Data Processing Addendum
Version 1.0 · Effective March 11, 2026
Standard DPA for enterprise customers processing personal data through Bespoke Mentis products. Required for GDPR Article 28 compliance.
How to Execute a DPA
This page provides the standard terms of our Data Processing Addendum. To execute a signed DPA for your organization, email us with the subject line "DPA Request — [Company Name]". We aim to return a countersigned DPA within 5 business days. Enterprise customers may also request a HIPAA Business Associate Agreement (BAA) or custom DPA modifications by the same process.
§ 1 — Definitions
§ 2 — Processing Details
| Item | Details |
|---|---|
| Nature of processing | Storage, retrieval, analysis, AI-assisted transformation, and delivery of outputs, as required to provide the contracted product services (MIOS, Agent Conexus, Foresight, Mentis Console) |
| Purpose of processing | To deliver the enterprise AI platform services described in the applicable Order Form or MSA |
| Duration of processing | For the term of the applicable agreement plus any data retention period specified in the DPA or Privacy Policy |
| Types of personal data | Business contact data, professional details, CRM records, outbound pipeline data, pharmaceutical intelligence data, engineering project data, and other data submitted by the Controller through the Services |
| Categories of data subjects | Controller's employees, contractors, clients, prospects, and other individuals whose data is submitted to the Services by the Controller |
§ 3 — Processor Obligations
Bespoke Mentis, as Processor, agrees to:
- Process personal data only on documented instructions from the Controller, unless required by law
- Ensure that persons authorized to process personal data have committed to confidentiality
- Implement appropriate technical and organizational security measures (see § 5)
- Not use personal data to train, fine-tune, or improve AI models — including third-party AI models — without explicit written consent
- Not process personal data for any purpose other than providing the contracted services
- Assist the Controller in responding to Data Subject rights requests (access, deletion, portability, etc.) within the timeframes required by applicable law
- Notify the Controller without undue delay (and within 72 hours where feasible) after becoming aware of a personal data breach, so that the Controller can meet its own notification deadline under GDPR Article 33
- Maintain records of processing activities as required by GDPR Article 30
- Make available all information necessary to demonstrate compliance with GDPR Article 28 obligations
- Allow for and contribute to audits and inspections by the Controller or a mandated auditor, upon reasonable written notice
- Delete or return all personal data upon termination of services, per the Controller's documented instructions, and delete existing copies unless applicable law requires otherwise
§ 4 — Sub-processors
The Controller provides general written authorization for Bespoke Mentis to engage the sub-processors listed at bespokementis.com/legal/subprocessors. Bespoke Mentis will:
- Provide at least 14 days' advance notice before adding or replacing any sub-processor that processes personal data covered by this DPA
- Ensure all sub-processors are bound by data processing terms equivalent to those in this DPA
- Remain fully liable to the Controller for the performance of sub-processors' data protection obligations
- Maintain an up-to-date sub-processor list and notify Controllers subscribed to notifications of changes
To receive sub-processor change notifications, email us with the subject line "Subscribe to Sub-processor Notifications."
§ 5 — Security Measures (Technical & Organizational)
Bespoke Mentis implements the following measures to protect personal data:
Encryption
- ✓ AES-256 encryption at rest
- ✓ TLS 1.3 encryption in transit
- ✓ AES-256-GCM encryption of stored OAuth tokens (Signal/Gmail)
Access Control
- ✓ Role-based access control (RBAC)
- ✓ Multi-factor authentication for admin access
- ✓ Principle of least privilege
- ✓ Access logging and audit trails
Infrastructure
- ✓ Hosting providers (Vercel/Neon) hold SOC 2 Type II attestation reports
- ✓ Isolated per-tenant data environments
- ✓ Data residency in United States (default)
- ✓ No data center co-location; managed cloud only
Monitoring
- ✓ 24/7 automated security monitoring
- ✓ Anomaly detection on API access
- ✓ Security event logging (12-month retention)
- ✓ Cryptographic evidence chain on AI decisions
Testing
- ✓ Periodic third-party penetration testing
- ✓ Vulnerability disclosure program
- ✓ Dependency scanning in CI/CD
- ✓ Regular security reviews
Process
- ✓ Incident response plan with 72-hour notification SLA
- ✓ Employee security training
- ✓ Vendor security assessment for all sub-processors
- ✓ Data minimization by design
§ 6 — International Transfers
Where personal data is transferred from the EU/EEA/UK to the United States, the transfer is governed by:
- Standard Contractual Clauses (Module Two: Controller-to-Processor) under Commission Implementing Decision (EU) 2021/914, incorporated into this DPA by reference. The applicable annexes are provided in the executed DPA document
- UK International Data Transfer Agreement (IDTA) — For transfers subject to UK GDPR
- Supplementary measures as documented in the Transfer Impact Assessment (TIA) provided upon request
§ 7 — Data Subject Rights Assistance
Bespoke Mentis will assist the Controller in fulfilling Data Subject rights requests through:
- Providing technical capability to locate, export, or delete specific data subject records upon written request from the Controller
- Processing Controller requests within 10 business days
- Notifying the Controller if Bespoke Mentis receives a Data Subject request directly, without acting on it pending Controller instructions
§ 8 — Term and Termination
This DPA remains in effect for the duration of the applicable MSA or Order Form. Upon termination or expiry:
- Bespoke Mentis will delete or return all personal data within 30 days of the termination date, per the Controller's written instructions
- Bespoke Mentis will certify deletion in writing upon request
- Backup data containing personal data will be overwritten within the applicable backup rotation cycle (maximum 90 days)
- Obligations under this DPA that by their nature survive termination (confidentiality, breach notification, audit rights) remain in effect
§ 9 — Liability
Each party is liable for damages arising from its own breach of this DPA. Bespoke Mentis's liability under this DPA is subject to the limitation of liability provisions in the applicable MSA or, where no MSA exists, in the Terms of Service. Nothing in this DPA limits liability for breaches of GDPR where such liability cannot be limited under applicable law.
§ 10 — Governing Law
This DPA is governed by the laws of the State of California, except to the extent that the SCCs require the law of an EU Member State to govern transfers from the EU/EEA. For UK transfers, the IDTA is governed by English law.
Request a Signed DPA
To receive a countersigned DPA, request a HIPAA BAA, or discuss custom data processing terms, contact our legal team. We aim to respond within 5 business days.
Email:
Subject line: "DPA Request — [Your Company Name]"
Include: Your company legal name, jurisdiction, applicable product(s), and any specific requirements
