Last Updated:
August 20th, 2025
Effective for all customers from:
August 20th, 2025
How this applies
This DPA forms part of MindfulScale’s Terms of Service (the Terms) and is incorporated by reference. By creating an account, executing an order, or using the Services, the Customer (as defined in the Terms) agrees to this DPA to the extent MindfulScale processes Customer Personal Data as a processor. No separate signature is required. If MindfulScale materially updates this DPA, we will provide at least 30 days’ advance notice by email to the account owner and/or an in‑app notice.
1. Parties & Roles
Processor: MindfulScale Ltd, 63 Craddocks Avenue, Ashtead, KT21 1PE ("MindfulScale").
Controller: The Customer as defined in the Terms.
For MindfulScale’s own business operations (e.g., billing, account security, product analytics), MindfulScale acts as an independent controller under its Privacy Notice.
2. Scope & Instructions
MindfulScale processes Customer Personal Data solely to provide the automation Services and only on the documented instructions of Customer, unless required by law. Customer shall not submit special category data or children’s data unless expressly agreed in writing with additional safeguards.
3. Security of Processing (Art. 32)
MindfulScale maintains appropriate technical and organisational measures (TOMs) proportionate to risk, including:
Identity & Access Management: Least‑privilege role‑based access; quarterly access reviews; immediate revocation on termination; separate accounts per environment; no shared accounts; secrets stored server‑side with restricted access and never in code/tickets.
Cryptography: Encryption in transit (TLS 1.2+) and at rest for core data stores; OAuth refresh/access tokens encrypted; encryption keys stored server‑side with regular rotation.
Logging & Monitoring: Centralised logs with restricted access; security alerting; retention per §7.
Vendor Management: Sub‑processor due diligence and flow‑down of protections; see §5.
4. Data Subject Rights, DPIAs & Audits
MindfulScale will assist Customer with data subject requests, DPIAs, and consultations considering the nature of processing and information available. Upon reasonable notice, Customer may perform audits as described in the full DPA (information, reports, and, where needed, limited audit access under NDA).
5. Sub‑processors
MindfulScale uses the following sub‑processors to deliver the Services and will provide at least 30 days’ advance notice of changes via email and/or in‑app notice.
Sub‑processor | Purpose | Data Types | Regions used by MindfulScale | Transfer Mechanism | Link |
|---|---|---|---|---|---|
DigitalOcean | Hosting (backend compute/storage) | Customer Data processed by backend services | US (New York City) | UK IDTA/UK Addendum | https://www.digitalocean.com/security |
Vercel | Frontend hosting / edge delivery | App UI, request metadata | US (Washington DC) and UK (London) edge | UK IDTA/UK Addendum | https://vercel.com/security |
Better Stack | Uptime monitoring / logging/status | Operational metadata; may include log data | EU (default); US as applicable | EU processing (no restricted transfer). If US used: UK IDTA/UK Addendum | |
Sentry | Error tracking | Error telemetry; may include limited payload samples | US (default) and EU region available | UK IDTA/UK Addendum; where certified, UK–US Data Bridge may apply | |
Laravel Forge | Server provisioning/management | Operational metadata (no Customer Data intended) | US | UK IDTA/UK Addendum | |
OpenAI | Model inference | Prompts/outputs supplied by Customer (may include personal data if provided) | US (default); EU options for eligible accounts | UK IDTA/UK Addendum | |
Anthropic | Model inference | Prompts/outputs supplied by Customer (may include personal data if provided) | US and EU | UK IDTA/UK Addendum |
6. Breach Notification
MindfulScale will notify Customer without undue delay, and in any case within 72 hours of becoming aware of a personal data breach affecting Customer Personal Data, with information on nature, scope, impact, and mitigation.
7. Retention & Deletion
Logs & artifacts: Currently retained indefinitely. MindfulScale plans to introduce automatic deletion after 30 days once retention controls are released.
OAuth tokens/credentials: Deleted immediately when a user removes a connection.
Backups: Encrypted automated backups retained for 14 days on a rolling basis; destroyed on schedule.
End of contract: On request or termination, MindfulScale will delete or return Customer Personal Data; standard target within 30 days, unless otherwise required by law.
8. International Transfers
Primary regions: Backend data hosted in New York City, USA (DigitalOcean). Frontend served from Washington DC (US) or London (UK) (Vercel edge), depending on user location.
Transfer tools (default): MindfulScale relies on the UK IDTA/UK Addendum for transfers to US providers. Where a recipient is self‑certified under the UK–US Data Bridge, that mechanism may be used for the relevant transfer.
TRA: MindfulScale will conduct Transfer Risk Assessments and provide high‑level summaries on request.
9. Order of Precedence
In case of conflict: UK data protection law → IDTA/UK Addendum → this DPA (data‑protection matters) → Terms of Service → documentation.
10. Contact
Security: security@mindfulscale.com
Privacy: privacy@mindfulscale.com
This click‑through DPA is intended to satisfy UK GDPR Art. 28 requirements for processor contracts.
