This Schedule is Annex A to the Mindsetor Master Service Agreement ("MSA"). It documents how Mindsetor B.V. ("Mindsetor", "we") handles personal data on its own behalf as sole data controller (Article 4(7) GDPR). It does not establish a controller-to-processor relationship under Article 28 GDPR; the customer ("Customer") is a purchaser of Mindsetor's service, not a controller of the personal data processed through the platform. This document discharges the transparency, accountability, and information-provision expectations that a procurement / DPO reviewer would otherwise look for in an Article 28 DPA, framed correctly under the controller relationship that actually applies.
Mindsetor B.V. — Brightlands Smart Services Campus, Smedestraat 2, 6411 CR Heerlen, Netherlands. KvK 42042393 · RSIN 869442958. Email: support@mindsetor.com. Mindsetor is the sole data controller (Art. 4(7) GDPR) for personal data processed through the Platform, including users' health data, mood self-reports, derived risk and wellbeing scores, gamification data, and Care Hub session metadata.
Customer — the organisation that has entered into a Master Service Agreement with Mindsetor and whose employees are granted access to the Platform. The Customer is a purchaser of Mindsetor's service. The Customer does not determine the purposes or means of processing of individual users' personal data and is not a data controller of that data.
User — an individual employee, contractor, or family-plan member who has registered an account on the Platform. The User is the data subject for the purposes of Articles 12-23 GDPR. Users provide explicit consent (Art. 9(2)(a)) directly to Mindsetor during onboarding. For Care Hub clinical sessions, processing also rests on Art. 9(2)(h) (provision of health care/treatment) read with Art. 9(3) and Dutch WGBO Art. 7:454 BW.
Mindsetor designs the burnout-prevention service end-to-end: it determines what data is collected, the lawful basis, the retention periods, the algorithms and risk scoring methods, the sub-processors engaged, and the privacy controls. The Customer does not give Mindsetor processing instructions; the Customer purchases access to a finished service. Per EDPB Guidelines 07/2020 on the concepts of controller and processor, this fact pattern is a controller relationship, not an Art. 28 processor relationship. A processor DPA would misrepresent the legal relationship and would mis-allocate Art. 33 / 34 / 13-14 / 30 / 35 obligations to the Customer that Mindsetor in fact owes directly. This Schedule supplies the same protections a procurement reviewer would look for in a DPA, structured around the actual relationship.
Mindsetor processes the following categories of personal data under the lawful bases listed:
| Category | Lawful basis (Art. 6 + Art. 9 where applicable) |
|---|---|
| Account data (first name, work email, year of birth, employer association, join code) | Contract performance — Art. 6(1)(b) |
| Health data from HealthKit / Health Connect / Garmin (steps, heart rate, resting HR, HRV (SDNN/RMSSD), sleep stages, sleep quality) | Explicit consent — Art. 9(2)(a) |
| Self-reported mood (valence, energy, affect labels, life-domain context) | Explicit consent — Art. 9(2)(a) |
| Derived risk and wellbeing scores (V4.1 Risk Engine) | Explicit consent — Art. 9(2)(a). Informational scores only; not a solely automated decision under Art. 22(1). |
| Care Hub booking metadata + clinical session notes | Booking flow: Art. 6(1)(b) + Art. 9(2)(a). Clinical interaction itself: Art. 9(2)(h) (health care/treatment) read with Art. 9(3) and Dutch WGBO Art. 7:454 BW. |
| Gamification data (points, streaks, badges, leaderboard position, nickname) | Contract performance — Art. 6(1)(b) |
| Aggregated, k=10 + sparse-cell-suppressed employer reporting (output) | Outputs are non-personal under GDPR Recital 26 once aggregation has been applied (CBS statistical-disclosure-control methodology). Inputs covered by the consent basis recorded above. |
| Push-notification tokens (FCM) | Notification consent + Contract — Art. 6(1)(b) |
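As an added illustration (not Mindsetor's own reporting code), the following Python shows the k=10 per-cell threshold and sparse-cell suppression named in the table, together with the check a reviewer should expect alongside any such threshold: a published overall row must also be withheld when subtracting the published cells from it would recover a suppressed cell (complementary suppression, the standard companion to primary suppression in statistical-disclosure-control practice). The (department, score) record schema, the sample numbers and the function names are constructed for the example.

```python
"""Threshold aggregation with primary and complementary cell suppression.

Added illustration, not Mindsetor's reporting code. Shows the k=10 per-cell
threshold and sparse-cell suppression described in the annex, plus the
complementary check: withhold the overall total when it would let a reader
recover a suppressed cell by subtraction. Schema and numbers are constructed.
"""
from collections import defaultdict

K_MIN = 10  # per-cell threshold stated in the annex

# Constructed sample input: (department, wellbeing score). Assumed schema.
SAMPLE = (
    [("engineering", s) for s in (62, 71, 55, 80, 66, 73, 58, 69, 77, 64, 70, 61)]
    + [("finance", s) for s in (45, 52, 49)]
    + [("sales", s) for s in (70, 68, 74, 66, 72, 69, 71, 75, 67, 73)]
)


def aggregate(records, k=K_MIN):
    """Per-cell (n, sum of scores); a cell with n < k is suppressed (None).

    Sums rather than means are kept so the arithmetic is exact; a rounded
    mean only blurs, and does not remove, the subtraction leak shown below.
    """
    cells = defaultdict(lambda: [0, 0])
    for dept, score in records:
        cells[dept][0] += 1
        cells[dept][1] += score
    return {
        dept: (n, total) if n >= k else None
        for dept, (n, total) in sorted(cells.items())
    }


def publishable_total(cells, n_all, sum_all, k=K_MIN):
    """Complementary suppression for the overall row.

    Everything not covered by a published cell forms a residual group. If
    that group is non-empty but smaller than k, publishing the total would
    disclose it, so the total is withheld as well.
    """
    published_n = sum(v[0] for v in cells.values() if v is not None)
    residual_n = n_all - published_n
    if 0 < residual_n < k:
        return None
    return (n_all, sum_all)


def report(records, k=K_MIN):
    """Build the employer-facing output: suppressed cells plus a safe total."""
    cells = aggregate(records, k)
    n_all = len(records)
    sum_all = sum(score for _, score in records)
    return {"cells": cells, "overall": publishable_total(cells, n_all, sum_all, k)}


def subtraction_attack(cells, overall):
    """Reader's view if the total were published regardless: the residual
    (n, sum) is exactly what the suppressed cells were meant to hide."""
    if overall is None:
        return None
    n_res, sum_res = overall
    for v in cells.values():
        if v is not None:
            n_res -= v[0]
            sum_res -= v[1]
    return (n_res, sum_res)


def mean_or_suppressed(cell):
    """Presentation helper: format a cell as the employer would see it."""
    return "suppressed" if cell is None else f"n={cell[0]}, mean={cell[1] / cell[0]:.1f}"


if __name__ == "__main__":
    out = report(SAMPLE)
    for dept, cell in out["cells"].items():
        print(f"{dept:12s} {mean_or_suppressed(cell)}")
    print("overall      " + mean_or_suppressed(out["overall"]))
    # Naively publishing the total (n=25, sum=1657) would expose finance's three respondents:
    print("leak if total published:", subtraction_attack(out["cells"], (25, 1657)))
```

In the sample, finance has only three respondents and is suppressed, but the residual group is also smaller than k, so `report` withholds the overall row; `subtraction_attack` shows what a reader could otherwise derive. When several suppressed cells together reach k, the total is published, because the residual group is then no more identifying than any published cell.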
Mindsetor engages the sub-processors listed below on its own behalf to assist in delivering the service. Each is bound by a written contract imposing equivalent data-protection obligations under Art. 28(1) and 28(3) GDPR (Mindsetor's Art. 28 obligations to its own sub-processors).
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Google Ireland Limited (Firebase / Google Cloud Platform) | Database, authentication, Cloud Functions, hosting, analytics | EU (europe-west1, Belgium) | EU processing (no transfer) |
| Firebase Cloud Messaging (Google Ireland Limited / Google LLC) | Push-notification delivery | EU / USA | Commission Implementing Decision (EU) 2021/914 SCCs Module 2 (controller-to-processor); Google EU-US Data Privacy Framework certification |
| Agora Lab, Inc. | Video infrastructure for Care Hub specialist sessions | USA | Commission Implementing Decision (EU) 2021/914 SCCs Module 2 (controller-to-processor); transfer impact assessment on file |
| Garmin Ltd. | Health-data synchronisation via OAuth API (steps, sleep, HRV, heart rate) | USA / EU | Commission Implementing Decision (EU) 2021/914 SCCs Module 2; EU-US Data Privacy Framework where applicable |
Mindsetor will publish notice of any new sub-processor at mindsetor.com/data-handling-annex and notify subscribing organisations by email at least 30 days in advance. The Customer may object to a new sub-processor by written notice within the 30-day period; if Mindsetor cannot accommodate the objection (for example, by routing the Customer's data through an alternative sub-processor), the Customer may terminate the affected portion of the service without penalty for the remainder of the term and receive a pro-rata refund for unused fees.
OTP-email delivery for organisational-membership verification is provided through Firebase Authentication (sub-processor entry 1, Google Ireland Limited / Google Cloud). Apple Sign-In and Google Sign-In are user-side identity providers; Mindsetor authenticates the resulting tokens but does not share personal data with them as Art. 28 sub-processors. There are no additional sub-processors beyond those listed above.
The Platform's HTTP responses carry `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`.

The Customer never has access to individual users' health data, mood scores, risk scores, or session content. Aggregated employer reporting is delivered only above the k=10 and sparse-cell-suppression thresholds recorded in the data-category table above.
| Data category | Retention period |
|---|---|
| Account data | Until account deletion or end of Service Agreement, plus 2 years for legal-claim defence |
| Activity, sleep, and mood data | 3 years after last activity (automated enforcement scheduled for Q3 2026; until then, deletion on request via support@mindsetor.com) |
| Risk scores and insights | Duration of account |
| Care Hub clinical session notes | 20 years from last entry — Art. 6(1)(c) + Art. 9(2)(h) GDPR; Dutch WGBO Art. 7:454 BW (as amended effective 1 January 2020) |
| Care Hub booking metadata | Duration of account |
| Gamification data | Duration of account |
| Aggregated employer reporting | Duration of Service Agreement |
| Audit logs (compliance) | Indefinite — Art. 6(1)(f) read with Art. 5(2) accountability |
The Mindsetor Pseudonymisation and Anonymisation Procedure (`docs/gdpr/anonymisation_procedure.md`) describes the technical and organisational steps that enforce these retention periods once Workstream C1 ships in Q3 2026. Until then, retention is enforced via per-request deletion handled within GDPR Art. 12(3) timelines.
Users can exercise the following rights directly with Mindsetor at support@mindsetor.com:
Mindsetor responds within one month per GDPR Art. 12(3); complex requests may extend by up to two further months with reasoned notice within the first month.
Mindsetor as sole controller notifies the Autoriteit Persoonsgegevens under Art. 33(1) without undue delay and in any event within 72 hours of becoming aware of a personal data breach likely to result in a risk to the rights and freedoms of natural persons. Affected data subjects are notified directly under Art. 34 where the breach is likely to result in a high risk to their rights and freedoms.
Mindsetor will additionally inform the Customer in good faith for transparency where (a) the breach materially affects the Customer's workforce or service continuity, or (b) the Customer has a separate Arbowet duty triggered by the incident. This is not an Art. 33(2) processor-to-controller notification (no such relationship exists) — it is operational courtesy.
The full procedure is documented in the Mindsetor Breach Response Procedure (`docs/gdpr/breach_response_procedure.md`), aligned to Art. 33(1) "likely to result in a risk" trigger and Art. 33(5) breach register; a procurement copy is available on request.
Personal-data primary processing occurs in the EU (`europe-west1`, Belgium). Transfers to USA-located sub-processors (Agora, Firebase Cloud Messaging where US infrastructure is involved, Garmin) are made under Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Standard Contractual Clauses Module 2 (controller-to-processor), supplemented where applicable by the recipient's certification under the EU-US Data Privacy Framework. Transfer impact assessments are documented internally and available on request.
Mindsetor will respond to reasonable customer information requests in support of the Customer's own accountability obligations, including:
For procurement teams whose internal playbook requires a bilateral on-site audit, Mindsetor accepts reasonable on-site or remote audits with at least 30 days' written notice, at the Customer's cost, no more than once per twelve-month period (or as needed in response to a documented incident), conducted in a way that does not unreasonably interfere with Mindsetor's operations or compromise the confidentiality of other customers' data. SOC 2 Type II / ISO 27001 third-party audits are planned for 2027 once enterprise demand and revenue support an external programme; until then, the documents above (and a CSA CAIQ self-assessment) substitute for third-party certification.
Mindsetor is not directly in scope of NIS2 / the Dutch Cybersecurity Act (Cbw). It supports its Customers' supply-chain compliance with their own NIS2 obligations through: incident notification (per §8 above; NIS2 24-hour early warning + 72-hour full notification timelines documented in `docs/compliance/incident_response_nis2.md`), the technical and organisational measures in §4, the audit and assurance access in §10, and the sub-processor change-notification mechanism in §3. A formal NIS2 scope assessment is documented internally and shared on request.
This Schedule applies for the term of the Master Service Agreement to which it is attached. Mindsetor may update this Schedule from time to time to reflect changes in law, sub-processors, or technical and organisational measures. Material changes are communicated by email to the Customer's designated contact at least 30 days in advance, with a right of objection on the same terms as for sub-processor changes (§3). The current version is always available at mindsetor.com/data-handling-annex; the version attached to the signed MSA is the version that applies if the Customer does not accept a subsequent update.
All data-protection inquiries: support@mindsetor.com.
Mindsetor has not designated a Data Protection Officer under GDPR Art. 37(1). The formal assessment, applying the EDPB Guidelines 4/2017 four-factor "large-scale" test, is documented internally and available on request; David Chakrian (Founder & Director) is the documented data-protection escalation point.