Last Updated: January 22, 2026
This Data Processing Agreement ("DPA") forms part of the Agreement between Art of X UG (haftungsbeschränkt) ("Processor", "we", "us") and the Customer ("Controller", "you") for the use of our services.
2.1 This DPA applies to all Processing of Personal Data by the Processor on behalf of the Controller in connection with the services.
2.2 The Processor shall process Personal Data only for the purposes of providing the services as described in the main Agreement and in accordance with the Controller's documented instructions.
| Category | Description |
|---|---|
| Subject Matter | Provision of AI-powered synthetic panel and persona services |
| Duration | For the term of the Agreement |
| Nature and Purpose | Analysis, simulation, and generation of synthetic responses |
| Types of Personal Data | Names, contact information, professional data, behavioral data as provided by Controller |
| Categories of Data Subjects | Customer employees, end users, panel participants |
The Processor shall:
4.1 Process Personal Data only on documented instructions from the Controller, unless required by law.
4.2 Ensure that persons authorized to process Personal Data have committed to confidentiality.
4.3 Implement appropriate technical and organizational measures to ensure security of processing, including:
4.4 Not engage another processor (Sub-processor) without prior written authorization from the Controller.
4.5 Assist the Controller in responding to data subject requests (access, rectification, erasure, portability).
4.6 Assist the Controller in ensuring compliance with obligations regarding security, breach notification, and data protection impact assessments.
4.7 At the Controller's choice, delete or return all Personal Data upon termination of services.
4.8 Make available all information necessary to demonstrate compliance and allow for audits.
5.1 The Controller grants general authorization for the engagement of Sub-processors, subject to the requirements in this section.
5.2 Current Sub-processors are listed at: https://getminds.ai/legal/subprocessors
5.3 The Processor shall inform the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object.
5.4 The Processor shall ensure that Sub-processors are bound by data protection obligations no less protective than those in this DPA.
6.1 The Processor shall not transfer Personal Data outside the European Economic Area (EEA) unless appropriate safeguards are in place, such as:
6.2 The Controller authorizes transfers to Sub-processors in the United States under the EU-US Data Privacy Framework or SCCs as applicable.
7.1 The Processor shall notify the Controller without undue delay (and in any event within 48 hours) upon becoming aware of a Personal Data breach.
7.2 The notification shall include:
8.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA.
8.2 The Controller may conduct audits, including inspections, upon reasonable notice. The Processor may charge reasonable fees for audit support beyond annual audits.
9.1 Each party's liability under this DPA is subject to the limitations set forth in the main Agreement.
9.2 The Processor shall indemnify the Controller for damages arising from the Processor's breach of this DPA or applicable data protection laws.
10.1 This DPA shall remain in effect for the duration of the Agreement.
10.2 Upon termination, the Processor shall, at the Controller's option, delete or return all Personal Data within 30 days, unless retention is required by law.
Art of X UG (haftungsbeschränkt) Goethestr. 59, 10625 Berlin, Germany
For questions regarding this DPA, contact: [email protected]
No account yet?