MUTINY DATA PROCESSING ADDENDUM (DPA)

Last Updated: April 7, 2026

This Data Processing Addendum ("DPA") supplements the Terms of Service or other written or electronic agreement between the parties (the "Agreement") entered into by and between the customer entity identified in the Agreement ("Customer") and Mutiny HQ Corporation, a Delaware corporation ("Provider" or "Mutiny").

By accepting the Agreement, or by executing an Order Form that references this DPA, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Affiliates (defined below). This DPA is incorporated into and forms part of the Agreement. Any terms not defined in this DPA have the meaning set forth in the Agreement.

1. DEFINITIONS

"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.

"CCPA" means the California Consumer Privacy Act, California Civil Code §§1798.100 et seq., as amended by the California Privacy Rights Act ("CPRA"), including any implementing regulations. The terms "business," "service provider," and "sale" have the meanings given under the CCPA.

"Data Breach" means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by Provider under this DPA. Data Breaches do not include unsuccessful attempts or activities that do not result in unauthorized access to Personal Data, including unsuccessful log-in attempts, pings, port scans, denial-of-service attacks, or other network attacks on firewalls or networked systems.

"Data Protection Legislation" means, as applicable to a party and its Processing of Personal Data: (i) EU Data Protection Laws; (ii) UK Data Protection Law; (iii) CCPA; and (iv) any other applicable data protection or privacy laws.

"EU Data Protection Laws" means Regulation (EU) 2016/679 (General Data Protection Regulation) ("GDPR") and the EU e-Privacy Directive (Directive 2002/58/EC). The terms "Controller," "Processor," "Process," "Processing," and "Data Subject" have the meanings given under the GDPR.

"Personal Data" means any information that (i) is protected as "personal data," "personal information," or "personally identifiable information" under Data Protection Legislation; and (ii) is Processed by Provider on behalf of Customer in the course of providing the Services, as more particularly described in Annex A of this DPA.

"Restricted Transfer" means a transfer of Personal Data from the EEA to a country not subject to an adequacy decision under Article 45 GDPR, or an equivalent mechanism.

"Standard Contractual Clauses" or "EU SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021.

"Sub-processor" means any third party engaged by Provider to assist in fulfilling its obligations under the Agreement that Processes Personal Data.

"UK Data Protection Law" means: (i) the UK GDPR (as saved into UK law by the European Union (Withdrawal) Act 2018); (ii) the Data Protection Act 2018; (iii) the UK International Data Transfer Addendum to EU SCCs ("IDTA"); and (iv) all applicable national data protection laws made under, pursuant to, or applicable in conjunction with any of the foregoing.

2. PROVIDER'S OBLIGATIONS

2.1 Roles

For purposes of GDPR and similar Data Protection Legislation, Customer (or the third party on whose behalf Customer is authorized to instruct Provider) is the Controller of Personal Data, and Provider shall Process Personal Data as a Processor (or sub-Processor, as applicable to Customer's use of the Services). For purposes of the CCPA (to the extent applicable), Customer is the "business" and Provider is the "service provider."

2.2 Permitted Purposes

Provider shall Process Personal Data only for the Permitted Purposes described in Annex A of this DPA, and in accordance with Customer's documented lawful instructions, except where otherwise required by applicable law. To the extent the CCPA applies, Customer's transfer of Personal Data to Provider is not a "sale," and Provider provides no monetary or other valuable consideration to Customer in exchange for Personal Data. Provider is obligated at all times to Process Personal Data in compliance with Data Protection Legislation and to fulfill all its obligations arising thereunder.

2.3 Processing Instructions

Provider shall immediately inform Customer if it becomes aware that Customer's Processing instructions infringe Data Protection Legislation. If Provider is unable to Process Personal Data in accordance with Customer's documented lawful instructions, Provider shall promptly notify Customer of its inability to comply.

2.4 Security Measures

Provider shall implement and maintain reasonable and appropriate technical and organizational measures designed to protect all Personal Data from Data Breaches and to preserve their security, integrity, and confidentiality. Such measures shall have regard to the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to the rights and freedoms of natural persons. At a minimum, these measures shall include those identified in Annex C of this DPA.

2.5 Access and Confidentiality

Provider shall ensure that any personnel authorized to Process Personal Data (including employees, agents, and Sub-processors) are subject to appropriate confidentiality obligations (whether contractual or statutory), have received appropriate training regarding data protection, and are permitted to access Personal Data only on a need-to-know basis.

2.6 Data Returns and Deletion

Upon termination or expiration of the Agreement and upon request by Customer, Provider will, within thirty (30) days, delete or return to Customer all Personal Data in its possession or control, at Customer's election. Notwithstanding the foregoing, backup copies of Personal Data may be retained for up to ninety (90) days following deletion in accordance with Provider's standard backup and disaster recovery processes, after which such data will be securely deleted. Provider may retain one archival copy solely for compliance purposes for the period required by applicable law, after which such copy shall be securely and permanently deleted. Upon written request, Provider shall provide a written certification confirming deletion of all Personal Data (other than any lawfully retained archival copy).

2.7 Prohibition on AI Model Training

Provider shall not use Personal Data to train, fine-tune, or improve any artificial intelligence, machine learning, or large language model without Customer's prior written consent. For the avoidance of doubt, prompts, inputs, outputs, and other Customer Content that do not contain Personal Data are not subject to this restriction and may be used by Provider to operate, improve, and develop the Services. Provider shall implement and maintain technical and organizational measures designed to identify and remove or mask Personal Data (including names, email addresses, and other contact information) from data used for model training and service improvement purposes.

3. AUDIT RIGHTS

3.1 Right to Conduct Audits

Customer shall have the right to verify Provider's compliance with its obligations under this DPA. Upon Customer's written request, Provider shall make available relevant information, documentation, and up-to-date third-party audit reports and certifications (including SOC 2 Type II reports and ISO 27001 certificates, where available) to demonstrate compliance. If Customer reasonably determines that such documentation is insufficient, Customer may conduct or commission an on-site audit, subject to the following conditions: (i) written notice at least thirty (30) days in advance; (ii) specification of the audit agenda in the notice; (iii) audits not more than once per calendar year (unless required by a regulatory authority); (iv) all costs borne by Customer; and (v) the audit shall last no longer than one (1) business day (8 hours).

3.2 Independent Auditor

Where Customer requests an audit by an independent third-party auditor, Provider may object to an auditor that is, in Provider's reasonable opinion, not suitably qualified or independent, a competitor of Provider, or otherwise manifestly unsuitable. In such case, Customer shall appoint an alternative auditor acceptable to Provider, acting reasonably.

4. CUSTOMER'S OBLIGATIONS

4.1 Customer's Processing of Personal Data

Customer shall Process Personal Data in accordance with Data Protection Legislation. Customer has sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired it.

4.2 Customer's Compliance

Customer agrees that: (i) it shall comply with its obligations as Controller under Data Protection Legislation; (ii) it has provided notice and obtained (or shall obtain) all necessary consents or other lawful bases under Data Protection Legislation for Provider to Process Personal Data for the Permitted Purposes; (iii) it shall be responsible for providing required notices to data subjects; (iv) it has fulfilled (or shall fulfill) all applicable registration or notification obligations; and (v) it is responsible for its own Processing of Personal Data, including integrity, security, and protection of Personal Data under Customer's control.

4.3 Technical and Organizational Measures

Customer is responsible for the secure use of the Services, including securing user credentials and passwords, protecting Personal Data when in transit to and from the Services, and taking appropriate technical and organizational measures to secure Personal Data uploaded to the Services. Customer shall notify Provider immediately upon becoming aware of any unauthorized use of the Services or security breach.

5. COOPERATION

5.1 Data Subject Rights

To the extent Customer is unable to access relevant Personal Data within the Services independently, Provider shall, taking into account the nature of the Processing, provide reasonable assistance (including by appropriate technical and organizational measures) to enable Customer to: (i) respond to any data subject requests to exercise rights under Data Protection Legislation (including rights of access, correction, erasure, objection, restriction, and portability); and (ii) respond to any other correspondence, inquiry, or complaint received from a data subject, regulator, or third party in connection with the Processing of Personal Data ("Correspondence").

In the event that any Correspondence is made directly to Provider, Provider shall promptly notify Customer and shall not respond directly unless legally compelled to do so. If Provider is required to respond, it shall promptly notify Customer and provide a copy of the request, unless legally prohibited.

5.2 Data Protection Impact Assessments

To the extent required by Data Protection Legislation, Provider shall provide reasonable cooperation to enable Customer to carry out data protection impact assessments (DPIAs) and prior consultations with data protection authorities as required by applicable law.

5.3 Request for Disclosure

Provider shall promptly notify Customer of any legally binding request for disclosure of Personal Data by a judicial or regulatory authority, unless prohibited from doing so (e.g., by a court order or criminal law). Provider shall cooperate with Customer in seeking protective treatment for such disclosures.

6. SECURITY INCIDENTS

6.1 Data Breach Notification

Upon becoming aware of a Data Breach, Provider shall notify Customer without undue delay and, in any event, within seventy-two (72) hours of becoming aware of the Data Breach. Such notification shall include (to the extent available at the time of notification): (a) a description of the nature of the Data Breach; (b) the categories and approximate number of data subjects and Personal Data records affected; (c) the likely consequences of the Data Breach; (d) the measures taken or proposed to address the Data Breach; and (e) the contact details of Provider's data protection contact.

6.2 No Acknowledgement of Liability

Any notification provided by Provider to Customer regarding a Data Breach shall not be construed as an acknowledgement of any fault or liability on the part of Provider.

6.3 Mitigation

Provider shall take all reasonable measures and actions to remedy or mitigate the effects of the Data Breach and shall keep Customer informed of all material developments.

6.4 Customer-Caused Breach

If a Data Breach is caused or materially contributed to by Customer's actions or omissions, Provider will cooperate in the investigation at Customer's expense.

7. SUB-PROCESSING

7.1 Authorized Sub-processors

Customer provides general authorization for Provider to engage Sub-processors to Process Personal Data on Customer's behalf. The Sub-processors currently engaged by Provider are listed in Annex B. Customer authorizes the transfer of Personal Data to Provider's primary processing facilities in the United States and to Sub-processors listed in Annex B, subject to the safeguards in Section 8 and continued compliance with this DPA.

7.2 New Sub-processors

Provider shall provide at least thirty (30) days' prior written notice to Customer of the engagement of any new Sub-processor, by updating the sub-processor list at www.mutinyhq.com/dpa and, where applicable, notifying Customer via email or through an available notification service.

7.3 Objections

If Customer has a reasonable objection to any new Sub-processor on grounds related to data protection, Customer shall notify Provider in writing to privacy@mutinyhq.com within thirty (30) days of receiving notification. The parties will seek to resolve the matter in good faith. If no such objection is received within the thirty (30) day period, Customer shall be deemed to have consented to the new Sub-processor. If the parties are unable to resolve a legitimate objection, Customer may terminate the Agreement at no additional cost.

7.4 Sub-processor Obligations

Provider shall impose on each Sub-processor, by written contract, data protection obligations that are substantially equivalent to those set out in this DPA. Provider remains liable to Customer for the performance of each Sub-processor's obligations under this DPA to the extent Provider is responsible under this DPA.

8. DATA TRANSFERS

8.1 International Data Transfers

Provider shall take all measures necessary to ensure that the Processing and transfer of Personal Data to a territory other than where the Personal Data was first collected complies with Data Protection Legislation.

8.2 Standard Contractual Clauses

The parties agree that where and to the extent any transfer of Personal Data from Customer (as data exporter) to Provider (as data importer) constitutes a Restricted Transfer and EU Data Protection Laws require appropriate safeguards, such transfer shall be governed by the EU SCCs, which are incorporated by reference into and form an integral part of this DPA.

8.3 EU SCCs Configuration

For Personal Data subject to EU Data Protection Laws:

  1. Where Customer is a Controller, Module Two (Controller to Processor) applies; where Customer is a Processor acting on behalf of third-party Controllers, Module Three (Processor to Processor) applies;

  2. In Clause 7 (Docking Clause), the optional docking clause applies;

  3. In Clause 9 (Use of Sub-processors), Option 2 (general written authorization) applies, and the notice and objection periods are as set out in Sections 7.2 and 7.3 of this DPA;

  4. In Clause 11 (Redress), the optional language permitting data subjects to lodge complaints with an independent dispute resolution body does not apply;

  5. In Clause 17 (Governing Law), Option 1 applies, and the EU SCCs are governed by Irish law;

  6. In Clause 18(b) (Choice of Forum and Jurisdiction), disputes shall be resolved before the courts of Dublin, Ireland.

8.4 UK International Data Transfer Addendum

The parties agree that the IDTA will apply to Personal Data transferred from the United Kingdom to any country not recognized by the UK Information Commissioner's Office as providing adequate protection. The IDTA is incorporated by reference into this DPA and completed as follows:

  1. Table 1 (Parties): The Start Date is the date of Customer's acceptance of the Agreement or execution of an applicable Order Form. The Parties are as identified in Annex A(1) of this DPA.

  2. Table 2 (Selected SCCs): The version of the EU SCCs to which this IDTA is appended applies, as configured in Section 8.3 above.

  3. Table 3 (Appendix Information): The Annex I.A, I.B, and II information is as set forth in Annexes A and C of this DPA.

  4. Table 4 (Ending the IDTA): Either party may end the IDTA as set out in Section 19 of the IDTA.

8.5 Swiss Data

For Personal Data subject to the Swiss Federal Act on Data Protection (FADP), the EU SCCs apply as configured in Section 8.3, with the following modifications: (i) references to "Regulation (EU) 2016/679" are interpreted as references to the FADP; (ii) the supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland; (iii) Clause 17 shall be governed by the laws of Switzerland where the transfer is subject solely to the FADP; and (iv) Clause 18 shall be amended to provide jurisdiction in the courts of Switzerland.

9. LIMITATION OF LIABILITY

Customer's and Provider's remedies and liability arising out of or in relation to this DPA (including any Standard Contractual Clauses) are subject to the limitations of liability set forth in the Agreement. For the avoidance of doubt, nothing in this DPA limits the rights a Data Subject may have against either party arising from a breach of the Standard Contractual Clauses.

10. FINAL PROVISIONS

10.1 Third-Party Beneficiaries

Data Subjects are the sole third-party beneficiaries of the Standard Contractual Clauses. There are no other third-party beneficiaries to this DPA, unless specified in the Agreement.

10.2 Governing Law and Jurisdiction

This DPA is governed by the governing law and jurisdiction provisions of the Agreement, unless otherwise required by applicable Data Protection Legislation or the Standard Contractual Clauses.

10.3 Scope

The processing of information other than Personal Data for the Permitted Purposes does not fall within the scope of this DPA.

10.4 Term

This DPA remains in effect for the term of the Agreement and until Provider ceases to Process Personal Data on behalf of Customer following termination or expiration of the Agreement.

10.5 Order of Precedence

In the event of any conflict between this DPA and the Agreement, this DPA shall control with respect to data protection and privacy matters. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall control.

ANNEX A

DESCRIPTION OF THE PROCESSING ACTIVITIES

Annex A(1): List of Parties

Annex A(2): Description of Transfer

Annex A(3): Competent Supervisory Authority

With respect to EU Personal Data, the competent supervisory authority shall be determined in accordance with applicable GDPR provisions based on Customer's establishment.

ANNEX B

APPROVED SUB-PROCESSORS

The following Sub-processors are authorized to Process Personal Data in connection with Provider's delivery of the Services. Provider will update this list and provide notice of changes as described in Section 7 of this DPA. The current version of this list is maintained at https://www.mutinyhq.com/dpa.

ANNEX C

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Provider maintains the following technical and organizational measures to protect Personal Data:

Access Controls

  • Role-based access controls (RBAC) restricting access to Personal Data to authorized personnel with a need to know;

  • Multi-factor authentication (MFA) required for access to production systems;

  • Unique user IDs for all personnel with access to Personal Data;

  • Periodic access reviews and revocation of access upon termination of employment or change of role.

Encryption

  • Data in transit: encrypted using TLS 1.2 or higher;

  • Data at rest: encrypted using AES-256 or equivalent industry-standard encryption;

  • Encryption keys managed through AWS KMS.

Network and Infrastructure Security

  • Firewalls, network segmentation, and intrusion detection/prevention systems;

  • Regular vulnerability scanning and penetration testing;

  • Logging and monitoring of access to production systems and Personal Data;

  • Incident response plan maintained and tested regularly.

Physical Security

  • Personal Data is hosted in data centers with industry-standard physical security controls, including badge access, CCTV, and environmental controls;

  • Provider's primary infrastructure is hosted on AWS, which maintains SOC 2 Type II and ISO 27001 certifications.

Organizational Measures

  • Written information security policy maintained and reviewed annually;

  • Data protection and security training provided to all employees;

  • Background checks conducted on employees with access to Personal Data, to the extent permitted by law;

  • Provider has achieved or is pursuing the following certifications: SOC 2 Type II.

Business Continuity and Disaster Recovery

  • Regular backups of Personal Data with tested restoration procedures;

  • Business continuity and disaster recovery plans maintained and tested annually;

  • Recovery time objective (RTO) of 4 hours and recovery point objective (RPO) of 1 hour.

AI-Specific Measures

  • Enterprise-tier agreements in place with all AI sub-processors, restricting use of Customer data for model training by default;

  • Prompt and output data processed through AI sub-processors is not persisted by those sub-processors beyond the minimum required for the API response;

  • AI model outputs reviewed for security and compliance risks prior to production deployment.

Data Deletion and Destruction

  • Personal Data deleted upon termination of the Agreement is overwritten or destroyed using industry-standard secure deletion methods (e.g., NIST SP 800-88 or equivalent) such that it cannot reasonably be recovered or reconstructed;

  • Where physical media containing Personal Data is decommissioned, such media is destroyed or sanitized in a manner that prevents recovery of the data;

  • Deletion procedures apply to all copies of Personal Data held by Provider, including backup copies, subject to any legally mandated retention periods as described in Section 2.6 of this DPA.