Data Processing Agreement

1. Purpose and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between MindCortex ("Processor") and the customer ("Controller") and governs the processing of personal data by MindCortex on behalf of the Controller in connection with the Mind Cortex service ("Service").

This DPA applies to the extent that the Processor processes personal data on behalf of the Controller in providing the Service. Where there is any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.

2. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person processed through the Service.
• Processing: Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, or deletion.
• Sub-processor: Any third party engaged by the Processor to process personal data on behalf of the Controller.
• Data Subject: The identified or identifiable natural person to whom personal data relates.
• Data Protection Laws: All applicable laws relating to the processing of personal data, including GDPR (EU) 2016/679, UK GDPR, Swiss FADP, CCPA/CPRA, and any successor legislation.
• Standard Contractual Clauses (SCCs): The standard contractual clauses for the transfer of personal data to processors established in third countries, as adopted by the European Commission.

3. Processing Instructions

The Processor shall process personal data only on documented instructions from the Controller, as set out in this DPA, the Agreement, and any subsequent written instructions agreed by both parties. The Processor shall not process personal data for any purpose other than providing the Service, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification.

If the Processor believes that an instruction from the Controller infringes Data Protection Laws, the Processor shall promptly notify the Controller.

4. Scope of Processing

MindCortex processes personal data solely to provide the Service as described in the Agreement. This includes:

• Storing and organizing user-created content (notes, files, meeting recordings)
• Providing AI-powered features including responses, categorization, search, and knowledge retrieval
• Creating and searching semantic indexes of user content
• Processing meeting audio for transcription and analysis
• Sending transactional emails (notifications, reminders, digests)
• Processing payments and managing subscriptions

The details of processing activities, categories of data subjects, and types of personal data are described in Annex A below.

5. AI Processing

The Processor uses third-party AI models (as listed in the Sub-Processors table) to provide AI-powered features of the Service. The following safeguards apply:

• No model training. The Processor does not use Controller personal data to train, fine-tune, or improve any machine learning or AI models. The Processor maintains contractual agreements with its AI sub-processors that prohibit them from using Controller data to train their models.
• Transient processing. Content sent to AI sub-processors is processed to deliver results and is not retained by the sub-processor beyond what is necessary to complete the API request.
• Purpose limitation. AI processing is performed solely for the purpose of delivering Service features to the Controller, in accordance with the Controller's instructions.

6. Confidentiality

The Processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Processor shall not disclose personal data to any third party except as necessary to provide the Service, as instructed by the Controller, or as required by applicable law.

7. Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Row-level security (RLS) policies ensuring strict data isolation between users
• Authentication via Supabase Auth with support for passwordless (passkeys/FIDO2)
• Rate limiting and Web Application Firewall (Cloudflare WAF)
• Nonce-based Content Security Policy (CSP)
• Regular security monitoring and incident response procedures
• Access controls limiting employee access to production data

8. Sub-Processors

The Controller provides general written authorization for the Processor to engage the sub-processors listed below. The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of sub-processors by updating this list and notifying the Controller via the email address associated with the Controller's account.

The Controller may object to a new sub-processor within 14 days of notification by providing a written objection with reasonable grounds relating to data protection. If the Controller objects and the Processor cannot reasonably accommodate the objection, either party may terminate the affected portion of the Service with 30 days' written notice.

9. International Data Transfers

The Processor shall not transfer personal data to a country outside the EEA, UK, or Switzerland unless appropriate safeguards are in place. For transfers to the United States, the Processor relies on:

• The EU-US Data Privacy Framework, where the sub-processor is certified
• EU Standard Contractual Clauses (Module Two: Controller to Processor), incorporated by reference into this DPA
• Data processing agreements with each sub-processor that include equivalent transfer safeguards

10. Data Subject Rights

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under applicable Data Protection Laws, including:

• Access: Users can view all their data through the application interface.
• Rectification: Users can edit their content and profile information at any time.
• Erasure: Users can delete individual items or request full account deletion.
• Portability: Users can export their data in machine-readable format (JSON/ZIP) via the in-app export feature.
• Restriction: Account suspension preserves data without active processing.

11. Compliance Assistance

Taking into account the nature of processing and the information available, the Processor shall assist the Controller in ensuring compliance with the Controller's obligations under Data Protection Laws, including obligations relating to security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation with supervisory authorities. Such assistance shall be provided at the Controller's reasonable expense.

12. Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

13. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws, and shall allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller. The Processor shall satisfy audit obligations by:

• Providing relevant security certifications or audit reports upon written request, no more than once per year
• Responding to reasonable written information requests within 30 days
• Permitting on-site audits at the Controller's expense with 30 days' prior written notice, during business hours, subject to reasonable confidentiality obligations

14. Data Return and Deletion

Upon termination of the Agreement, the Processor shall, at the Controller's election:

• Return all personal data to the Controller in a commonly used, machine-readable format via the Service's export functionality, or
• Delete all personal data and existing copies, unless applicable law requires further storage.

The Controller shall make its election within 30 days of termination. If no election is made, the Processor shall delete all personal data within 90 days of termination. Upon request, the Processor shall provide written confirmation of deletion. For team accounts, orphaned content is retained for a configurable period (default 90 days) to allow recovery, after which it is permanently deleted.

15. Liability

Each party's liability arising out of or related to this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement. Nothing in this DPA shall limit either party's liability for fraud, willful misconduct, or liability that cannot be limited by applicable law. The Processor's total aggregate liability for all claims arising under this DPA shall not exceed the total fees paid by the Controller to the Processor in the 12 months preceding the claim.

16. Governing Law

This DPA shall be governed by the laws that govern the Agreement, except where the mandatory provisions of Data Protection Laws of the data subject's jurisdiction apply, in which case those provisions shall prevail. Nothing in this DPA limits the rights of data subjects to lodge complaints with their local supervisory authority.

17. Term

This DPA remains in effect for the duration of the Agreement. The obligations regarding data protection survive the termination of this DPA for as long as the Processor retains or processes personal data on behalf of the Controller.

18. Contact

For questions about this DPA or to exercise data protection rights, contact us at [email protected].