# DATA PROCESSING AGREEMENT (DPA)
## Astermind Premium

**Last Updated: November 20, 2025**

This Data Processing Agreement (“DPA”) governs the processing of personal data in connection with Astermind Premium services provided by **AsterMind AI Corporation** (“Processor”, “we”, “us”, or “our”) to you (“Controller”, “you”, or “your”).

**This DPA supplements and forms part of the Terms of Service, Privacy Policy, and End User License Agreement (“EULA”).**  
It applies whenever you are a Controller of personal data and we act as a Processor on your behalf.

---

# 1. DEFINITIONS

1.1. **“Controller”** means the entity that determines the purposes and means of processing personal data.  

1.2. **“Processor”** means the entity that processes personal data on behalf of the Controller.  

1.3. **“Personal Data”** means any information relating to an identified or identifiable natural person.  

1.4. **“Processing”** means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.  

1.5. **“Data Subject”** means the natural person to whom personal data relates.  

1.6. **“GDPR”** means the General Data Protection Regulation (EU) 2016/679.  

1.7. **“Sub-processor”** means a third party engaged by the Processor to process personal data on behalf of the Controller.  

1.8. **“Personal Data Breach”** means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed under this DPA.  

---

# 2. SCOPE AND APPLICATION

## 2.1. When This DPA Applies

This DPA applies when:
- You act as a Controller of personal data  
- We process personal data on your behalf as a Processor  
- Processing occurs in connection with Astermind Premium services  

## 2.2. Limited Processing by AsterMind

Astermind Premium is an SDK/library that runs entirely on your systems.  
We do **not** process your application data, user datasets, or model outputs.

We process only minimal personal data for:
- **License validation** (stored only during your subscription)  
- **Account creation and management**  
- **Support interactions**  
- **Security, fraud detection, and legal compliance**

We do not access or process end-user content of your applications.

## 2.3. Controller Responsibilities

You remain solely responsible for:
- Determining lawful basis for processing  
- Complying with GDPR/CCPA and other laws  
- Obtaining consents where required  
- Ensuring your use of the Services is lawful  

---

# 3. PROCESSING DETAILS

## 3.1. Categories of Data Subjects

- Your employees, contractors, and authorized users  
- End users of software you build using the Services  
- Individuals whose data you upload, store, or process  

## 3.2. Categories of Personal Data

We may process:

### **Account Data**
- Name, email address, company, role  
- Authentication information  

### **License Data**
- License keys  
- Subscription status  
- Validation timestamps  
- **Retained only during your active subscription**

### **Technical Data**
- IP address  
- Device or system identifiers  
- Runtime environment metadata  
- Error logs (anonymized where possible)

### **Support Data**
- Information voluntarily provided in support requests  

### **Aggregated / Anonymized Data**
- Usage statistics  
- Non-identifying telemetry  

## 3.3. Processing Purposes

We process personal data to:
- Provide, operate, and maintain the Services  
- Validate licenses and enforce licensing restrictions  
- Provide customer support  
- Detect fraud and security issues  
- Comply with legal obligations  
- Improve the Services using anonymized data  

## 3.4. Processing Duration

- **License and account personal data is retained only for the duration of your active subscription.**  
- Upon cancellation or non-renewal, retention ends unless longer retention is required by law.  
- Aggregated/anonymous data may be retained indefinitely.  

---

# 4. PROCESSOR OBLIGATIONS

## 4.1. Processing Instructions

We will:
- Process personal data only according to your documented instructions  
- Not use personal data for unrelated purposes  
- Notify you if instructions appear unlawful  
- Assist you in responding to data subject requests  

## 4.2. Security Measures

We implement appropriate technical and organizational measures, including:
- Encryption in transit (TLS 1.2+)  
- Encryption at rest  
- Role-based access controls  
- Multi-factor authentication for internal systems  
- Regular vulnerability assessments  
- Incident response procedures  
- Secure key management  
- Staff confidentiality and security training  

## 4.3. Confidentiality

We will:
- Ensure personnel are bound by confidentiality obligations  
- Limit access to personal data to those who need it  
- Maintain confidentiality even after termination  

## 4.4. Data Subject Assistance

We will assist you with:
- Access requests  
- Rectification  
- Erasure requests  
- Data portability  
- Objections  
- Restriction of processing  

## 4.5. Personal Data Breach Notification

We will:
- Notify you **without undue delay** after becoming aware of a Personal Data Breach affecting your personal data, and in any event within 72 hours of becoming aware of it  
- Provide the information you need to meet your own notification obligations, including the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it  
- Support your investigation and remediation efforts  

---

# 5. SUB-PROCESSORS

## 5.1. Authorization

You authorize us to use Sub-processors, provided that:
- Each Sub-processor is bound by data protection obligations equivalent to this DPA  
- We maintain an up-to-date Sub-processor list  
- We notify you of changes before new Sub-processors are engaged  

## 5.2. Current Sub-processors

These may include:
- Cloud infrastructure providers  
- Payment processors  
- License validation services  
- Customer support platforms  
- Email service providers  

## 5.3. Objection Rights

You may object to new Sub-processors on reasonable grounds.  
If we cannot resolve your objection, you may terminate the affected service.

---

# 6. DATA TRANSFERS

## 6.1. International Transfers

Personal data may be processed outside the EEA.  
We will implement appropriate safeguards required by law.

## 6.2. Transfer Mechanisms

We rely on:
- Adequacy decisions  
- Standard Contractual Clauses (SCCs)  
- Other legal transfer mechanisms  

---

# 7. AUDIT AND COMPLIANCE

## 7.1. Documentation and Cooperation

We will:
- Maintain records of processing activities  
- Cooperate with supervisory authorities  
- Provide compliance documentation upon request  

## 7.2. Audit Rights

You may request:
- SOC 2 reports, ISO/IEC 27001 certifications, or similar attestations  
- Third-party audit summaries  
- Security documentation  

On-site audits may be available for enterprise customers under separate terms.

---

# 8. DATA RETENTION AND DELETION

## 8.1. Retention

- **License data and account data are retained only during your active subscription.**  
- Data required by law (e.g., tax, invoice records) may be retained longer.  

## 8.2. Deletion

Upon termination:
- We will delete or return personal data within **30 days**  
- You may request deletion at any time  
- We may retain anonymized data indefinitely  

---

# 9. CONTROLLER OBLIGATIONS

## 9.1. Lawful Basis for Processing

You are responsible for:
- Determining and documenting lawful basis  
- Obtaining consents where required  
- Complying with GDPR, CCPA, and other laws  

## 9.2. Instructions

You agree to:
- Provide clear instructions  
- Not instruct us to process unlawfully  

## 9.3. Security

You are responsible for:
- Securing your own systems  
- Protecting API keys and license keys  
- Implementing appropriate access controls  
- Maintaining your own backups  

---

# 10. LIABILITY AND INDEMNIFICATION

## 10.1. Liability

- Our liability is limited by the Terms of Service  
- We are not responsible for your unlawful data practices  
- We are not liable for processing carried out under your instructions  

## 10.2. Indemnification

You agree to indemnify AsterMind for claims arising from:
- Your violation of data protection laws  
- Your instructions leading to unlawful processing  
- Failure to obtain valid consents  

---

# 11. TERMINATION

## 11.1. Effect of Termination

Upon termination:
- Processing stops  
- Personal data is deleted or returned  
- Sections relating to confidentiality, liability, and audits survive termination  

---

# 12. GOVERNING LAW

## 12.1. Applicable Law

This DPA is governed by:
- The GDPR, for processing of personal data relating to EEA data subjects  
- Applicable local data protection laws, for processing outside the EEA  
- The Terms of Service, for all other matters  

## 12.2. Supervisory Authorities

Data subjects may lodge complaints with the competent supervisory authority.  
We will cooperate with such authorities as required.

---

# 13. CONTACT INFORMATION

**AsterMind AI Corporation**  
706 Scottingham Terrace  
North Chesterfield, VA 23236  
United States  

Data Protection Officer: **privacy@astermind.ai**  
Legal: **legal@astermind.ai**  
Website: **https://astermind.ai**

---

# ACKNOWLEDGMENT

By using the Services, you acknowledge that you have read, understood, and agree to this Data Processing Agreement.

**This DPA supplements the Terms of Service, Privacy Policy, and EULA.**

---

*This Data Processing Agreement is effective as of the date above and applies to all processing of personal data performed by AsterMind in connection with the Services.*
