Effective Date: 02.27.2025
This Data Processing Agreement (“DPA”) forms part of the agreement between MindClon Ltd., registered in England and Wales (“Processor”), and the Customer (“Controller”).
This DPA applies where MindClon processes Personal Data on behalf of the Customer under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.
1. Definitions
Processor: The entity that processes data on behalf of the Controller.
Personal Data: Any information relating to an identified or identifiable natural person.
Special Category Data: Personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person’s sex life or sexual orientation.
Processing: Any operation performed on Personal Data, including collection, storage, organisation, analysis, retrieval, or deletion.
Controller: The entity that determines the purposes and means of processing.
2. Scope of Processing
MindClon processes Personal Data solely on documented instructions from the Controller for the purpose of providing its Services, including but not limited to:
- Structured cognitive modelling
- Reflection and decision logging
- Emotional signal modelling (where applicable)
- Perception and inference mapping
- Institutional analytics and reporting
- Data export and audit preparation
The nature and purpose of processing are defined by the Customer’s configuration and deployment of the Services.
3. Roles of the Parties
For purposes of UK GDPR:
- The Customer acts as Controller.
- MindClon acts as Processor.
MindClon does not determine the purposes of processing Customer data beyond providing the contracted Services.
4. Special Category Data
Where the Customer uploads or processes Special Category Data (including clinical, health, biometric, or psychological information):
- The Controller is responsible for establishing a lawful basis under Article 6 UK GDPR and, where applicable, a condition under Article 9 UK GDPR.
- MindClon processes such data only on documented instruction and implements enhanced technical safeguards.
MindClon does not independently collect Special Category Data.
5. Confidentiality
MindClon ensures that:
- Access rights are role-based and auditable.
- Personnel are bound by confidentiality obligations.
- Access to Personal Data is limited to authorised individuals.
6. Security Measures
MindClon implements appropriate technical and organisational measures, including:
- Encryption of data in transit and at rest
- Role-based access control
- Audit logging
- Infrastructure monitoring
- Secure hosting environments
- Logical data segregation between customers
Security measures are regularly reviewed and updated.
7. Subprocessors
MindClon may engage subprocessors to provide infrastructure or technical services.
MindClon ensures that:
- The Controller may object to new subprocessors on reasonable grounds.
- Subprocessors are bound by equivalent data protection obligations.
- A list of subprocessors is available upon request.
8. Data Subject Rights
MindClon shall assist the Controller in responding to data subject requests under UK GDPR, including:
- Access requests
- Rectification
- Erasure
- Restriction of processing
- Data portability
- Objection to processing
The Controller remains responsible for fulfilling such requests.
9. Data Breach Notification
In the event of a Personal Data breach, MindClon shall:
- Notify the Controller without undue delay after becoming aware of the breach.
- Provide relevant information necessary to assess risk and regulatory obligations.
- Cooperate in remediation and mitigation efforts.
The Controller is responsible for notifying the Information Commissioner’s Office (ICO) where required.
10. International Transfers
Where Personal Data is transferred outside the United Kingdom, MindClon shall ensure appropriate safeguards are in place, including:
- The UK International Data Transfer Agreement (IDTA); or
- The UK Addendum to the EU Standard Contractual Clauses; or
- Adequacy decisions recognised under UK law.
Details of hosting locations are available upon request.
11. Data Retention and Deletion
Upon termination of the Services, and subject to contractual terms:
- Personal Data shall be deleted or returned to the Controller.
- Backups shall be removed within a commercially reasonable timeframe.
- Certain data may be retained where required by law.
12. Audit and Compliance
Upon reasonable notice, MindClon shall provide information necessary to demonstrate compliance with this DPA and UK GDPR obligations.
Formal audits may be conducted subject to confidentiality and security safeguards.
13. Liability
Liability for data protection matters shall be governed by the primary Services Agreement between the parties.
14. Governing Law
This DPA is governed by the laws of England and Wales.
