Cookie Usage

We use cookies to enhance your browsing experience, strengthen security, and analyze website traffic. By clicking Accept, you consent to our use of cookies. Learn More

Legal

Data Processing Agreement

Understanding how we process and protect personal data helps ensure transparency, security, and compliance across the GeniusMesh platform.

This Data Processing Agreement (“DPA”) forms part of the applicable Terms of Service or other agreement between GeniusMesh, Inc. (“GeniusMesh”, “we”, “our”, or “us”) and the Customer governing the Customer’s access to and use of the GeniusMesh platform and related services.

This DPA explains how GeniusMesh processes Personal Data on behalf of its Customers and outlines our commitments as a Data Processor under the General Data Protection Regulation (GDPR).

Where GeniusMesh processes Personal Data on behalf of a Customer, the Customer acts as the Data Controller, and GeniusMesh acts as the Data Processor.

This page provides an overview of the GeniusMesh Data Processing Agreement for ease of reference. The executed agreement between GeniusMesh and the Customer remains the legally binding document.

Definitions

For the purposes of this DPA:

  • Controller means the natural or legal person, public authority, agency, or other body that determines the purposes and means of processing Personal Data.
  • Processor means GeniusMesh, which processes Personal Data on behalf of the Controller.
  • Personal Data means any information relating to an identified or identifiable natural person.
  • Subprocessor means a third-party service provider engaged by GeniusMesh to process Personal Data on behalf of GeniusMesh in connection with the delivery of its Services.
  • GDPR means Regulation (EU) 2016/679 (General Data Protection Regulation).
  • Standard Contractual Clauses (SCCs) means the contractual clauses approved by the European Commission for international transfers of Personal Data where applicable.

Scope of this DPA

This Data Processing Agreement applies whenever GeniusMesh processes Personal Data on behalf of a Customer in connection with providing the GeniusMesh platform and related services.

The DPA governs the processing of Personal Data performed by GeniusMesh solely for the purpose of delivering the contracted services.

Where there is any inconsistency between this DPA and the applicable customer agreement relating to the processing of Personal Data, the provisions of this DPA shall prevail.

Roles and Responsibilities

The Customer determines the purposes and means of processing Personal Data and acts as the Data Controller.

GeniusMesh processes Personal Data only on documented instructions from the Customer and only as necessary to provide the contracted services.

Customer (Data Controller)GeniusMesh (Data Processor)
Determines the purposes and means of processingProcesses Personal Data on documented customer instructions
Establishes the lawful basis for processingImplements appropriate technical and organizational security measures
Responds to Data Subject requestsAssists Customers in fulfilling applicable GDPR obligations

Categories of Personal Data and Data Subjects

Depending on the services used, GeniusMesh may process Personal Data relating to:

Data Subjects

  • Customer users
  • Platform users
  • Website visitors
  • Billing contacts
  • Sales prospects
  • Job candidates
  • Employees
  • Users interacting with AI-powered workflows

Personal Data

  • Name
  • Address
  • Date of Birth
  • Age
  • Education
  • Email address
  • Gender
  • Image
  • Job title
  • Language
  • Phone number
  • Username and User ID
  • Related Person and Related URL
  • Billing information
  • Payment card details (processed by Stripe)
  • Platform usage and interaction data
  • Authentication information
  • Session and analytics data
  • Sales and CRM information
  • Employment history
  • Skills and qualifications
  • Business correspondence
  • One-Time Passcode (OTP) information
  • AI workflow inputs, prompts, conversation history, contextual information, and generated outputs (where applicable)

As described in our DPA, GeniusMesh does not intentionally collect or process special categories of Personal Data unless expressly agreed with the Customer.

Purpose of Processing

GeniusMesh processes Personal Data solely to provide the services requested by the Customer.

Processing activities may include, but are not limited to:

  • User authentication
  • Account management
  • Platform administration
  • Delivery of leadership development and talent management solutions
  • AI-powered platform features
  • AI-powered workflow automation
  • Customer support
  • Security monitoring
  • Platform analytics and improvement
  • Database hosting and application data storage
  • Recruitment and talent sourcing
  • CRM and customer relationship management
  • Billing and payment processing
  • Transactional email communications
  • SMS and OTP verification
  • Transactional communications

Personal Data is processed only to the extent necessary to deliver and support the GeniusMesh platform.

Managed Database Services

GeniusMesh utilizes MongoDB Atlas as its primary managed database platform for storing and processing application data, customer information, configuration data, and operational data.

MongoDB Atlas provides a secure, cloud-hosted database environment with encryption in transit and at rest. Customer data is stored and processed in accordance with the security measures and data protection commitments described in this Data Processing Agreement.

AI-Powered Services

GeniusMesh utilizes Microsoft Azure AI Foundry to provide AI-powered features, workflow automation, intelligent platform capabilities, natural language processing, and agentic AI services.

When Customers choose to use AI-powered functionality, Customer-provided prompts, inputs, conversation history, contextual information, and generated outputs may be processed through Microsoft Azure AI services solely for the purpose of delivering the requested functionality.

Such processing is performed in accordance with applicable data protection laws, this Data Processing Agreement, and GeniusMesh’s security and privacy practices.

Data Processing Commitments

When processing Personal Data on behalf of Customers, GeniusMesh commits to:

  • Process Personal Data only on documented customer instructions.
  • Process Personal Data only for the purposes of delivering the contracted services.
  • Maintain the confidentiality of Customer Personal Data.
  • Assist Customers with Data Subject rights requests where required.
  • Assist Customers with Data Protection Impact Assessments (DPIAs), where applicable.
  • Notify Customers of Personal Data Breaches without undue delay where required under applicable law.
  • Return or securely delete Customer Personal Data following termination of services unless retention is required by law.
  • Provide advance notice before appointing new subprocessors in accordance with the DPA.

Technical and Organizational Measures

GeniusMesh maintains administrative, technical, and organizational safeguards designed to protect Customer Personal Data throughout its lifecycle.

Security Governance

Our security program includes:

  • Information security governance
  • Security policies and procedures
  • Annual risk assessments
  • Vendor management
  • Incident management
  • Security awareness training

Infrastructure Security

The GeniusMesh platform is hosted primarily on Amazon Web Services (AWS) and utilizes additional managed cloud services to support database hosting and AI-powered capabilities.

Infrastructure includes:

  • Amazon EKS
  • Amazon VPC
  • AWS Network Load Balancer
  • Kong API Gateway
  • Amazon S3
  • AWS Secrets Manager
  • AWS Key Management Service (KMS)
  • Amazon CloudWatch
  • Amazon MQ
  • MongoDB Atlas
  • Microsoft Azure AI Foundry

Infrastructure is secured through private networking, encryption, centralized monitoring, secure credential management, and access controls.

Access Controls

Access to Customer Personal Data is protected through:

  • Role-Based Access Control (RBAC)
  • Multi-Factor Authentication (MFA) or Single Sign-On (SSO)
  • Least privilege access
  • AWS Identity and Access Management (IAM)
  • Periodic access reviews
  • Audit logging

Data Protection

Security controls include:

  • Encryption in transit
  • Encryption at rest
  • Secure secrets management
  • Continuous monitoring
  • Vulnerability management
  • Backup and disaster recovery

Additional details are described in Annex II of the DPA.

International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), GeniusMesh implements appropriate safeguards in accordance with applicable data protection laws.

Where required, international transfers are governed by the European Commission’s Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.

Audit & Compliance

Upon reasonable request, GeniusMesh will provide Customers with information reasonably necessary to demonstrate compliance with applicable data protection obligations.

Where applicable, Customers may exercise audit rights in accordance with the terms of the DPA.

Personal Data Breach Notification

GeniusMesh maintains documented procedures for identifying, managing, and responding to Personal Data Breaches.

Where required by applicable law, GeniusMesh will notify affected Customers without undue delay and provide reasonable assistance to support regulatory notification obligations and mitigation efforts.

Return and Deletion of Personal Data

Upon termination of the applicable agreement, GeniusMesh will return or securely delete Customer Personal Data in accordance with the DPA unless retention is required by applicable law.

Annex I – Description of Processing

Annex I of the executed Data Processing Agreement describes:

  • The parties to the data transfer
  • Categories of Data Subjects
  • Categories of Personal Data
  • Nature and purpose of processing
  • Processing activities
  • Transfer frequency
  • Retention periods
  • International transfer information

It also describes the cloud platforms and technologies used by GeniusMesh in delivering its Services.

Annex II – Technical and Organizational Measures

A detailed description of the administrative, technical, and organizational safeguards implemented by GeniusMesh is included in Annex II of the executed Data Processing Agreement.

These measures include:

  • Information Security Governance
  • Infrastructure Security
  • Personnel Security
  • Access Controls
  • Encryption
  • Monitoring and Logging
  • Vulnerability Management
  • Backup and Disaster Recovery
  • Incident Response

Annex III – Approved Subprocessors

GeniusMesh engages carefully selected third-party subprocessors to support the delivery, operation, maintenance, and continuous improvement of its Services. Each subprocessor is engaged only where necessary to provide the Services and is contractually required to implement appropriate technical and organizational measures to protect Personal Data in accordance with applicable data protection laws.

The current list of approved subprocessors, including the services provided, processing purpose, category, processing location or region, and vendor website, is maintained in the GeniusMesh Trust Center and is available at: https://trust.geniusmesh.com

The Trust Center is reviewed and updated whenever subprocessors are added, removed, or materially changed, in accordance with the notification obligations set out in this Data Processing Agreement.

GeniusMesh remains responsible for the performance of its approved subprocessors and for ensuring that they meet the applicable data protection obligations required under this Data Processing Agreement.

Contact Us

If you have any questions regarding this Data Processing Agreement or GeniusMesh’s privacy and security practices, please contact:

Security & Privacy Team
Email: security@geniusmesh.com

Effective Date: July 09, 2026