| Item | Details |
|---|---|
| 1. Parties | Data Exporter (Controller/Customer): The entity identified as the ‘Customer’ in the Agreement and this DPA. Address and Contact Details: As specified in the Agreement. Contact Person / DPO (if any): As specified in the Agreement. Role: Controller. Data Importer (Processor/Molin AI): Molin AI Ltd. Address: As set forth in the Agreement. Contact Email: [email protected] Role: Processor. |
| 2. Subject Matter of Processing | Processing of Customer Personal Data by Molin AI on behalf of Customer for the purpose of providing and supporting the Services under the Agreement, and any related technical or operational support activities expressly instructed by Customer. |
| 3. Duration of Processing | Processing continues for the term of the Agreement and any post-termination period reasonably required to delete, return, or securely isolate Customer Personal Data in accordance with Section 10 of this DPA. |
| 4. Nature and Purpose of Processing | |
| 5. Categories of Data Subjects | |
| 6. Categories of Personal Data | |
| 7. Sensitive or Special Categories of Data | Molin AI does not intentionally process special categories of data (Article 9 GDPR). Customer shall avoid transmitting such data unless expressly agreed in writing with appropriate safeguards. |
| 8. Frequency of Processing / Transfers | Continuous during the operation of the Services. |
| 9. Retention and Deletion | Customer Personal Data is retained for the duration of the Agreement and deleted or returned per Section 10. Backups are deleted within standard retention cycles unless otherwise required by law. |
| 10. Sub-Processing and Onward Transfers | Molin AI may engage approved Sub-Processors bound by equivalent data-protection obligations. A current list is available on the Sub-processor page. Transfers outside the EEA/UK/Switzerland occur only under lawful transfer mechanisms (see Section 12 of this DPA). |
| 11. Technical and Organizational Measures | Molin AI maintains TOMs to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. See Annex 2 for details (e.g., encryption, access control, monitoring, incident response). |
| 12. Competent Supervisory Authority | |
- Governance and Policies: Molin AI maintains an Information Security Policy, Access Control Policy, and Business Continuity Policy reviewed at least annually.
- Training and Awareness: All personnel receive mandatory privacy and security training, including secure-coding and phishing-resilience modules.
- Vendor Risk Management: Prior to onboarding Sub-processors, Molin AI assesses their security posture.
- Access to production systems is role-based and limited to authorized personnel on a need-to-know basis.
- Multi-Factor Authentication (MFA) is mandatory for all privileged accounts.
- Passwords follow strong-credential rules (≥ 16 characters, complexity requirements) and are managed via a centralized identity provider.
- Access rights are reviewed at least every 180 days and immediately revoked upon role change or termination.
- Failed login attempts trigger account lockout (after more than 5 consecutive incorrect password attempts); all access events are logged and monitored.
- In Transit: All data is transmitted via HTTPS with TLS 1.2 or higher (default TLS 1.3), AES-256 encryption, and SHA-2 signatures.
- At Rest: Customer Data encrypted using AES-256-GCM within Cloudflare-managed storage.
- Key Management: Encryption keys stored and rotated securely with limited personnel access, subject to MFA and audit logging.
- Pseudonymization: When feasible, identifiers are separated or masked for diagnostic and analytics uses.
- Customer Data is hosted in secure Cloudflare data centers in the EU and U.S.
- Molin AI maintains no on-premise servers; all operations use virtualized cloud instances for redundancy and resilience.
- Systems are hardened per CIS benchmarks and patched promptly.
- Change management processes ensure peer review, version control, automated testing, and rollback plans for all releases.
- Vulnerability scans and third-party penetration tests are performed regularly.
- Intrusion-prevention systems and network firewalls protect external interfaces; anomalous activity triggers alerts.
- Data collection is limited to the purposes of processing (or the data that the Customer chooses to provide).
- Security measures are in place to provide only the minimum amount of access (least privilege) necessary to perform required functions.
- Upon termination or expiry of this DPA, Molin AI will (at Customer’s election) delete or return to Customer all Customer Personal Data as per Section 10 of this DPA.
- 24×7 on-call incident response with documented escalation paths.
- Security events are logged, triaged, and investigated; containment and remediation occur under defined SLAs.
- Customers are notified without undue delay after confirmation of a Personal Data Breach.
- Post-incident reviews identify corrective actions and drive continuous improvement.
- Redundant architecture and automated backups ensure availability.
- A Disaster Recovery (DR) plan is tested periodically in coordination with cloud provider capabilities.
- Objective: restore service and access to Customer Data within commercially reasonable timeframes after disruption.
- Regular security assessments and internal audits validate control effectiveness.
- External SOC 2 / ISO 27001-aligned audits are conducted annually.
- Documentation of all processing activities is maintained.
- Molin AI adheres to the principles of “privacy by design and default.”
- Implementation of ISO 27001 standards and participation in relevant certification programs are ongoing.
- Table 1 (Parties): Exporter is the Customer (and its relevant Affiliates, if applicable). Importer is Molin AI. Contact details are as specified in the Agreement or in Annex 1 (Details of Processing).
- Table 2 (Selected SCCs, Modules, Clauses): Approved SCCs – Commission Implementing Decision (EU) 2021/914. Modules – Module 2 (controller to processor) and Module 3 (processor to processor) for Customer Personal Data; Module 1 (controller to controller) for Account Data where Molin AI acts as an independent controller.
- Table 3 (Appendix / Annex Information): Annex I(A)-(B) – Parties and description of transfers (Annex 1 of this DPA); Annex I(C) – ICO as competent authority; Annex II – Technical and Organizational Measures (Annex 2 of this DPA); Annex III – Sub-processors per the Sub-processor Page (or Annex 3, if applicable).
- Table 4 (ICO Revision Mechanism): Selection – Importer and Exporter (both parties). Either party may terminate the UK Addendum before the effective date of a revised Approved Addendum if that revision would cause a substantial and disproportionate increase in cost or risk, consistent with the ICO mechanism.
- References to ‘Regulation (EU) 2016/679’ are read as references to the UK GDPR and the Data Protection Act 2018.
- References to ‘EU/Union/Member State’ are read as references to the UK or UK law.
- Clause 13(a) and Annex I, Part C (EU authority) do not apply; the ICO acts as the competent supervisory authority.
- Clause 17 (governing law): England and Wales; Clause 18 (forum): courts of England and Wales; data subjects may also bring proceedings in any competent UK jurisdiction.
- Onward transfers: Clause 8.8(i) (Modules 2/3) is read to permit onward transfers to countries with UK adequacy regulations (Section 17A of the Data Protection Act 2018); Clause 8.7(i) (Module 1) similarly applies.
- Footnotes to the EU SCCs do not form part of this UK Addendum unless expressly required by the UK Addendum.
- Annex I(A)-(B): Populated by Annex 1 (Details of Processing) to this DPA.
- Annex I(C): ICO as competent authority (UK GDPR).
- Annex II: Populated by Annex 2 (Technical and Organizational Measures).
- Annex III: Sub-processors per Molin AI’s Sub-processor Page or Annex 3 (if included).