Last Updated: March 4, 2026
This Data Processing Agreement ("DPA") pursuant to Art. 28 GDPR forms part of the Agreement between Art of X UG (haftungsbeschränkt) ("Processor", "we", "us") and the Customer ("Controller", "you") for the use of our services (the "Main Agreement").
2.1 This DPA applies to all Processing of Personal Data by the Processor on behalf of the Controller in connection with the services.
2.2 The Processor shall process Personal Data only for the purposes of providing the services as described in the Main Agreement and in accordance with the Controller's documented instructions.
2.3 The duration of the Processing corresponds to the term of the Main Agreement, unless further obligations arise from the provisions of this DPA.
| Category | Description |
|---|---|
| Subject Matter | Provision of the AI-powered platform "Minds AI", including synthetic panels, AI personas, and related services |
| Duration | For the term of the Main Agreement |
| Nature and Purpose | Processing of data provided by the Controller for the creation of customer-specific AI models and personas. Analysis, simulation, and generation of synthetic responses. Controller data is not used for training general-purpose models or models accessible to third parties. |
| Types of Personal Data | Contact data (name, email), access credentials, usage data, content data provided by the Controller (text, images, audio), technical data (IP address, browser), payment data (via Stripe) |
| Categories of Data Subjects | Controller's employees and agents, end users invited by the Controller, individuals whose data is entered into the platform by the Controller |
4.1 The Processor shall process Personal Data only on the basis of documented instructions from the Controller, including the instructions set out in this DPA and the Main Agreement, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information.
4.2 Instructions may be given in writing or in text form (including email). Oral instructions shall be confirmed in text form without undue delay.
4.3 The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes data protection law (Art. 28(3) sentence 3 GDPR). The Processor shall be entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the Controller.
The Processor shall:
5.1 Process Personal Data only within the scope of the Controller's instructions and not for its own purposes.
5.2 Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).
5.3 Implement and maintain appropriate technical and organizational measures (TOMs) pursuant to Art. 32 GDPR throughout the duration of this DPA. The current TOMs are described in Appendix 1 – Technical and Organizational Measures (TOM) of this DPA and available at https://getminds.ai/legal/tom.
5.4 Immediately inform the Controller if the Processor becomes aware of any violations of the GDPR or other data protection regulations in connection with the Processing.
5.5 Designate a Data Protection Officer where required by law. The current Data Protection Officer is:
Prof. Dr. Norman Uhlmann, h3ko Innovations GmbH, Pappelallee 64, 16359 Biesenthal, Germany. Email: [email protected]
6.1 The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligations to respond to requests for exercising the data subjects' rights laid down in Chapter III of the GDPR (access, rectification, erasure, restriction of processing, data portability, objection).
6.2 If a data subject contacts the Processor directly with a request, the Processor shall forward the request to the Controller without undue delay.
7.1 The Processor shall assist the Controller, taking into account the nature of the Processing and the information available to the Processor, in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, in particular:
7.2 The Processor shall assist the Controller with requests and investigations by data protection supervisory authorities relating to the commissioned Processing.
8.1 The Controller hereby grants the Processor general written authorization to engage Sub-processors pursuant to Art. 28(2) GDPR, subject to the requirements of this section.
8.2 The current Sub-processors at the time of conclusion of this DPA are listed at https://getminds.ai/legal/subprocessors.
8.3 The Processor shall notify the Controller of any intended addition or replacement of Sub-processors at least 14 days before the planned change, giving the Controller the opportunity to object.
8.4 If the Controller raises objections within the notice period, the parties shall endeavor to reach an amicable solution. If this is not possible, the Controller shall have the right to terminate the Main Agreement with immediate effect.
8.5 The Processor shall contractually ensure that Sub-processors are bound by data protection obligations no less protective than those set out in this DPA (Art. 28(4) GDPR). The Processor shall be liable for the acts and omissions of its Sub-processors as for its own acts and omissions.
9.1 Processing of Personal Data in a third country or by an international organization shall only take place where the specific conditions of Articles 44 et seq. GDPR are met.
9.2 For Sub-processors located in the United States, transfers are carried out on the basis of:
9.3 For Sub-processors in the United Kingdom, the European Commission's adequacy decision (Decision 2021/1772) applies.
9.4 The Processor monitors the status of applicable adequacy decisions and transfer mechanisms and shall inform the Controller if changes require an adjustment to the transfer basis.
10.1 The Processor shall notify the Controller without undue delay, and in any event within 48 hours, upon becoming aware of a Personal Data breach.
10.2 The notification shall include at a minimum:
10.3 The Processor shall assist the Controller in fulfilling the notification obligations pursuant to Articles 33 and 34 GDPR.
11.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.
11.2 The Controller shall be entitled to conduct audits, including inspections, at the Processor's premises or have them conducted by an appointed auditor. Such audits shall take place upon reasonable notice (at least 14 days) during normal business hours and shall not unreasonably disrupt the Processor's business operations.
11.3 The Processor may present current audit reports, certifications, or extracts thereof to demonstrate compliance.
11.4 Appointed third-party auditors must be bound by confidentiality obligations in advance. Audit costs shall be borne by the Controller, unless a breach by the Processor is established.
12.1 Upon termination of the Main Agreement, the Processor shall delete all Personal Data processed on behalf of the Controller within 30 days, unless the Controller requests the return of the data in a common, machine-readable format.
12.2 Deletion shall be carried out in accordance with the current state of the art and shall be confirmed to the Controller in writing upon request.
12.3 Where retention is required under Union or Member State law, the Processor shall inform the Controller of the retention obligation and the data concerned.
13.1 The parties' liability shall be governed by Art. 82 GDPR.
13.2 The Processor shall be liable to the Controller for damages attributable to Processing that does not comply with the GDPR or the Controller's instructions.
13.3 The Processor shall be liable for the acts and omissions of its Sub-processors as for its own acts and omissions.
13.4 Liability is otherwise subject to the limitations set forth in the Main Agreement, insofar as this is compatible with the mandatory provisions of the GDPR.
14.1 This DPA shall be governed by the laws of the Federal Republic of Germany.
14.2 The exclusive place of jurisdiction for all disputes arising from or in connection with this DPA shall be Berlin, to the extent legally permissible.
14.3 Amendments and supplements to this DPA must be made in writing.
14.4 Should any provision of this DPA be or become invalid, the validity of the remaining provisions shall not be affected.
14.5 In the event of conflicts between this DPA and the Main Agreement, this DPA shall prevail with respect to the protection of Personal Data.
Art of X UG (haftungsbeschränkt), Goethestr. 59, 10625 Berlin, Germany. Managing Directors: Friedrich von Borries and Alexander Doudkin
For questions regarding this DPA, contact: [email protected]
Last Updated: February 20, 2026
Art of X UG (haftungsbeschränkt) ("Minds AI") implements the following technical and organizational measures pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risk involved in the processing of personal data.
Minds AI infrastructure is hosted exclusively with certified cloud providers:
Physical security (biometric access controls, 24/7 surveillance, access logging) is fully managed by the cloud providers.
These technical and organizational measures are reviewed regularly and updated as necessary to ensure a level of protection consistent with the current state of the art.