Corporate Data Processing Terms
Last updated: Jul 12, 2023
1. INTRODUCTION
1.1 Mindset provides the Customer specific software as a service and associated downloadable applications (collectively, the Deliverables) under Mindset’s other applicable terms of service (or, where applicable, a specific agreement negotiated and signed between the parties) (being the Agreement). These data processing terms (DPTs), as referenced in Mindset’s general customer terms, apply to customers like the Customer who are subject to such Corporate Terms.
1.2 In connection with the provision of the Deliverables, the parties anticipate that Mindset may process specific Personal Data regarding which Customer or any member of the Customer Group may be a data controller under applicable Local Data Protection Laws or perform similar functions under similar Data Protection Laws. This page sets out the DPTs that apply to the processing of such Personal Data by Mindset on the Customer’s behalf to give the Customer comfort that adequate safeguards are in place to protect such Personal Data as required by the Data Protection Laws.
1.3 Together with the Agreement, these DPTs apply to the contract between the parties to the exclusion of any other terms that the Customer may seek to impose or incorporate, or which are implied by trade, custom, practice or course of dealing.
1.4 Mindset publishes these DPTs on its website. The Customer should print or save a copy of these DPTs for its records.
1.5 Mindset may amend these DPTs from time to time as set out in clause 14 of the Corporate Terms. Mindset will provide you with at least twenty-eight (28) days of notice before the effective date of a material (i.e. non-typographic) change. Every time the Customer agrees to a licence or subscription with Mindset, it should check these DPTs to ensure that it understands the terms that will apply to the contract between the parties. This version one (1) of these DPTs was most recently updated on 12th July 2023. Historic versions can be obtained by contacting Mindset.
2. DEFINITIONS
2.1 These DPTs use the following definitions:
Adequate Country means a country or territory that is recognised under relevant Local Data Protection Laws as providing sufficient protection for Personal Data;
Affiliate means, concerning a party, any corporate entity that, directly or indirectly, Controls, is Controlled by, or is under Common Control with such party (but only for so long as such Control exists);
Agreement has the meaning given to it in clause 1.1 above;
Corporate Terms has the meaning given to it in clause 1.1 above;
Customer or Data Exporter means the corporate or enterprise customer that has entered into the Agreement with Mindset under
Customer Group means the Customer and any of its Affiliates;
Data Subject Request means a request from or on behalf of a data subject relating to access to, or rectification, erasure or data portability or withdrawal of consent, or any other rights recognised and granted under Data Protection Laws, in respect of that person’s Personal Data or an objection from or on behalf of a data subject to the processing of its Personal Data;
Data Protection Laws mean the Local Data Protection Laws or any other directly applicable legislation and regulatory requirements in force from time to time which applies to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications) for the processing of Personal Data by Mindset on the Customer’s behalf in connection with the Deliverables;
Deliverables has the meaning given to it in clause 1.1 above;
DPTs has the meaning given to it in clause 1.1 above;
End-User means an organisation to whom the Customer or a member of the Customer Group provides services from time to time (i.e., typically the Customer’s customers) and who, or a member of whose End-User Group, is a data controller of Personal Data under Local Data Protection Laws;
End-User Group means an End User and any of its Affiliates;
Security Measures means those technical and organisational security measures described in Mindset’s ISP in respect of Personal Data it processes on behalf of the Customer, as well as any measures it is required to implement by law.
GDPR means the General Data Protection Regulation (Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data);
ISP means Mindset’s Information Security Policy;
Local Data Protection Laws mean all laws and regulations of the European Union, the European Economic Area, their member states, and the United Kingdom, applicable to the processing of Personal Data under the Agreement, including (where applicable) (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”) and the EU GDPR as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”) (together, collectively, the “GDPR”), (ii) the Swiss Federal Act on Data Protection, (iii) the UK Data Protection Act 2018, and (iv) the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time;
Mindset or Data Importer means Mindset AI Ltd (company number 12318480) of 68-80 Hanbury Street, London, England, E1 5JL;
Mindset Group means Mindset and any of its Affiliates;
Notice means Mindset’s Data Privacy Policy
Personal Data means all data which is defined as ‘personal data’ or Personally Identifiable Information (PII) under Local Data Protection Laws and which is provided by the Customer to Mindset (directly or indirectly), and accessed, stored or otherwise processed by Mindset as a data processor as part of its provision of the Deliverables to the Customer and to which Local Data Protection Laws apply from time to time;
processing, the data controller, the data subject, the supervisory authority and the data processor shall have the meanings ascribed to them in relevant Local Data Protection Laws; and
Security Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed in connection with the provisioning of the Deliverables;
Sensitive Information means credit or debit card numbers; personal financial account information; national insurance or social security numbers or equivalents; passport numbers; driver’s licence numbers or similar identifiers; passwords; details of racial or ethnic origin; physical or mental health condition or information; or other financial or health information, including any information defined under the UK Data Protection Legislation as ‘Sensitive Personal Data’ (or any analogous term which may apply from time to time), or any information subject to the US Health Insurance Portability and Accountability Act, the Payment Card Industry Data Security Standards, and other regulations, laws or industry standards designed to protect similar information as amended or applicable worldwide from time to time;
Standard Contractual Clauses means (i) where the EU GDPR or Swiss Data Protection Laws apply, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries adopted pursuant to or permitted under Article 46 of EU GDPR (EU SCCs); and (ii) where the UK GDPR applies, the international data transfer agreement adopted pursuant to or permitted under Article 46 of the UK GDPR (UK IDTA), provided that, in each case, same complies with the requirements of applicable Data Protection Laws from time to time.
An entity exercises Control over another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone or according to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it according to its constitutional documents or according to a contract; and two entities are treated as being in Common Control if either control the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.
3. STATUS OF THE PARTIES
3.1 In accordance with the Local Data Protection Laws, the type of Personal Data that the parties expect to be processed under these DPTs and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects are determined by the Customer as the Controller of such personal data, but the parties acknowledge that such personal data is indicatively described in accordance with the nature of the Deliverables in the Notice and, including for the purposes of the Standard Contractual Clauses, may change if the Notice is updated. The Personal Data should not include any Sensitive Information and Customer is expressly prohibited from uploading such Personal Data using the Deliverables pursuant to the terms of the Agreement.
3.2 Each party warrants concerning Personal Data that it will comply (and will procure that any of its personnel comply and use commercially reasonable efforts to procure that its sub-processors comply) with the obligations imposed upon them respectively under Data Protection Laws. However, Mindset is not responsible for determining the requirements of or compliance with any Data Protection Laws or other laws applicable to Customer, Customer Group or their industry that are not generally applicable to Mindset as a service provider and processor of personal data made available to it via the Deliverables.
3.3 As between the parties, the Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and how the Customer or its End-User(s) acquired Personal Data, and, without limitation, will ensure or procure that the data controller (if different from the Customer) has ensured that it has all necessary appropriate consents and notices in place to enable lawful transfer of any Personal Data provided to Mindset, for the duration and purposes of the Agreement, including where applicable that the relevant third parties have been informed of, and (where required under Local Data Protection Laws) have given their consent to, such use, processing, and transfer as required by the Data Protection Legislation.
3.4 Regarding the parties’ rights and obligations under these DPTs regarding the Personal Data, the parties hereby acknowledge and agree that the Customer or the relevant End-User(s) is/are the data controller, and Mindset is the data processor. Accordingly, Mindset agrees that it shall process all Personal Data per its obligations under these DPTs, and as per the Customer’s lawful written instructions set out in the Agreement and the Customer’s use and configuration of features of the Deliverables. Customer hereby gives Mindset permission to use, transfer and process such personal data as set forth in these DPTs.
3.5 Nothing in these DPTs shall apply to the Personal Data comprised in the Customer’s employees’ names, contact numbers and email addresses with whom Mindset is transacting or is required to transact, or who have contacted Mindset, which Mindset may process as an independent data controller acting in its legitimate interests in compliance with the Local Data Protection Laws as contemplated under the Agreement and the Notice, including, for example, data relating to the Customer’s, Customer’s Group or End Customer or End Customer’s Group employees who have subscribed for marketing communications from Mindset (as more particularly outlined in the Notice).
4. MINDSET OBLIGATIONS
4.1 Concerning all Personal Data, Mindset shall:
(a) only process Personal Data to provide the Deliverables, and shall act only per (i) these DPTs, (ii) the Notice or ISP; and (iii) the Customer’s reasonable written instructions (assuming they do not conflict with the DPA, Notice or Local Data Protection Laws);
(b) as soon as reasonably practicable upon becoming aware, inform the Customer if, in Mindset’s opinion, any instructions provided by the Customer under clause 4.1(a) infringe the Local Data Protection Laws;
(c) implement appropriate technical and organisational measures to ensure a security level appropriate to the risks presented by Personal Data processing as required by the Local Data Protection Laws. Such efforts include, without limitation, the security measures set out in the ISP from time to time (which shall apply for the purposes of the Standard Contractual Clauses, where applicable). Mindset may adapt such measures from time to time, for example, as a result of the development of regulations, technology and other industry considerations, provided that the level of protection afforded to the data shall not be materially reduced without Customer’s written consent. During the term of the Agreement, Customer may request Mindset to provide Customer within a reasonable period of time with an updated description of the implemented technical and organisational protection measures.
(d) take reasonable steps, insofar as they are within its reasonable control, to ensure that only authorised personnel within Mindset have direct access to any confidential Personal Data (bearing in mind that Mindset cannot control such access on the part of its sub-processors) and that any persons whom it permits to have access to the Personal Data are subject to appropriate obligations of confidentiality, subject to any caveats or exclusions in the Agreement or Notice;
(e) as soon as reasonably practicable upon having reasonable certainty of same (but in no event later than in 72 hours from such point), notify the Customer of any actual or alleged incident of unauthorised or accidental disclosure of or access to any Personal Data by any of Mindset’s staff, sub-processors, or any other identified or unidentified third party (a Security Breach);
(f) provide the Customer with reasonable cooperation and assistance in respect of a Security Breach and all practical information in Mindset’s possession concerning such Security Breach insofar as it reasonably affects the Customer or any End User or member of an End User Group, in each case as soon as reasonably practicable and per the Local Data Protection Laws, including the following to the extent then known: (i) the possible cause of the Security Breach; (ii) the categories and approximate number of Personal Data records involved; (iii) the categories and approximate number of data subjects concerned; (iv) a summary of the possible consequences for the relevant data subjects; (v) an overview of the unauthorised recipients of the Personal Data; and (vi) the measures taken by Mindset to mitigate any damage;
(g) not make any announcement about a Security Breach (a Breach Notice) referencing the Customer, its Personal Data, or its End-Users without (i) the prior written consent of the Customer (not to be unreasonably withheld or delayed); and (ii) prior written approval by the Customer of the content, media and timing of the Breach Notice insofar as it relates to the Customer, its End-Users or its Personal Data; unless required to make a disclosure or announcement by applicable law; this shall not include generic notices about Security Breaches impacting all or a portion of the personal data processed by Mindset, to the extent that no reference is made to the Customer, its Personal Data or its End-Users. For clarity, a party’s obligation to report or respond to a Security Breach is not and will not be construed as an acknowledgement by that party of any fault or liability with respect to the Security Breach;
(h) promptly (and in any event within ten working days of receipt) notify the Customer if it receives a Data Subject Request. Mindset shall not respond to a Data Subject Request without the Customer's prior written consent except, where applicable, to confirm that such request relates to the Customer, to which disclosure the Customer agrees. Upon the Customer's request, Mindset shall at no extra charge to the Customer provide reasonable assistance to the Customer or the relevant End-Customer (as the Customer's request shall specify) to facilitate a Data Subject Request (provided that for any unreasonable request Mindset shall obtain the Customer’s prior written consent);
(i) per the provisions of the Agreement and Notice, Mindset will delete all Personal Data (including copies thereof) processed according to these DPTs following termination or expiry of the Agreement; and
(j) Mindset is not responsible for compliance with Customer’s, End-User’s or their respective Affiliates’ statutory or legal data retention requirements, but it is responsible for the integrity, security, maintenance and retention of the Personal Data stored on its platform as set out in the Agreement and herein; and
(k) where Customer or Customer’s relevant End-User, or their respective Affiliates (as the Customer’s request may specify) requires reasonable assistance concerning their obligations under Data Protection Laws in respect of (i) undertaking a data protection impact assessment; (ii) notifications to the supervisory authority under Local Data Protection Laws or communications to data subjects by the Customer or the End-Customer in response to any Security Breach; and (iii) the Customer's or its End-Customer(s)' compliance with their respective obligations under the Local Data Protection Laws concerning the security of processing, Mindset shall provide reasonable cooperation and assistance, insofar as it is within its reasonable control and competence, to that person to comply with their obligations (including any obligation to consult with competent data protection authorities). Mindset shall be entitled to invoice Customer on a time and material basis at Mindset’s then current rates for any time expended for any such assistance.
4.2 Mindset has appointed an individual, the Data Privacy Officer, responsible for privacy and data protection matters. The appointed person can be reached at legal@mindset.ai.
4.3 Where Personal Data is not made available through self-service access to Customer or Customer’s Authorised Users, Mindset will, without undue delay and in accordance with any time period specified under the applicable Data Protection Laws either: (a) provide Customer, in its role of controller, with the direct ability through Mindset's platform to access, correct, delete or otherwise fulfil requests from data subjects to exercise their rights under Data Protection Laws in respect of their personal data; or (b) otherwise provide assistance to Customer to access, correct, delete or otherwise fulfil requests from Data Subjects to exercise their rights under Data Protection Laws in respect of their Personal Data in accordance with the instructions of Customer and insofar as this is possible. The Customer acknowledges and agrees that in the event any such cooperation and assistance requires additional resources on the part of Mindset, such effort will only be provided by Mindset on a chargeable basis (calculated on the basis of Mindset’s standard hourly rates, provided that this shall be pre-agreed with Customer). Mindset shall be under no obligation to provide any such assistance except as specified within this clause 4.3. Where Customer requests that Mindset block, delete and/or return Personal Data, Customer understands, acknowledges, and agrees that it can affect Mindset’s ability to perform the Deliverables as a result of Mindset complying with such request. As such, Mindset shall not have any liability for breach of performance or any losses incurred by Customer arising from or in connection with Mindset’s inability to perform the Deliverables in accordance with the Agreement as a consequence of Mindset fulfilling Customer's request.
5. CUSTOMER RESPONSIBILITIES
5.1 Customer shall comply with Data Protection Laws as well as any other Laws applicable to Customer or Customer’s industry. If compliance with any such specific laws requires any actions with regard to data protection on the part of Mindset in addition to the obligations set forth in these DPTs, such actions will only be taken upon mutual agreement between the Parties. For the avoidance of doubt, where agreed by the Parties, Mindset will use commercially reasonable efforts to accommodate additional requirements. In any event, Customer will provide reasonable advance notice of the required actions, cooperate fully with Mindset in respect thereof and compensate Mindset for any such efforts that require additional services or investment or modifications in the Deliverables, as agreed in advance by the Parties.
5.2 Customer warrants that, where it provides any personal data to Mindset for Processing by Mindset:
(a) it has duly informed the relevant data subjects of their rights and obligations, and in particular has informed them of the possibility of Mindset processing their personal data on Customer’s behalf and in accordance with its instructions;
(b) it has complied with all applicable Data Protection Laws in the collection and provision to Mindset of such personal data and has taken all necessary steps to ensure that Mindset can Process such personal data, including by obtaining the data subjects' consent, if required; and
(c) the Processing of such personal data in accordance with the instructions of the relevant controller is lawful.
5.3 Customer shall take reasonable steps to keep personal data up to date to ensure the data are not inaccurate or incomplete with regard to the purposes for which they are collected.
5.4 If a data subject contacts Mindset directly in order to exercise his or her individual rights such as requesting a copy, correction or deletion of his or her data or wanting to restrict or object to the Processing activities, Mindset will promptly (and in any event as soon as reasonably practicable upon Mindset becoming aware of any such request) direct such data subject to Customer. In support of the above, Mindset may provide Customer’s basic contact information to the requestor (but shall not otherwise reply to same), and, to the extent disclosed by the data subject, data subject’s basic contact information and a summary of the request to Customer. Customer shall inform data subjects that they may exercise these rights solely vis-à-vis Customer. Customer agrees to answer to and comply with any such request of a data subject in accordance with applicable Data Protection Laws.
5.5 With regard to components that Customer provides or controls, including but not limited to workstations connecting to Mindset Services, data transfer mechanisms used, and credentials issued to Customer Authorised Users, Customer shall implement and maintain the required technical and organisational measures for data protection.
5.6 Customer must notify Mindset promptly about any possible misuse of its accounts or authentication credentials or any security issue related to its use of the Deliverables.
6. SUB-PROCESSING
6.1 The Customer grants a general authorisation to Mindset to appoint other Mindset Group members, third-party hosting services providers and the different categories of service providers named in the Notice and ISP (as amended from time to time) as sub-processors (or authorised receivers for the purposes of the UK IDTA).
6.2 Mindset confirms that it has entered or (as the case may be) will enter into a written agreement with the third-party processor substantially on that third party's standard terms of business, which shall include an obligation to keep all personal data confidential and process it only in accordance with the purposes for which Mindset has instructed them to deliver services, and applicable Local Data Protection Laws.
6.3 As between the Customer and Mindset, Mindset shall remain fully liable for all acts or omissions of any third-party processor appointed by it according to this clause.
7. NOTIFICATIONS
7.1 Unless legally prohibited from doing so, Mindset shall promptly notify Customer if it or any of its sub-processors, with regard to Customer’s Personal Data:
(a) receives an inquiry, a subpoena or a request for inspection or audit from a competent public authority relating to the processing by Mindset; or
(b) intends to disclose Personal Data to any competent public authority outside the scope of the Deliverables of the Agreement. At the request of Customer, Mindset shall provide a copy of the documents delivered to the competent authority to Customer.
7.2 Any notification under these DPTs, including a Security Breach notification, will be delivered to one or more of Customer’s contact persons via e-mail. Upon request of Customer, Mindset shall provide Customer with an overview of the contact information of the registered Customer’s contact persons. It is Customer’s sole responsibility to timely report any changes in contact information (including “Key Contact” and “Importer Data Subject Contact” as described below) and to ensure Customer’s contact persons maintain accurate contact information.
7.3 If either party is subject to an inquiry by a data protection authority, regulator or agency, the scope of which includes operations or information within the other party’s control, each party agrees to provide reasonable cooperation to the other party.
8. DATA TRANSFERS
8.1 The Customer acknowledges and agrees that Personal Data may be transferred or stored outside the EU, EEA, UK or the country where the relevant data subjects are located for Mindset and its authorised sub-processors to provide the Deliverables and fulfil Mindset’s other obligations under the Agreement. Any transfer from one territorial jurisdiction to another territorial jurisdiction (the EU constituting one single jurisdiction for the purpose of this Article) will only be undertaken in compliance with the applicable Data Protection Laws, such as the execution of an additional data transfer addendum, as required.
8.2 To the extent any processing of Personal Data relating to EU, EEA or UK data subjects by Mindset takes place in any country outside the EU, EEA or UK (except if in an Adequate Country), the parties agree that the Standard Contractual Clauses will apply in respect of that processing. Mindset will comply with the obligations of the ‘data importer’ or ‘importer’ in the relevant Standard Contractual Clauses. The Customer will comply with the duties of the ‘data exporter’ or ‘Exporter’. If there is any direct conflict between the Standard Contractual Clauses and these DPTs, the Standard Contractual Clauses shall prevail strictly to the extent of such conflict only. At Customer’s request, where the current Standard Contractual Clauses no longer apply, the parties shall execute new standard contractual clauses for transfers to data processors in third countries adopted according to Article 46, Paragraph 2 (c) or (d) of the GDPR, replacing the then existing Standard Contractual Clauses.
8.3 The Customer acknowledges and accepts that the provision of Deliverables under the Agreement may require personal data processing by sub-processors in countries outside the UK, EU or EEA.
8.4 If, in the performance of these DPTs or the Agreement, Mindset transfers any Personal Data to a sub-processor located, or permits processing of any Personal Data by a sub-processor outside of the EEA except if in an Adequate Country (without prejudice to clause 4), Mindset shall in advance of any such transfer ensure that a legal mechanism to achieve adequacy in respect of that processing is in place, such as the Standard Contractual Clauses (where applicable). Where the transfer would be a restricted transfer but for the Standard Contractual Clauses being put in place, then the Standard Contractual Clauses shall, if they provide a lawful mechanism for such transfer, be deemed incorporated into the Agreement and will apply to such transfer.
8.5 Where the Standard Contractual Clauses are deemed to have been put in place, the following terms shall apply to same (as applicable), in addition to the terms set out elsewhere in these DPTs: (i) Mindset may appoint sub-processors as set out and subject to the requirements of clause 8.3 of these DPTs; (ii) where the EU SCCs apply, they and any connected actions under these DPTs or the Agreement shall be governed by the laws of the Republic of Ireland and subject to the exclusive jurisdiction of the courts of the Republic of Ireland; (iii) where the UK IDTA applies, it and any connected actions under these DPTs or the Agreement shall be governed by the laws of England; and subject to the exclusive jurisdiction of the courts of England; (iv) where the UK IDTA applies, Mindset’s key contact shall be contacted at legal@Mindset.com, and the Customer’s “key contact” and “Importer Data Subject Contact” shall be the person and email address specified in the Customer’s sign up form when subscribing for the Deliverables as part of the Agreement via the Mindset website, unless otherwise specified herein; (v) the Standard Contractual Clauses may only be terminated if there is a breach of their terms or the Agreement, following the principles set out in the Agreement, or the parties agree in writing; (vi) where the EU SCCs apply, the relevant parts of the Privacy Notice shall apply as Appendix 1 of the EU SCCs and the relevant parts of the ISP shall apply as Appendix 2 of the Standard Contractual Clauses, and where the UK IDTA applies, the relevant parts of the Privacy Policy and ISP shall populate Tables 1 – 4 of Part 1 of the IDTA (to the extent not already provided for elsewhere in these DPTs).
9. GENERAL
9.1 These DPTs are without prejudice to the parties’ rights and obligations under the Agreement, which shall continue to have full force and effect. Collectively, these DPTs (including the Standard Contractual Clauses) and the Agreement constitute the complete agreement and merge all prior discussions and agreements between the parties regarding the Deliverables. In the event of any conflict between the terms of these DPTs and the terms of the Agreement, these DPTs shall prevail so far as the subject matter concerns the processing of Personal Data, but the terms of the Agreement shall otherwise prevail.
9.2 These DPTs contain references to the ISP, Notice and Standard Contractual Clauses, and in the event of any conflict or inconsistency between these various documents, the following order of precedence shall apply: (i) the Standard Contractual Clauses; (ii) these DPTs; (iii) the Notice; and (iv) the ISP.
9.3 These DPTs apply to the Agreement and remain in force until processing of Personal Data by Mindset is no longer required (a) in the framework of or pursuant to the Agreement or (b) for a period after termination of the Agreement or the relevant Services for any reason whatsoever, in accordance with Customer’s explicit instructions or other legally permissible basis.