All You Need To Know About
Data Processing At Mend.io

The following applies to our personal data processing with respect to our customers’ data:

  1. PROCESSING.
    • Personal Data: Mend.io only processes personal data in order to be able to conclude and execute contracts with customers (e.g., billing, clarification of questions, support tickets, etc.) and to manage the accounts of users designated by the customer.
    • Technical Data: We compile statistical and aggregated information related to the performance, operation and use of our solution based, inter alia, on customer data, in a form that does not identify any customer or any individual, for our internal business use (e.g., to monitor usage to ensure licensing compliance, to create statistical analyses, for research and development purposes and to improve and market the Services).
    • Customers' personal data is not used for any other purpose.
    • We do not sell customers' personal data.
  1. PERSONAL DATA WE COLLECT AND DATA SUBJECTS. 
    • We may collect the name, email address and phone number of the customer’s users.
    • The data subjects are the customer’s users (employees).
  1. OUR ROLE AS DATA CONTROLLER/DATA PROCESSOR.
    • The GDPR delineates the roles of controller and processor based on the influence stakeholders have in determining the means and purposes of data processing.
    • Mend.io processes contact data and user data as a controller and not as a processor. Why? Because Mend.io processes such personal data of the customer’s users as required for the performance of the contracts with the customers, including the provision of support services, to ensure the functionality and security of the Mend.io systems, and for account administration and billing purposes. The determination of the purposes and means of the data processing is therefore carried out by Mend.io.
  1. DATA RETENTION. We keep audit logs for a time period of 90 days and backups for a time period of 30 days. All data is deleted following termination of the customer’s subscription. For additional information – see our Data Retention and Archiving Policy at: https://www.mend.io/data-retention-and-archiving-policy/
  1. PROCESSING BY THIRD PARTIES AND DATA TRANSFER. 
    • As an essential part of our services, we use processors and provide them access to the data collected (e.g., our CRM system, customer management solution, support tickets management system).
    • We ensure that any data transfer is in full compliance with applicable data protection regulations and we remain liable for any act or omission of such third parties as if made by us directly. We have necessary agreements with such third parties in place to ensure compliance with applicable data protection regulations.
  1. PSEUDONYMIZATION AND DATA MINIMIZATION. We have invested significant resources and implemented technical and organizational measures to minimize the personal data we process and ensure that we only process the data necessary for the specific purpose. We pseudonymize the customer’s contributing developers’ emails. Once pseudonymized, the emails cannot be re-identified by Mend.io.
  1. DATA SUBJECT REQUESTS. 
    • We comply with and respond to any Data Subject Requests (DSR) relating to the personal data processed by our solution, such as requests for access and deletion of personal data.
    • When the DSR is related to a specific customer, we refer the data subject to such customer and will also notify and cooperate with the customer in parallel.
    • We support our customers in their efforts to respond to any DSR.
  1. DATA PROTECTION SECURITY MEASURES. 
    • Mend.io implements a comprehensive approach to data security, encompassing advanced authentication, access control and data confidentiality among other things.
    • Mend.io utilizes industry-standard, production-grade data storage and security solutions and incorporates common security best practices. Data storage is backed up frequently and on a regular basis, with both main storage and backup encrypted at rest and in transit.
    • Mend.io has achieved the ISO 27001 certification and received a SOC 2 Type II attestation report evidencing that appropriate internal controls are in place relating to the security, availability, and confidentiality of customer information within our environment.
  1. ABOUT OUR PRIVACY TEAM. As a privacy-first organization, Mend.io takes great pride in its data protection practices. Our privacy team includes experienced and certified privacy experts, as well as external reputable data protection law firms and experts. We are monitoring changes in global data protection regulations as applicable to Mend.io and assessing our compliance, and when necessary, implementing required steps and procedures on an ongoing basis. For additional information see our Privacy Policy at: https://www.mend.io/privacy-policy/.