DPA
Data processing approach aligned with enterprise contracting and data protection expectations.
Purpose
This page summarizes UmamiMind’s Data Processing Addendum (DPA) approach for processing personal data on behalf of customers under applicable data protection laws (including GDPR where relevant). It is a procurement-friendly overview; the contractual DPA is provided during contracting.
Roles and scope
- Customer typically acts as Data Controller; UmamiMind acts as Data Processor for customer content and related service data.
- Processing occurs only on documented customer instructions and to provide, secure, and support the services.
- Processing is limited to the minimum necessary to deliver the agreed services and maintain platform security and reliability.
Typical data categories (example)
The specific categories depend on customer usage. Common categories for an enterprise AI orchestration platform include:
- Account and access data (user identifiers, roles, authentication metadata)
- Operational content (prompts, workflow inputs, configuration, run outputs)
- Security and operational telemetry (audit events, traces, error logs, service metrics)
- Support communications (tickets, emails, and case notes where applicable)
Security measures (summary)
- Encryption in transit (TLS) and encryption at rest via the selected hosting/storage providers (deployment dependent)
- Role-based access control, least privilege, and administrative access logging
- Audit logging for sensitive actions and operational monitoring for reliability
- Secure development practices: code review, CI checks, controlled deployments, and rollback
Subprocessing, transfers, and data subject rights
- Subprocessors are governed through security/privacy review and contractual safeguards.
- Where cross-border transfers apply, contractual transfer mechanisms (e.g., Standard Contractual Clauses, SCCs) are handled as part of the DPA and customer agreement package (where relevant).
- UmamiMind supports customers in responding to data subject requests by providing deletion/export tooling and support workflows where technically feasible and contractually agreed.
Retention and deletion
Retention depends on customer configuration and operational needs (security logs, troubleshooting, billing). Upon termination or request, UmamiMind supports deletion of customer content within agreed timelines, subject to legal retention obligations and security constraints.
Incident notification
In the event of a personal data breach, UmamiMind will notify affected customers without undue delay and provide mitigation and investigation updates as available.
Pilot-stage notice
This summary reflects pilot-stage operations. Final contractual DPA terms are provided during contracting.