This Data Processing Addendum (including all Schedules attached hereto, the “DPA”) is incorporated into, and is subject to the terms and conditions of, the Master Services Agreement or other written or electronic agreement (“Agreement”) between the entity identified as “Customer” in the Agreement (“Customer”) and the Mindgard entity(ies) identified in the Agreement (“Mindgard”). This DPA applies to the extent Mindgard’s Processing of Customer Personal Data is subject to the Data Protection Laws. This DPA shall be effective for the term of the Agreement.
1. Definitions
1.1. For the purposes of this DPA:
1.1.1. “Customer Personal Data” means the Personal Data described under Schedule 1 to this DPA;
1.1.2. “Data Protection Laws” means all laws relating to data protection and privacy applicable to Mindgard’s Processing of Customer Personal Data in any jurisdiction where Customer and/or Mindgard operates, including without limitation, European Data Protection Law and the laws and regulations of the United States and its states, as amended from time to time, to the extent applicable to the relevant party;
1.1.3. “Data Subjects” means the individuals identified in Schedule 1;
1.1.4. “European Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and all other privacy and data protection laws of the European Economic Area (“EEA”), and their respective Member States, Switzerland and the United Kingdom (“UK”), including without limitation the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) (the “UK GDPR”), and all laws implementing or supplementing the foregoing;
1.1.5. “Personal Data” means any information that reasonably relates, directly or indirectly, to an identified or identifiable Data Subject;
1.1.6. “Processing” (including its cognate “Process”) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
1.1.7. “Security Incident” means a material breach of security leading to the unauthorized or unlawful access by a third party, or confirmed accidental or unlawful destruction, loss or alteration, of Customer Personal Data;
1.1.8. “Standard Contractual Clauses” means (i) Module 2 of the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj (the “EU SCCs”); and
1.1.9. “UK Addendum” means the International Data Transfer Addendum to the Standard Contractual Clauses issued by the UK Information Commissioner’s Office, in force as of 21 March 2022, available at international-data-transfer-addendum.pdf (ico.org.uk).
1.2. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
2. Processing of Customer Personal Data
2.1. Mindgard will Process Customer Personal Data on behalf of Customer and in accordance with Customer’s prior written instructions, including any instructions provided through Customer’s use of the Service. Mindgard is hereby instructed to Process Customer Personal Data to the extent necessary to provide the Service as set forth in the Agreement and this DPA and in accordance with Data Protection Laws.
2.2. Mindgard will inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Laws, unless it is prohibited from doing so by law on important grounds of public interest.
2.3. The details of Mindgard’s Processing of Customer Personal Data are described in Schedule 1.
2.4. If applicable laws preclude Mindgard from complying with Customer’s instructions, Mindgard will inform Customer of its inability to comply with the instructions, to the extent permitted by law.
2.5. Each of Customer and Mindgard will comply with their respective obligations under the Data Protection Laws.
2.6. Mindgard certifies that it will not (a) “sell” or “share” (each as defined in the Data Protection Laws) Customer Personal Data, (b) retain, use, or disclose Customer Personal Data for any purpose other than for the specific purpose of providing the Services, (c) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Mindgard, and (d) combine Customer Personal Data with any Personal Data other than Customer Personal Data.
3. Restricted Data Transfers
3.1. In the event that Customer is subject to European Data Protection Law and the transfer of Customer Personal Data to Mindgard would be restricted in the absence of the Standard Contractual Clauses, the parties agree that the Standard Contractual Clauses shall be incorporated into this DPA with Customer as the “data exporter” and Mindgard as the “data importer.”
3.2. For purposes of the EU SCCs the parties agree that:
3.2.1. In Clause 7, the optional docking clause will not apply;
3.2.2. In Clause 9, Option 2 will apply and the time period for prior notice of Subprocessor changes will be as set forth in Section 5.1 of this DPA;
3.2.3. In Clause 11, the optional language will not apply;
3.2.4. For the purpose of Clause 17, the EU SCCs shall be governed by the laws of Ireland;
3.2.5. For the purpose of Clause 18(b), the parties agree to submit to the jurisdiction of the courts of Ireland;
3.2.6. For Annex I, Section A (List of Parties), (i) the data exporter’s and the data importer’s identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) Customer is a controller, and Mindgard is a processor; (iii) the activities relevant to the data transferred under the EU SCCs relate to the provision of the Services pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party’s signature of Annex I, Section A, as of the effective date of this DPA;
3.2.7. For Annex I, Section B (Description of Transfer): (i) Schedule 1 to this DPA describes Mindgard’s Processing of Customer Personal Data; (ii) the frequency of the transfer is continuous (for as long as Customer uses the Services); (iii) Customer Personal Data will be retained in accordance with Clause 8.5 of the EU SCCs and this DPA; (iv) Mindgard uses Subprocessors to support the provision of the Services.
3.2.8. For Annex I, Section C (Competent Supervisory Authority), the competent supervisory authority identified in accordance with Clause 13 of the EU SCCs is the competent supervisory authority communicated by Customer to Mindgard. Unless and until Customer communicates a competent supervisory authority to Mindgard, the competent supervisory authority shall be the Irish Data Protection Commission.
3.2.9. For the purposes of Annex II, data importer has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Customer Personal Data as described in Schedule 2.
3.3. For the purposes of the UK Addendum, the parties agree that Part 1, Tables 1, 2 and 3 of the UK Addendum will be deemed to be completed like the equivalent provisions in the EU SCCs. For the purpose of Part 1, Table 4, the party that may end the UK Addendum in accordance with Section 19 of the UK Addendum is the importer.
4. Confidentiality and Security
4.1. Mindgard will require Mindgard’s personnel who access Customer Personal Data to commit to protect the confidentiality of Customer Personal Data.
4.2. Mindgard will implement commercially reasonable technical and organisational measures, as further described in Schedule 2, that are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
4.3. To the extent required by Data Protection Laws, Mindgard will provide Customer with reasonable assistance as necessary for the fulfilment of Customer’s obligations under Data Protection Laws to maintain the security of Customer Personal Data.
5. Subprocessing
5.1. Customer agrees that Mindgard may use third-party suppliers to Process Customer Personal Data on its behalf for the provision of the Services under the Agreement (each a “Subprocessor”). A list of Mindgard’s current Subprocessors (the “List”) is available at https://mindgard.ai/legal/sub-processors. Such List may be updated by Mindgard from time to time. Mindgard may provide a mechanism to subscribe to notifications of new Subprocessors and Customer agrees to subscribe to such notifications where available. At least ten (10) days before enabling any third party other than existing Subprocessors to access or participate in the processing of Customer Personal Data, Mindgard will add such third party to the List and notify Customer via email. Customer may object to such an engagement by informing Mindgard within ten (10) days of receipt of the aforementioned notice from Mindgard, provided such objection is in writing and based on reasonable grounds relating to data protection. Customer acknowledges that certain Subprocessors are essential to providing the Services and that objecting to the use of a Subprocessor may prevent Mindgard from offering the Services to Customer.
5.2. If Customer reasonably objects to an engagement in accordance with Section 5.1, and Mindgard cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to Mindgard. If Customer does not object to the engagement of a third party in accordance with Section 5.1 within ten (10) days of notice by Mindgard, that third party will be deemed an authorized Subprocessor for the purposes of this DPA.
5.3. Mindgard will impose on its Subprocessors substantially the same obligations that apply to Mindgard under this DPA. Mindgard will be liable to Customer for any breaches of this DPA caused by its Subprocessors’ acts and omissions as it would be for its own.
6. Data Subject Rights
Customer is responsible for responding to any Data Subject requests relating to Customer Personal Data (“Requests”). If Mindgard receives any Requests during the term, Mindgard will advise the Data Subject to submit the request directly to Customer. Mindgard will provide Customer with self-service functionality or other reasonable assistance to permit Customer to respond to Requests.
7. Security Incidents
Upon becoming aware of a Security Incident affecting Customer Personal Data, Mindgard will (i) promptly take measures designed to remediate the Security Incident and (ii) notify Customer without undue delay. Customer is solely responsible for complying with Security Incident notification requirements applicable to Customer. At Customer’s request, Mindgard will reasonably assist Customer’s efforts to notify Security Incidents to the competent data protection authorities and/or affected Data Subjects, if Customer is required to do so under the Data Protection Laws. Mindgard’s notice of or response to a Security Incident under this Section 7 will not be an acknowledgement or admission by Mindgard of any fault or liability with respect to the Security Incident.
8. Data Protection Impact Assessment; Prior Consultation
Taking into account the nature of the Processing and the information available to Mindgard, Mindgard will reasonably assist Customer in conducting data protection impact assessments and consultation with data protection authorities if Customer is required to engage in such activities under applicable Data Protection Laws and such assistance is necessary and relates to the Processing by Mindgard of Customer Personal Data.
9. Deletion of Customer Personal Data
Customer instructs Mindgard to delete Customer Personal Data within 90 days of the termination of the Agreement and delete existing copies unless applicable law requires otherwise. The parties agree that the certification of deletion described in Clause 8.5 of the EU SCCs and Clause 12 of the UK SCCs, if applicable, shall be provided only upon Customer’s written request. Notwithstanding the foregoing, Mindgard may retain Customer Personal Data to the extent and for the period required by applicable laws provided that Mindgard maintains the confidentiality of all such Customer Personal Data and Processes such Customer Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage.
10. Audits
10.1. Customer may audit Mindgard’s compliance with its obligations under this DPA up to once per year. In addition, Customer may perform more frequent audits (including inspections) in the event: (1) Mindgard suffers a Security Incident affecting Customer Personal Data; (2) Customer has genuine, documented concerns regarding Mindgard’s compliance with this DPA or the Data Protection Laws; or (3) where required by the Data Protection Laws, including where mandated by regulatory or governmental authorities with jurisdiction over Customer Personal Data. Mindgard will contribute to such audits by providing Customer or Customer’s regulatory or governmental authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Service, as described below.
10.2. To request an audit, Customer must submit a detailed proposed audit plan to legal@mindgard.ai at least one month in advance of the proposed audit start date. The proposed audit plan must describe the proposed scope, duration, start date of the audit, and the identity of any third party Customer intends to appoint to perform the audit. Mindgard will review the proposed audit plan and provide Customer with any concerns or questions (for example, Mindgard may object to the third party auditor as described in Section 10.3, provide an Audit Report as described in Section 10.4, or identify any requests for information that could compromise Mindgard confidentiality obligations or security, privacy, employment or other relevant policies). The parties will negotiate in good faith to agree on a final audit plan at least two weeks in advance of the proposed audit start date. Nothing in this Section 10 shall require Mindgard to breach any duties of confidentiality.
10.3. Mindgard may object to third party auditors that are, in Mindgard’s reasonable opinion, not suitably qualified or independent, a competitor of Mindgard, or otherwise manifestly unsuitable. Customer will appoint another auditor or conduct the audit itself if the parties cannot resolve the objection after negotiating in good faith.
10.4. If the requested audit scope is addressed in an SOC 2 or similar audit report performed by a qualified third party auditor on Mindgard’s systems that Process Customer Personal Data (“Audit Reports”) within twelve (12) months of Customer’s audit request and Mindgard confirms there are no known material changes in the controls audited, Customer agrees to accept the Audit Report in lieu of requesting an audit of the controls covered by the Audit Report.
10.5. The audit must be conducted at a mutually agreeable time during regular business hours at the applicable facility, subject to the agreed final audit plan and Mindgard’s health and safety or other relevant policies and may not unreasonably interfere with Mindgard business activities.
10.6. Any audits are at Customer’s expense and Customer will promptly disclose to Mindgard any perceived non-compliance or security concerns discovered during the audit, together with all relevant details.
10.7. The parties agree that the audits described in Clause 8.9 of the EU SCCs and Clause 5(f) of the UK SCCs, if applicable, shall be performed in accordance with this Section 10.
11. Analytics Data
Customer acknowledges and agrees that Mindgard may create and derive from Processing related to the Service anonymized and/or aggregated data that does not identify or relate to Customer or any Data Subject (“Analytics Data”), and use, publicize or share with third parties such Analytics Data to improve the Service and for Mindgard’s other legitimate business purposes in accordance with Data Protection Laws.
12. Liability
12.1. Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.
12.2. Customer acknowledges that Mindgard is reliant on Customer for direction as to the extent to which Mindgard is entitled to Process Customer Personal Data on behalf of Customer in performance of the Service. Consequently, Mindgard will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by Mindgard in compliance with Customer’s instructions or (b) from Customer’s failure to comply with its obligations under the Data Protection Laws.
13. General Provisions
With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. In the event of inconsistencies between the DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.
SCHEDULE 1
Details of Processing
1. Categories of Data Subjects. This DPA applies to Mindgard’s Processing of Customer Personal Data relating to Customer’s employees, contractors, clients/consumers, and other authorized users of the Service (“Data Subjects”).
2. Types of Personal Data. The extent of Customer Personal Data Processed by Mindgard is determined and controlled by Customer in its sole discretion and includes user ID, passwords, and any other Personal Data that may be transmitted through the Service by Data Subjects.
3. Subject-Matter and Nature of the Processing. Customer Personal Data will be subject to the Processing activities that Mindgard needs to perform in order to provide the Service pursuant to the Agreement.
4. Purpose of the Processing. Mindgard will Process Customer Personal Data for purposes of providing the Service as set out in the Agreement.
5. Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 9 of the DPA.
SCHEDULE 2
Security Measures
Mindgard will implement and maintain the security practices and procedures set out in this Schedule 2.
1. Staff responsible for the development, implementation and maintenance of Mindgard’s information security program.
2. Review and assessment of risks to Mindgard’s organization, monitoring and maintaining compliance with Mindgard’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management as appropriate.
3. Data security controls which include logical segregation of data, restricted (e.g., role-based) access and monitoring, and use of commercially available and industry standard encryption technologies for Customer Personal Data as appropriate.
4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
5. Strong authentication controls designed to manage and control digital access requirements through hardware authenticators, password strength, and password management requirements for assigned Mindgard credentials as appropriate.
6. Change management procedures and tracking mechanisms designed to test, approve and monitor changes to Mindgard’s technology and information assets.
7. Incident response procedures designed to allow Mindgard to investigate, respond to, mitigate and notify events related to Mindgard’s technology and information assets.
8. Network security controls that provide for the use of enterprise firewalls and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack, as appropriate.
9. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.