Back to Security Page

Data Privacy

Our GDPR Commitment

This document is designed to help Mesh Payments customers and users understand, and where applicable, comply, with the General Data Protection Regulation (“GDPR”). The GDPR is the most significant change to European data privacy legislation in the last 20 years and went into effect on May 15, 2018.

GDPR is designed to give European Union (“EU”) citizens more control over their data and seeks to unify a number of existing privacy and security laws under one comprehensive law.

Mesh Payments has made information security and data privacy foundational principles of everything we do, and we recognize the importance of adhering to regulations to advance information security and data privacy for citizens of the EU.

GDPR Compliance

We appreciate that our customers have requirements under the GDPR that are directly impacted by their use of our Services. Below are several GDPR initiatives that have been implemented across our Services:

  • Investment in security – We’ve increased our investment in security. This includes implementing dependency vulnerability detection, improved auditing and logging across all services, new internal security policies, staff security training, improved secret management, SSO and 2FA enforcement, and more.
  • Employee training – We ensure our team are trained in handling customer data and personal information, and that they maintain the confidentiality and security of that data.
  • Updated terms – We have updated the structure and language used in all of our terms and policies to more clearly communicate what information we collect, what we use it for, who we share it with, what your rights are, and more.
  • Data Processing Agreement – We support the EU’s Standard Contractual Clauses through a Data Processing Agreement that you can sign and return to us.
  • Data subprocessors – We list all of our third party Data subprocessors and share information on what we use them for and where they are located.
  • Data Subject Access Request procedure – We’ve streamlined our Data Subject Access Request procedure and documented the procedure on our website.
  • Data portability – We’ve improved our data export features so customers may export customer data and personal information in a machine-readable format at any time.

Our Security

We appreciate that we are entrusted with valuable and sometimes sensitive user research data, which is why we have built security into every layer of our architecture, pursuing a ‘privacy by design’ approach to the design and development of our Services.

Our application is built on AWS world-class, modern cloud infrastructure designed to ensure the safety of your data. We have carefully chosen proven third party cloud providers that have a great security track record, and we employ best practices including regular backups, data encryption, sanitized logging, and common attack prevention.

Read more about our security practices

International Data Transfers

We offer customers a robust international data transfer framework as a part of our Data Processing Agreement (“DPA”).

This addendum ensures that our customers can lawfully transfer personal data to our Services outside of the European Economic Area by relying on the Standard Contractual Clauses. Our DPA also contains specific provisions to assist customers in their compliance with the GDPR.

Contact us to view and sign the DPA

Data Portability and Right to be Forgotten

We help you honor your customers’ requests to export their data. Mesh Payments provides data portability and data management tools for exporting product and user data.

We also help customers meet obligations under the GDPR ‘right to be forgotten’ (or ‘right to erasure’) clause by making it easy to request the deletion of personal data from Mesh Payments. For more information on this procedure, see Data Subject Access Request.

Privacy and Consent

Your privacy is important to us, and so is being transparent about how we collect, use, and share your information. In our Privacy Policy, we share what information we collect, how we use and store that data, and how you can access and control your information.

Contact Us

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) gives consumers more control over the personal information that businesses collect about them.

Mesh paymentsdoes not currently meet the criteria described that would have the CCPA apply to our business operations. Namely because we do not:

  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
  • Derive 50% or more of our annual revenue from selling California resident's personal information.

However, we understand that some Mesh payments customers may want to ensure that their use of our services, and any California resident’s personal information that we process on behalf on our customers, is compliant with their own obligations under the CCPA.

This page helps to clarify how we process any personal information on behalf of our customers as it relates to the CCPA.

Processing of Personal Information

You do not sell personal information to us. We will not:

  • Sell any personal information,
  • Retain, use, or disclose the personal information for a commercial purpose, other than for providing the services, as further described in our Master Subscription Agreement and in our Privacy Policy; and
  • further retain, use, or disclose the personal information except for business purposes or as otherwise authorized by the CCPA.

However, we understand that some Mesh payments customers may want to ensure that their use of our services, and any California resident’s personal information that we process on behalf on our customers, is compliant with their own obligations under the CCPA.

This page helps to clarify how we process any personal information on behalf of our customers as it relates to the CCPA.

Our Obligations to You

Consumer Rights Requests

We will provide reasonable assistance to you in facilitating compliance with consumer rights requests.

Personal Information Deletion

On termination, you have the option to request the return or deletion of personal information. This request must be made within 30 days of termination.

We will make the data available for download by you in a machine readable format. Thereafter we will permanently delete the personal information from the live systems in any event.

Following permanent deletion from the live systems, partial data resides on the our archival and backup systems for a period of up to 7 years.

Confidentiality

We will ensure that all employees and contractors involved in the handling of personal information are aware of the confidential nature of the personal information and are contractually bound to keep the personal information confidential.

Back to Security Page
mesh logo

Solutions

Benefits

Integrations

Pricing

Mesh by Role

Company

Legal

Resources

The Mesh Prepaid Visa Card is issued by Metropolitan Commercial Bank (Member FDIC) pursuant to a license from
Visa U.S.A. Inc. “Metropolitan Commercial Bank” and “Metropolitan” are registered trademarks of Metropolitan Commercial Bank ©2014.

Mesh Payments is powered by Nium in the following regions: Europe, UK, Singapore, Hong Kong and Australia. You can read the full terms hеre.

By using this website you agree to our cookie policy.