MINDMATRIX Legal Documentation
Data Processing Addendum
This Data Processing Addendum sets out the controller and processor responsibilities between MINDMATRIX and each Customer where Customer-controlled personal data is processed through the MINDMATRIX platform.
This document should be read together with the MINDMATRIX Privacy Policy, Commercial Licence & Platform Terms, Cookies & Telemetry Notice, Subprocessor List and any applicable order form, proposal or service agreement.
1. Roles
The Customer is controller for personal data relating to its own customers, leads, enquiries, communications, job records, media, attachments and business operations where the Customer determines the purposes and means of processing.
MINDMATRIX acts as processor where it stores, routes, classifies, summarises, exports or otherwise handles Customer-controlled personal data on the Customer's behalf through the platform.
MINDMATRIX may act as controller for personal data processed for its own account administration, billing, onboarding, support, platform security, legal compliance, service management and product improvement purposes.
2. Processing Scope
Processing may include capture and routing of communications from approved channels such as email, web forms, WhatsApp and any later approved channels.
Processing may also include enquiry sorting, classification, summarisation, thread management, attachment handling, workflow assistance, quote-preparation support, exports and related platform operations.
Authentication, audit logs, usage monitoring, operational telemetry and authorised support access may also be processed where required to secure, operate, support and improve the service.
3. Customer Instructions and Responsibilities
The Customer is responsible for configuring lawful communications, providing required privacy notices, obtaining any required permissions or consents, maintaining accurate Customer account information and ensuring that its use of MINDMATRIX complies with applicable data protection, marketing, cookie and communications laws.
The Customer must not instruct MINDMATRIX to process personal data in a way that is unlawful, discriminatory, deceptive, unsafe or otherwise impermissible.
The Customer remains responsible for the content, accuracy and lawfulness of personal data submitted to or processed through the platform by the Customer, its authorised users or its connected channels.
4. Security Principles
MINDMATRIX will use reasonable technical and organisational measures designed to protect personal data against unauthorised access, accidental or unlawful destruction, loss, alteration, disclosure, misuse or unlawful processing.
Such measures may include access controls, authentication controls, role-based permissions, system monitoring, security logging, provider security controls, operational procedures and staff or contractor confidentiality obligations.
Customer-facing automation should remain disclosed and reviewable where appropriate, and Customers should maintain suitable human review, escalation and handover processes for customer-facing communications.
5. Subprocessors and Transfers
MINDMATRIX may use subprocessors to deliver hosting, messaging, email, AI-assisted functionality, support, storage, billing, authentication and related platform operations.
MINDMATRIX shall take reasonable steps to appoint subprocessors that are appropriate for the relevant service and to require subprocessors to process personal data under contractual, confidentiality, security and data protection obligations.
Personal data may be processed or stored in the United Kingdom, the European Economic Area, the United States or other jurisdictions depending on provider infrastructure and service configuration. Where required, MINDMATRIX shall use appropriate transfer safeguards.
6. Assistance, Retention and Deletion
MINDMATRIX will provide reasonable assistance for deletion, export, correction or rights-response workflows where required by applicable law and where technically and commercially practical.
Customers remain responsible for their own privacy notices, lawful basis, customer relationship decisions and data subject rights handling where they determine the purposes and means of processing.
Customer-controlled personal data shall be retained, returned, deleted or anonymised in accordance with the Customer's instructions, platform functionality, applicable agreement terms and any legal, security, technical or operational limitations.