Legal · DPA

Data Processing Agreement

Version 1.4 · Last updated 01 July 2026

This Data Processing Agreement (“DPA”) describes how Mindszi Technologies Ltd (“Mindszi”, “we”, “us” or “our”) processes personal data when providing the Mindszi eSIM orchestration and business support system (BSS) platform (“platform”). It forms part of the agreement between Mindszi and each customer that uses the platform (the “Agreement”).

Mindszi acts as a processor for personal data we handle on behalf of business customers under their instructions, and as an independent controller for individual accounts and for operating the platform. This DPA sets out the data protection terms that apply, the categories of personal data processed, the sub-processors we use, and the safeguards in place.

1. Scope and roles of the parties

This DPA applies to the processing of personal data by Mindszi in connection with the platform, and is governed by the UK GDPR, the Data Protection Act 2018 and, where applicable, the EU GDPR.

For business accounts, the customer is the controller and Mindszi is the processor: we process the personal data of the customer’s subscribers and end users on the customer’s documented instructions. For individual accounts and for platform-level activities such as account administration, billing, fraud prevention and security, Mindszi is the controller. Where Mindszi acts as controller, our Privacy Policy governs that processing.

Where there is any conflict between this DPA and the Agreement in relation to the processing of personal data, this DPA prevails.

2. Definitions

Terms used in this DPA have the meanings given below; other capitalised terms have the meaning given in the Agreement or in data protection law.

TermMeaning
Data protection lawsThe UK GDPR, the Data Protection Act 2018 and, where applicable, the EU GDPR and other applicable data protection legislation.
Personal dataAny information relating to an identified or identifiable individual (the data subject).
ProcessingAny operation performed on personal data, such as collection, storage, use, disclosure or deletion.
ControllerThe person who determines the purposes and means of processing personal data.
ProcessorA person who processes personal data on behalf of a controller.
Sub-processorA third party engaged by Mindszi to process personal data in connection with the platform.
TOMsTechnical and organisational measures to protect personal data.
SCCsThe Standard Contractual Clauses, together with the UK International Data Transfer Agreement or Addendum where applicable.

3. Personal data processed

When operating the platform on behalf of a customer, Mindszi processes the following categories of personal data relating to that customer’s subscribers and end users:

  • Identity and contact data: name, email address and telephone number.
  • Subscription and SIM/eSIM identifiers: ICCID, IMSI, MSISDN, EID, profile, plan and order references.
  • Device and network data: device identifiers, IP address, and network, location and roaming information.
  • Usage and traffic data: call detail records (CDRs), data session records and service event logs.
  • Billing and payment data: plan, charges and transaction references. Card payment details are handled by payment processors and are not stored by Mindszi.
  • Support data: records of support requests and related interactions, including message metadata for communications sent through the platform.

The subject matter of the processing is the provision, operation, security and support of the platform; the duration is the term of the Agreement and any retention period the customer specifies. The nature and purpose of the processing are provisioning, rating, billing, fraud prevention, customer support and related platform operations.

4. Sub-processors

The customer authorises Mindszi to engage the sub-processors listed below to process personal data in connection with the platform. Each sub-processor is engaged under written terms that impose data protection obligations no less protective than those in this DPA.

Sub-processorPurpose and region
Amazon Web Services (AWS)Cloud hosting and infrastructure. Primary region United Kingdom (London); EU for resilience.
Auth0 (Okta)Authentication and identity for end users and administrators. EU-hosted, configured for data minimisation.
StripePayment processing. EU / US.
Microsoft AzureSupplementary cloud services. EU / UK.
DatadogMonitoring, logging and observability. EU.
TwilioSMS and messaging. EU / US.
SendGrid (Twilio)Transactional and notification email. EU / US.
PostHogProduct analytics. EU.
SlackOperational notifications and support. EU / US.

4.1 Optional AI sub-processors

The following sub-processors are engaged only where a customer enables AI features. Customers may choose not to enable these features.

Sub-processorPurpose and region
AWS BedrockHosted model inference for AI features. EU / US.
OpenAIAI model inference (commercial API tier, no training on inputs). US.
AnthropicAI model inference (commercial API tier, no training on inputs). US.
GroqAI model inference. US.
LangChainAI orchestration tooling. EU / US.

Mindszi maintains this list current and, where required by the Agreement, gives the customer at least 30 days’ advance notice of any intended addition or replacement of a sub-processor so that the customer may object on reasonable data protection grounds.

5. AI and model training

Where AI features are used, Mindszi does not permit customer personal data or content to be used to train third-party models. This is enforced by selecting commercial API tiers that exclude inputs from model training and by not enrolling in any provider training programmes. Personal data submitted for inference is processed only to return the requested result.

6. Processing instructions

Where Mindszi acts as processor, it processes personal data only on the customer’s documented instructions, including as set out in the Agreement and this DPA, unless required to do otherwise by law, in which case Mindszi will inform the customer before processing (unless the law prohibits it). Mindszi will promptly inform the customer if, in its opinion, an instruction infringes data protection law.

7. Confidentiality

Mindszi ensures that persons authorised to process personal data are bound by appropriate obligations of confidentiality and process personal data only as necessary to perform their duties.

8. Security measures

Mindszi implements and maintains technical and organisational measures appropriate to the risk, including:

  • encryption of personal data in transit and at rest;
  • role-based and least-privilege access controls, and network segregation;
  • logging, monitoring, and detection and response for security incidents;
  • vulnerability and patch management and secure development practices;
  • regular security assessments, staff training and due diligence over sub-processors; and
  • backup and disaster recovery arrangements.

Mindszi operates an information security programme and is undergoing SOC 2 examination. No method of transmission or storage can be guaranteed completely secure, but Mindszi maintains measures appropriate to the risk as required by data protection law.

9. Sub-processing obligations

Where Mindszi engages a sub-processor, it imposes, through a written contract, data protection obligations that are no less protective than those set out in this DPA. Mindszi remains responsible to the customer for the performance of each sub-processor’s obligations.

10. International data transfers

Personal data is stored at rest within the United Kingdom and the EU. Where personal data is transferred outside the UK or EEA (for example transient transfers to a sub-processor located abroad for AI inference, or for resilience), Mindszi relies on a transfer mechanism recognised under applicable data protection law, including transfers to countries covered by adequacy regulations, the SCCs, and the UK International Data Transfer Agreement or Addendum, together with any supplementary measures needed to protect the data.

11. Data subject rights

Taking into account the nature of the processing, Mindszi assists the customer by appropriate technical and organisational measures, insofar as this is possible, to respond to requests from data subjects to exercise their rights under data protection law. Where a data subject contacts Mindszi directly in relation to processing carried out on a customer’s behalf, Mindszi will refer them to the customer as the controller.

12. Personal data breaches

Mindszi notifies the customer without undue delay after becoming aware of a personal data breach affecting personal data processed on the customer’s behalf, and provides the information reasonably necessary to enable the customer to meet its obligations under data protection law, including to notify the relevant supervisory authority and affected data subjects where required.

13. Deletion or return of data

On termination or expiry of the Agreement, Mindszi deletes or returns the personal data it processes on the customer’s behalf, at the customer’s choice, and deletes existing copies unless data protection law requires storage of the personal data.

14. Audit

Mindszi makes available to the customer the information reasonably necessary to demonstrate compliance with this DPA and allows for and contributes to audits, including inspections, conducted by the customer or an auditor it mandates. Audits are conducted on at least 30 days’ written notice, during business hours, no more than once per year unless required by a supervisory authority or following a personal data breach, and subject to reasonable confidentiality and security requirements and without unreasonable disruption to Mindszi’s operations.

15. Liability and governing law

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA is governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales, unless the Agreement provides otherwise.

16. Contact us

For questions about this DPA or to exercise data protection rights, please contact us:

  • Data Protection Officer (Michael Moorfield): dpo@mindszi.com
  • Privacy enquiries and rights requests: privacy@mindszi.com
  • General enquiries: hello@mindszi.com
  • Post: Data Protection Officer, Mindszi Technologies Ltd, 128 City Road, London, EC1V 2NX, United Kingdom (company number 15524190)