Data Processing Agreement

Last updated: April 8, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between you ("Customer" or "Controller") and MindGryd Software Private Limited, a company incorporated under the laws of India ("MindGryd" or "Processor"), and governs the processing of personal data by MindGryd on behalf of Customer in connection with the Areev platform (the "Service").

This DPA applies to the extent that MindGryd processes personal data on behalf of Customer as a data processor. Where MindGryd processes personal data as an independent controller (e.g., account management, billing, website analytics), such processing is governed by the Privacy Policy, not this DPA.

1. Definitions

In addition to terms defined in the Agreement, the following definitions apply:

  • "Applicable Data Protection Law" means all laws and regulations applicable to the processing of personal data under this DPA, including (as applicable) the EU General Data Protection Regulation (GDPR), UK GDPR, Swiss Federal Act on Data Protection (FADP), California Consumer Privacy Act (CCPA/CPRA), India's Digital Personal Data Protection Act, 2023 (DPDPA), and the U.S. Health Insurance Portability and Accountability Act (HIPAA);
  • "Customer Content" means all data, including personal data, submitted to the Service by Customer or on Customer's behalf, including memory grains, embeddings, metadata, and agent interaction data;
  • "Data Subject" means an identified or identifiable natural person whose personal data is processed under this DPA;
  • "Personal Data" means any information relating to a Data Subject that is processed by MindGryd as part of Customer Content;
  • "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction;
  • "Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed under this DPA;
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission (Decision 2021/914), and as may be amended, superseded, or replaced from time to time;
  • "Sub-processor" means any third party engaged by MindGryd to process personal data on behalf of Customer.

2. Scope and Purpose of Processing

2.1 Role of the Parties

Customer is the data controller and determines the purposes and means of processing personal data. MindGryd is the data processor and processes personal data solely on behalf of Customer and in accordance with Customer's documented instructions.

2.2 Subject Matter and Duration

MindGryd processes personal data for the duration of the Agreement to provide the Service. The subject matter is the storage, retrieval, indexing, search, and management of Customer Content within the Areev AI agent memory database.

2.3 Categories of Data Subjects

Data subjects are determined by Customer and may include Customer's employees, contractors, end users, customers, or any other individuals whose personal data is submitted to the Service.

2.4 Types of Personal Data

The types of personal data processed are determined by Customer and may include names, contact information, identifiers, behavioral data, preferences, and any other personal data contained within memory grains or other Customer Content.

2.5 Special Categories of Data

Customer may submit special categories of personal data (e.g., health data subject to HIPAA) to the Service. Customer acknowledges that it is solely responsible for ensuring a lawful basis for processing such data and for enabling appropriate compliance features within the Service. MindGryd provides compliance tools (including PII/PHI detection, encryption, and audit trails) to assist Customer, but does not independently determine whether Customer Content contains special categories of data.

3. Customer Obligations

Customer shall:

  • Ensure that it has a lawful basis for processing personal data and for instructing MindGryd to process personal data on its behalf;
  • Provide all required notices to, and obtain all required consents or authorizations from, Data Subjects as required by Applicable Data Protection Law;
  • Ensure that its instructions to MindGryd comply with Applicable Data Protection Law;
  • Be solely responsible for the accuracy, quality, and legality of personal data submitted to the Service;
  • Configure the Service's compliance, encryption, and security features appropriately for its regulatory requirements;
  • Maintain independent backups of Customer Content where appropriate.

4. MindGryd Obligations as Processor

MindGryd shall:

  • Process personal data only on Customer's documented instructions, unless required to do so by applicable law, in which case MindGryd shall (to the extent permitted by law) inform Customer of the legal requirement before processing;
  • Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • Implement and maintain appropriate technical and organizational security measures as described in Section 6;
  • Not use personal data for any purpose other than providing the Service as described in the Agreement, including not using Customer Content to train or develop AI models or any other product;
  • Assist Customer, taking into account the nature of processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to Data Subject requests (see Section 7);
  • Assist Customer in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of processing and the information available to MindGryd;
  • At Customer's choice, delete or return all personal data to Customer after the end of the provision of the Service, unless applicable law requires retention, and delete existing copies unless applicable law requires storage;
  • Make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, subject to the terms of Section 9.

5. Sub-processors

5.1 Authorization

Customer provides MindGryd with general authorization to engage sub-processors for the purpose of providing the Service. MindGryd shall maintain a list of current sub-processors, which Customer may request by contacting MindGryd at the address provided in Section 14.

5.2 Notification of Changes

MindGryd shall notify Customer of any intended changes concerning the addition or replacement of sub-processors at least fifteen (15) days prior to such engagement, giving Customer the opportunity to object. Notification will be provided via email to the address associated with Customer's account.

5.3 Objection Right

If Customer reasonably objects to a new sub-processor on data protection grounds, MindGryd shall use commercially reasonable efforts to make available to Customer a change in the Service or recommend a commercially reasonable alternative. If MindGryd is unable to provide an alternative within thirty (30) days of receiving the objection, either party may terminate the affected portion of the Service by providing written notice. MindGryd shall provide a pro-rated refund of any prepaid fees for the terminated portion of the Service.

5.4 Sub-processor Obligations

MindGryd shall impose on each sub-processor data protection obligations no less protective than those set out in this DPA through a written contract. MindGryd remains fully liable to Customer for the performance of each sub-processor's obligations under such contract.

6. Security Measures

6.1 Technical and Organizational Measures

MindGryd implements and maintains appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

  • Encryption at rest: AES-256-GCM per-user encryption keys, with support for customer-managed keys via HashiCorp Vault, AWS KMS, or PKCS#11 HSM;
  • Encryption in transit: TLS 1.2 or higher for all data transmission;
  • Access controls: Role-based access control, API key authentication, and session management;
  • Audit logging: Immutable, hash-chained audit trail of all operations on Customer Content;
  • Infrastructure security: Regular security assessments, code reviews, and vulnerability management;
  • Data isolation: Strict logical separation of Customer Content between customers;
  • Personnel: Confidentiality obligations for all MindGryd personnel with access to personal data.

6.2 Security Improvements

MindGryd may update its security measures from time to time, provided that such updates do not materially decrease the overall level of protection afforded to personal data.

7. Data Subject Requests

MindGryd shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject to exercise their rights under Applicable Data Protection Law (e.g., access, rectification, erasure, portability, restriction, or objection). MindGryd shall not respond to such requests directly except on Customer's documented instructions or as required by applicable law.

MindGryd provides the following Service features to assist Customer in responding to Data Subject requests:

  • Cryptographic erasure: Permanent deletion of all data associated with a user by destroying the per-user encryption key;
  • Data export: API and console capabilities for exporting Customer Content in structured formats;
  • Search and retrieval: Tools to locate and retrieve specific data within stored memory grains;
  • Audit trail: Verifiable records of all processing operations for accountability purposes.

Where MindGryd's assistance requires significant effort beyond standard Service functionality, MindGryd may charge reasonable fees based on the actual cost of providing such assistance.

8. Security Incident Notification

8.1 Notification

MindGryd shall notify Customer of a confirmed Security Incident without undue delay and in any event within seventy-two (72) hours of becoming aware of the incident. Notification shall be provided to the email address associated with Customer's account.

8.2 Content of Notification

The notification shall include, to the extent available at the time of notification:

  • A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and records affected;
  • The name and contact details of MindGryd's point of contact;
  • A description of the likely consequences of the Security Incident;
  • A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects.

Where it is not possible to provide all information at the same time, MindGryd shall provide information in phases without undue delay.

8.3 Exclusions

MindGryd's notification of, or response to, a Security Incident shall not be construed as an admission of fault or liability. MindGryd shall not be responsible for Security Incidents caused by Customer's actions, Customer's misconfiguration of the Service, unauthorized credential sharing, or third-party services outside MindGryd's control.

9. Audit Rights

9.1 Information and Reports

Upon Customer's written request (no more than once per twelve-month period, unless required by Applicable Data Protection Law or a supervisory authority), MindGryd shall make available information reasonably necessary to demonstrate compliance with this DPA. MindGryd may satisfy this obligation by providing: (a) a copy of its most recent SOC 2 Type II report or equivalent third-party audit report; (b) responses to a reasonable security questionnaire; or (c) other documentation demonstrating compliance.

9.2 On-site Audits

If Customer reasonably determines that the documentation provided under Section 9.1 is insufficient to verify compliance, Customer may request an on-site audit of MindGryd's processing activities, subject to the following conditions:

  • Customer shall provide at least thirty (30) days' prior written notice;
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt MindGryd's operations;
  • Customer shall bear its own costs of the audit. If the audit requires significant MindGryd personnel time, Customer shall reimburse MindGryd's reasonable costs;
  • Auditors shall be bound by confidentiality obligations and shall not access other customers' data or MindGryd's proprietary systems beyond what is strictly necessary;
  • Customer may engage an independent, qualified third-party auditor (subject to MindGryd's reasonable approval, not to be unreasonably withheld) to conduct the audit.

9.3 Regulatory Audits

Nothing in this section limits any audit rights that a supervisory authority, regulator, or other competent authority may have under Applicable Data Protection Law.

10. International Data Transfers

Where the processing of personal data under this DPA involves a transfer of personal data from the EEA, United Kingdom, or Switzerland to a country that has not been deemed adequate by the relevant authority, the parties agree that:

  • The Standard Contractual Clauses (Module Two: Controller to Processor) are hereby incorporated by reference and form an integral part of this DPA, with Customer as "data exporter" and MindGryd as "data importer";
  • For transfers from the UK, the UK International Data Transfer Addendum to the EU SCCs shall apply;
  • For transfers from Switzerland, the SCCs shall apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner;
  • MindGryd shall implement supplementary technical and organizational measures (including encryption at rest and in transit) where necessary to ensure an essentially equivalent level of protection.

MindGryd shall not be liable for acts of governmental authorities, changes in adequacy decisions, or legal developments in recipient countries that may affect the validity of transfer mechanisms, provided that MindGryd cooperates with Customer in good faith to implement alternative lawful transfer mechanisms if an existing mechanism is invalidated.

11. HIPAA Provisions

If Customer is a Covered Entity or Business Associate under HIPAA and uses the Service to process Protected Health Information (PHI), the following additional terms apply:

  • MindGryd shall be considered a Business Associate as defined under HIPAA;
  • MindGryd shall not use or disclose PHI other than as permitted or required by this DPA and the Agreement, or as required by law;
  • MindGryd shall implement safeguards as required by the HIPAA Security Rule to prevent unauthorized use or disclosure of PHI;
  • MindGryd shall report to Customer any use or disclosure of PHI not provided for by this DPA of which MindGryd becomes aware;
  • Customer must enable the appropriate compliance profile (HIPAA) within the Service configuration and is responsible for determining whether the Service's security controls satisfy its HIPAA obligations.

This Section 11 shall constitute the Business Associate Agreement between the parties to the extent required by HIPAA. Where there is a conflict between this Section and other provisions of this DPA, this Section shall prevail with respect to PHI.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement. Nothing in this DPA limits either party's liability to Data Subjects under Applicable Data Protection Law to the extent such limitation is not permitted by law.

Customer shall indemnify MindGryd against any claims, damages, losses, or expenses arising from: (a) Customer's breach of its obligations as data controller; (b) Customer's unlawful processing instructions; (c) Customer's failure to obtain required consents or provide required notices to Data Subjects; or (d) Customer's misconfiguration of the Service's compliance or security features.

13. Term and Termination

13.1 Term

This DPA takes effect on the date Customer first uses the Service and remains in effect for the duration of the Agreement. The obligations regarding personal data processing shall survive termination of the Agreement until all personal data has been deleted or returned in accordance with this DPA.

13.2 Effect of Termination

Upon termination of the Agreement, MindGryd shall:

  • Cease processing personal data on behalf of Customer, except as necessary to comply with applicable law;
  • Make Customer Content available for export for thirty (30) days (cloud deployments) or seven (7) days in read-only mode (self-hosted deployments);
  • After the export period, permanently delete all Customer Content, including by cryptographic erasure where applicable, unless applicable law requires continued retention;
  • Upon request, provide Customer with written confirmation of deletion.

14. Contact

For questions about this DPA, data protection matters, or to submit Data Subject requests, please contact:

MindGryd Software Private Limited
B116, Cheran Ma Nagar, Coimbatore, Tamil Nadu, India — 641035
Website: mindgryd.com
Email:

15. General

  • This DPA is incorporated into and forms part of the Agreement. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of personal data;
  • This DPA, together with the Agreement, the Privacy Policy, and any applicable SCCs, constitutes the entire agreement between the parties regarding the processing of personal data;
  • This DPA is governed by the same governing law and jurisdiction as the Agreement;
  • MindGryd may update this DPA from time to time to reflect changes in Applicable Data Protection Law. Material changes will be communicated via email or through the Service at least thirty (30) days before taking effect. Continued use of the Service after such notice constitutes acceptance of the updated DPA.