Data Processing Agreement
Last updated: February 15, 2026
1. Purpose
This Data Processing Agreement ("DPA") forms part of the Terms of Service between MindCortex ("Processor") and the customer ("Controller") and governs the processing of personal data by MindCortex on behalf of the Controller in connection with the Mind Cortex service.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person processed through the Service.
- Processing: Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, or deletion.
- Sub-processor: Any third party engaged by the Processor to process personal data on behalf of the Controller.
- Data Subject: The identified or identifiable natural person to whom personal data relates.
3. Scope of Processing
MindCortex processes personal data solely to provide the Service as described in the Terms of Service. This includes:
- Storing and organizing user-created content (notes, files, meeting recordings)
- Generating AI-powered responses, summaries, and categorizations
- Creating and searching vector embeddings for semantic retrieval
- Processing meeting audio for transcription and analysis
- Sending transactional emails (notifications, reminders, digests)
4. Security Measures
MindCortex implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Row Level Security (RLS) policies ensuring strict data isolation between users
- Authentication via Supabase Auth with support for passwordless sign-in (passkeys/FIDO2)
- Rate limiting and Web Application Firewall (Cloudflare WAF)
- Regular security monitoring and incident response procedures
- Access controls limiting employee access to production data
5. Sub-Processors
The Controller authorizes the use of the following sub-processors. MindCortex will notify the Controller before adding or replacing sub-processors.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | US (Virginia) |
| OpenAI | AI processing, embeddings, transcription | US |
| AssemblyAI | Meeting transcription and summarization | US |
| Resend | Transactional and notification emails | US |
| RevenueCat / Stripe | Subscription billing and payment processing | US |
| PostHog | Product analytics (with user consent only) | US / EU |
| Sentry | Error monitoring and performance tracking | US |
| Vercel | Application hosting and edge delivery | US |
6. Data Subject Rights
MindCortex will assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection laws, including:
- Access: Users can view all their data through the application interface.
- Rectification: Users can edit their content and profile information at any time.
- Erasure: Users can delete individual items or request full account deletion.
- Portability: Users can export their data in standard formats.
- Restriction: Account suspension preserves data without active processing.
7. Breach Notification
MindCortex will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
8. Data Retention and Deletion
Upon termination of the Service or upon request, MindCortex will delete or return all personal data to the Controller and delete existing copies, unless applicable law requires storage of the personal data. For team accounts, a configurable data retention period (default 90 days) applies to orphaned content after team deletion.
9. Term and Termination
This DPA remains in effect for the duration of the Service agreement. The obligations regarding data protection survive the termination of this DPA for as long as MindCortex processes personal data on behalf of the Controller.
10. Contact
For questions about this DPA or to exercise data protection rights, contact us at [email protected].