Data ProcessingAgreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Mynd Labs, Inc. ("Processor") and the customer ("Controller") and applies to the processing of personal data by Processor on behalf of Controller in connection with the Services.

Controller determines the purposes and means of processing personal data. Processor processes personal data only on documented instructions from Controller, including with regard to transfers of personal data to a third country, unless required to do so by applicable law.

The personal data processed under this DPA relates to:

• ↳Controller's end users and customers
• ↳Controller's employees and authorized users
• ↳Individuals whose data is processed through agent workflows configured by Controller

Processor shall:

• ↳Process personal data only on Controller's documented instructions
• ↳Ensure that persons authorized to process personal data have committed themselves to confidentiality
• ↳Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
• ↳Not engage another processor without prior specific or general written authorization of the Controller
• ↳Assist Controller in ensuring compliance with obligations under GDPR Articles 32-36
• ↳Delete or return all personal data upon termination of the Services

Processor maintains the following security measures:

• ↳Encryption of personal data at rest (AES-256) and in transit (TLS 1.3)
• ↳Access controls with role-based permissions and multi-factor authentication
• ↳Regular security assessments and penetration testing
• ↳Incident response procedures with 72-hour breach notification
• ↳Business continuity and disaster recovery plans

A current list of sub-processors is available upon request. Controller will be notified of any changes to sub-processors, and may object to such changes in accordance with applicable law.

Where personal data is transferred outside the EEA, Processor ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission. Enterprise customers may select data residency options to restrict processing to specific regions.

Controller may audit Processor's compliance with this DPA, subject to reasonable notice (at least 30 days) and confidentiality obligations. Processor will cooperate with any such audit and provide reasonable access to relevant facilities and records.

For DPA-related inquiries, contact us at dpa@myndlabs.tech.