Data Processing Addendum
Last updated:
This Data Processing Addendum (“DPA”) governs MindsDB’s Processing of Customer Data in connection with any Agreement to which this is attached (the “Agreement”). In the event of any conflict between the terms of this DPA and the Agreement, the terms of this DPA shall prevail to the extent of any such conflict.
1. Definitions
For purposes of this DPA, the following terms shall have the meanings ascribed to them herein. Other terms capitalized but not defined in this DPA shall have the meanings given to them in the Agreement.
- 1.1. “Consumer” shall have the meaning given to it under any applicable Privacy Law.
- 1.2. “Controller” or “Business” shall have the meaning given to it under any applicable Privacy Law.
- 1.3. “Customer Data” means Personal Data that is provided to or obtained by MindsDB in the provision of support services to Licensee pursuant to Attachment 4 of this Agreement, Professional Services, Technical Services or Training Services.
- 1.4. “Data Subject” and “Supervisory Authority” have the meaning given to them in the GDPR.
- 1.5. “Sale” shall have the meaning given to it under any applicable Privacy Law.
- 1.6. “Share” shall have the meaning given to it under the CCPA.
- 1.7. “Personal Data” means any Customer Materials that constitute “personal data,” “personal information,” “personally identifiable information,” or any analogous term under any applicable Privacy Law.
- 1.8. “Personal Data Breach” means any unauthorized access to, or use of, Customer Data in the possession or control of MindsDB.
- 1.9. “Processor” or “Service Provider” shall have the meaning given to it under any applicable Privacy Law.
- 1.10. “Privacy Laws” means, collectively, all applicable European and U.S. federal and state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply to MindsDB’s Processing of Customer Data to provide the Support Services, Professional Services, Technical Services or Training Services to, or relating to, Customer pursuant to the Agreement, including, as applicable:
- 1.10.1. General Data Protection Regulation (EU) 2016/679 (the “GDPR”) and its national implementations in the European Economic Area;
- 1.10.2. e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC) and its national implementations in the European Economic Area;
- 1.10.3. UK General Data Protection Regulation, the UK Data Protection Act 2018 and the Privacy and Electronic Communications Regulations;
- 1.10.4. California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”);
- 1.10.5. Colorado Privacy Act;
- 1.10.6. Connecticut Personal Data Privacy and Online Monitoring Act;
- 1.10.7. Montana Consumer Data Privacy Act;
- 1.10.8. Oregon Consumer Privacy Act;
- 1.10.9. Texas Data Privacy and Security Act;
- 1.10.10. Utah Consumer Privacy Act; and
- 1.10.11. Virginia Consumer Data Protection Act.
- 1.11. “SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021, on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time.
- 1.12. “Third-Party Controller” shall have the meaning given to it under any applicable Privacy Law.
- 1.13. “UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).
2. Scope, Roles, and Termination
- 2.1. Applicability. This DPA applies only to MindsDB’s Processing of Customer Data in the provision of the Support Services, Professional Services, Technical Services or Training Services to or on behalf of Licensee pursuant to the Agreement for the nature, purposes, and duration set forth in Appendix A to this DPA.
- 2.2. Roles of the Parties. For the purposes of the Agreement and this DPA, Licensee is the party responsible for determining the purposes and means of Processing Customer Data as the Controller or Business, as applicable, and appoints MindsDB as a Processor or Service Provider, as applicable, to Process Customer Data on behalf of Licensee for the limited and specific purposes set forth in Appendix A.
- 2.3. Obligations at Termination. Upon termination of the Agreement, except as set forth therein or herein, MindsDB will discontinue Processing and destroy or return Customer Data in its or its subcontractors’ and sub-processors’ possession without undue delay. MindsDB may retain Customer Data to the extent required by law but only to the extent and for such period as required by such law and always provided that MindsDB shall ensure the confidentiality of all such Customer Data. MindsDB may anonymize the Customer Data to satisfy its obligations under this clause.
3. Compliance
- 3.1. Compliance with Obligations. MindsDB (a) shall comply with the obligations of all applicable Privacy Laws, (b) shall provide the level of privacy protection required by the applicable Privacy Laws, and (c) shall provide Licensee with commercially reasonable assistance requested by Licensee designed to enable Licensee to fulfill its own obligations under Privacy Laws. Upon the reasonable request of Licensee, MindsDB shall use commercially reasonable efforts to make available to Licensee all information in MindsDB’s possession designed to demonstrate MindsDB’s compliance with this subsection.
- 3.2. Compliance Assurance. Licensee has the right to take reasonable and appropriate steps to ensure that MindsDB uses Customer Data consistent with Licensee’s obligations under applicable Privacy Laws and this DPA.
- 3.3. Audit. Upon reasonable request, MindsDB must make available to Customer all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested no more than once per year by Licensee, and performed by an independent auditor as agreed upon by Licensee and MindsDB. The foregoing shall only extend to those documents and facilities relevant and material to the Processing of Customer Data and shall be conducted during normal business hours and in a manner that causes minimal disruption. MindsDB will inform Licensee if MindsDB believes that Licensee’s instruction under this Section 3.3 infringes Privacy Laws. MindsDB may suspend the audit or inspection or withhold requested information until Licensee has modified or confirmed the lawfulness of the instructions in writing. MindsDB and Licensee each bear their own costs related to an audit.
4. Restrictions on Processing
- 4.1. Limitations on Processing. MindsDB will Process Customer Data solely as set forth in the Agreement or this DPA. Except as permitted by applicable Privacy Laws, the Agreement, or this DPA, MindsDB is prohibited from (i) Selling or Sharing Customer Data, (ii) retaining, using, or disclosing Customer Data for any purpose other than for the specific purpose of performing the Support Services specified in Appendix A, (iii) retaining, using, or disclosing Customer Data outside of the direct business relationship between the parties, and (iv) combining Customer Data with Personal Data obtained from, or on behalf of, sources other than Licensee.
- 4.2. Confidentiality. MindsDB shall ensure that its employees, agents, subcontractors, and sub-processors are subject to a duty of confidentiality with respect to Customer Data.
- 4.3. Subcontractors; Sub-processors. Licensee hereby authorizes MindsDB to engage subcontractors and sub-processors. MindsDB’s current subcontractors and sub-processors are set forth in Appendix C. MindsDB shall notify Licensee of any intended changes concerning the addition or replacement of subcontractors or sub-processors. MindsDB shall ensure that MindsDB’s subcontractors or sub-processors who Process Customer Data on MindsDB’s behalf agree in writing to the same or equivalent restrictions and requirements that apply to MindsDB in this DPA with respect to Customer Data, as well as to comply with the applicable Privacy Laws, and shall be responsible to Licensee for any breach thereof by its subcontractors and sub-processors.
- 4.4. Right to Object. Licensee may object in writing to MindsDB’s appointment of a new subcontractor or sub-processor on reasonable grounds relating to a potential or actual violation of Privacy Laws by notifying MindsDB in writing within thirty (30) calendar days of receipt of notice in accordance with Section 4.3. In the event of such Licensee objection, the parties shall discuss Licensee’s concerns in good faith with a view to achieving a commercially reasonable resolution of Licensee’s objection.
5. Consumer and Data Subject Rights
- 5.1. MindsDB shall provide commercially reasonable assistance to Licensee for the fulfillment of Licensee’s obligations to respond to Consumer and Data Subject rights requests under applicable Privacy Laws regarding Customer Data.
- 5.2. MindsDB shall not be required to delete any Customer Data to comply with a Consumer’s request directed by Licensee if retaining such information is specifically permitted or required by applicable Privacy Laws.
- 5.3. Taking into account the nature of the Processing, and the information available to MindsDB, MindsDB shall assist Licensee, including, as appropriate, by implementing technical and organizational measures, with the fulfilment of Licensee’s own obligations under Privacy Laws (i.e., to comply with requests to exercise Data Subject rights and to conduct data protection impact assessments) and prior consultations with Supervisory Authorities.
6. International Data Transfers
- 6.1. Licensee hereby authorizes MindsDB to perform international data transfers to any country deemed adequate by the European Commission or the competent authorities, as appropriate, including Canada, on the basis of adequate safeguards in accordance with Privacy Laws or pursuant to the SCCs referred to in Sections 6.2 and 6.3.
- 6.2. By entering into this DPA, MindsDB and Licensee conclude Module 2 (controller-to-processor) of the SCCs and, to the extent Licensee is a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, which are hereby incorporated and completed as follows: (i) the “data exporter” is Licensee, (ii) the “data importer” is MindsDB, (iii) the optional docking clause in Clause 7 is implemented, (iv) Option 2 of Clause 9(a) is implemented and the time period therein is 30 calendar days, (v) the optional redress clause in Clause 11(a) is struck, (vi) Option 1 in Clause 17 is implemented and the governing law is the law of Ireland, (vii) the courts in Clause 18(b) are the Courts of Dublin, Ireland, and (viii) Annex I, II and III to module 2 of the SCCs are Appendix A, B and C to this DPA, respectively.
- 6.3. By entering into this DPA, MindsDB and Licensee conclude the UK Addendum, which is hereby incorporated and applies to international data transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Licensee and the “Importer” is MindsDB, their details are set forth in this DPA, and the Agreement, (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 6.2 of this DPA, (iii) in Table 3, Annexes 1 (A and B) to the “Approved EU SCCs” are Appendix A, B, C to this DPA respectively, and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
- 6.4. If MindsDB’s compliance with Privacy Laws applicable to international data transfers is affected by circumstances outside of MindsDB’s control, including if a legal instrument for international data transfers is invalidated, amended, or replaced, then Licensee and MindsDB will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative standard contractual clauses or UK standard contractual clauses are approved by supervisory authorities, MindsDB reserves the right to amend the Agreement and this DPA by adding to or replacing, the standard contractual clauses or UK standard contractual clauses in order to ensure continued compliance with Privacy Laws.
7. Deletion of Customer Data
- 7.1. Upon direction by Licensee, and in any event no later than 30 days after receipt of a request from Licensee, MindsDB shall promptly delete Customer Data as directed by Licensee, unless MindsDB is required by law to retain such data, in which case MindsDB shall, on an ongoing basis, isolate and protect the security and confidentiality of such Customer Data and prevent any further processing except to the extent required by such law and shall destroy or return to Licensee all other Customer Data not required to be retained by MindsDB by law.
8. Security
- 8.1. MindsDB shall implement and maintain no less than commercially reasonable security procedures and practices, appropriate to the nature of the information, to protect Customer Data from unauthorized access, destruction, use, modification, or disclosure. MindsDB’s technical and organizational measures are listed in Appendix B.
- 8.2. Upon becoming aware of a Personal Data Breach, MindsDB shall notify Licensee without undue delay and within 48 hours and shall provide timely updates and information relating to the Personal Data Breach as it becomes known or as is reasonably requested by Licensee, and will cooperate with Licensee, as reasonably requested by Licensee, in connection with the same.
9. Sale of Data
- 9.1. The parties acknowledge and agree that the exchange of Personal Data between the parties does not form part of any monetary or other valuable consideration exchanged between the parties with respect to the Agreement or this DPA.
10. Changes to Applicable Privacy Laws
- 10.1. The parties agree to negotiate in good faith any additional agreements or amendments to this DPA that are required to comply with any applicable Privacy Laws.
Appendix A — Description of the Transfer and Processing Details
A. List of Parties
Data exporter:
- Name: Licensee (as defined in the Agreement)
- Activities relevant to the data transferred under these Clauses: Licensee receives MindsDB’s services as described in the Agreement and MindsDB Processes Customer Data on behalf of Licensee in that context.
- Date: Date the Agreement is entered into by Licensee and MindsDB.
- Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller.
Data importer:
- Name: MindsDB (as defined in the Agreement)
- Activities relevant to the data transferred under these Clauses: MindsDB provides its services to Licensee as described in the Agreement and Processes Customer Data on behalf of Licensee in that context.
- Date: Date the Agreement is entered into by Licensee and MindsDB.
- Role (controller/processor): Processor on behalf of Licensee, or sub-processor on behalf of Third-Party Controller.
B. Description of International Data Transfer
Categories of Data Subjects whose Personal Data is transferred:
- Licensee and users
Categories of Customer Data transferred:
- Contact information (e.g., name, email, etc.)
- Message logs
- SQL query logs
- File data
Sensitive data transferred: N/A.
Frequency of the transfer: On a continuous basis.
Nature of the processing: Licensee has requested that MindsDB provides its services in accordance with the Agreement and the DPA.
Purpose(s) of the data transfer and further processing: The purpose of the Processing is included in the Agreement and the DPA.
Retention period: Customer Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Privacy Laws.
For transfers to (sub-) processors: For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.
C. Competent Supervisory Authority
- The competent authority for the Processing of Customer Data relating to data subjects located in the EEA is the supervisory authority of Ireland.
- The competent authority for the Processing of Customer Data relating to data subjects located in the UK is the UK Information Commissioner.
Appendix B — Security Measures
1. Security Policy Management
At all locations controlled by MindsDB where Customer Data is processed, accessed, or stored, MindsDB will maintain, monitor, and enforce industry standard written data protection policies and procedures designed to establish and facilitate MindsDB’s security program and comply with applicable Privacy Law. MindsDB agrees as follows:
- 1.1. MindsDB will appoint one or more employees in its organization with responsibility for oversight of MindsDB’s security program and the management of Personal Data Breaches.
- 1.2. MindsDB will assign responsibility for managing third-party processing of Customer Data.
2. Customer Data Access Control Management, Communications, and Security Controls
MindsDB will establish, monitor, and enforce (and update as necessary) comprehensive security access control policies, procedures, or other measures applicable to MindsDB-controlled systems (such systems “MindsDB Systems” and such measures, “Measures”), including Measures designed to:
- 2.1. Ensure that only authorized users have approved access to Customer Data from approved devices at approved times. Apply the principle of least privilege (e.g., role-based access controls) as the basis of access authorization for MindsDB Systems. User access rights for MindsDB Systems will be reviewed regularly to ensure that users of MindsDB Systems have access to systems and Customer Data necessary to perform job functions and that access rights are promptly removed on the termination of personnel.
- 2.2. Ensure Customer Data is stored and transmitted in an encrypted format, and use commercially reasonable, industry standard encryption key management, including storing and transmitting encryption keys separately from the data. To the extent technically feasible, but in all situations where required by Privacy Law, where Customer Data is transmitted across public networks, transmitted wirelessly, or stored on portable devices, Customer Data will be encrypted.
- 2.3. Ensure that all servers, workstations, laptops, network devices, and appliances that contain Customer Data adhere to a hardening standard commensurate with industry expectations and will be updated per MindsDB’s approved patch management process.
- 2.4. Ensure that all software used by MindsDB to Process Customer Data is patched in accordance with software vendor recommendations.
- 2.5. Protect all network connections to MindsDB Systems in accordance with at least industry standard operating and security practices.
3. Systems Logging and Monitoring
- 3.1. For all MindsDB Systems, MindsDB will maintain and monitor operating system and application user-level audit logging of all users and personnel, and secure logs against alteration.
To the extent applicable to MindsDB’s Processing of Customer Data, MindsDB will maintain at least industry standard data loss prevention controls such as email monitoring and remote locking and “wiping” of devices.
Appendix C — Subcontractor and Sub-processor Details
To support delivery of MindsDB’s services, MindsDB may engage and use third parties as subcontractors and sub-processors to Process certain Customer Data. This Appendix C provides information about the identity, location, and role of each subcontractor and sub-processor.
| Entity Name | Purpose of Processing | Location of Processing |
|---|---|---|
| Amazon (AWS) | Testing | US |
| Azure (Microsoft) | Testing | US |
| GitHub (Microsoft) | Change Management | US |
| HubSpot | Support Tickets | US, EU |
| Slack (Salesforce) | Support Tickets and Real-time Communication | US |
| Google Docs (Google) | Analysis | US |
| GMail (Google) | Support Tickets | US |
| Raketa LLC France | Contractors | FR |
| Deel | Contractors | NZ, GB, CO, LK, CA, MK |