Legal · DPA

Data Processing Addendum

Last updated · May 16, 2026

This Data Processing Addendum (DPA) supplements the agreement under which WorkMesh Inc. provides the ContractSphere service to a customer (the "Agreement"). It governs the processing of personal data by WorkMesh as a processor on behalf of the customer as controller.

Roles

The customer is the controller and determines the purposes and means of processing. WorkMesh acts as processor and processes personal data only on documented instructions from the customer.

Subject matter, duration and nature of processing

The subject matter is the provision of the ContractSphere service. The duration is the term of the Agreement plus any return/deletion period. The nature includes intake, classification, multi-agent review, orchestration, and integration with the customer's systems of record.

Categories of data subjects

Customer's personnel, contractors, counterparty personnel referenced in contracts, and other individuals whose data appears in customer-submitted contracts.

Sub-processors

WorkMesh maintains a list of sub-processors and provides at least 30 days' prior notice of any addition. The customer may object on reasonable grounds.

Security

WorkMesh maintains administrative, physical, and technical safeguards aligned to SOC 2 Type II, including encryption in transit and at rest, role-based access control, least-privilege administrative access, vulnerability management, and an incident response process.

Bring Your Own Cloud

Customers electing BYOC deployment retain custody of contract content, embeddings, and model traffic within their own AWS, Azure, or GCP tenant. WorkMesh administers the service within agreed access scopes.

International transfers

Where applicable, the EU Standard Contractual Clauses (or UK IDTA / Swiss equivalent) apply and are incorporated by reference.

Audits

WorkMesh provides SOC 2 Type II reports and reasonable responses to security questionnaires. Customer audit rights are exercised on reasonable notice and during business hours, no more than once per year, except where required by law or following a security incident.

Return and deletion

On termination, WorkMesh will, at the customer's option, return or delete personal data within 60 days, subject to legal retention obligations.