Data Processing Agreement

A Data Processing Agreement ("DPA") is a legally binding contract required by Article 28 of the EU General Data Protection Regulation (EU GDPR). It must be in place whenever one organisation, the Data Controller, engages another organisation, the Data Processor, to process personal data on its behalf.

MindFriend AB, as a Swedish technology company operating under EU GDPR, occupies two distinct roles simultaneously.

As a Data Controller, MindFriend determines the purposes and means of processing personal data collected from Clients and Professionals. In this role, MindFriend must have DPAs in place with every third-party service it uses that touches personal data, called Sub-processors.

As a Data Processor for Professionals, when MindFriend facilitates the booking connection between a Client and a Professional, MindFriend processes certain Client personal data on behalf of the Professional who is providing clinical services. In this role, this DPA governs what MindFriend can and cannot do with that data.

Failure to have a compliant DPA in place is a direct violation of Article 28 EU GDPR and can result in fines of up to EUR 10 million or 2% of global annual turnover, whichever is higher. More importantly, it is a fundamental requirement for earning the trust of both Clients and Professionals.

This Part A governs the processing of Client personal data by MindFriend on behalf of Professionals who use the Platform to deliver clinical services. In this context, the Professional is the Data Controller and MindFriend is the Data Processor.

Data Controller: The individual mental health Professional, including psychologist, psychiatrist, therapist, counsellor, or other registered practitioner, registered on the MindFriend Platform who has accepted the Professional Listing Agreement.

Data Processor: MindFriend AB, incorporated in Sweden, operating the Platform at www.mindfriend.com.

This Part A applies automatically and without further action from the date the Professional completes registration on the Platform.

MindFriend processes Client personal data submitted through the Platform on behalf of Professionals solely to facilitate the booking, scheduling, and communication infrastructure that supports the delivery of Provider Services.

The processing carried out by MindFriend on behalf of Professionals includes collecting and storing Client account information to enable booking, processing and storing Session booking records, transmitting Client communications through messaging and chat tools, processing payment transaction data, and storing booking history to support the Professional-Client relationship on the Platform.

MindFriend processes this data only to the extent necessary to provide the Platform’s booking and communication functionality. MindFriend does not process clinical notes, therapy records, or session content. These are the sole responsibility of the Professional.

Categories of personal data include identity data, contact data, booking data, communication data, and special category data voluntarily disclosed by the Client when searching for or messaging a Professional through the Platform.

Categories of data subjects include Clients who register on the MindFriend Platform to search for and book appointments with Professionals.

MindFriend processes Client personal data on behalf of each Professional for the duration of the Professional’s active registration on the Platform. Upon termination of the Professional’s listing, MindFriend will retain data only for periods required by applicable law and its own data retention policy, after which data will be securely deleted or anonymised.

MindFriend will process Client personal data only on documented instructions from the Professional as Controller, as set out in this DPA and the Professional Listing Agreement, and not for any other purpose.

MindFriend will ensure that all personnel authorised to process Client personal data are subject to binding confidentiality obligations, either by contract or statutory duty.

MindFriend will implement and maintain appropriate technical and organisational security measures to protect Client personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with Article 32 EU GDPR.

Current security measures include encryption of personal data in transit and at rest, role-based access controls, multi-factor authentication for staff with access to production systems, regular vulnerability assessments and penetration testing, incident response and breach notification procedures, and PCI DSS-compliant payment processing via Stripe and/or Revolut.

MindFriend will not engage any new Sub-processor to process Client personal data without providing the Professional with prior written notice and an opportunity to raise a reasonable objection within 14 days.

MindFriend will impose on all Sub-processors data protection obligations equivalent to those in this DPA and remains liable to the Professional for the acts and omissions of its Sub-processors.

MindFriend will provide reasonable assistance to enable Professionals to respond to Client data subject rights requests under EU GDPR, including rights of access, rectification, erasure, restriction, portability, and objection.

MindFriend will notify the Professional without undue delay and in any event within 72 hours of becoming aware of any personal data breach involving Client personal data processed under this DPA.

MindFriend will provide reasonable assistance to the Professional in carrying out data protection impact assessments and consulting the relevant supervisory authority where required under Article 36 EU GDPR.

Upon termination of the Professional’s listing, MindFriend will, at the Professional’s written request, either securely delete or return all Client personal data processed on the Professional’s behalf, unless retention is required by applicable law.

MindFriend will make available to the Professional all information reasonably necessary to demonstrate compliance with this DPA and permit audits or inspections with reasonable notice and no more than once per year.

The Professional, as Data Controller, must ensure there is a lawful basis for processing Client personal data through the Platform and that Clients have been properly informed of such processing through a compliant privacy notice or Notice of Privacy Practices.

The Professional must provide MindFriend with documented processing instructions that comply with EU GDPR.

The Professional must ensure that any special category data, including health and mental health information, disclosed through the Platform is collected with explicit Client consent.

The Professional must comply with all applicable data protection laws, including EU GDPR, in connection with clinical data and records held outside the Platform.

The Professional must handle all data subject rights requests that relate to clinical care records directly, without relying solely on MindFriend.

This Part B sets out the obligations that MindFriend, as Data Controller, imposes on all third-party service providers, called Sub-processors, who process personal data on MindFriend’s behalf.

Every Sub-processor engaged by MindFriend must comply with these requirements under a written agreement that imposes obligations at least equivalent to those in this DPA.

MindFriend uses only Sub-processors that provide sufficient guarantees to implement appropriate technical and organisational data protection measures in accordance with Article 28(1) EU GDPR.

Before engaging any new Sub-processor, MindFriend conducts a vendor assessment to verify the Sub-processor’s data protection practices, security certifications, and contractual commitments.

Every Sub-processor engaged by MindFriend must process personal data only on MindFriend’s documented instructions, implement appropriate security measures, not engage further sub-processors without written consent, assist with data subject rights requests, notify MindFriend promptly of any breach, delete or return personal data on termination, and permit audits and inspections as required by MindFriend.

Where any Sub-processor processes personal data outside the European Economic Area, MindFriend ensures that appropriate safeguards are in place in accordance with Chapter V EU GDPR.

Safeguards may include Standard Contractual Clauses approved by the European Commission, adequacy decisions of the European Commission, the EU-US Data Privacy Framework where the receiving entity is certified, and the UK International Data Transfer Agreement or UK Addendum to the EU SCCs for transfers from the UK.

MindFriend’s current international transfer mechanisms are documented in Schedule B alongside the relevant Sub-processor entry.

As Data Controller, MindFriend is responsible for responding to data subject rights requests from Clients and Professionals regarding personal data it controls.

MindFriend will respond to verified requests within one month of receipt, extendable by two further months for complex requests with notice.

MindFriend will provide a mechanism for data subjects to submit rights requests via privacy@mindfriend.com.

Where a rights request relates to data held by a Sub-processor, MindFriend will instruct the Sub-processor to assist within 5 working days of receiving the request.

MindFriend will maintain records of all rights requests received and responses provided.

In the event of a personal data breach affecting data for which MindFriend is the Data Controller, MindFriend will notify the Swedish Authority for Privacy Protection without undue delay and within 72 hours of becoming aware of a breach likely to result in a risk to the rights and freedoms of data subjects.

MindFriend will notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

MindFriend will document all breaches, including those not notified to the supervisory authority, in an internal breach register.

MindFriend will cooperate fully with Sub-processors to contain and investigate any breach and implement remedial measures.

MindFriend requires all Sub-processors to notify MindFriend of any breach involving MindFriend’s data within 24 hours of becoming aware of it.

This DPA is governed by the laws of Sweden and EU GDPR.

The lead supervisory authority for MindFriend AB is the Swedish Authority for Privacy Protection, Integritetsskyddsmyndigheten — IMY, Drottninggatan 29, SE-104 20 Stockholm, www.imy.se.

Data subjects located in other EU member states may also contact their local national data protection authority.

This DPA is effective from the date the relevant underlying agreement is accepted and remains in force for as long as MindFriend processes personal data under that agreement.

Termination of the underlying agreement automatically terminates this DPA, subject to any post-termination data retention obligations set out herein.

Subject matter: Provision of booking, scheduling, communication, and payment facilitation services through the MindFriend Platform.

Duration: For the duration of the Professional’s active registration on the Platform, plus any legally required retention period thereafter.

Nature of processing: Collection, storage, transmission, display, organisation, and deletion of personal data through the Platform’s booking and communication tools.

Purpose of processing: Facilitating the booking of mental health Sessions between Clients and Professionals, enabling communication, processing payments, and sending appointment reminders.

Type of personal data: Identity data, contact data, booking records, chat or message content, payment transaction references, and any health-related information voluntarily disclosed through the Platform.

Categories of data subjects: Clients seeking mental health support who register on the Platform.

Data Controller: The individual Professional registered on the MindFriend Platform.

Data Processor: MindFriend AB, Sweden.

This Schedule lists MindFriend’s current approved Sub-processors who process personal data on MindFriend’s behalf. MindFriend will update this list and notify registered users of any material changes with at least 14 days’ prior notice.

Stripe Payments Europe Ltd.: Payment processing, escrow, and payout to Professionals. Location: Ireland. Transfer mechanism: EEA — no transfer restriction. DPA / Certification: Stripe DPA with EU SCCs Module 2.

Revolut Ltd.: Alternative payment processing and payout. Location: UK / Lithuania. Transfer mechanism: EEA — no transfer restriction. DPA / Certification: Revolut DPA with EU SCCs.

Amazon Web Services or EU hosting provider: Cloud infrastructure, data storage, and Platform hosting. Location: EU, Stockholm or Frankfurt region. Transfer mechanism: EEA — no transfer restriction. DPA / Certification: AWS DPA, ISO 27001, SOC 2.

Video provider, email provider, analytics provider, customer support provider, and ID verification provider entries marked to be confirmed must be completed before platform launch. MindFriend should select EU-hosted providers wherever possible to minimise international transfer complexity.

Encryption and pseudonymisation: All personal data is encrypted in transit using TLS 1.2 or higher and encrypted at rest using AES-256 or equivalent industry-standard encryption. Passwords are stored using bcrypt or Argon2 hashing and never in plaintext. Payment data is tokenised by Stripe or Revolut, and MindFriend does not store raw card numbers.

Access controls: Role-based access control limits personal data access to authorised personnel only. Multi-factor authentication is mandatory for all staff with access to production systems. The principle of least privilege is enforced, and all access to personal data is logged and monitored for anomalous activity.

System security: MindFriend performs regular vulnerability scans and penetration testing, automated dependency and security patch management, Web Application Firewall and DDoS protection, and secure software development practices including code review and security testing.

Availability and resilience: The Platform is hosted on redundant EU-region cloud infrastructure with automated failover, regular automated backups, tested restore procedures, and a disaster recovery plan with defined Recovery Time Objective and Recovery Point Objective.

Organisational measures: Staff with access to personal data receive mandatory data protection training. Confidentiality obligations are included in staff and contractor contracts. A Data Protection Officer or designated privacy lead oversees GDPR compliance. Internal policies, procedures, Records of Processing Activities, and incident response procedures are maintained.

Sub-processor management: All Sub-processors are vetted before engagement and contractually bound to equivalent data protection standards. Security certifications are reviewed annually, and Standard Contractual Clauses are executed for international transfers.

MindFriend AB does not need to draft or negotiate a separate DPA with Stripe or Revolut because these companies already publish Article 28-compliant DPAs that MindFriend accepts by using their services.

With Stripe, MindFriend should log in to the Stripe Dashboard, go to Settings > Data Privacy > Data Processing Agreement, review and accept Stripe’s DPA, confirm that EU SCCs Module 2 are included, and download a signed copy for records.

With Revolut, MindFriend should access Revolut’s DPA through the Revolut Business account settings or legal documentation page, accept the DPA covering EU GDPR compliance, and retain a copy for records.

Before integrating any third-party service that will process personal data, MindFriend must obtain and execute a DPA with that provider, add the provider to Schedule B, and notify users if required.

This DPA must be reviewed and updated whenever MindFriend adds a new Sub-processor, changes its processing activities, or when relevant data protection laws are updated.