Privacy policy

Mindmesh is built from the ground up with privacy and security in mind.

Google API Services User Data Policy, including the Limited Use requirements.🔐

Mindmesh is a trade name owned by Just Spot inc. This Privacy policy applies to Mindmesh, Just Spot inc and its subsidiary Spot Sas.

Mindmesh ("we", "our", "us") has been audited for SOC2 Type II, awarded on January 14th 2022. 
Mindmesh has been penetration-tested in December 2022
Mindmesh is certified for usage of restricted and sensitive Google API scopes.

Mindmesh implements all industry-standard security protocols to secure your data.
🔐 Your data is secure, encrypted, always available and backed up.
🔐 Access control is preserved from your tools: employees only access what they are allowed to.

What data does Mindmesh collect ?

Personal data
When creating an account, Mindmesh collects your first and last name, email address, and profile picture if applicable. Your personal data, including your email, is safely stored and used only on a per-need basis to make Mindmesh function optimally for you and your team.In particular, your email is only used to identify you across the various software connected to Mindmesh, and to send you updates relevant to your Mindmesh account including targeted messages based on your usage. We will never communicate your email (or any of your personal data) to third parties for commercial purposes. See below ("How does Mindmesh use personal data?") for additional information. When connecting integrations, Mindmesh may collect additional personal data in the form of content (tasks, issues, documents, ...) and user information (see exhaustive details below in Data from Integrations). When visiting the Mindmesh Website and App, Mindmesh collects usage data (which may include browser and device information) which is sent to our partners AWS, Google Analytics, Mixpanel, Hotjar and Open AI for analytics purposes (it allows us to understand the usage of Mindmesh and improve the platform). We will never sell your data or let it be used by other companies, people or entities except Mindmesh.

Data from Integrations
When you add an integration, Mindmesh will collect additional data from the third party service you are connecting. This will vary by integration, will be detailed when creating the integration, and your authorization will be requested to access this specific data in accordance with the authorization rules provided by that service. As a rule of thumb, Mindmesh will request read-only access rights to collect:The users, user groups, documents, or other pieces of content stored within the software you are connecting and which you have authorized to. This allows to populate Mindmesh with the content you need to access from within Mindmesh. The access rights for documents by users and groups - this allows us to ensure that the only people able to access documents within Mindmesh are those who actually have access to them.Note that whenever possible, Mindmesh will ask for your authorization while connecting your tool (OAuth 2.0 scopes) so that you are certain of the scope of data and actions we are accessing. Mindmesh will never ask for more than what it needs to function correctly. Data collected through third party software integrations is encrypted and stored on our secure infrastructure until you decide to disconnect said integration or delete your account. See "Which steps does Mindmesh follow to ensure data security" and "How long does Mindmesh retain data?" for more details on this.


Which steps does Mindmesh follow to ensure data security and integrity ?

Data security
All data ingested and exchanged within Mindmesh and between Mindmesh and your services is encrypted in transit (SSL) and at rest (AES-256) - these are industry standards.The databases on which your data is secured are situated on a private network within our virtual private cloud and not directly accessible from the internet - only from Mindmesh's servers.Aside from our analytics processors (Mixpanel, Hotjar), all of the data collected is stored on AWS. All data is stored and remains within the European Union, except for the anonymized data sent to our analytics processors (Mixpanel, Hotjar, Google Analytics) or to the data sent to Open AI to render our services. Should this be an issue, contact your customer support representative to have these third party services disabled for your account. Please refer to the corresponding services' privacy policies for more information
- AWS (Ireland https://aws.amazon.com/compliance/) 
- Open AI (https://openai.com/policies/privacy-policy)

All cloud storage and networking used is compliant with PCI, HIPAA, SOC 1,2,3 as well as ISO/IEC 27001:2013, 27017:2015, 27018:2019, 9001:2015 among others. Mindmesh is compliant with GDPR (for further details on this compliance, read the sections below).
Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please contact us immediately.In the event that personal information is compromised as a result of a security breach, we will promptly notify the affected parties.

Data access by Mindmesh employees
A Mindmesh employee will never try to access non-anonymized personal data unless they have requested explicit consent for support or debugging purposes from a relevant member of your organization, and will provide proof of said consent if requested. The following employees at Mindmesh have potential access to your personal data (authorized refers to a small subset of the listed employees who have the credentials required to access the data in question, not the procedure above which remains required for authorized employees):
Authorized software engineers may have access to all data stored in Mindmesh.
Authorized customer success or support representatives may have access to all data stored in Mindmesh, aside from the contents of documents imported from integrations.
Mindmesh software engineers, data analysts or product managers may have access to anonymized data for debugging or product improvement purposes.

Data integrity and availability
Mindmesh performs regular backups of all stored data. These backups are retained for a short period (7 days at most), to be used in case of disruption of service leading to data corruption or unavailability. All Mindmesh infrastructure components (databases, servers ...) are replicated and configured to automatically failover in the event of failure.

How does Mindmesh use personal data ?

Mindmesh uses the data collected to:
- Make the product's features function, in particular allow you to find, view, modify or delete content you have created, or imported from other sources.
- Ensure data privacy within your Mindmesh account through respect of externally set permissions
-Promote, analyze, modify and improve our products, systems, and tools, and develop new products and services through the use of collected usage statistics.
- Respond to inquiries, send service notices and provide customer support.

How does Mindmesh disclose personal data ?

We don't. We do not sell your data and we do not share it with third parties - except those outlined above, for analytics or web hosting purposes.

How long does Mindmesh retain data ?

Mindmesh will retain data as long as the account is active. Should the account become inactive for more than 12 months, as defined by the absence of any user activity, the data will be deleted (you will be warned several times before that).Upon deletion of an integration, all data imported through that integration is deleted. Some data which is deleted through the UI of the Mindmesh app may not be actually deleted from our servers, but kept for reversal purposes, or to ensure consistency (for example, archiving a document will not delete it fully from Mindmesh, otherwise it would be reimported during the next synchronization). Upon deletion of an account, all data within that account is deleted.

How may I request deletion of my data ?

To delete your data, in the app, go to your User Settings, open the "Danger Zone" panel, and delete your account. This will delete all of your data from your servers. We may retain backups of your data for an additional 7 days for restoration and investigation purposes - no data will be retained beyond 7 days.
To delete the data related to an integration but not your all of your account, you may delete this particular integration from the integration settings.



What are my rights concerning my data ?

If you would like to review, correct, or update personal data that you have previously disclosed to us, you may do so by signing in to your Mindmesh account or by contacting us.Depending on your location and subject to applicable law, you may have the following rights with regard to the Personal Data we control about you:
- The right to request confirmation of whether Mindmesh processes personal data relating to you, and if so, to request a copy of that personal data;
- The right to request that Mindmesh rectifies or updates your personal data that is inaccurate, incomplete or outdated;
- The right to request that Mindmesh erase your personal data in certain circumstances provided by law;
- The right to request that Mindmesh restrict the use of your personal data
- The right to request that we export to another company, where technically feasible, your personal data that we hold in order to provide services to you.

Where the processing of your personal data is based on your previously given consent, you have the right to withdraw your consent at any time.To exercise your rights, contact us at dpo@mindmesh.com (DPO). 
For your protection, we may need to verify your identity before responding to your request, such as verifying that the email address from which you send the request matches your email address that we have on file.

Opting out of receiving electronic communications from us

If you no longer want to receive marketing-related emails from us, you may opt-out via the unsubscribe link included in such emails. We will try to comply with your request(s) as soon as reasonably practicable. Please note that if you opt-out of receiving marketing-related emails from us, we may still send you important administrative messages that are required to provide you with Mindmesh's services.

Note: we may change this Privacy Policy from time to time to reflect new services, changes in our Personal Data practices or relevant laws.
The “Last updated” legend at the top of this Privacy Policy indicates when this Privacy Policy was last revised. Any changes are effective when we post the revised Privacy Policy on the Services. We may provide you with disclosures and alerts regarding the Privacy Policy or Personal Data collected by posting them on our website.


Vulnerability disclosure program
Mindmesh,
September 15, 2022

Introduction
Mindmesh is committed to ensuring the security of the American public by protecting their information. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.
This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.We encourage you to contact us to report potential vulnerabilities in our systems.

Authorization
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized we will work with you to understand and resolve the issue quickly, and Mindmesh will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Guidelines
Under this policy, “research” means activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence.
- Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a high volume of low-quality reports.

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Test methods
The following test methods are not authorized:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testingScope

This policy applies to the following systems and services:
*.mindmesh.com

Any other subdomain of mindmesh.com and all customer applications are excluded from this policy. 

Any service not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing.
Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at hello@mindmesh.com before starting your research.

Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.

Reporting a vulnerability

We accept vulnerability reports either :
- at this form:
https://docs.google.com/forms/d/e/1FAIpQLSfrSRsmKRtCpXUbkbt3x_dJNOVp7-8LtaoWW-fnfVLsOpfmKg/viewform
- or via hello@mindmesh.com
Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.We do not support PGP-encrypted emails. For particularly sensitive information, submit through our HTTPS web form.

What we would like to see from you
In order to help us triage and prioritize submissions, we recommend that your reports:
- Describe the location the vulnerability was discovered and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
- Be in English, if possible.

What you can expect from us
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
- Within 3 business days, we will acknowledge that your report has been received.
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
- We will maintain an open dialogue to discuss issues.

Questions
Questions regarding this policy may be sent to hello@mindmesh.com.
We also invite you to contact us with suggestions for improving this policy.Document change history

Version:  1.1
Date: April 28, 2023
Description: First issuance