Data Processing Agreement

For personal data contained in Customer Data (the Output generated by running agents), the Customer is the controller and Mindcase is the processor. Mindcase provides a general-purpose extraction tool and does not determine the purposes or means of processing Customer Data; it never acts as the controller of that data, and the Customer is solely responsible for the lawfulness of the collection and use it directs. This DPA supplements and forms part of the Terms. Where there is a conflict between this DPA and the Terms with respect to processing of Customer Data, this DPA controls.

The subject-matter of the processing is the operation of the Mindcase Services. Mindcase processes the personal data that the Customer chooses to extract through agents, for the duration of the Customer’s use of the Services, for the purpose of delivering Output and operating the platform. The categories of data subjects and personal data are determined by the Customer through the agents and inputs it chooses.

Mindcase processes Customer Data only on the Customer’s documented instructions, including as set out in the Terms and as given through the Customer’s use of the Services (such as the agents and parameters it runs), unless required to act otherwise by law. The Customer is responsible for ensuring it has a lawful basis for the processing and that its instructions comply with applicable law.

Mindcase ensures that personnel authorized to process Customer Data are bound by appropriate confidentiality obligations and process Customer Data only as needed to provide the Services.

Mindcase maintains appropriate technical and organizational measures to protect Customer Data, including:

• encryption of data in transit and at rest;
• access controls and least-privilege access for personnel;
• short retention — job Output is automatically deleted after 7 days.

The Customer authorizes Mindcase to engage the sub-processors listed in our Privacy Policy to process Customer Data. Mindcase imposes data-protection obligations on its sub-processors that are substantially similar to those in this DPA (flow-down). Mindcase will provide notice of any new or replacement sub-processor and remains responsible for its sub-processors’ performance.

Taking into account the nature of the processing, Mindcase will provide reasonable assistance to the Customer in responding to data-subject requests and in meeting the Customer’s security, breach-notification, and impact-assessment obligations. In the event of a personal-data breach affecting Customer Data, Mindcase will notify the Customer without undue delay after becoming aware of it.

Where Customer Data is transferred across borders, Mindcase relies on appropriate safeguards and contractual protections with its sub-processors to protect that data consistent with applicable law.

Job Output is automatically deleted after 7 days in the ordinary course of the Services. On termination of the Services, Mindcase will delete or, where reasonably practicable and requested, return remaining Customer Data, except where retention is required by law.

On reasonable prior written request, and subject to confidentiality obligations, Mindcase will make available information reasonably necessary to demonstrate compliance with this DPA. Audits are limited to a reasonable scope and frequency and must not unreasonably disrupt Mindcase’s operations.

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, including the aggregate liability cap. This DPA forms part of and is governed by the Terms of Service.

Mindcase’s obligations are limited to those of a processor expressly set out in this DPA and required by applicable data-protection law. Nothing in this DPA makes Mindcase a controller of Customer Data; the Customer remains solely responsible for the lawful basis, the purpose, and the lawfulness of the processing it instructs, and Mindcase’s aggregate liability is capped as set out in the Terms.