neumind

DPA · Processor Terms · Last updated 21 April 2026

Data Processing Agreement

Processor Terms governing how Neumind processes personal data on behalf of Customer organisations.

1. Definitions

1.1 For the purposes of this DPA:

• “Data Protection Laws” means all applicable laws and regulations relating to data protection, privacy, and the processing of Personal Data, including, where applicable, the UK GDPR (the retained EU law version of the General Data Protection Regulation), the EU GDPR (Regulation (EU) 2016/679), the Data Protection Act 2018, and any laws implementing or supplementing the foregoing, as well as the Privacy and Electronic Communications Regulations (PECR) and other applicable privacy laws.
• “Personal Data”, “Controller”, “Processor”, “Data Subject”, “Processing”, “Personal Data Breach”, and “Special Category Data” shall have the meanings given to them in the applicable Data Protection Laws. “Customer Personal Data” means any Personal Data processed by Neumind on behalf of the Customer under the Main Agreement.
• “Customer” (or “Controller”) means the entity that has subscribed to Neumind’s services and which determines the purposes and means of the processing of Personal Data (typically, the Customer is a healthcare provider or organisation using the Neumind Platform for its patients).
• “Neumind” (or “Processor”) means Neumind Ltd, the provider of the Platform and services that involve processing Personal Data on behalf of the Customer.
• “Services” means the software-as-a-service platform, applications and related services provided by Neumind to the Customer as described in the Main Agreement (e.g., the Neumind Platform, including the web dashboard for professionals and mobile app for patients/caregivers).
• “Sub-processor” means any third party engaged by Neumind (including any Neumind affiliate, if applicable) that Processes Customer Personal Data as part of the Services. Neumind’s current sub-processors are listed in the public Sub-processors register.
• “UK GDPR” and “EU GDPR” refer to the applicable GDPR regulation in the UK and EU respectively. “Standard Contractual Clauses” or “SCCs” refer to the standard data protection clauses adopted by the EU Commission or UK’s ICO for international transfers of Personal Data, as applicable.

1.2 This DPA is subject to the terms of the Main Agreement and is effective for the term of the Main Agreement (including any transition or wind-down period) unless replaced by an updated DPA. In case of any conflict, this DPA will prevail with regard to the protection of Personal Data.

1.3 The details of Processing under this DPA (subject matter, nature, purpose, duration, categories of data, etc.) are outlined in Annex 1 to this DPA. Both parties agree to the contents of Annex 1, which may be updated from time to time by written agreement to reflect changes in processing.

2. Roles and Responsibilities

2.1 Controller and Processor. As between the parties, the Customer is the Data Controller and Neumind is the Data Processor with respect to Customer Personal Data that is processed under the Main Agreement. The Customer determines the purpose and means of the processing of Customer Personal Data, and Neumind will process such data only on documented instructions from the Customer, as set out in the Main Agreement and this DPA or as otherwise directed in writing by the Customer (except where otherwise required by applicable law, in which case Neumind shall inform the Customer of that legal requirement before processing, unless prohibited from doing so by law).

2.2 Customer Compliance. The Customer shall, in its use of the Services, comply with its obligations under Data Protection Laws as a Controller. The Customer represents and warrants that it has obtained and will maintain all necessary rights, consents, and notices to allow Neumind to process the Customer Personal Data for the purposes of providing the Services. Customer remains responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Personal Data. The Customer confirms that it is entitled to transfer (or provide access to) the Personal Data to Neumind so that Neumind may lawfully use, process, and transfer the Personal Data on the Customer’s behalf in accordance with this DPA. The Customer shall not instruct Neumind to process any data in a manner that would violate applicable laws.

2.3 Authorisation of Personnel. The Customer will ensure that persons who provide instructions or requests to Neumind on its behalf (e.g. employees or administrators) are authorised to do so. Neumind is entitled to rely on communications from such authorised persons. The Customer shall inform Neumind without undue delay if any instruction is withdrawn or changed.

3. Processor Obligations

Neumind (as Processor) agrees to comply with the following obligations with respect to Customer Personal Data:

3.1 Processing on Instructions. Neumind shall process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country, unless required to do otherwise by applicable law. In such case, Neumind will inform Customer of that legal requirement before processing (unless law prohibits such disclosure). The Main Agreement (including this DPA) constitutes the Customer’s complete and final instructions to Neumind for the processing of Customer Personal Data. Any additional or alternate instructions must be agreed upon separately. If Neumind believes an instruction from Customer violates Data Protection Laws, it will promptly inform the Customer.

3.2 Confidentiality. Neumind shall ensure that all personnel whom it authorises to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Neumind will not disclose Customer Personal Data to any third party unless specifically permitted under this DPA or the Customer instructs otherwise, except as necessary to comply with a lawful government request (in which case Neumind will notify Customer, unless legally prohibited).

3.3 Security Measures. Neumind shall implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the risk, taking into account the state of the art, costs of implementation, nature of the data, and the harm that might result from a breach. Such measures include, at a minimum: encryption of Personal Data at rest and in transit, access controls and authentication measures, regular backups, and security policies for Neumind personnel. Annex 2 (Security Measures) to this DPA describes in more detail the security controls in place. Neumind will regularly test and evaluate the effectiveness of these measures and will continuously improve security as needed to keep pace with industry standards and legal requirements.

3.4 Sub-Processors. Neumind has the Customer’s general authorisation to engage Sub-processors for carrying out specific processing activities on behalf of the Customer, provided that: (i) Neumind maintains an up-to-date list of Sub-processors (available at the public Sub-processors register) and shall notify Customer of any intended addition or replacement of Sub-processors, giving Customer the opportunity to object on reasonable grounds, providing at least 10 days’ prior notice via email or dashboard; (ii) Neumind imposes on each Sub-processor data protection obligations that are at least as protective as those in this DPA, including obligations to process Personal Data only on Neumind’s instructions and to implement appropriate safeguards; and (iii) Neumind remains liable for the Sub-processor’s performance of its data protection obligations. Current key Sub-processors for Neumind include: authentication provider (Auth0), cloud database host (Amazon Web Services), and any other sub-processors listed in the public register and Annex 1. Neumind will provide notice to Customer of significant changes and honour Customer’s right to reasonably object to a new Sub-processor. If Customer has legitimate objections (e.g. the new Sub-processor poses material risk to Personal Data), the parties will work in good faith to address the concern, which may include Customer’s right to terminate the Services if resolution cannot be reached.

3.5 Personal Data Breach. In the event Neumind becomes aware of a Personal Data Breach affecting Customer Personal Data, Neumind shall notify Customer without undue delay, and in any event without undue delay and no later than 72 hours of Neumind becoming aware of the breach. Such notice will include, to the extent available, sufficient information for the Customer to meet any obligations to report or inform Data Subjects or regulators of the breach, including: the nature of the breach, categories and approximate volume of data and Data Subjects affected, likely consequences, and measures taken or proposed by Neumind to address the breach. Neumind will promptly investigate the breach and take reasonable steps to mitigate harm and prevent further incidents. Neumind will cooperate with Customer’s reasonable requests in relation to the breach, including providing information and assisting with any notifications. Neumind’s notification of or response to a breach shall not be construed as an acknowledgment of fault or liability.

3.6 Assistance with Data Subject Rights. Neumind shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to fulfil the Customer’s obligations to respond to Data Subject requests to exercise their rights under Data Protection Laws (such as rights of access, rectification, erasure, restriction, portability, and objection). If Neumind receives a request from a Data Subject directly, it will promptly inform the Customer and not respond directly (unless required by law or authorised by Customer). Neumind will reasonably assist Customer in responding to any such request, for example by providing relevant information or enabling functionality for data retrieval or deletion. The Customer shall be responsible for handling and responding to the Data Subject request, and any fees (if applicable) for Neumind’s assistance will be as set out in the Main Agreement or otherwise agreed (Neumind will not charge for minor assistance that is a natural part of the Service).

3.7 Assistance with Compliance. Upon Customer’s request, Neumind shall assist Customer in ensuring compliance with the Customer’s obligations under Articles 32 to 36 of GDPR (or equivalent provisions under UK law), which include: implementing security measures (Art. 32), notifying breaches to supervisory authorities and data subjects (Arts. 33, 34), conducting Data Protection Impact Assessments (Art. 35), and consulting with supervisory authorities (Art. 36). Specifically, Neumind will provide relevant information about its security measures and processing activities to support Customer’s DPIA if needed, and will allow for and contribute to audits as described in Section 3.8. Neumind shall maintain records of processing as required by Article 30(2) GDPR and make them available to competent authorities upon request.

3.8 Audits and Inspections. Neumind shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits (including inspections) by the Customer or an independent auditor mandated by the Customer, in relation to the processing of Customer Personal Data by Neumind. Neumind may satisfy this obligation by providing third-party certifications or audit reports (e.g., ISO 27001, SOC 2 reports) that are relevant to the Services, along with answers to any reasonable customer questionnaires. If a physical on-site audit is required, Customer must give reasonable prior notice (at least 30 days) and conduct the audit during normal business hours in a manner that does not disrupt Neumind’s operations, and each party will bear its own costs. The scope of any audit shall be limited to Neumind’s systems and processes relevant to Customer Personal Data and shall be subject to reasonable confidentiality procedures. Customer shall promptly share with Neumind the results or findings of any audit, and Neumind will address any material findings.

3.9 Deletion or Return of Data. Upon termination or expiry of the Main Agreement (or at an earlier time if requested by Customer), Neumind will, at Customer’s choice, return or delete all Customer Personal Data in its possession or control, except to the extent that Neumind is required by law to retain a copy of certain data. This deletion may be accomplished by secure erasure of data from Neumind systems and backups (with the understanding that certain backups might be retained for a short period and then overwritten in the ordinary course). If return is requested, Neumind will provide the Customer Personal Data in a common machine-readable format. After confirming deletion, Neumind will not retain Customer Personal Data except as required for compliance with legal obligations or for establishment or defence of legal claims. Any retained data will remain protected under the terms of this DPA as long as it is retained.

3.10 No Sale or Use for Own Purpose. Neumind shall not “sell” or “share” Customer Personal Data as defined under applicable US state privacy laws (e.g., CCPA/CPRA) and shall not retain, use, or disclose Customer Personal Data for any purpose other than as specified in the Main Agreement and Customer’s instructions, or as otherwise permitted by law. Neumind will not use Customer Personal Data for Neumind’s own marketing or other commercial purposes, nor will it combine Customer Personal Data with data from other clients except to the extent needed for service functionality or analytics as permitted (and in such cases data will be de-identified or aggregated where possible). Neumind acknowledges and agrees it is acting as a “service provider” to Customer (as that term is defined in CCPA) for any Personal Data subject to such laws.

4. International Data Transfers

4.1 The parties acknowledge that Customer Personal Data may be processed in or transferred to countries outside the UK or European Economic Area (EEA) in connection with the Services (for example, to Sub-processors or Neumind affiliates in third countries). Neumind shall ensure that any such transfer is performed in compliance with Data Protection Laws.

4.2 UK and EEA Transfers. Where the Customer Personal Data originating from the UK or EEA is transferred to a country not deemed by the UK Information Commissioner’s Office or European Commission (as applicable) to provide an adequate level of data protection, the parties will implement appropriate safeguards as required by Chapter V of GDPR. This may include (at Customer’s discretion):

• (a) Standard Contractual Clauses. The parties agree to enter into the relevant Standard Contractual Clauses (SCCs) as promulgated or approved under Data Protection Laws. Specifically: for transfers from the EEA, the EU Commission’s SCCs for Controller-to-Processor (Module Two) or Processor-to-Processor (Module Three), as appropriate, will be deemed incorporated into this DPA; for transfers from the UK, the UK International Data Transfer Addendum (IDTA) or the UK Addendum to EU SCCs (as applicable) issued by the ICO will be incorporated. Neumind may complete and execute these clauses as the “data importer” and Customer (or its Controller affiliates, as applicable) as the “data exporter”. The Annexes of such SCCs shall be populated with the relevant information from Annex 1 and Annex 2 of this DPA. By signing the Main Agreement and this DPA, the parties are deemed to have signed the SCCs where and as applicable, including the election of UK Addendum for UK transfers. Customer may request a populated copy of the completed SCCs/IDTA.
• (b) Alternative Transfer Mechanism. If SCCs are not deemed an appropriate or available mechanism for a given transfer, the parties shall implement any other valid mechanism under Data Protection Laws, such as an International Data Transfer Agreement (for UK) or reliance on an adequacy decision, binding corporate rules, or an exemption, as allowed.

4.3 Additional Safeguards. The parties agree to negotiate in good faith any additional measures or contract modifications that may be required to ensure an equivalent level of protection for the transferred data in accordance with the recommendations of regulators or changes in law (for example, following Schrems II and related guidance for international transfers). Neumind will, upon request, provide information about the locations of its data centres or sub-processors relevant to Customer’s data.

4.4 Disclosure Requests. If Neumind receives any legally binding request (such as a subpoena or order) from a public authority (including law enforcement) for disclosure of any Customer Personal Data, Neumind shall (to the extent permitted by law) promptly notify Customer and reasonably cooperate with Customer’s efforts to redirect the request or object, unless prohibited from doing so. Neumind will not provide access or information unless required by applicable law.

5. Controller Assistance and Mutual Obligations

5.1 Data Protection Impact Assessments. If Customer needs Neumind’s assistance to fulfil Customer’s obligation to carry out a Data Protection Impact Assessment (DPIA) or consult with a supervisory authority under Data Protection Laws, Neumind will provide relevant information and support to the extent reasonably possible (for example, information about the processing and security measures). Any such assistance beyond the standard Service may be billable at reasonable rates if it requires significant effort. Neumind’s DPIA documentation or summaries (if available) may be shared to aid Customer.

5.2 Training and Awareness. Neumind will ensure that its personnel engaged in processing Customer Personal Data are trained and informed about their obligations regarding the security and privacy of Personal Data. The Customer, as Controller, should also ensure that its staff who access the Platform are trained on proper data handling and security practices (for example, not storing patient data outside authorised systems, using strong passwords, etc.).

5.3 Mutual Cooperation. The parties will cooperate in good faith with each other and with any relevant supervisory authority regarding compliance with Data Protection Laws. The Customer has the right to request information and seek clarification from Neumind regarding Neumind’s data protection practices relevant to the Services, and Neumind will provide transparency and timely responses to facilitate such cooperation (subject to reasonable limitations to protect other clients’ data or Neumind’s confidentiality).

5.4 Breach Liability. Each party shall bear its own costs in managing and remedying a Personal Data Breach. In the event a Personal Data Breach is caused by a violation of this DPA by Neumind, Neumind will take reasonable steps to address and remediate the breach. Notwithstanding anything to the contrary, any liability of Neumind arising out of or related to data protection (including this DPA) is subject to the limitations and exclusions of liability in the Main Agreement. The parties acknowledge that the fees for Services take into account this allocation of risk.

6. Jurisdiction-Specific Terms

6.1 UK. For purposes of UK GDPR, references in this DPA to certain EU terms (such as EU supervisory authority, SCCs, etc.) shall be deemed to include the equivalent UK terms (ICO, UK Addendum, etc.) as appropriate. The parties agree that the UK Addendum (version B.1.0) is incorporated into this DPA for any Restricted Transfers from the UK, which shall be deemed signed on the same date as the Main Agreement. The UK Addendum shall be completed using the information from Annex 1 and Annex 2, and selecting the format of the EU SCCs as entered into pursuant to Section 4.2.

6.2 EU/EEA. Neumind will, where required by EU GDPR, appoint an EU representative if it is not established in the EU but is subject to EU GDPR (for example, if Neumind offers services to data subjects in the EU). Neumind will provide the contact details of such representative in its Privacy Notice or upon request. If any provisions required by EU GDPR (such as those in Article 28) are not expressly addressed in this DPA, they are hereby incorporated by reference.

6.3 United States. To the extent Customer Personal Data includes personal information of residents of U.S. states with privacy laws (e.g., California, Virginia, etc.), Neumind agrees that it will act as a Service Provider/Processor with respect to such data. Neumind certifies that it understands and will comply with the restrictions set forth in Section 3.10 (no selling or sharing, etc.) and applicable U.S. privacy laws (such as CCPA) with respect to Customer Personal Data. If the Customer is a Covered Entity under HIPAA and the data involves Protected Health Information (PHI) subject to HIPAA, Neumind is willing to enter into a separate Business Associate Agreement (BAA) to ensure compliance with HIPAA. The Customer is responsible for notifying Neumind if a BAA is required. Neumind’s services are designed to meet high security standards, and Neumind will implement administrative, physical, and technical safeguards in line with HIPAA Security Rule requirements.

6.4 Other Jurisdictions. If the Customer or Neumind is subject to other privacy regulations (such as PIPEDA in Canada, or other national laws), the parties will work together in good faith to comply with those laws. This may involve executing additional addenda or clauses to address country-specific requirements (for instance, data localisation or specific breach notification rules).

7. Miscellaneous

7.1 Governing Law. This DPA is governed by the same law as the Main Agreement, except to the extent that the Standard Contractual Clauses or other mandated terms specify a governing law for those clauses. For example, EU SCCs modules may designate the law of an EU Member State for disputes under the SCCs (commonly Ireland’s law if not otherwise chosen). Subject to that, the parties submit to the jurisdiction stipulated in the Main Agreement for resolving any disputes arising out of or in connection with this DPA.

7.2 Liability and Indemnity. Each party’s liability arising from or in connection with this DPA (including under the SCCs) is subject to the limitations and exclusions of liability set out in the Main Agreement. The parties agree that any regulatory fines or penalties imposed on one party due to the other party’s breach of this DPA or Data Protection Laws shall count toward direct damages (if recoverable) and be subject to any agreed liability cap. No party shall be responsible for paying fines that the other party is imposed by a supervisory authority, except to the extent that such fines resulted from the other party’s breach (in which case an indemnification may be sought if provided by the Main Agreement).

7.3 Term and Termination. This DPA shall continue in force until the later of: (i) termination or expiration of the Main Agreement, or (ii) Neumind’s deletion or return of all Customer Personal Data in accordance with this DPA. Termination of the Main Agreement will trigger termination of this DPA. Clauses that are necessary to interpret or enforce this DPA (such as confidentiality, deletion, and liability provisions) shall survive termination. If Neumind continues to process Personal Data after termination for any lawful retention purposes, it will continue to protect such data in accordance with this DPA.

7.4 Amendments. Except as expressly provided in this DPA, this DPA may only be modified by a written amendment signed by both parties. However, if any provision of this DPA is or becomes invalid under applicable law, or if additional provisions are required by law (for example, new regulatory requirements), the parties agree to work together in good faith to amend this DPA to meet the required standard. Neumind may propose updates to this DPA to comply with law or adjust to new sub-processors or features; such updates will become effective upon signature by both parties (or as otherwise agreed).

7.5 Order of Precedence. In the event of any conflict or inconsistency between this DPA and any other agreements between the parties (including the Main Agreement, or any document referenced therein), the provisions of this DPA shall prevail with regard to the protection of Personal Data. In case of conflict between this DPA and the Standard Contractual Clauses (if applicable), the SCCs shall prevail to the extent of the conflict, as required by law.

7.6 Execution. This DPA may be executed in counterparts or via electronic acceptance (including via a checkbox or electronic signature service) and is effective as of the Effective Date of the Main Agreement or the date of last signature below (whichever is earlier). By executing the Main Agreement, the parties are deemed to have executed this DPA.

---

A1. Annex 1 – Details of Processing

Description of the data processing as required by Article 28 GDPR.

• Subject Matter. Neumind’s provision of its digital rehabilitation Platform and related services to Customer, which involves processing personal data of Customer’s end-users (patients, caregivers) and authorised professional users in order to facilitate brain injury rehabilitation, therapy tracking, and communication.
• Duration of Processing. For the duration of the Main Agreement, and any post-termination period during which Neumind continues to provide transition or data export services, or until deletion of all Personal Data in accordance with this DPA. Certain data may be retained for limited periods after termination solely for legal compliance or backup purposes, as outlined in this DPA.
• Purpose of Processing. To enable the Customer to utilise the Neumind Platform to support patients in rehabilitation. This includes: creating and managing user accounts; delivering therapy exercises, cognitive tools, educational content; tracking patient progress; facilitating communication between professional users, patients, and caregivers; storing user-generated data (journal entries, assessments); and generating analytics or reports for the Customer’s internal use. Neumind processes the data to operate and improve the Platform, provide support, ensure security, and fulfil its obligations under the Main Agreement.
• Nature of Processing. Collection, recording, hosting/storage, retrieval, structuring, transmitting (including to and from end-user devices), display of information to authorised users, and erasure or anonymisation upon request. Processing may include automated functions like personalised content recommendations or notifications. No decision producing legal effects concerning a data subject is made solely by automated means by Neumind (any clinical decisions are made by professional users).
• Types of Personal Data.
  • Identification and Contact Data: e.g. name, email address, phone number, login credentials of Patient Users, Caregiver Users, and Professional Users.
  • Demographic Data: e.g. date of birth, gender, general location (for instance, for time zone or localisation).
  • Health and Rehabilitation Data: e.g. information about the patient’s injury or condition (type of brain injury, date of event), selected cognitive areas of focus, therapy or exercise plans, progress notes, responses to in-app exercises or surveys, and any other health-related information that the patient or professional inputs. This may include Special Category Data (health data such as cognitive assessment results, therapy outcomes) for which appropriate consent is obtained by Customer.
  • Caregiver Input: notes or observations added by caregivers about the patient’s daily activities or condition (if applicable).
  • Usage Data: platform usage logs and analytics (e.g. log-in times, features used, interactions) tied to user IDs; device information (like device type, operating system); and communication metadata (such as message timestamps). Usage Data is primarily used in aggregate or anonymised form for improving the service, but some may be linked to individuals for support or analytics provided to Customer.
  • Support Data: if users contact support, any additional data they provide (which could include personal data such as contact info or descriptions of issues).
  • Neumind does not intentionally process any financial information (no direct payments by patients through the app at this time) or any government identifiers via the Platform. Payment information, if any (for subscriptions), may be handled by third-party payment processors and is outside the scope of typical Customer Personal Data processed by Neumind (though basic subscription status is tracked). Neumind also does not need to process any criminal records or biometric data for the Services (and does not anticipate doing so).
• Categories of Data Subjects.
  • Patient Users: individuals (often brain injury survivors or individuals with neurological conditions) using the app for their rehabilitation, whose personal and health data is processed.
  • Caregiver Users: family members, friends, or support persons who assist a Patient User and have been invited to use the app in a supporting role. Their personal data is minimal (contact info, relation to patient, and any content they input about the patient).
  • Professional Users: healthcare providers, therapists, or other professionals who use the Platform to support Patient Users (their business contact details and professional profile information may be processed, as well as any notes they input about patients). This includes both employees of the Customer and any authorised external practitioners.
  • Other Users: In some cases, there may be “Other Users” such as community forum participants (if a forum exists within the Platform) or peer supporters. These would typically fall under patient or caregiver categories. Additionally, website visitors who are not registered may have their data processed via cookies as per the Privacy Notice (outside core scope of this DPA).
• Special Category Data. The Platform processes health data relating to physical and mental health of patients (e.g., medical history, cognitive function status, therapy progress) which is considered special category (sensitive) personal data under GDPR. The lawful basis for processing such data is determined by Customer (often explicit consent from the patient, or processing by health professionals for provision of care under GDPR Art. 9(2)(h)). Neumind will apply enhanced security to such data (e.g., encryption, access controls) and will not process it for any purpose other than providing the Services. Neumind does not intend to process other special categories like racial or ethnic origin, biometric identifiers, etc., except incidentally if contained in free-text notes input by users.
• Frequency of Processing. Continuous (Customer Personal Data is processed on an ongoing basis throughout the term as users interact with the Platform). Certain data may be processed in batches (e.g. nightly backups, analytics runs).
• Retention Period. Personal Data is retained for as long as the user account is active and for the duration of the Main Agreement. Upon a patient’s deletion or account closure, data can be deleted or exported upon request. By default, Neumind may retain data for 90 days after account deactivation in case of reactivation or as instructed by Customer, after which it will be deleted or anonymised, unless required to retain longer by law or for legitimate business interests (with appropriate safeguards).
• Location of Processing. Primarily in the United Kingdom and EEA. The primary database is hosted in European data centres (e.g., AWS RDS in eu-west-2). Authentication data (user accounts) via Auth0 is also hosted in a European region per Neumind’s configuration. Neumind’s personnel who support the service may be located in the UK. Any transfers outside these areas will be governed by Section 4 of the DPA.

(End of Annex 1)

A2. Annex 2 – Security Measures

The following is a summary of the key technical and organisational security measures implemented by Neumind (Processor) to protect Customer Personal Data.

• Infrastructure Security. Neumind’s Platform is hosted on reputable cloud service providers with strong security practices (e.g., Auth0 for identity management, AWS RDS for databases). Data is stored in data centres that are certified under internationally recognised standards such as ISO 27001, SOC 2, and ISO 27018 (for cloud privacy). Physical security measures at these data centres are certified to ISO 27001, ISO 27018 and SOC 2 and include 24/7 monitoring, access controls, redundancy, and environmental controls.
• Encryption. All Personal Data is encrypted in transit over public networks using industry-standard TLS (HTTPS) encryption. Sensitive data at rest in databases (including personally identifiable information and health data) is encrypted using strong encryption algorithms (e.g., AES-256). Encryption keys are managed securely and rotated as appropriate.
• Access Control and Authorisation. Access to Personal Data within Neumind’s systems is restricted based on the principle of least privilege. Only authorised personnel with a need-to-know have access to production systems or data. Role-based access controls (RBAC) are in place to ensure personnel can only access the minimum data necessary for their role (for example, customer support can access user account data when needed, but not underlying health details unless required). Administrative access to cloud platforms requires multi-factor authentication and is logged. End-users (professionals, patients) can only access data tied to their accounts/permissions (enforced by application-level access controls, e.g., a therapist can only view data of patients they are connected to).
• Personnel Practices. All Neumind employees and contractors with potential access to Personal Data are subject to background checks (where permitted by law) and are bound by confidentiality agreements. Neumind provides training on data protection and information security to its staff at least annually and upon hiring. There are formal security policies covering topics such as data handling, incident response, acceptable use, etc., which employees must acknowledge.
• Application Security. Neumind follows secure development lifecycle practices. Code is reviewed for security issues, and dependencies are kept up-to-date to mitigate vulnerabilities. The Platform undergoes periodic vulnerability scanning and penetration testing (by internal team or external specialists) to identify and address security weaknesses. In-app authentication is handled via secure protocols (Auth0) and supports strong passwords and session management. User passwords are never stored in plaintext (only hashed with a modern algorithm). The Platform includes protections against common web threats (e.g., CSRF tokens, input validation to prevent SQL injection and XSS).
• Monitoring and Logging. Neumind utilises monitoring tools to track access and behaviours in systems. Security logs (for authentication, key actions, errors) are kept and regularly reviewed. Unusual activities (e.g., multiple failed logins, data export spikes) may trigger alerts for investigation. The infrastructure is configured to detect and alert on certain events such as intrusion attempts or anomalies.
• Data Backup and Recovery. Customer Personal Data in the primary database is backed up regularly (with continuous backup or daily snapshots). Backups are encrypted and stored securely. Neumind has disaster recovery plans to restore availability and access to data in a timely manner in case of a physical or technical incident. Recovery procedures are tested periodically to ensure effectiveness (e.g., test restoring from backup).
• Incident Response. Neumind has an incident response plan for security and data breach incidents. Designated personnel (including a security lead or Data Protection Officer) will triage and respond to incidents. The plan includes steps for containment, investigation, user and Customer notification (as per DPA requirements), and remediation. Incidents are documented and post-mortems conducted for significant events to prevent recurrence.
• Testing and Audit. Neumind’s security controls are subject to regular internal audits. Additionally, Neumind may maintain relevant security certifications or undergo third-party audits as required by clients or law. The company addresses any findings from tests or audits promptly.
• Sub-processor Management. Neumind conducts due diligence on its Sub-processors’ security measures. It has Data Processing Agreements in place with each Sub-processor imposing equivalent security and privacy obligations. Sub-processors (like Auth0, Amazon Web Services) are certified and audited regularly. Neumind monitors sub-processor compliance via review of their audit reports or certifications. The current sub-processor list is published at the public Sub-processors register.
• Endpoint and Network Security. Neumind ensures that any endpoints (laptops, devices) used by its developers or staff to access systems are secured with up-to-date anti-malware software, firewalls, full disk encryption, and strong authentication. Remote access to production is limited to VPN or secure tunnels with multi-factor authentication. Internal networks are segmented such that development, testing, and production environments are separated.
• Data Minimisation and Pseudonymisation. Where feasible, Neumind minimises the Personal Data it processes. For example, certain identifying information (like detailed contact info) may be stored in separate systems from health data, linked via unique user IDs. In analytical contexts, data is anonymised or pseudonymised. Derived data or usage analytics are in aggregated form and do not identify individuals. If using production data for testing, data is anonymised or masked.
• Continual Improvement. Neumind’s security team (or responsible personnel) tracks emerging threats and vulnerabilities (for example, via threat intelligence). Security measures are updated in response to new risks, customer requirements, or best practices. Regular management reviews of security posture are conducted, and resources are allocated to address any gaps.

(End of Annex 2)