Data Processing Addendum (DPA)

Effective date: 2026

This Data Processing Addendum (“DPA”) applies to UmamiMind’s provision of the Mission Control platform (the “Service”) to an organization (“Customer”). To the extent UmamiMind processes Personal Data on behalf of Customer in connection with the Service, this DPA governs that processing and is incorporated into the parties’ applicable agreement.

1. Roles of the Parties

  • Customer is the “Controller” (or “Business”) of Personal Data.
  • UmamiMind is the “Processor” (or “Service Provider”) acting on Customer’s instructions.

2. Scope of Processing

UmamiMind will process Personal Data only as necessary to provide the Service, including governed AI workflows, auditability, security monitoring, and support.

  • Categories of data subjects: Customer users, administrators, and end users (as applicable).
  • Types of Personal Data: account identifiers, user content submitted to the Service, usage metadata, logs.
  • Purpose: operate, secure, and improve the Service; enforce policies and budgets; provide support.
  • Duration: for the term of the agreement plus any configured retention period and legal requirements.

3. Customer Instructions

Customer instructs UmamiMind to process Personal Data to provide the Service. Customer may configure governance controls (policies, budgets, model allowlists, retention) within the Service which constitute documented instructions. UmamiMind will inform Customer if an instruction appears to violate applicable law.

4. Confidentiality

UmamiMind ensures personnel authorized to process Personal Data are bound by confidentiality obligations appropriate to their access.

5. Security Measures

UmamiMind maintains technical and organizational measures designed to protect Personal Data, including access controls, encryption in transit, audit logging, and environment isolation. Security controls may evolve as the Service is improved.

6. Subprocessors

UmamiMind may engage subprocessors to provide infrastructure and AI capabilities. UmamiMind will maintain contractual obligations with subprocessors consistent with this DPA and remains responsible for their performance. A current list is available on the Subprocessors page.

7. International Transfers

Where Personal Data is transferred internationally, UmamiMind will use appropriate transfer mechanisms where required (e.g., Standard Contractual Clauses) and apply supplementary safeguards as appropriate to the risk.

8. Assistance

Considering the nature of processing, UmamiMind will provide reasonable assistance to Customer to (a) respond to data subject requests and (b) support Customer’s security, breach notification, and impact assessment obligations, as applicable.

9. Deletion and Return

Upon termination of the Service, UmamiMind will delete or return Personal Data in accordance with the agreement and Customer-configured retention settings, unless retention is required by law.

10. Audits

Customer may audit UmamiMind’s compliance with this DPA through (a) documentation made available by UmamiMind (including security and governance materials) and (b) reasonable audit requests, subject to confidentiality, security, and scheduling constraints.

11. Precedence

If there is a conflict between this DPA and the agreement, this DPA controls with respect to Personal Data processing obligations.

12. Contact

For DPA inquiries, contact:
privacy@umamimind.ai