Data Processing Agreement

1. Definitions

"Controller" means the organization that has entered into a Service Agreement with MINDSETOR and determines the purposes and means of processing employee personal data through the Platform.

"Processor" means MINDSETOR (David Chakrian, sole proprietorship), Edmond Jasparstraat 48A, 6217HR Maastricht, Netherlands. KVK: 77361199.

"Data Subject" means an identified or identifiable natural person whose personal data is processed; in this context, employees and other authorized users of the Controller.

"Personal Data" means any information relating to a Data Subject, as defined in Article 4(1) GDPR.

"Special Category Data" means personal data revealing health information as defined in Article 9(1) GDPR, including biometric, physiological, and psychological well-being data.

"Platform" means the MINDSETOR mobile application and associated cloud services.

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Scope and Purpose of Processing

The Processor processes Personal Data on behalf of the Controller solely for the purpose of providing the MINDSETOR employee well-being platform, which includes:

Collecting and analyzing health metrics (sleep, activity, mood, heart rate variability) to generate individual well-being insights
Providing gamified engagement features (points, leaderboards, achievements) to encourage consistent well-being tracking
Facilitating 1:1 sessions with psychologists, lifestyle coaches, and mindfulness experts
Generating aggregated, anonymized team wellness reports for the Controller
Sending proactive nudges and reminders based on health data patterns

The duration of processing corresponds to the term of the Service Agreement between the Controller and the Processor.

3. Types of Personal Data Processed

3.1 Standard Personal Data

Category	Data Elements	Source
Account Data	First name, email address, year of birth, employer association	User input during registration
Usage Data	Features used, engagement metrics, points earned, login frequency	Platform interaction
Session Data	Booking times, session type, specialist assignment	Care Hub bookings

3.2 Special Category Data (Health Data — Art. 9 GDPR)

Category	Data Elements	Source
Activity Data	Steps, calories, heart rate, resting heart rate	Apple HealthKit / Google Health Connect
Sleep Data	Duration, consistency, quality metrics	Apple HealthKit / Google Health Connect
Stress Data	Heart Rate Variability (SDNN/RMSSD)	Apple HealthKit / Google Health Connect
Mood Data	Self-reported valence and energy ratings (5-point scales)	In-app check-ins
Well-being Insights	Burnout risk scores, weekly trend analysis	Algorithmically derived
Session Notes	Clinical notes from specialist sessions	Care Hub specialists

Processing of Special Category Data is based on explicit consent of the Data Subject (Art. 9(2)(a) GDPR), obtained during the onboarding process.

4. Categories of Data Subjects

Employees of the Controller who have voluntarily registered for the Platform
Family members of employees (when invited via the Family Plan)

5. Controller's Instructions

5.1. The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country. This DPA and the Service Agreement constitute the Controller's complete instructions at the date of execution.

5.2. The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other EU/Member State data protection provisions.

5.3. The Controller instructs the Processor to process Personal Data for the purposes described in Section 2 of this DPA.

6. Confidentiality

6.1. The Processor ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6.2. Care Hub specialists (psychologists, coaches) are bound by professional codes of conduct (NIP for psychologists in the Netherlands) and are subject to statutory professional secrecy obligations.

7. Technical and Organizational Security Measures

The Processor implements the following measures pursuant to Article 32 GDPR:

7.1 Encryption

All data encrypted in transit (TLS 1.2+)
All data encrypted at rest (AES-256, managed by Google Cloud)
Firebase Authentication with secure session tokens

7.2 Access Control

Firestore security rules enforce strict user-level data isolation
Role-based access control (employee, specialist, employer, admin)
No employee-level health data accessible to the Controller or employer admin

7.3 Aggregation Threshold ("Employer Firewall")

Controller dashboards require a minimum of 10 active users before any aggregated analytics are displayed
Individual scores, mood data, session notes, and health metrics are never shared with the Controller
Leaderboard nicknames provide identity privacy

7.4 Infrastructure

Hosted on Google Cloud Platform (EU region: europe-west1)
Google Cloud holds SOC 2 Type II, ISO 27001, and ISO 27017 certifications
Automated backups with point-in-time recovery

7.5 Availability & Resilience

Google Cloud's 99.95% uptime SLA for Firestore and Cloud Functions
Multi-zone deployment for high availability

8. Sub-processors

8.1. The Controller provides general authorization for the Processor to engage Sub-processors, subject to the conditions in this Section.

8.2. The Processor shall inform the Controller of any intended additions or replacements of Sub-processors at least 30 days in advance, giving the Controller the opportunity to object.

8.3. The Processor shall impose the same data protection obligations as set out in this DPA on any Sub-processor by way of a contract.

8.4. The Processor remains fully liable for the performance of its Sub-processors.

Current Sub-processors

Sub-processor	Purpose	Location	Transfer Mechanism
Google Cloud Platform (Firebase)	Database (Firestore), Authentication, Cloud Functions, Hosting, Analytics	EU (europe-west1, Belgium)	Adequacy (EU processing)
Google Cloud Platform	Infrastructure, compute, storage	EU (europe-west1, Belgium)	Adequacy (EU processing)
Daily.co (Daily, Inc.)	Video calls for Care Hub specialist sessions	USA	Standard Contractual Clauses (SCCs)
Firebase Cloud Messaging (Google)	Push notification delivery	EU / USA	EU Data Processing Terms

The up-to-date list of Sub-processors is maintained at mindsetor.com/privacy (Section 8: Third-Party Processors).

9. Assistance with Data Subject Rights

9.1. The Processor shall assist the Controller in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including:

Right of Access (Art. 15) — Data Subjects can request a copy of their data via the in-app "Download My Data" feature or by emailing support@mindsetor.com
Right to Rectification (Art. 16) — Data Subjects can update their profile data in-app or request corrections via email
Right to Erasure (Art. 17) — Data Subjects can delete their account and all associated data via the in-app "Delete Account" function
Right to Restriction (Art. 18) — Upon request, processing can be limited to storage only
Right to Data Portability (Art. 20) — Data Subjects can export their data in machine-readable JSON format via the app
Right to Object (Art. 21) — Data Subjects can object to processing based on legitimate interest
Automated Decision-Making (Art. 22) — Data Subjects can request human review of automated well-being assessments by booking a Care Hub session

9.2. The Processor shall respond to Data Subject requests within 30 calendar days.

10. Personal Data Breach Notification

10.1. The Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach affecting data processed on behalf of the Controller.

10.2. The notification shall include:

The nature of the breach, including the categories and approximate number of Data Subjects and records affected
The name and contact details of the Processor's contact point
A description of the likely consequences of the breach
A description of the measures taken or proposed to address the breach

10.3. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each breach.

11. Data Protection Impact Assessments

11.1. The Processor shall assist the Controller with Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, as required under Articles 35 and 36 GDPR.

11.2. The Processor has conducted its own DPIA for the Platform, available at mindsetor.com/dpia.

12. Audit Rights

12.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR.

12.2. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice of at least 30 days.

12.3. Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.

13. Data Retention and Deletion

13.1. Upon termination of the Service Agreement, the Processor shall, at the Controller's choice:

Delete all Personal Data processed on behalf of the Controller within 90 days, or
Return all Personal Data to the Controller in a structured, machine-readable format (JSON)

13.2. The following retention periods apply during the term of the Agreement:

Data Type	Retention Period
Account data	Duration of employment + 2 years
Activity & sleep data	3 years after last activity
Specialist session notes	15 years (Dutch Wkkgz)
Gamification data	Duration of account

13.3. Upon individual account deletion, personal identifiers are permanently erased. Anonymized, non-identifiable metrics may be retained for research and product improvement.

14. International Data Transfers

14.1. The Processor processes the majority of Personal Data within the European Economic Area (Google Cloud, europe-west1, Belgium).

14.2. Where Personal Data is transferred to a third country (currently: Daily.co video sessions, USA), the Processor ensures adequate protection through Standard Contractual Clauses (SCCs) as adopted by the European Commission.

14.3. The Processor shall inform the Controller before processing in any new third country and ensure appropriate safeguards are in place.

15. Liability

15.1. Each party's liability under this DPA is subject to the limitations and exclusions set out in the Service Agreement.

15.2. The Processor shall indemnify the Controller for any damages caused by processing that does not comply with this DPA or the GDPR, to the extent attributable to the Processor.

16. Term and Termination

16.1. This DPA enters into force on the date of the Service Agreement and remains in effect for as long as Personal Data is processed on behalf of the Controller.

16.2. The obligations of the Processor regarding data deletion (Section 13) and confidentiality (Section 6) survive termination of this DPA.

17. Governing Law

17.1. This DPA is governed by Dutch law.

17.2. Disputes arising from this DPA shall be submitted to the competent court in Maastricht, Netherlands.

18. Contact

MINDSETOR (Processor)
David Chakrian
Edmond Jasparstraat 48A, 6217HR Maastricht, Netherlands
Email: support@mindsetor.com
KVK: 77361199