Data Processing Agreement

Back to legal

Last updated: June 12, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms an agreement between Mello ("Data Processor") and you or your organization ("Data Controller" or "you") regarding the processing of personal data in connection with your use of Mello Assistant (the "Service").

This DPA supplements the Terms of Service and Privacy Policy. Unless otherwise defined, terms used in this DPA have the meanings given in the GDPR or other applicable data protection laws.

2. Scope of Processing

2.1 Subject Matter

The subject matter of the processing is your use of the Service to capture, store, and manage personal data as directed by you.

2.2 Nature and Purpose

Mello processes personal data solely to provide the Service as described in the Terms of Service. The processing involves:

  • Storing user account information
  • Processing data you voluntarily submit to the Service
  • Transmitting data at your direction
  • Providing customer support

2.3 Categories of Data Subjects

This DPA applies to the personal data of:

  • Users of Mello Assistant
  • Any individuals whose data is submitted to the Service by users

2.4 Types of Personal Data

Mello processes the following types of personal data on your behalf:

  • Account information (name, email address)
  • Content you voluntarily submit to the Service
  • Usage data and analytics (as described in the Privacy Policy)

3. Data Processor Obligations

3.1 Processing Instructions

Mello will process personal data only on your documented instructions, including with regard to:

  • Collection of personal data
  • Storage and retention periods
  • Disclosure to third parties
  • Transfer to third countries

3.2 Confidentiality

Mello ensures that personnel authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security Measures

Mello implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and at rest
  • Regular security testing and assessments
  • Access controls and authentication mechanisms
  • Incident response procedures

3.4 Sub-Processors

Mello uses sub-processors to provide the Service. Current sub-processors are listed at mello.life/subprocessors. We will notify you of any changes to sub-processors with at least 30 days' notice.

3.5 Data Subject Requests

Mello will assist you in responding to data subject requests. Where such requests are made directly to Mello, we will redirect them to you or respond as required by applicable law.

3.6 Data Breaches

In the event of a personal data breach, Mello will:

  • Notify you without undue delay (and in any event within 72 hours of becoming aware)
  • Provide information about the nature and scope of the breach
  • Assist you in fulfilling breach notification obligations

4. Data Controller Obligations

As Data Controller, you are responsible for:

  • Ensuring you have the legal basis to process personal data submitted to the Service
  • Ensuring that data submitted to the Service is accurate and limited to what is necessary
  • Complying with all applicable data protection laws
  • Responding to data subject requests and inquiries
  • Ensuring you have appropriate consent from data subjects where required

5. International Data Transfers

Mello may transfer personal data outside the European Economic Area (EEA) or your jurisdiction. Such transfers are performed:

  • Under Standard Contractual Clauses (SCCs) approved by the European Commission
  • Under other valid transfer mechanisms as permitted by applicable law

6. Deletion and Return of Data

Upon termination of your account or request, Mello will:

  • Delete personal data within 30 days of the request, unless legal retention requirements apply
  • Delete backup copies within 90 days, unless legal retention requirements apply

At your request, we will return your data in a commonly used, machine-readable format prior to deletion.

7. Audit Rights

You may audit Mello's compliance with this DPA by:

  • Requesting relevant certifications and audit reports (e.g., SOC 2, ISO 27001)
  • For Enterprise customers: On-site audits with reasonable advance notice (minimum 30 days)

8. Liability

Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service.

9. Contact Us

For questions about this DPA or to request data processing agreements for specific compliance needs: