Data Processing Agreement
version of 2024, 26th of February
When you, whether as a User (within the meaning of the Terms and Conditions of Use) or as a Client (within the meaning of the Terms and Conditions of Service or any other master agreement entered into with Mindee hereinafter referred to indistinctly as the “Agreement”) (the “Contracting Party”), enter into an agreement with Mindee for access to and use of any one of our remote automated document and image processing services whatsoever available on the Website or the Platform (the “Services”), you agree that the resulting Personal Data processing be governed by the provisions of this Data Processing Agreement.
This Data Processing Agreement supplements the provisions of the Agreement. Consequently, in the event of any contradiction between the stipulations of the Agreement and the stipulations of this Data Processing Agreement, the Parties agree that the stipulations of the latter shall prevail.
For the purposes hereof, Mindee and the Contracting Party are together referred to as the “Parties” and individually as a “Party”. Terms beginning with a capital letter and not defined herein have the meaning that is attributed to them in the applicable contractual document (namely the Terms and Conditions of Use of our Website, the Terms and Conditions of Service of our Platform or any other master agreement entered into with Mindee) into which this Data Processing Agreement (when Mindee is acting as a Processor) is incorporated.
Terms such as “Processing”, “Controller”, “Processor”, “Personal Data”, and “Data Subject” used in this Data Processing Agreement have the meaning that is attributed to them in the Applicable Regulations.
DATA PROCESSING AGREEMENT PERTAINING TO MINDEE’S SERVICES
1. Compliance with Applicable Regulations
The execution of the Terms of Use of the Website and the Terms of Service of the Platform requires Personal Data processing.
Each Party undertakes to comply with its respective obligations pursuant to the Applicable Regulations.
2. Processing carried out by Mindee as a Processor
Mindee acts as a Processor on behalf of the Contracting Party for the processing operations defined in Annex 1-A for the provision of Services and in Annex 1-B for the training of Client Data sets for the improvement of Services.
By exception, the Contracting Party expressly authorizes Mindee to re-use Incoming Data in accordance with the Applicable Regulations in order to pseudonymize and/or anonymize these Personal Data. Mindee shall have the right to use pseudonymized or anonymized Personal Data of Incoming Data for the production of statistics on usage for Services supervision and reporting, for research and development purposes, in particular in order to improve the Platform and/or Websites and the Services.
In addition, in case the Contracting Party requests Mindee to activate the feedback endpoint feature, the Contracting Party expressly authorizes Mindee to re-use the feedback it can send to Mindee pertaining to Results that it has corrected in case of errors, for analysis and improvement purposes.
3. Obligations of Mindee acting as a Processor
Mindee undertakes to:
- process Personal Data only for the purposes described in Annex 1-A and Annex 1-B;
- process Personal Data in accordance with Contracting Party’s instructions as set forth in the Agreement. If Mindee considers that an instruction constitutes a violation of Applicable Regulations, it will inform the Contracting Party. In addition, if Mindee is required to transfer data to a third country or to an international organization, pursuant to European Union law or the laws of a member State to which it is subject, Mindee shall inform the Contracting Party of this obligation prior to the processing, unless the law in question prohibits such information on public interest grounds;
- ensure the confidentiality of the Personal Data processed under this Data Processing Agreement;
- ensure that persons authorized to process Personal Data (including sub-data processors):
  - undertake to comply with confidentiality obligations, or are subject to an appropriate statutory duty of confidentiality;
  - receive the necessary training in terms of Personal Data protection;
- make available to the Contracting Party, upon written request, all information that is reasonably necessary to demonstrate compliance with its obligations and to enable audits to be carried out in accordance with article 9 below;
- keep a record of processing activities carried out on behalf of the Contracting Party in accordance with Applicable Regulations;
- take into account, with respect to its tools, products, applications or services necessary for the performance of the Services, the principles of data protection by design and data protection by default;
- take all measures required pursuant to article 32 of the GDPR;
- provide assistance to the Contracting Party that is reasonably necessary to respond to requests for the exercise of rights by data subjects concerned by the processing operations falling under this article 3;
- carry out the actions requested by the Contracting Party on the Personal Data in response to data subjects’ requests to exercise their rights;
- provide the Contracting Party with reasonable assistance required as part of an impact assessment relating to the Processing falling under article 2 of the Data Processing Agreement to be carried out by the Contracting Party or for the preliminary consultation of a supervisory authority; the time spent for such assistance may be invoiced by Mindee.
4. General obligations of the Contracting Party acting as a Controller
When acting as Controller in accordance with article 2 of this Data Processing Agreement, the Contracting Party undertakes to:
- ensure compliance with all the essential principles of the Applicable Regulation, in particular by defining relevant purposes for Processing of Personal Data and an adequate legal basis;
- document in writing any instructions concerning Mindee’s Processing of Data Subjects’ Personal Data;
- inform Mindee if Services are used to process special categories of Personal Data;
- supervise Processing entrusted to Mindee;
- cooperate with Mindee for the performance of privacy impact assessment (if needed) and in the event of data breach, in particular to answer swiftly to Mindee;
- maintain its own compliance documentation with Applicable Regulation; and
- if applicable, provide the contact details of its DPO.
5. Information and Rights of Data Subject
It is the Contracting Party’s responsibility to provide information on the protection of Personal Data to the Data Subjects involved in the Processing at the time of collection of the Personal Data.
Where the lawfulness of the processing carried out by Mindee on behalf of the Contracting Party is based on consent of the Data Subjects, in particular if the Contracting Party uses the Services to process special categories of personal data as defined in article 9 of the GDPR, the Contracting Party is alone responsible, towards Mindee, to inform and get the Data Subject’s consent in the forms and according to the requirements prescribed by Applicable Regulations.
If a Data Subject sends a request to the Contracting Party to exercise his/her rights, the Contracting Party is bound to inform Mindee of it, within the deadlines set by Applicable Regulations, so that Mindee can communicate the information in its possession and/or implement the rights of the Data Subject according to the instructions of the Contracting Party.
Where Data Subjects make a request to Mindee to exercise their rights, Mindee will promptly send such requests by email to the Contracting Party (and its Data Protection Officer, if Mindee has its contact details). Mindee is not authorized to respond to Data Subjects’ exercise of their rights without the prior written consent of the Contracting Party.
6. Mindee’s Sub-processors
The Contracting Party expressly authorizes Mindee to appoint sub-processors, and to replace or add any subsequent sub-processors. Prior to appointing a sub-processor, Mindee will inform the Contracting Party by any means (including e-mail) and the Contracting Party shall have seven (7) calendar days to object to it. Any objection by the Contracting Party must be legitimate and duly motivated (such as a lack of appropriate security measures). If the Contracting Party does not notify its opposition after this period, the Contracting Party shall be deemed to have accepted such sub-processor. In case of persistent opposition from the Contracting Party, Mindee shall cease to rely on such sub-processor, as far as feasible, or if impossible the Contracting Party may terminate, without breach, all or part of the Agreement that requires use of this sub-processor.
Mindee undertakes to enter into a legal agreement with its sub-processors and to impose obligations that are at least as strict as those applicable to Mindee in relation to the Contracting Party pursuant to this Data Processing Agreement. If the sub-processor does not comply with its obligations in terms of Personal Data protection, Mindee will remain fully liable towards the Contracting Party for its sub-processors according to the terms of the Agreement.
As of the effective date of the Data Processing Agreement, Mindee relies on the sub-processor listed in Annex 2.
7. Data Transfers
Where necessary, the Contracting Party expressly authorizes Mindee to transfer Personal Data to countries located outside the European Economic Area (EEA) or which do not benefit from an adequacy decision rendered by the European Commission, subject to implementing, prior to transfer, the appropriate safeguards, in accordance with articles 45 and 46 of the GDPR. Mindee undertakes to comply with the Standard Contractual Clauses (“SCC”) adopted by the European Commission on June 4th 2021. To this end, the Contracting Party grants to Mindee a general mandate to enter, in its name and on its behalf, into any SCCs in order to govern the transfer of Personal Data to a sub-processor established in a country outside the EEA or not benefiting from an adequacy decision to carry out processing operations.
The eventual transfers of Personal Data outside the EEA are listed in Annex 2.
8. Security
8.1. Security measures
Mindee represents to the Contracting Party that it implements technical and organizational measures that, taking into account the state of the art, the costs of implementation and the nature, the scope, the context and the purposes of processing, as well as the associated risks, are appropriate to ensure a level of security that is adapted to the Personal Data processing.
Mindee has a SOC 2 certification and implements several measures and uses several tools to detect vulnerabilities.
Mindee ensures the confidentiality and the integrity of the Personal Data processed and undertakes to comply with the following obligations and to have them complied with by its employees:
- not to make any copy of the Personal Data and the materials that are entrusted to it, except for those necessary to carry out the processing, without the prior approval of the Contracting Party;
- not to use the Personal Data for purposes other than those stated in the processing;
- not to disclose the Personal Data to third parties;
- to take all appropriate measures in order to avoid any misappropriation or fraudulent use of the Personal Data during the processing.
Mindee will ensure that all of its employees authorized to process Personal Data are bound by confidentiality obligations equivalent to that which Mindee has to the Contracting Party and train its employees every year on data protection and security.
Mindee has implemented different security policies for its employees pertaining to password, vendor management, encryption, disaster recovery and business continuity plan, asset management or acceptable use.
The systematic, organisational and technical measures implemented by Mindee are listed in Annex 3.
8.2. Notification of Personal Data breach
Mindee undertakes to notify the Contracting Party of any Personal Data breach without undue delay after becoming aware of the breach. Notification will be made by email sent to the point of contact of the Contracting Party or its Data Protection Officer or any other contact in charge of Personal Data breaches identified by the Contracting Party.
This notification will be accompanied by any relevant documentation in order to enable the Contracting Party, if necessary, to notify the breach to the competent supervisory authority and to the Data Subjects, as applicable.
9. Audit
The Contracting Party is authorized to carry out or to have carried out, at its own expense, at any time during performance of the Agreement but no more than one per year, an audit of all or part of the Processing falling under article 3 performed by Mindee as a Processor.
Any audit must be subject to a prior notice, sent at least six (6) weeks before the audit is held, and an agreement of the Parties on the scope of the audit.
Mindee reserves the right to invoice the Contracting Party for its assistance in the audit.
The audit will be carried out by the Contracting Party’s internal team or by persons mandated by the Contracting Party (provided that such third parties are not competitors of Mindee) subject to professional secrecy and to a non-disclosure agreement entered into with Mindee, protecting Mindee’s information to which they will have access in the course of the audit.
The audit will be performed during Mindee’s business hours and must not disturb Mindee’s activities. The audit must not, in any way whatsoever, interfere with (i) the technical and organizational measures deployed by Mindee, (ii) the security and the confidentiality of the data of other clients of Mindee, or (iii) the proper functioning and organization of Mindee’s business.
The draft audit report will be submitted to Mindee, which will produce its observations in writing. They will be attached to the final report.
If the findings of the audit report reveal breaches of Mindee’s obligations as a Processor, Mindee will take reasonable steps to remedy them within a period of time agreed between the Parties, at no additional cost for the Contracting Party.
If the findings of the audit report contain recommendations tending to the modification of or improvement to the audited rules and procedures, the conditions for their implementation, as well as any potential additional costs, will first be agreed upon by the Parties. In any case, Mindee shall have the final decision upon these modifications or improvements.
10. Disposal of Personal Data
At the end of the Agreement, depending on the Contracting Party’s choice, when Mindee acts as a Processor pursuant to article 2 of this Data Processing Agreement, Mindee undertakes to:
- destroy, in an automated or manual manner, all Personal Data processed on behalf of the Contracting Party; or
- return to the Contracting Party or to the processor designated by him, in a format commonly used and readable by the Contracting Party or an interoperable format the Personal Data processed by Mindee as a processor. The return will be accompanied by the destruction of all existing copies in Mindee’s information systems.
In any case, Mindee shall apply the storage periods detailed in Annexes 1-A and 1-B to Personal Data. By way of exception, Personal Data may be subject to an additional retention period to enable Mindee to comply with its applicable legal obligations.
11. Contact
For any question relating to the Data Processing Agreement or to Mindee’s Services, please contact Mindee by email:
- Mindee at: contact@mindee.com
- Mindee’s DPO at: dpo@mindee.com
These addresses are not to be used for the exercise of rights by the data subjects concerned; all such requests are to be sent exclusively by e-mail to privacy@mindee.com or by letter to Mindee’s registered office referred to in the preamble and addressed to the attention of Mindee’s DPO.
12. Warranty and liability
Each Party shall be responsible:
- in accordance with law, for its failures vis-à-vis the other Party in the performance of the Data Processing Agreement;
- for compliance with the Applicable Regulations and guarantees the other Party in the event of non-compliance with its obligations and if such non-compliance causes it direct and certain harm.
Consequently, the Contracting Party shall remain solely liable for any and all damages that may result, for Mindee and for the Data Subjects of the Personal Data processing, from failure to comply with its obligations. Notwithstanding the above, the liability cap provided for in the Terms of Use and Terms of Services shall apply to this Data Processing Agreement.
The Parties agree that in the event Mindee is held liable, under article 82 of the GDPR or by any competent supervisory authority, for a breach that is attributable to the Contracting Party, the Contracting Party shall indemnify and hold Mindee harmless from and against all costs, fees (including attorney fees), fines and damages incurred by Mindee.
Annex 1-A : Provision of Services
For the purposes of providing the Services, Mindee processes Client Data including Incoming Data and Results following the processing of a Request via its APIs and/or as part of Maintenance remotely (by SaaS, Software as a Service) based on a public cloud infrastructure hosted by one of Mindee’s sub-processors according to the terms and conditions set out in this Data Processing Agreement and in the Agreement.
Purpose of Processing | Purpose 1: Processing Incoming Data for Request management as part of the Services and provide Result to Users; Purpose 2: Processing Client Data for Maintenance of the Services |
Categories of data subjects | Identifiable individuals (such as Contracting Party’s, Affiliated Entities’ or End Clients’ customer, prospect or supplier) in the Incoming Data and Results. |
Category of Personal Data | Purposes 1 and 2: types of data (Incoming Data and Results) as featured in the Documentation for each relevant API; |
Source of Personal Data | - Users - Incoming Data disclosed by Users and Results |
Recipient of Personal Data | - Mindee’s staff expressly authorized for processing purposes - Mindee’s sub-data processors - Contracting Party, Affiliated Entities, Third Party Service Providers staff members or any other member of End Clients’ staff |
Automated decision-making (art. 22 GDPR) | No |
Storage Period | If the API is synchronous: - Incoming Data: a few milliseconds, the time to process the Request; - Results: a few milliseconds, the time for the Module or the Platform to process the Request and to send a Result. If the API is asynchronous, then Incoming Data and Results shall be stored for a period of 7 days. |
Annex 1-B : Training of Client Data sets
For the purposes of providing the Services, Mindee may be processing sets of Incoming Data disclosed by the Client and Results processed following a Request to train its algorithms developed for the API to improve Services.
Purposes of Processing | Purpose 1: Processing sets of Client Data to improve Services and algorithms; Purpose 2: creation of an API at the request of the Contracting Party and use of the Incoming Data of the Contracting Party to train this API |
Categories of data subjects | - Individuals like customer, prospect or supplier of the Contracting Party, Affiliated Entities or end clients concerned by the Incoming Data. |
Category of Personal Data | - Types of data (Incoming Data and Results) as featured in the Documentation for each relevant API; - Request data; - Anomaly Report data input by the Client or resulting from technical administration measures on the Website or the Platform. |
Source of Personal Data | - Users - Incoming Data disclosed by Users and Result |
Recipient of Personal Data | - Mindee’s staff expressly authorized for processing purposes - Mindee’s sub-data processors - Client’s staff in charge of following up with data subjects requests to exercise rights |
Automated decision-making (art. 22 GDPR) | No |
Storage period | Maximum 3 years, except for data used to measure the performance of models over time, which are archived for the term of the Agreement. If the Contracting Party chooses to use an API without training, Incoming Data will not be stored by Mindee to train the API. |
Annex 2 – List of Sub-processors and data transfer outside of the EEA
Name of Processor | Processing activities | Location | Guarantees for transfers outside the EU |
---|---|---|---|
AWS | Platform Hosting | Ireland (for European Contracting Party) or United States (for American Contracting Party) | N/A |
Google Cloud Platform | Computation | Belgium | N/A |
Microsoft Azure | Computation / LLM in the case of a use of an API using LLM provided by Mindee | European Union for European Contracting Party or Contracting Party located outside of the United States or United States for American Contracting Party | N/A |
Google Vision | Provider of OCR services if the Contracting Party creates its own API on the Platform or in the case of a use of an API using LLM provided by Mindee | European Union for European Contracting Party or Contracting Party located outside of the United States or United States for American Contracting Party | N/A |
Google Workspace | Communication | Ireland | N/A |
Salesforce | CRM | France | N/A |
Intercom | Support | Ireland | N/A |
Annex 3 – Security of processing
As stated in article 8 of this Agreement, the agreements between the parties regarding specific technical and organizational security measures are outlined below. The implemented measures are included in this annex and will be supplemented or modified as needed. Controller deems these measures appropriate for the processing of personal data.
Description of the technical and organizational security measures implemented by Mindee:
- Implemented security policy and periodic updating and implementation of the updated security policy;
- Implemented code of conduct;
- Confidentiality obligations in employment contracts;
- Secure storage of data files;
- Logical access controls through knowledge, such as passwords or personal access codes, two-factor authentication;
- Use of a password manager;
- Logical access controls through physical access means, such as a security pass;
- Monitoring of assigned rights;
- Logging and control of system access (including monitoring for signs of unauthorized access to personal data);
- Implementation of recovery procedures;
- Encryption of Personal Data during electronic transfer to external parties;
- Compliance with the confidentiality provisions of this agreement;
- Designation of a limited number of individuals responsible for the execution of the processing and authorized to grant themselves access, who are expressly authorized to perform only the actions necessary for the execution of the Master Service Agreement;
- The duration for storing personal data is in accordance with applicable laws or policies;
- Measures for detecting vulnerabilities and incident management, such as annual penetration tests.