Data Processing Addendum
This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Miromind API Service Agreement or other agreement between Customer and Miromind that references this DPA and governs Customer’s use of the Services (the “Agreement”), and applies to Miromind’s processing of Customer Data (defined below). Capitalized terms used but not otherwise defined in this DPA will have the meaning set forth in the Agreement. Miromind may amend this DPA from time to time on reasonable notice to Customer to the extent such changes are required due to changes in Data Protection Laws. If there is any conflict between the terms of this DPA and the Agreement, the conflicting terms in this DPA will govern.
Definitions
1. “Personal Data” means any information relating to an identified or identifiable natural person processed by MiroMind on behalf of the Customer.
2. “Data Protection Laws” means all applicable privacy and data protection laws, including the EU/UK GDPR, the California Consumer Privacy Act (CCPA), and Singapore’s Personal Data Protection Act (PDPA), as amended from time to time.
3. “Sub-processor” means any third party appointed by MiroMind to process Personal Data in connection with the Services.
4. “Standard Contractual Clauses” means the standard contractual clauses approved by the European Commission for the transfer of personal data to third countries.
Processing of Personal Data
1. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and MiroMind is the Processor. MiroMind shall process Personal Data only in accordance with Customer’s documented instructions.
2. Customer Instructions. This DPA and the Agreement constitute Customer’s complete and final instructions to MiroMind for the Processing of Personal Data. Processing outside the scope of these instructions shall require a prior written agreement between the parties.
3. Limitation of Purpose. MiroMind shall process Personal Data only for the purposes described in Annex I (e.g., providing the AI Services, troubleshooting, and improving service performance).
4. Compliance. MiroMind shall comply with all Data Protection Laws applicable to its role as a Processor. If MiroMind believes an instruction from the Customer violates applicable law, it shall inform the Customer immediately.
Personnel & Confidentiality
1. Confidentiality. MiroMind shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements.
2. Reliability. MiroMind shall take commercially reasonable steps to ensure the reliability of any MiroMind personnel engaged in the processing of Personal Data.
Appointment of Sub-processors
1. Use of Sub-processors. Customer provides a general written authorization to MiroMind to engage Sub-processors (such as cloud service providers or specialized technical support) to process Personal Data on Customer’s behalf.
2. List of Sub-processors. MiroMind shall maintain an up-to-date list of its Sub-processors (e.g., on its official website or a dedicated compliance portal). MiroMind shall provide the current list to the Customer upon request.
3. Contracts with Sub-processors. MiroMind shall enter into written agreements with its Sub-processors which contain data protection obligations consistent in all material respects with those set out in this DPA, to the extent commercially reasonable and applicable to the specific services provided by such Sub-processor.
Security & Audits
1. Technical and Organizational Measures. MiroMind shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, or alteration. These measures include, but are not limited to:
(1) Encryption: Encryption of data at rest and in transit.
(2) Access Control: Strict physical and logical access controls to computing clusters and code repositories.
(3) Isolation: Implementation of hardware or software-based isolation (e.g., "Kill Switch" mechanisms) to prevent unauthorized cross-border access in sensitive scenarios.
2. Breach Notification. MiroMind shall notify the Customer without undue delay (and in any event within 48-72 hours) after becoming aware of a Security Incident affecting Customer’s Personal Data. MiroMind shall provide sufficient information to allow the Customer to meet its obligations under Data Protection Laws.
Data Subject Rights
1. Assistance. Taking into account the nature of the AI processing, MiroMind shall provide reasonable assistance to the Customer (at Customer's expense) to fulfill Customer’s obligation to respond to requests from individuals exercising their rights (e.g., access, deletion, or portability).
Audit
1. Self-Certification and Audit. MiroMind shall provide Customer with reasonable information to demonstrate compliance with this DPA. Customer’s audit right shall be satisfied by the provision of MiroMind’s internal security summaries or existing third-party audit reports (if available).
2. Cost and Scope. Any further audit or inspection requested by the Customer shall be: (i) conducted at Customer’s sole expense; (ii) limited to once every two years; (iii) subject to a minimum of 60 days’ prior notice; and (iv) restricted to systems strictly necessary for the Services, excluding any of MiroMind's proprietary AGI models or core compute infrastructure code.
Data Deletion and Return
1. Termination. Upon termination of the Services or at the Customer’s written request, MiroMind shall, at the Customer’s option, delete or return all Personal Data in its possession, unless applicable law requires continued storage of such data.
2. Certification. MiroMind shall, upon request, provide written certification that it has complied with its deletion obligations under this Section.
Annex I DETAILS OF PROCESSING
1. Subject Matter
The subject matter of the Processing is the Personal Data provided by the Customer or its end-users in connection with the use of MiroMind’s advanced AI services, reasoning engines, and related technical support.
2. Duration of Processing
The Processing shall continue for the duration of the Agreement, plus the period until all Personal Data is deleted or returned in accordance with MiroMind’s data retention policy.
3. Nature and Purpose of Processing
MiroMind will process Personal Data as necessary to perform the Services, which may include:
Service Delivery: Providing AI-driven inference, reasoning, and content generation.
Optimization: Improving system performance, troubleshooting technical issues, and ensuring security (including the operation of "Kill Switch" protocols where necessary).
Support: Responding to Customer inquiries and technical support requests.
Compliance: Meeting legal, regulatory, and audit obligations associated with MiroMind’s global operations.
4. Categories of Data Subjects
The Personal Data processed may concern the following categories of individuals:
Customer’s employees, contractors, and authorized representatives.
Customer’s end-users (individuals who interact with Customer’s applications powered by MiroMind).
Any other individuals whose Personal Data is included in the Input provided by the Customer.
5. Categories of Personal Data
The Personal Data may include, but is not limited to:
Identification & Contact Information: Name, email, title, organization.
Technical Data: IP addresses, device identifiers, logs, and metadata.
User-Generated Content (Input/Output): Any Personal Data contained in the prompts, queries, or documents uploaded by the Customer to the MiroMind platform.
6. Sensitive Data
The parties do not anticipate the processing of sensitive data (e.g., health information, political opinions). If the Customer intends to process such data, it must provide prior written notice to MiroMind and comply with additional security requirements.