
Data Processing Agreement

Last updated: April 25, 2026

This Data Processing Agreement ("DPA") supplements the Terms of Service between Mistvine, Inc. ("Processor") and the customer organization ("Controller") and governs the processing of personal data under GDPR, UK GDPR, and the Swiss Federal Act on Data Protection (FADP).

This DPA applies automatically to all customers who are subject to EU/UK/Swiss data protection law. No separate signature is required.

Table of Contents

  • 1. Definitions
  • 2. Scope and Purpose
  • 3. Processing Details
  • 4. Processor Obligations
  • 5. Controller Obligations
  • 6. Data Subject Rights
  • 7. Subprocessors
  • 8. International Transfers
  • 9. Security Measures
  • 10. Data Breach Notification
  • 11. Audit Rights
  • 12. Term and Termination
  • 13. Liability
  • 14. Governing Law
  • Annex I: Processing Details
  • Annex II: Technical & Organizational Measures
  • Annex III: Subprocessor List

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person processed through the Services.

"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, or erasure.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates, including employees and team members of the Controller's organization.

"Subprocessor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Scope and Purpose

The Processor processes Personal Data solely for the purpose of providing the Services as described in the Terms of Service and as documented in Annex I. The Processor will not process Personal Data for any other purpose without prior written consent.

3. Processing Details

See Annex I for complete details on categories of data subjects, types of personal data, and purposes of processing.

4. Processor Obligations

The Processor shall: process Personal Data only on documented instructions from the Controller; ensure persons authorized to process have committed to confidentiality; implement appropriate technical and organizational security measures; assist the Controller in responding to Data Subject requests; and delete or return all Personal Data upon termination.

5. Controller Obligations

The Controller shall: ensure it has a lawful basis for processing; provide accurate and complete data; promptly inform the Processor of any Data Subject requests; and comply with all applicable data protection laws.

6. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR, including access, rectification, erasure, restriction of processing, data portability, and objection.

7. Subprocessors

The Controller provides general written authorization for the Processor to engage subprocessors. The Processor maintains a current subprocessor list at /legal/subprocessors (the authoritative source) and reproduces a snapshot in Annex III for reference. The Processor will notify the Controller at least 30 days before adding or replacing any subprocessor; the Controller may object on reasonable data protection grounds within the notification period.

8. International Transfers

Personal Data is stored and processed in the United States. For transfers from the EEA/UK/Switzerland, the Processor relies on Standard Contractual Clauses (SCCs) as adopted by the European Commission.

9. Security Measures

See Annex II for complete technical and organizational security measures. These include encryption at rest and in transit, access controls, audit logging, and incident response procedures.

10. Data Breach Notification

The Processor shall notify the Controller without undue delay, and no later than 72 hours, after becoming aware of a Personal Data breach. The notification shall include the nature of the breach, categories and approximate number of Data Subjects affected, and measures taken to address the breach.

11. Audit Rights

The Controller may audit the Processor's compliance with this DPA upon reasonable notice. The Processor shall make available to the Controller all information necessary to demonstrate compliance.

12. Term and Termination

This DPA shall remain in effect for the duration of the Terms of Service. Upon termination, the Processor shall delete all Personal Data within 30 days, unless retention is required by law.

13. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service.

14. Governing Law

This DPA is governed by the laws of the State of Delaware, except that data protection provisions shall be governed by applicable data protection law (GDPR, UK GDPR, or FADP).

Annex I: Processing Details

Categories of Data Subjects

Employees, contractors, and team members of the Controller's organization who use the Services.

Types of Personal Data

Names, email addresses, job titles, team assignments, performance feedback, goal data, sentiment votes (anonymous), meeting notes, and career development data.

Purposes of Processing

Providing the performance management, feedback, team health, and career development features of the Services as described in the Terms of Service.

Annex II: Technical & Organizational Measures

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Row-Level Security (RLS) in PostgreSQL
  • JWT-based authentication via Supabase Auth
  • Role-based access control
  • Audit logging for sensitive operations
  • Regular security assessments
  • Incident response procedures with 72-hour notification

Annex III: Subprocessor List

Authoritative source: /legal/subprocessors. The subprocessors page is updated whenever the list changes; the snapshot below is provided for reference only and the linked page wins if they ever drift.

Subprocessor | Purpose | Location
Supabase | Database, authentication, storage, edge functions | United States (US East)
Cloudflare | CDN, edge / Worker compute, DDoS protection | Global edge network
PostHog | Product analytics (privacy-by-default config) | United States
Resend | Transactional email delivery | United States
Stripe | Subscription billing, payment processing | United States
Anthropic Claude | AI insights (data NOT used for model training) | United States

Snapshot date: April 25, 2026. The Controller will be notified of changes per Section 7.

Questions about this DPA? Contact support@mistvine.com
