Data Processing Agreement

Last updated: April 3, 2026

For business customers. This DPA applies when you use MindFrame's Teams, Employer Report, or Research API features as a business entity and you process personal data of your employees or users on MindFrame. Individual users are covered by the Privacy Policy.

1. Definitions

In this Data Processing Agreement ("DPA"):

  • "Controller" means the business customer (you) who determines the purposes and means of processing personal data.
  • "Processor" means VaultSpark Studios LLC, which processes personal data on behalf of the Controller.
  • "Data Subject" means an individual whose personal data is processed (e.g., your employees using MindFrame through a team account).
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on personal data.
  • "GDPR" means EU Regulation 2016/679 (General Data Protection Regulation).

2. Subject Matter

This DPA governs the processing of personal data by VaultSpark (as Processor) on behalf of the business customer (as Controller) in connection with the use of MindFrame's:

  • Teams module (team accounts, invite codes, team leaderboards, manager dashboard)
  • Employer Report module (employee cognitive analytics and reporting)
  • Research API (anonymised aggregate data access)

3. Processor Obligations

VaultSpark (as Processor) agrees to:

  • Process personal data only on documented instructions from the Controller
  • Ensure that all personnel authorised to process the personal data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures (see Section 6)
  • Not engage sub-processors without prior written authorisation from the Controller (see Section 5 for the list of authorised sub-processors)
  • Assist the Controller in fulfilling its obligations to respond to Data Subject rights requests
  • Delete or return all personal data upon termination of the service relationship, at the Controller's option
  • Make available all information necessary to demonstrate compliance with GDPR Article 28
  • Notify the Controller without undue delay (within 72 hours where feasible) upon becoming aware of a personal data breach affecting Controller's data

4. Controller Obligations

You (as Controller) agree to:

  • Have a lawful basis for instructing VaultSpark to process personal data on your behalf
  • Inform your employees or users that their cognitive session data is processed by MindFrame
  • Not instruct VaultSpark to process personal data in a way that would violate applicable data protection law
  • Respond to Data Subject rights requests within applicable timeframes (with VaultSpark's assistance)

5. Authorised Sub-processors

VaultSpark uses the following sub-processors to deliver MindFrame. By accepting this DPA, you authorise the use of these sub-processors:

Sub-processor      Purpose                                        Location
Supabase           Authentication + PostgreSQL database           USA (AWS)
Railway            API server hosting                             USA
Vercel             Web hosting + CDN                              USA (AWS)
Anthropic          AI coaching and scoring (Claude API)           USA
Upstash (Redis)    Response caching                               USA
Resend             Transactional and notification email           USA
Stripe             Payment processing (billing customers only)    USA
PostHog            Product analytics (consented usage only)       EU/USA

VaultSpark will notify Controllers of any intended changes to this sub-processor list at least 14 days in advance, providing an opportunity to object.

6. Security Measures

VaultSpark implements the following technical and organisational security measures to protect personal data:

  • Encryption in transit: all data transmitted over TLS 1.2 or higher
  • Encryption at rest: database encrypted at rest by Supabase (AES-256)
  • Access control: role-based access; production database restricted to the API service only
  • Authentication: short-lived JWT tokens; passwords hashed with bcrypt
  • Incident response: 72-hour breach notification; documented incident response procedure
  • Audit logging: server request logs retained for 30 days; AI usage logged

7. International Data Transfers

VaultSpark is based in the United States. When personal data from the EEA, UK, or Switzerland is transferred to the United States, the transfer is governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission, Module Two (controller-to-processor), which are incorporated into this DPA by reference.

8. Data Retention and Deletion

Upon termination of the business relationship:

  • Employee/user session data and cognitive records will be deleted within 30 days of written request
  • Team configuration data will be deleted within 30 days
  • Financial records required by law (7 years) will be retained in anonymised form

9. Audits and Inspections

VaultSpark will provide Controllers with all information reasonably necessary to demonstrate compliance with this DPA. Controllers may request an audit no more than once per 12-month period, with at least 30 days' written notice. Audits are conducted at the Controller's expense.

10. Entering into this DPA

This DPA is incorporated into and forms part of the MindFrame Terms of Service. By using MindFrame's Teams, Employer Report, or Research API features on behalf of a business entity, you accept this DPA.

For a countersigned DPA (required by some enterprise procurement processes), email legal@usemindframe.com and we will provide a signed copy within 5 business days.

DPA enquiries: legal@usemindframe.com
VaultSpark Studios LLC