Data Processing & Sub-processors

Data Processing Agreement (DPA) for MindLoad

Effective Date: October 30, 2025
Last Updated: April 23, 2026
Last Reviewed: April 23, 2026

This DPA remains effective from October 30, 2025. It was reviewed and updated in April 2026 for legal consistency with our Privacy Policy and related documents.

Between:

• Data Controller: You (the User)
• Data Processor: MindLoad AI

1. Introduction and Scope

This Data Processing Agreement ("DPA") supplements the MindLoad Privacy Policy and Terms of Service and governs the processing of personal data by MindLoad AI ("Processor") on behalf of Users ("Controllers") in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and other applicable data protection laws.

1.1 Purpose

This DPA establishes the terms under which MindLoad processes personal data to provide study and learning services, ensuring compliance with:

• GDPR (European Union)
• UK GDPR (United Kingdom)
• CCPA/CPRA (California, USA)
• Other applicable data protection laws

1.2 Definitions

Personal Data: Any information relating to an identified or identifiable natural person (e.g., name, email, study records)

Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion)

Controller: The entity determining the purposes and means of processing personal data (the User)

Processor: The entity processing personal data on behalf of the Controller (MindLoad AI)

Sub-Processor: A third-party processor engaged by the Processor to assist in processing activities

Data Subject: The individual whose personal data is processed (the User)

Supervisory Authority: A governmental data protection authority (e.g., ICO in the UK, CNIL in France)

2. Data Processing Details

2.1 Nature and Purpose of Processing

MindLoad processes personal data for the following purposes:

2.2 Duration of Processing

Processing Period:

• Active Accounts: Throughout the duration of the user's account
• Inactive Accounts: Up to 24 months after last activity
• Deleted Accounts: Personal data deleted within 30 days; backups deleted within 90 days
• Legal Holds: Data retained as required by law or pending legal proceedings

2.3 Categories of Data Subjects

• App Users: Individuals who create accounts and use MindLoad
• Students: Users leveraging study features
• Purchasers: Users who buy token packs

2.4 Types of Personal Data Processed

Identity Data:

• Email address
• Display name (optional)
• User ID (Firebase UID)

Authentication Data:

• Encrypted passwords
• OAuth tokens (Google, Apple, GitHub)
• Session tokens

Study Data:

• Flashcards created
• Quiz results and scores
• Study session duration and frequency
• Achievement progress
• Learning preferences

Content Data:

• Uploaded PDFs and documents
• Text and images submitted for AI processing
• User-generated notes and annotations

Device Data:

• Device model and OS version
• Device ID (for push notifications)
• IP address and timezone
• App version

Usage Data:

• Feature usage patterns
• Navigation paths
• Session logs
• Error and crash reports

Transaction Data:

• Token purchase records
• Transaction IDs
• Purchase receipts (via Apple/Google)
• Payment method type (not full card details)

Communication Data:

• Support requests and responses
• Feedback and feature requests
• Notification interaction data

3. Processor Obligations

3.1 Processing Instructions

MindLoad shall:

• Process personal data only on documented instructions from the Controller (the User)
• Not process data for any purpose other than providing MindLoad services
• Immediately inform the Controller if instructions violate GDPR or other data protection laws

3.2 Confidentiality

MindLoad ensures that:

• All personnel processing personal data are bound by confidentiality agreements
• Access to personal data is limited to authorized personnel only
• Confidentiality obligations survive termination of the service

3.3 Security Measures

MindLoad implements appropriate technical and organizational measures to ensure data security, including:

Technical Measures:

• Encryption in Transit: TLS 1.3 for all data transmission
• Encryption at Rest: AES-256 encryption for stored data (via Firebase)
• Access Controls: Role-based access control (RBAC), principle of least privilege
• Authentication: Multi-factor authentication for administrative access
• Monitoring: Real-time security monitoring, intrusion detection systems
• Logging: Audit logs for all data access and modifications
• Vulnerability Management: Regular security scans, penetration testing

Organizational Measures:

• Security Policies: Comprehensive information security policies
• Staff Training: Regular data protection and security training
• Incident Response: Documented incident response procedures
• Access Reviews: Quarterly reviews of data access privileges
• Vendor Management: Security assessments of sub-processors
• Compliance Audits: Annual third-party security audits

3.4 Data Breach Notification

In the event of a personal data breach, MindLoad shall:

1. Notify the Controller within 72 hours of becoming aware of the breach

2. Provide details including:

   • Nature of the breach (what data was affected)
   • Categories and approximate number of data subjects affected
   • Categories and approximate number of records affected
   • Likely consequences of the breach
   • Measures taken or proposed to address the breach
   • Contact point for more information

3. Assist the Controller in fulfilling the Controller's obligation to:

   • Notify the relevant Supervisory Authority (if required)
   • Notify affected Data Subjects (if required)
   • Document the breach

4. Implement remedial measures to prevent future breaches

3.5 Data Subject Rights

MindLoad shall assist the Controller in fulfilling requests from Data Subjects to exercise their rights under GDPR:

Right to Access: Provide copies of personal data (within 30 days)
Right to Rectification: Correct inaccurate data (immediately)
Right to Erasure ("Right to be Forgotten"): Delete data (within 30 days)
Right to Restriction: Limit processing temporarily
Right to Data Portability: Export data in machine-readable format (JSON)
Right to Object: Opt-out of processing (where applicable)
Right Not to be Subject to Automated Decision-Making: (Not applicable - we don't use automated decision-making for consequential decisions)

How MindLoad Assists:

• Provide technical capabilities for users to exercise rights in-app
• Respond to support requests for data access/deletion
• Provide data exports in structured format
• Implement privacy controls in the app

3.6 Data Protection Impact Assessments (DPIAs)

MindLoad shall provide reasonable assistance to the Controller in:

• Conducting Data Protection Impact Assessments (DPIAs) where required
• Consulting with Supervisory Authorities (if required)
• Providing information about processing activities, security measures, and risks

When DPIAs May Be Required:

• Large-scale processing of sensitive data
• Systematic monitoring of public areas
• Processing that may result in high risk to individuals' rights and freedoms

(Note: MindLoad's processing is unlikely to trigger DPIA requirements for most users)

3.7 Deletion and Return of Data

Upon termination of service (account deletion), MindLoad shall:

1. Delete all personal data from production systems within 30 days
2. Delete backups containing personal data within 90 days
3. Provide confirmation of deletion upon request
4. Retain only data required for legal compliance or legitimate business purposes (e.g., tax records, fraud prevention)

Exceptions: Data may be retained longer if:

• Required by law (e.g., financial records for tax purposes)
• Necessary for legal claims or disputes
• Anonymized and aggregated (no longer personal data)

4. Sub-Processors

4.1 Authorized Sub-Processors

MindLoad engages the following sub-processors to assist in providing services:

4.2 Sub-Processor Obligations

MindLoad ensures that all sub-processors:

• Are bound by data processing agreements equivalent to this DPA
• Implement appropriate security measures (equal to or exceeding those in Section 3.3)
• Are subject to regular audits and assessments
• Comply with GDPR and applicable data protection laws

4.3 Changes to Sub-Processors

Notice of Changes:

• MindLoad will provide at least 30 days' notice before engaging new sub-processors or changing existing ones
• Notice will be provided via email or in-app notification

Right to Object:

• Controllers (Users) have the right to object to new sub-processors on reasonable grounds
• If objection is valid and cannot be resolved, Controller may terminate the service and receive a pro-rated refund of unused tokens

4.4 Sub-Processor List

Current sub-processor list available at: https://mindload.app/subprocessors

Last updated: April 23, 2026

5. International Data Transfers

5.1 Transfer Mechanisms

MindLoad processes data primarily in the United States. For transfers of personal data from the EEA, UK, or Switzerland to the U.S., we rely on:

Standard Contractual Clauses (SCCs):

• Approved by the European Commission (Decision 2021/914)
• Incorporated by reference into this DPA
• Module Two: Controller-to-Processor transfers

Supplementary Measures:

• Encryption in transit and at rest
• Access controls and authentication
• Regular security audits
• Contractual commitments with sub-processors

5.2 Data Localization

Firebase Data Regions:

• Primary: United States (us-central1)
• Replication: Multi-region for redundancy and disaster recovery
• User Control: No option to restrict data to specific regions (Firebase limitation)

5.3 Transfer Impact Assessment

MindLoad has conducted a Transfer Impact Assessment (TIA) and determined that:

• U.S. laws do not impair the adequacy of protection for personal data
• Supplementary measures (encryption, access controls) provide adequate safeguards
• Risk of unlawful access by U.S. authorities is minimal for educational app data

Full TIA available upon request: [email protected]

6. Audits and Compliance

6.1 Right to Audit

Controllers have the right to:

• Audit MindLoad's compliance with this DPA and GDPR (or appoint an independent auditor)
• Request documentation of security measures and processing activities
• Conduct on-site inspections (with reasonable notice and during business hours)

Limitations:

• Audits must not disrupt normal business operations
• Audits limited to once per year (unless breach or material non-compliance)
• Auditor must sign a confidentiality agreement
• Costs borne by the Controller (unless non-compliance found)

6.2 Compliance Documentation

MindLoad maintains and provides upon request:

• Records of Processing Activities (Article 30 GDPR)
• Security policies and procedures
• Sub-processor agreements
• Data breach incident reports
• DPIA results (if applicable)
• Audit reports (third-party security audits)

6.3 Certifications and Standards

MindLoad and its sub-processors maintain:

• ISO 27001 (Information Security Management) - Firebase/Google
• SOC 2 Type II (Security, Availability, Confidentiality) - Firebase/Google
• GDPR Compliance certifications
• App Store / Play Store security requirements

Certificate copies available upon request: [email protected]

7. Liability and Indemnification

7.1 Liability Allocation

MindLoad is liable for damages caused by:

• Failure to fulfill processor obligations under GDPR
• Acting outside or contrary to lawful instructions from the Controller
• Negligence or willful misconduct in data processing

MindLoad is NOT liable for damages caused by:

• Controller's unlawful instructions
• Controller's failure to comply with GDPR
• Force majeure events beyond MindLoad's control
• Actions of the Controller or third parties

7.2 Limitation of Liability

Liability Cap:

• Total liability under this DPA shall NOT exceed the greater of:
  • The amount paid by the Controller in the past 12 months, OR
  • $10,000 USD

Exceptions (Unlimited Liability):

• Data breaches caused by gross negligence or willful misconduct
• Violations of fundamental data protection principles
• Liability that cannot be limited by law

7.3 Indemnification

MindLoad shall indemnify the Controller against:

• Fines imposed by Supervisory Authorities due to Processor's non-compliance
• Claims by Data Subjects resulting from Processor's breach of this DPA
• Third-party claims arising from Processor's data processing

Controller shall indemnify MindLoad against:

• Claims arising from Controller's unlawful instructions
• Claims resulting from Controller's failure to obtain necessary consents
• Claims arising from Controller's misuse of the service

8. Term and Termination

8.1 Term

This DPA takes effect when you create a MindLoad account and remains in effect until:

• You delete your account
• MindLoad terminates your account
• MindLoad discontinues the service

8.2 Effect of Termination

Upon termination:

1. MindLoad shall delete all personal data within 30 days (production systems)
2. MindLoad shall delete backups within 90 days
3. MindLoad shall provide written confirmation of deletion upon request
4. Provisions that survive: Liability, indemnification, confidentiality

8.3 Data Retrieval Before Termination

Before account deletion, Controllers may:

• Export study sets via in-app export feature (JSON format)
• Request a full data export via [email protected]
• Response time: Within 30 days

9. Supervisory Authority and Dispute Resolution

9.1 Supervisory Authority

Data Subjects (Users) have the right to lodge a complaint with a Supervisory Authority if they believe their data protection rights have been violated.

Relevant Supervisory Authorities:

• EU Member States: See https://edpb.europa.eu/about-edpb/about-edpb/members_en
• UK: Information Commissioner's Office (ICO) - https://ico.org.uk
• Switzerland: Federal Data Protection and Information Commissioner (FDPIC)
• California (CCPA): California Attorney General

9.2 Governing Law

This DPA is governed by:

• GDPR for EEA, UK, and Swiss users
• CCPA/CPRA for California users
• Applicable national data protection laws for other jurisdictions

9.3 Dispute Resolution

Disputes under this DPA shall be resolved:

1. Informal Negotiation: 30-day good-faith negotiation period
2. Mediation: Attempt mediation before formal proceedings
3. Arbitration or Court: Per Terms of Service dispute resolution provisions

Jurisdiction:

• EEA/UK users: Courts of the user's country of residence (for consumer disputes)
• Other users: Per Terms of Service

10. General Provisions

10.1 Order of Precedence

In case of conflict, the order of precedence is:

1. This Data Processing Agreement (DPA)
2. Standard Contractual Clauses (SCCs)
3. Privacy Policy
4. Terms of Service

10.2 Entire Agreement

This DPA, together with the Privacy Policy and Terms of Service, constitutes the entire agreement regarding data processing.

10.3 Amendments

MindLoad may update this DPA:

• Material changes: 30 days' notice via email
• Minor changes: Updated "Last Updated" date
• Continued use after changes constitutes acceptance

10.4 Severability

If any provision is invalid or unenforceable:

• Remaining provisions remain in effect
• Invalid provision modified to reflect parties' intent

10.5 Waiver

Failure to enforce any right does not waive that right.

10.6 Language

This DPA is written in English. Translations provided for convenience only; English version prevails in case of conflict.

11. Contact Information

11.1 Data Controller (User)

You are the Data Controller for your personal data. Exercise your rights via:

• In-App: Settings → Privacy & Security
• Email: [email protected]

11.2 Data Processor (MindLoad AI)

For DPA-related inquiries:

Email: [email protected]
Data Protection Officer: [email protected]
Privacy Team: [email protected]

Contact:
MindLoad AI - Data Protection
Privacy Team: [email protected]
Data Protection Officer: [email protected]

EU Representative (if applicable):
Contact: [email protected]
Data Protection Officer: [email protected]

11.3 Response Times

• Data Subject Requests: Within 30 days
• Data Breach Notifications: Within 72 hours
• General Inquiries: 3-5 business days

12. Acknowledgment

BY USING MINDLOAD, YOU ACKNOWLEDGE THAT:

✓ You have read and understood this Data Processing Agreement
✓ You agree to the processing of your personal data as described
✓ You understand your rights as a Data Subject
✓ You consent to international data transfers (where applicable)
✓ You acknowledge the use of sub-processors
✓ You agree to the Standard Contractual Clauses (EEA/UK/Swiss users)

Annex I: Standard Contractual Clauses (SCCs)

For EEA, UK, and Swiss Users:

This DPA incorporates by reference the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (GDPR), as approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

Module Applied: Module Two (Controller-to-Processor)

Clauses: Full text of SCCs available at:

• https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
• https://mindload.app/sccs

Key Details:

• Data Exporter (Controller): You (the User)
• Data Importer (Processor): MindLoad AI
• Transfer: EEA/UK/Switzerland → United States
• Governing Law: Laws of [User's Country]
• Supervisory Authority: [User's National Data Protection Authority]

Annex II: Technical and Organizational Measures

Detailed security measures implemented by MindLoad:

A. Access Control

Physical Access:

• Cloud-hosted (no physical servers under our control)
• Firebase data centers: Biometric access, 24/7 security, access logs

Logical Access:

• Role-based access control (RBAC)
• Multi-factor authentication (MFA) for administrators
• Principle of least privilege
• Regular access reviews (quarterly)

B. Transmission Control

• TLS 1.3 encryption for all data in transit
• Certificate pinning to prevent man-in-the-middle attacks
• HTTPS only (no unencrypted HTTP)

C. Storage Control

• AES-256 encryption at rest (Firebase default)
• Encrypted backups (AES-256)
• Secure deletion (cryptographic erasure)

D. User Control

• User authentication via Firebase Auth (OAuth 2.0, OpenID Connect)
• Session management with secure tokens
• Account recovery with email verification

E. Access Rights Management

• Data minimization: Collect only necessary data
• Purpose limitation: Process only for specified purposes
• Storage limitation: Delete data after retention period

F. Separation Control

• Logical separation of user data (database isolation)
• Tenant isolation (each user's data separated)
• No shared resources between users

G. Pseudonymization and Anonymization

• Device IDs instead of personal identifiers (where possible)
• Anonymized analytics (Firebase Analytics)
• Aggregated statistics (no individual identification)

H. Integrity Control

• Checksums and hashing (SHA-256)
• Version control for data
• Audit logs for all modifications

I. Availability Control

• Firebase uptime: 99.95% SLA
• Redundancy: Multi-region replication
• Backups: Daily automated backups (90-day retention)
• Disaster recovery: Tested recovery procedures

J. Resilience

• Load balancing (Firebase auto-scaling)
• Failover mechanisms (multi-region)
• Monitoring and alerts (24/7 automated)

K. Incident Response

• Documented procedures for data breaches
• Incident response team (on-call 24/7)
• Post-incident reviews and improvements

L. Data Minimization and Storage Limitation

• Collect only necessary data
• Delete inactive accounts (24 months + 30-day notice)
• Purge deleted accounts within 30 days

Annex III: List of Sub-Processors

As of October 30, 2025:

1. Google Firebase (Google LLC)

Services: Authentication, Firestore, Cloud Storage, Cloud Functions, Analytics, Cloud Messaging
Data Processed: All user data
Location: United States (primary), multi-region
DPA: https://firebase.google.com/terms/data-processing-terms
Certifications: ISO 27001, SOC 2 Type II, GDPR-compliant

2. Apple Inc.

Services: In-app purchase processing (iOS)
Data Processed: Transaction data, purchase receipts
Location: United States
DPA: https://www.apple.com/legal/internet-services/itunes/dev/stdeula/
Certifications: PCI-DSS Level 1, GDPR-compliant

3. Google Play (Google LLC)

Services: In-app purchase processing (Android)
Data Processed: Transaction data, purchase receipts
Location: United States
DPA: https://play.google.com/intl/en_us/about/developer-distribution-agreement.html
Certifications: PCI-DSS Level 1, GDPR-compliant

Updated list: https://mindload.app/subprocessors

Data Processing Agreement Version: 1.1
Last Reviewed: April 23, 2026
Next Review Date: April 23, 2027

© 2025 MindLoad AI. All rights reserved.