This is a plain-language summary of our Data Processing Addendum. The binding DPA is available on request for your procurement and security review.
Legal
Data Processing Addendum
How MeshWorks Wireless Oy (Finland) processes personal data on your behalf when you use IRIS — summarised in plain language.
Last updated: 7 June 2026
Controller and processor roles
When you send alerts through IRIS, you are the controller of the recipient data and alert content you provide, and MeshWorks Wireless Oy acts as your processor. We process that data only to deliver the service and on your documented instructions.
GDPR Article 28 framing
The DPA is structured to meet the requirements of Article 28 GDPR, covering scope and purpose of processing, confidentiality, security measures, subprocessing, assistance with data-subject requests, breach notification, and deletion or return of data at the end of the engagement.
Subprocessors
We use a small, deliberate set of subprocessors to deliver IRIS. The current list, their purpose, and their region are published on the subprocessors page, along with the mechanism by which we notify customers of changes.
Data residency
IRIS runs on Cloudflare’s EU infrastructure: our core database and alerting state (D1 and Durable Objects) are pinned to the EU region, while some edge components (KV and Queues) are globally distributed by Cloudflare, holding the minimum needed and covered by the EU–US DPF / SCCs. Where a subprocessor involves a transfer, the DPA sets out the applicable safeguards.
Security measures
In summary: TLS in transit, AES-256 at rest, cryptographic webhook-signature verification, role-based access control, tenant isolation, append-only audit logs, and pseudonymisation of identifiers in long-retained records. The full technical and organisational measures (TOMs) are enumerated in Annex C of the DPA, available on request.
Full DPA available on request
We will share the complete Data Processing Addendum for your procurement and security review.