Data Processing Agreement

Last updated: 04 November, 2025

This Data Processing Agreement (“Agreement”) governs Mynder AS’s processing of personal data on behalf of its customers through the Mynder platform. The Agreement forms an integral part of the platform’s Terms of Use and applies to all use where Mynder acts as a Data Processor.

Parties

  • Data Controller: The Customer (legal entity using the Mynder platform)
  • Data Processor: Mynder AS, org. no. 831 377 372, Lars Hillesgate 19, 5008 Bergen, Norway – email: Hei[@]mynder.no.

    Purpose of Processing

    Mynder processes personal data solely to deliver and improve the platform. Typical purposes include:

    • Account and user management
    • Access control and security
    • Compliance and risk management
    • Generation of policy drafts, assessments, and recommendations based on customer input
    • Technical support and service operation

    Mynder never processes personal data for its own independent purposes.

    Categories of Data Subjects and Data

  • Data Subjects: Employees of the Customer using the platform, system owners, supplier contacts, data protection officers, and security officers.
  • Data: Name, email address, company name, role, assessments, user input, metadata, and phone numbers for designated security or emergency contacts.

    Duration

    This Agreement applies for as long as the Customer uses the Mynder platform.

    Mynder’s Obligations as Data Processor

    Mynder undertakes to:

    • Process data only in accordance with the Customer’s instructions
    • Ensure confidentiality, integrity, and availability
    • Implement appropriate technical and organisational measures
    • Maintain access control, logging, encryption, and secure data separation
    • Ensure that employees and sub-processors are bound by confidentiality obligations

    Use of Sub-processors

    To deliver a secure and scalable platform, Mynder uses reputable sub-processors who process personal data only on Mynder’s behalf and in accordance with this Agreement:

    • Microsoft Azure (EU/EEA): Primary cloud platform for hosting, storage, databases, and infrastructure. All data are stored in the EU/EEA (Ireland region) and encrypted at rest and in transit.
    • OpenAI via Azure (EU region): Used to analyse and generate text suggestions based on content provided by the Customer. Data are processed only during active use and are not retained for model training.
    • Zitadel (Switzerland – adequacy decision): Used for authentication, login, and identity management, providing role-based access control and MFA.
    • Google Cloud (EU region): Used to retrieve publicly available online information for analysis based on the Customer’s request.

    All sub-processors are bound by agreements ensuring the same level of data protection and security as this Agreement. An updated list is always available on Mynder’s website.

    Transfer to Third Countries

    Mynder strives to ensure that all processing takes place within the EU/EEA. In cases where data are transferred to third countries, valid transfer mechanisms such as the EU Standard Contractual Clauses (SCCs) or adequacy decisions are used.

    Security Measures

    Mynder implements technical and organisational measures to protect confidentiality, integrity, and availability, including:

    • Role-based access control (RBAC) and multi-factor authentication (MFA)
    • Principle of least privilege
    • Encryption at rest and in transit (TLS/HTTPS, AES-256)
    • Logging and monitoring of access and events
    • Segregation of customer data between environments
    • Regular audits of security practices and technical controls
    • Backup, recovery, and incident-handling procedures
    • Employee training on information security and confidentiality
    • Follow-up of sub-processors through contractual and risk assessments

    Customer Rights and Assistance

    Mynder assists the Customer in fulfilling obligations under the GDPR, including:

    • Access, rectification, and deletion of data
    • Handling of data subject requests
    • Notification and documentation of security breaches
    • Responses to supervisory authorities

    Audit and Inspection

    The Customer may verify that Mynder complies with this Agreement. Mynder will provide the necessary documentation and information to demonstrate compliance. Audits may be conducted by agreement and with reasonable notice, in a manner that does not unduly disrupt Mynder’s operations.

    Data Storage, Return and Deletion

    The Data Processor stores personal data for as long as necessary to fulfil the agreed purposes or while the Customer maintains an active account. When the purpose ceases or upon the Customer’s request, personal data will be deleted or anonymised in a secure manner so that they cannot be recovered or used.

    Operational data will be deleted or anonymised no later than 30 days after termination of the customer relationship. Data contained in backups or archives will be deleted or overwritten no later than 180 days after termination. System logs and metadata will be anonymised within 90 days unless longer retention is required for security, troubleshooting, or legal obligations.

    If the Customer requests earlier deletion, the request will be fulfilled without undue delay and no later than within 30 days.

    Amendments

    Mynder may update this Agreement. Material changes will be notified in advance. The current version is always available at www.mynder.no.

    Contact Information

    Questions regarding data processing, deletion, or sub-processor use may be directed to Mynder AS at Hei[@]mynder.no.