing, in accordance with Article 32 GDPR. The measures are described in Annex 2.

06 Sub-processors

The Customer grants GreenMesh general authorisation to engage sub-processors, subject to the following. GreenMesh:

  • maintains the list of sub-processors in Annex 3 and informs the Customer of any intended addition or replacement at least 30 days in advance, giving the Customer the opportunity to object on reasonable data-protection grounds;
  • imposes on each sub-processor, by written contract, data-protection obligations equivalent to those in this DPA; and
  • remains fully liable to the Customer for the performance of each sub-processor's obligations.

07 Assistance to the Customer

Taking into account the nature of the processing, GreenMesh assists the Customer by appropriate technical and organisational measures, insofar as possible, to:

  • respond to requests from data subjects exercising their rights under Chapter III GDPR; and
  • ensure compliance with the Customer's obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the information available to GreenMesh.

08 Personal data breaches

GreenMesh notifies the Customer without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting the Customer's personal data, and provides the information reasonably required to enable the Customer to meet its breach-notification obligations under Articles 33 and 34 GDPR.

09 International transfers

The Platform is hosted on Amazon Web Services. Customer Data is hosted primarily in the European Union (Germany). Certain services or backups may involve processing in the United States or Australia. Where personal data is transferred outside the European Economic Area, GreenMesh ensures a valid Chapter V GDPR transfer mechanism is in place — the European Commission's Standard Contractual Clauses, the EU–US Data Privacy Framework where the recipient is certified, and additional safeguards where required. GreenMesh does not otherwise transfer the Customer's personal data outside the EEA except on the Customer's instruction or as necessary to provide the Platform.

10 Return and deletion

On termination of the Principal Agreement, GreenMesh, at the Customer's choice, deletes or returns the personal data and deletes existing copies, unless EU or Member-State law requires storage. The Customer may export Customer Data within 30 days of termination.

11 Audits

GreenMesh makes available to the Customer the information necessary to demonstrate compliance with Article 28 GDPR, and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates, on at least 30 days' prior written notice, no more than once per year (except where required by a supervisory authority or following a personal data breach), during business hours, subject to confidentiality and without compromising the security of other customers.

12 Liability and miscellaneous

Liability under this DPA is subject to the limitations agreed in the Principal Agreement, to the extent permitted by law. If there is a conflict between this DPA and the Principal Agreement on data-protection matters, this DPA prevails. This DPA is governed by the law of the Republic of Slovenia.

Annex 1 — Details of processing

| Item | Description |
| --- | --- |
| Subject-matter | Provision of the Widgelix IoT platform and related services |
| Duration | The term of the Principal Agreement |
| Nature and purpose | Hosting, storage, transmission, visualisation, and rule-based processing of device telemetry to provide the Platform |
| Type of personal data | Account user contact data (name, email); device identifiers; and, only where the Customer so configures, telemetry that may relate to an identifiable person (e.g. location or occupancy data) |
| Categories of data subjects | The Customer's authorised users; and individuals only where the Customer's telemetry relates to an identifiable person |
| Special category data | None. The Customer must not configure the Platform to process special-category data without a separate written agreement |

Annex 2 — Technical and organisational measures

GreenMesh maintains the following measures, appropriate to the risk:

  • Access control — role-based access, unique credentials, and least-privilege permissions
  • Encryption — TLS for data in transit; encryption at rest for stored Customer Data
  • Network security — firewalls, network segregation, and monitoring
  • Logging and audit trails of access and significant actions
  • Backups and tested recovery procedures
  • Hosting on AWS data centres certified to ISO 27001 and equivalent standards, primarily in the EU (Germany)
  • Staff confidentiality undertakings and security-awareness practices
  • Vulnerability management and timely patching

Annex 3 — Approved sub-processors

The following sub-processors are engaged in providing the Platform. GreenMesh will notify the Customer of any intended change at least 30 days in advance (Section 6).

| Sub-processor | Purpose / location |
| --- | --- |
| Amazon Web Services EMEA SARL | Cloud hosting and infrastructure — EU (Germany), with certain services in the United States and Australia |
| MailerLite / MailerSend | Transactional and notification emails — EU servers; provider US-based (DPF) |
| Postmark (ActiveCampaign) | Transactional email delivery — United States (SCCs) |
| Stripe | Billing and payment processing — EU and United States |

Signatures

Agreed by the parties' authorised representatives:

GreenMesh d.o.o. (Processor)
Name
Title
Date
Signature
Customer (Controller)
Name
Title
Date
Signature