Data Processing Addendum

1. Definitions

• “Personal Data” means any information relating to an identified or identifiable natural person, as defined in applicable Data Protection Laws.
• “Processing” means any operation or set of operations performed on Personal Data, including collection, storage, use, disclosure, and deletion.
• “Controller” means the entity that determines the purposes and means of Processing Personal Data.
• “Processor” means the entity that processes Personal Data on behalf of the Controller.
• “Sub-processor” means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
• “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
• “Customer Content” means all Personal Data that Customer or its end users submit to the Service, including messages, contacts, attachments, and AI interaction data.
• “Data Protection Laws” means all applicable laws relating to data protection and privacy, including GDPR (EU 2016/679), UK GDPR, CCPA/CPRA, and any other applicable legislation.

2. Roles of the Parties

• Customer Content: Customer is the Controller and MindPath BI is the Processor. We process Customer Content solely on your instructions as described in the Agreement and this DPA.
• Account Data: MindPath BI is an independent Controller for account registration data, billing information, and usage analytics needed to operate, secure, and improve the Service. This does not create a joint-controller relationship.

3. Scope of Processing

Data Subjects: Customer’s end users, customers, contacts, and any individuals whose data is submitted to the Service.

4. Sub-processors

A current list of Sub-processors is maintained on our Subprocessors page.

• Advance notice: We will provide at least 10 calendar days’ notice before engaging a new Sub-processor by updating the Subprocessors page and notifying customers who have subscribed to updates.
• Objection right: You may object in writing within 5 calendar days of notification. If we cannot reasonably accommodate the objection, your sole remedy is to terminate the affected Service for convenience.
• Liability: We remain liable for our Sub-processors’ compliance with this DPA to the same extent as if we performed the processing ourselves.

5. Security Measures

We implement and maintain appropriate technical and organizational measures to protect Personal Data, including:

• Encryption at rest — Fernet symmetric encryption for sensitive credentials; database-level encryption for all stored data.
• Encryption in transit — TLS/HTTPS for all data in transit.
• Access control — Role-based access control (RBAC) with defense-in-depth multi-tenant isolation (application-level + PostgreSQL Row-Level Security).
• Webhook integrity — HMAC-SHA256 signature verification for all inbound webhook payloads.
• Malware scanning — ClamAV INSTREAM scanning of inbound attachments with configurable fail-open/fail-closed policy.
• Input sanitization — HTML escaping and content sanitization on write endpoints.
• Audit logging — Security-relevant events are logged and retained per our data retention schedule.

6. Data Breach Notification

• We will notify you of a confirmed Personal Data breach without undue delay and no later than 72 hours after becoming aware of it, consistent with GDPR Article 33.
• Notification will include, to the extent available: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
• You are responsible for notifying supervisory authorities and affected Data Subjects as required by applicable law.

7. Data Subject Rights

We will assist you in fulfilling your obligations to respond to Data Subject requests (access, rectification, erasure, portability, restriction, and objection) within the following service levels:

• Acknowledgment: Within 3 business days of receiving your request for assistance.
• Completion: Within 30 calendar days for standard requests.
• If an extension is needed, we will communicate before day 30 where legally permitted.

Where technically feasible, we provide self-service tools within the product for Customer administrators to respond to Data Subject requests directly.

8. International Data Transfers

• Primary processing: Application data is hosted in the European Union (OVH, France).
• US Sub-processors: Certain Sub-processors (Sentry, GitHub) are located in the United States. Transfers to US Sub-processors are governed by the EU Standard Contractual Clauses (SCCs) as approved by the European Commission.
• UK transfers: For transfers from the UK, we rely on the UK International Data Transfer Addendum to the EU SCCs.
• AI processing: AI inference via Google Gemini may be processed in the US/EU. Google’s data processing terms apply as disclosed on our Subprocessors page.
• We do not currently participate in the EU-US Data Privacy Framework (DPF). This will be updated if certification is obtained.

9. Data Return and Deletion

Upon termination of the Agreement:

• Days 0–30 (Export Window): You may request a full export of your Customer Content in JSON or CSV format. We will provide reasonable assistance for data migration.
• Days 31–60 (Staged Deletion): Customer Content enters a staged deletion queue. Access is revoked and data is prepared for irreversible purge.
• Days 61–90 (Final Purge): All Customer Content is irreversibly deleted from production systems, backups, and derived data (including AI embeddings and knowledge graph entries).
• Certificate of Destruction: Upon request, we will issue a certificate of destruction within 10 business days of validated completion of the purge.

Retention beyond 90 days occurs only where required by applicable law or regulatory obligation, and we will inform you of such requirements.

10. Audit Rights

• Upon written request (no more than once per calendar year), we will provide a summary of our security practices, including any third-party audit reports or certifications available at that time.
• We will respond to reasonable due-diligence questionnaires related to our processing of Personal Data.
• If a more detailed audit is required by Data Protection Laws, we will cooperate in good faith, subject to reasonable scope, timing, and confidentiality requirements.

11. Liability

Each party’s liability under this DPA is subject to the limitations of liability set forth in the Agreement (Terms of Service). This DPA does not create any separate or additional liability beyond the Agreement.

12. Term and Termination

This DPA takes effect on the date Customer accepts the Agreement and remains in effect for the duration of the Agreement. Our obligations under this DPA survive termination to the extent we continue to process Personal Data (including during the deletion lifecycle described in Section 9).

13. California-Specific Provisions (CCPA/CPRA)

To the extent that the California Consumer Privacy Act applies:

• MindPath BI acts as a Service Provider with respect to Customer Content.
• We process Customer Content only for the business purposes specified in the Agreement.
• We do not sell or share (as defined by the CCPA/CPRA) Customer Content.
• We do not combine Customer Content with personal information received from other sources, except as permitted by law.
• We certify that we understand and will comply with these restrictions.

14. Contact

For questions about this DPA or to exercise any rights described herein, contact us at josef@mindpathbi.com.