MINDFORT PLATFORM TERMS OF SERVICE
Last updated: 12/02/2025
These MindFort Terms of Service (this “Agreement”) govern your or the company or entity on whose behalf you entered this Agreement (“Customer”) use of the Services as made available by MindFort AI, Inc. (“MindFort”). MindFort and Customer may be referred to herein collectively as the “Parties” or individually as a “Party”.
AGREEMENT TO TERMS AND CONDITIONS.
This Agreement is effective, and you as the Customer agree to be bound by this Agreement on the date you first click a button titled [“Sign Up.”] (the “Effective Date”). If you are accepting this Agreement on behalf of Customer, you represent and warrant that you have the authority to bind Customer to the terms and conditions of this Agreement.
THE SERVICES ARE DESIGNED TO ATTACK AND IDENTIFY VULNERABILITIES IN TARGET PROPERTIES. USE OF THE SERVICES ON TARGET PROPERTIES WITHOUT PERMISSION IS STRICTLY PROHIBITED BY THIS AGREEMENT.
DEFINITIONS.
“AUP” means the Acceptable Use Policy found at [link to Acceptable Use Policy], which forms part of this Agreement.
“Authorized Users” means employees, agents, consultants, contractors, or vendors authorized by Customer to use the Services.
“MindFort IP” means the Services, the underlying software provided in conjunction with the Services, agents, AI models, algorithms, interfaces, technology, databases, tools, know-how, processes and methods used to provide or deliver the Services and Documentation and Aggregate Data (as defined below), all improvements, modifications or enhancements to, or derivative works of, the foregoing (regardless of inventorship or authorship), and all Intellectual Property Rights in and to any of the foregoing.
“Documentation” means the documentation relating to the Services if and as provided by MindFort to Customer (including any revised versions thereof), which may be updated from time to time upon notice to Customer.
“Intellectual Property Rights” means patent rights (including, without limitation, patent applications and disclosures), inventions, copyrights, trade secrets, know-how, data and database rights, mask work rights, and any other intellectual property rights recognized in any country or jurisdiction in the world.
“Services” means autonomous penetration testing and security assessment activities performed by MindFort’s AI Agents, including all related features, functionalities, and access to the MindFort platform.
“Target Property” means the specific website, web application, computer system, network, program, or device designated by the Customer for the Services.
PRIVACY NOTICE. Please review MindFort’s Privacy Notice, available at https://mindfort.ai/privacy, which also governs how MindFort collects, uses and shares Customer’s and Authorized Users’ information.
ACCESS AND USE.
Services. Subject to the terms and conditions of this Agreement, MindFort hereby grants Customer a limited, non-exclusive, non-transferable (except in compliance with Section 13(b)) right to use (and permit Authorized Users to use) the Services in accordance with the Documentation and the terms of this Agreement.
Use Restrictions. Customer will not and will not permit any person or entity (including, without limitation, Authorized Users) to, directly or indirectly: (i) use the Services in any manner beyond the scope of rights expressly granted in this Agreement; (ii) modify or create derivative works of the Services or Documentation, in whole or in part; (iii) decipher, reverse engineer, disassemble, decompile, decode, or otherwise attempt to derive or gain improper access to any software component of the Services or any components, models, algorithms or AI systems used to provide the Services, in whole or in part, or engage in any of the adversarial attacks set forth in the NIST AI 100-2 E2025 publication available at https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-2e2025.pdf; (iv) frame, mirror, sell, resell, rent or lease use of the Services to any other person or entity or otherwise allow any person or entity to use the Services for any purpose other than for the benefit of Customer in accordance with this Agreement; (v) use the Services, Output or Documentation in any manner or for any purpose that infringes, misappropriates, or otherwise violates any Intellectual Property Right or other right of any person or entity or that violates any applicable law; (vi) interfere with, or disrupt the integrity or performance of, the Services or any data or content contained therein or transmitted thereby; (vii) access or search the Services (or download any data or content contained therein or transmitted thereby) through the use of any engine, software, tool, agent, device or mechanism (including spiders, robots, crawlers or any other similar data mining tools) other than software or Services features provided by MindFort for use expressly for such purposes; (viii) use the Services, Documentation or any other MindFort Confidential Information for benchmarking or competitive analysis with respect to competitive or related products or services or to develop, commercialize, license or sell any product, service or technology that could, directly or indirectly, compete with the Services; (ix) use the Services or any Output in a manner that violates the OpenAI Usage Policies located at https://openai.com/policies/usage-policies or any other such usage policies as applicable; (x) utilize the Services (including any AI models or derivatives thereof), Documentation or Output to train, improve or have trained or improved an AI model (e.g., engage in “model scraping” or “model distillation”); (xi) use the Services in a manner that violates the AUP; or (xii) submit any Target Property as a target for the Services, unless Customer is the verified legal owner or possesses explicit, written authorization to submit the Target Property.
Authorized Users. Customer may permit Authorized Users to use the Services in accordance with the Documentation and the terms of this Agreement, provided that Customer is responsible for all acts or omissions by its Authorized Users in connection with their use of the Services and their compliance with the terms and conditions of this Agreement, including, without limitation, with Customer’s obligations and the restrictions set forth in Section 4(b). Customer will, and will require all Authorized Users to, use all reasonable means to secure user names and passwords, hardware and software used to access the Services in accordance with customary security protocols, and will promptly notify MindFort if Customer knows or reasonably suspects that any user name and/or password has been compromised.
Ownership of MindFort IP. Subject to the limited rights expressly granted hereunder, MindFort reserves and, as between the Parties will solely own, the MindFort IP and all rights, title and interest in and to the MindFort IP. No rights are granted to Customer hereunder (whether by implication, estoppel, exhaustion or otherwise) other than as expressly set forth herein.
Feedback. From time to time Customer or its employees, contractors, representatives may provide MindFort with suggestions, comments, feedback or the like with regard to the Services (collectively, “Feedback”). Customer hereby grants MindFort a perpetual, irrevocable, royalty-free and fully-paid up license to use and exploit all Feedback in connection with MindFort’s business purposes, including, without limitation, the testing, development, maintenance and improvement of the Services. For clarity, Feedback is not considered Confidential Information (as defined below).
Third-Party Services. Certain features and functionalities within the Services may allow Customer and its Authorized Users to interface or interact with third-party services, products, technology and content (collectively, “Third-Party Services”). MindFort does not provide any aspect of the Third-Party Services and is not responsible for any compatibility issues, errors or bugs in the Services or Third-Party Services caused in whole or in part by the Third-Party Services or any update or upgrade thereto. Customer is solely responsible for maintaining the Third-Party Services and obtaining any associated licenses and consents necessary for Customer to use the Third-Party Services in connection with the Services.
Risk of Use. Customer acknowledges that the Services may identify vulnerabilities in the Target Properties, and due to the unpredictable nature of AI, the Target Properties may be negatively impacted by the Services, and data may be collected, in a manner not anticipated by the Parties. Customer acknowledges that its use of the Services is at its own risk. Customer shall be responsible for its and its Authorized Users’ use of the Services, including without limitation any submission of unauthorized Target Property(ies) for the Service and any effect of the Services on any Target Property and any Customer Materials.
FEES AND USAGE CREDITS. Customer shall pay MindFort the non-refundable fees set forth on MindFort’s pricing page (the “Fees”) for a subscription to access the Services during the Term and for credits toward token usage for the Services, as set forth below. Customer will receive credits based on the subscription tier selected and Fees paid by Customer. Please see MindFort’s pricing page at https://mindfort.ai/pricing for details, including the calculation of recurring costs, tiers, and credit allotments. MindFort will track and report Customer’s consumption of credits on a monthly basis. If Customer’s consumption of credits during any applicable Term exhausts the number of credits allotted for the Fees paid by Customer, Customer must purchase additional credits before further use of the Services. Credits expire at the end of the Initial Term, or Renewal Term, as applicable, with no refund or credit for unused credits, and no rollover of credits to a subsequent Renewal Term.
MindFort will charge Customer’s selected payment method (such as a credit card) for any Fees on the applicable payment date, including any applicable taxes. If MindFort cannot charge Customer’s selected payment method for any reason (such as expiration or insufficient funds), Customer remains responsible for any uncollected amounts, and MindFort will attempt to charge the payment method again as Customer may update its payment method information. If Customer fails to make any payment when due, MindFort may suspend Services until all payments are made in full. Customer is responsible for all sales, use, ad valorem and excise taxes, and any other similar taxes, duties and charges of any kind imposed by any federal, state, multinational or local governmental regulatory authority on any amount payable by Customer to MindFort hereunder, other than any taxes imposed on MindFort’s income.
CUSTOMER MATERIALS. Customer hereby grants MindFort a non-exclusive, worldwide, royalty-free right and license to use, reproduce, display, perform and modify the Customer Materials for (i) the purpose of hosting, operating, developing, improving and providing the Services (including for training/retraining any models associated with the Services) and (ii) for the purpose of creating or developing Aggregate Data. As between Customer and MindFort, Customer owns and retains all right, title and interest in and to all Customer Materials. “Customer Materials” means all information, data, content and other materials, in any form or medium, that is submitted, posted, collected, transmitted or otherwise provided by or on behalf of Customer through the Services or to MindFort in connection with Customer’s use of the Services, but excluding, for clarity, Aggregate Data and any other information, data, data models, content or materials owned or controlled by MindFort and made available through or in connection with the Services. “Aggregate Data” means any data that is derived or aggregated in deidentified form from (i) any Customer Materials; or (ii) Customer’s and/or its Authorized Users’ use of the Services, including, without limitation, any usage data or trends with respect to the Services.
Input and Output. The Services may generate output for Customer (each, “Output”) in response to: (i) the penetration testing on the Target Properties conducted by the Services; or (ii) Customer interactions or prompts uploaded or submitted to influence the Output or Services (collectively, “Input”). As between you and MindFort to the extent permitted by applicable law and subject to Section 4(d), Customer owns and is responsible for all Input that Customer provides. Customer may not sell or share for commercial benefit or purposes Output to any third parties. MindFort may use and modify Input and Output to enforce any applicable acceptable use policies or usage policies to comply with applicable law.
CONFIDENTIAL INFORMATION.
Confidentiality. “Confidential Information” means any information that one Party (the “Disclosing Party”) provides to the other Party (the “Receiving Party”) in connection with this Agreement, whether orally or in writing, that is designated as confidential or that reasonably should be considered to be confidential given the nature of the information and/or the circumstances of disclosure. For clarity, the Services and the Documentation will be deemed Confidential Information of MindFort. The Receiving Party will not use or disclose any Confidential Information of the Disclosing Party except as necessary to perform its obligations or exercise its rights under this Agreement; provided that MindFort may use and modify Confidential Information of Customer in deidentified form for purposes of developing and deriving Aggregate Data. The Receiving Party may disclose Confidential Information of the Disclosing Party only: (i) to those of its employees, contractors, agents and advisors who have a bona fide need to know such Confidential Information to perform under this Agreement and who are bound by written agreements with use and nondisclosure restrictions at least as protective of the Confidential Information as those set forth in this Agreement, or (ii) as such disclosure may be required by the order or requirement of a court, administrative agency or other governmental body, subject to the Receiving Party providing to the Disclosing Party reasonable written notice to allow the Disclosing Party to seek a protective order or otherwise contest the disclosure. The terms and conditions of this Agreement will constitute Confidential Information of each Party but may be disclosed on a confidential basis to a Party’s advisors, attorneys, actual or bona fide potential acquirers, investors or other sources of funding (and their respective advisors and attorneys) for due diligence purposes.
Exclusions. Confidential Information will not include any information that: (i) is or becomes generally known to the public through no fault or breach of this Agreement by the Receiving Party; (ii) is rightfully known by the Receiving Party at the time of disclosure without an obligation of confidentiality; (iii) is independently developed by the Receiving Party without access to or use of any Confidential Information of the Disclosing Party that can be evidenced in writing; or (iv) is rightfully obtained by the Receiving Party from a third-party without restriction on use or disclosure.
PUBLICITY. Either Party may, with the other Party’s prior written consent (which will not be unreasonably withheld), use or refer to the other Party’s name, trademarks, service marks, or logos in any marketing materials, business development activities, press releases or other publicity-related matter for the purpose of marketing, publicizing or promoting a Party’s business.
REPRESENTATIONS AND WARRANTIES; DISCLAIMER.
Mutual Representations. Each Party represents and warrants to the other Party that: (i) it has full power and authority to enter into this Agreement; and (ii) the execution, delivery and performance of this Agreement by it have been duly authorized by all necessary actions and do not violate its organizational documents.
Customer Additional Representations. Customer further represents and warrants that (i) MindFort’s access and/or use of the Target Property(ies) and Input in accordance with this Agreement will not violate any applicable laws or regulations or infringe or violate any intellectual property or other rights of any third party or cause a breach of any agreement or obligations between Customer and any third-party; (ii) Customer has all the necessary rights to submit the Target Property(ies) and Input to the Services and neither the Target Property(ies), Input, nor Customer’s use and provisions of the Target Property(ies) or Input to be made available through the Services will infringe, misappropriate or violate a third party’s Intellectual Property Rights, rights of publicity or privacy, or result in the violation of any applicable law or regulation. Customer accepts and assumes all operational responsibility for the use of the Service, including the risk of all consequences arising from penetration testing, data access, or impact on Target Properties.
Disclaimer. THE SERVICES AND OUTPUT ARE PROVIDED “AS IS,” WITHOUT WARRANTY OF ANY KIND. WITHOUT LIMITING THE FOREGOING, WE EXPLICITLY DISCLAIM ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT AND NON-INFRINGEMENT, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE. MINDFORT MAKES NO WARRANTIES TO CUSTOMER REGARDING THE SERVICES, INCLUDING, WITHOUT LIMITATION, ANY WARRANTY AGAINST INADVERTENT DATA LOSS, PERFORMANCE DEGRADATION, OR OTHER IMPACT TO TARGET PROPERTY(IES) RESULTING FROM THE SERVICES. We make no warranty that the Services or Output will meet your requirements or be available on an uninterrupted, secure, or error-free basis. We make no warranty regarding the quality, accuracy, timeliness, truthfulness, completeness or reliability of any information or content on the Services or Output.
Similarity, Accuracy and Appropriateness of Output. Due to the nature of machine learning, Output may not be unique and the Services may generate the same or similar output for MindFort or a third party. Customer’s ownership of Output as set forth in Section 6(b) does not extend to other MindFort customers’ output. GIVEN THE PROBABILISTIC NATURE OF MACHINE LEARNING, THE SERVICES MAY IN SOME SITUATIONS PRODUCE OUTPUT THAT IS INACCURATE, INCORRECT, OFFENSIVE OR OTHERWISE UNDESIRABLE. THE ACCURACY, QUALITY AND COMPLIANCE WITH APPLICABLE LAW OF THE OUTPUT IS DEPENDENT UPON AND COMMENSURATE WITH THAT OF THE TARGET PROPERTY AND INPUT PROVIDED AND YOUR COMPLIANCE WITH THIS AGREEMENT, AND NOTWITHSTANDING ANYTHING ELSE SET OUT HEREIN MINDFORT WILL NOT HAVE ANY LIABILITY OR RESPONSIBILITY TO YOU OR ANY OTHER PERSON OR ENTITY FOR ANY LOSS OR DAMAGES RELATING TO OR ARISING FROM THE TARGET PROPERTY, INPUT, OUTPUT OR THEIR USE. You will evaluate the content, nature and accuracy of any Output as appropriate for the applicable use case, including by using human review of the Output.
TERM AND TERMINATION.
Term. This Agreement shall commence on the Effective Date and will remain in effect for one (1) month (the “Initial Term”). Following the Initial Term, this Agreement will renew for additional periods of one (1) month (each, a “Renewal Term,” and together with the Initial Term, the “Term”), unless either Party provides notice of non-renewal prior to the end of the Initial Term or the then-current Renewal Term.
Termination. Either Party may terminate this Agreement, effective on written notice to the other Party, if the other Party materially breaches this Agreement, and such breach remains uncured thirty (30) days after the non-breaching Party provides the breaching Party with written notice of such breach. Further, either Party may terminate this Agreement for its convenience at any time, by a Party giving the other Party 30 days’ notice.
Survival. This Section 10(c) and Sections 1, 2, 4(b), 4(c), 4(e), 5, 6, 7, 9, 10(d), 11, 12 and 13 survive any termination or expiration of this Agreement.
Effect of Termination. Upon expiration or termination of this Agreement: (i) the rights granted pursuant to Section 4(a) and Section 8 will terminate; and (ii) Customer will return or destroy, at MindFort’s sole option, all MindFort Confidential Information in its possession or control, including permanent removal of such MindFort Confidential Information (consistent with customary industry practice for data destruction) from any storage devices or other hosting environments that are in Customer’s possession or under Customer’s control, and at MindFort’s request, certify in writing to MindFort that the MindFort Confidential Information has been returned, destroyed or, in the case of electronic communications, deleted. No expiration or termination will affect Customer’s obligation to pay all Fees that may have become due or otherwise accrued through the Effective Date of expiration or termination, or entitle Customer to any refund.
LIMITATION OF LIABILITY.
Limitation of Liability. EXCEPT FOR (I) ANY INFRINGEMENT OR MISAPPROPRIATION BY ONE PARTY OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS, OR (II) BREACH OF CUSTOMER’S PAYMENT OBLIGATIONS, NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR ANY LOSS OF INCOME, DATA, PROFITS, REVENUE OR BUSINESS INTERRUPTION, OR THE COST OF COVER OR SUBSTITUTE SERVICES, ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT.
Total Liability. IN NO EVENT WILL MINDFORT’S TOTAL CUMULATIVE LIABILITY TO CUSTOMER OR ITS AUTHORIZED USERS ARISING FROM ALL CLAIMS UNDER OR RELATED TO THIS AGREEMENT, EXCEED THE FEES ACTUALLY PAID BY CUSTOMER TO MINDFORT IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE FIRST EVENT GIVING RISE TO THE APPLICABLE CLAIM MADE UNDER OR RELATED TO THIS AGREEMENT, LESS ALL AMOUNTS PAID BY MINDFORT TO CUSTOMER FOR ALL PAST CLAIMS OF ANY KIND MADE UNDER OR RELATED TO THIS AGREEMENT, REGARDLESS OF THE LEGAL OR EQUITABLE THEORY ON WHICH THE CLAIM OR LIABILITY IS BASED, AND WHETHER OR NOT MINDFORT WAS ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
INDEMNIFICATION.
Indemnification by MindFort. Subject to Section 12(a), MindFort will defend Customer against any claim, suit or proceeding brought by a third-party (“Claims”) alleging that Customer’s use of the Services infringes or misappropriates such third party’s Intellectual Property Rights, and will indemnify and hold harmless Customer against any damages and costs awarded against Customer or agreed in settlement by MindFort (including reasonable attorneys’ fees) resulting from such Claim.
Exclusions. MindFort’s obligations under Section 12(a) will not apply if the underlying Claim arises from or as a result of: (i) Customer’s breach of this Agreement, negligence, willful misconduct or fraud; (ii) any Customer Materials or Input; (iii) Customer’s failure to use any enhancements, modifications, or updates to the Services that have been provided by MindFort; (iv) modifications to the Services by anyone other than MindFort; or (v) combinations of the Services with software, data or materials not provided by MindFort.
Indemnification by Customer. Except to the extent the claim is covered by MindFort’s express indemnity set forth in Section 12(b), Customer will defend, indemnify and hold harmless MindFort from and against any damages and liabilities (including court costs and reasonable attorneys’ fees) awarded in a final judgment against MindFort, and amounts agreed to in settlement with respect to each of the foregoing, to the extent arising from a Claim against MindFort that: (i) the Input, or its use by MindFort in accordance with this Agreement infringes, misappropriates or violates a third-party’s Intellectual Property Rights, or rights of publicity or privacy, or results in the violation of any applicable law or regulation; (ii) is based on Customer’s or an Authorized User’s use of the Services, including without limitation any submission of unauthorized Target Property(ies) for the Service or any effect of the Services on the Target Properties; (iii) is based on the manufacture, sale, distribution or marketing of any Customer’s products or services; or (iv) is based on a breach of Section 4(b) by Customer.
GENERAL.
Entire Agreement. This Agreement, including its exhibits, is the complete and exclusive agreement between the Parties with respect to its subject matter and supersedes any and all prior or contemporaneous agreements, communications and understandings, both written and oral, with respect to its subject matter. This Agreement may be amended or modified only by a written document executed by duly authorized representatives of the Parties.
Assignment. Neither Party may assign or transfer this Agreement, by operation of law or otherwise, without the other Party’s prior written consent. Any attempt to assign or transfer this Agreement without such consent will be void. Notwithstanding the foregoing, MindFort may assign or transfer this Agreement to a third party that succeeds to all or substantially all of MindFort’s business and assets relating to the subject matter of this Agreement, whether by sale, merger, operation of law or otherwise. Subject to the foregoing, this Agreement is binding upon and will inure to the benefit of each of the Parties and their respective successors and permitted assigns.
Notices. All notices required to be sent hereunder will be in writing (email being sufficient) and will be deemed to have been given when mailed by United States Postal Service Priority Express Mail, with delivery confirmation, postage prepaid, or sent by email, and if sent by email, on the date the email was sent without a bounce back message if sent during normal business hours of the receiving party, and on the next business day if sent after normal business hours of the receiving party.
Relationship of the Parties. Nothing in this Agreement will be construed to create a partnership, joint venture or agency relationship between the Parties. Neither Party will have the power to bind the other or to incur obligations on the other’s behalf without such other Party’s prior written consent.
Waiver. Either Party’s failure to enforce any provision of this Agreement will not constitute a waiver of future enforcement of that or any other provision. No waiver of any provision of this Agreement will be effective unless it is in writing and signed by the Party granting the waiver.
Severability. If any provision of this Agreement is held invalid, illegal or unenforceable, that provision will be enforced to the maximum extent permitted by law, given the fundamental intentions of the Parties, and the remaining provisions of this Agreement will remain in full force and effect.
Export Regulation. Customer will comply with all applicable export, sanctions and foreign corruption laws and regulations of the United States (“Trade Laws”) to ensure that the Services are not: (i) exported or re-exported directly or indirectly in violation of Trade Laws; or (ii) used for any purposes prohibited by the Trade Laws.
Governing Law; Jurisdiction. This Agreement will be governed by and construed in accordance with the laws of the State of California without giving effect to any principles of conflict of laws that would lead to the application of the laws of another jurisdiction. The Parties expressly agree that the United Nations Convention on Contracts for the International Sale of Goods will not apply. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in the Northern District of California and the Parties irrevocably consent to the personal jurisdiction and venue therein.
U.S. Government End Users. The Services were developed solely at private expense and are “commercial products”, “commercial items”, or “commercial computer software” as defined in the Federal Acquisition Regulation 2.101 and other relevant government procurement regulations including agency supplements. Any use, duplication, or disclosure of the Services by or on behalf of the U.S. government is subject to restrictions as set forth in this Agreement as consistent with federal law and regulations. If these terms fail to meet the U.S. Government’s needs or are inconsistent in any respect with federal law, Customer will immediately discontinue its use of the Services.
DATA PROCESSING ADDENDUM
This Data Processing Addendum (including its Exhibits) (this “DPA”) forms part of and is subject to the terms and conditions of the MindFort Self-Service Platform Terms of Service (the “Agreement”) by and between you or the entity on whose behalf you entered into the Agreement (“Customer”) and MindFort AI, Inc. (“MindFort”). All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Agreement. MindFort and Customer may be referred to herein collectively as the “Parties” or individually as a “Party”. If and to the extent any language in this DPA or any of its Exhibits conflicts with the Agreement, this DPA shall control.
Definitions. For the purposes of this DPA, the following terms and those defined within the body of this DPA apply.
“Customer Personal Data” means Personal Data included in the Target Property, Customer Materials, Input, or otherwise Processed by MindFort on behalf of Customer under the Agreement.
“Data Protection Laws” means the privacy and data protection laws, rules, and regulations applicable to a Party’s Processing of Customer Personal Data under the Agreement. “Data Protection Laws” may include, but are not limited to, the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act) (“CCPA”); the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; other comprehensive U.S. state privacy laws; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; and the United Kingdom Data Protection Act 2018 (in each case, as amended, adopted, or superseded from time to time).
“Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.
“Process” or “Processing” means any operation or set of operations that is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection; recording; organization; structuring; storage; adaptation or alteration; retrieval; consultation; use; disclosure by transmission, dissemination, or otherwise making available; alignment or combination; restriction; erasure; or destruction.
“Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, or alteration of, or the unauthorized disclosure of or access to, Customer Personal Data attributable to MindFort.
“Services” means the services that MindFort performs under the Agreement.
“Subprocessor” means a vendor, service provider or other entity that MindFort has engaged to Process Customer Personal Data on its behalf in connection with the Services.
Processing Terms for Customer Personal Data.
Documented Instructions. MindFort shall Process Customer Personal Data to provide the Services in accordance with the Agreement, this DPA, and any instructions agreed upon by the Parties. If applicable law requires that MindFort Process Customer Personal Data for other purposes, MindFort shall inform Customer of that legal requirement before engaging in such Processing, unless that law prohibits such information on important grounds of public interest.
Authorization to Use Subprocessors. Customer grants MindFort a general, ongoing authorization to engage Subprocessors with respect to the Services. Customer acknowledges that Subprocessors may further engage their own Subprocessors.
MindFort and Subprocessor Compliance. MindFort shall (i) enter into a written agreement with Subprocessors that imposes data protection requirements for Customer Personal Data on such Subprocessors that are consistent with this DPA; and (ii) remain responsible to Customer for the Subprocessors’ failure to perform their obligations with respect to the Processing of Customer Personal Data.
New and Updated Subprocessors. MindFort will offer an email-update subscription at [•]; additions or replacements to our Subprocessor list will be notified to subscribed Customers and notice is deemed given on such dispatch. MindFort shall allow Customer ten (10) days to object. If Customer has legitimate objections to the appointment of any new Subprocessor, the Parties shall work together in good faith to resolve the grounds for the objection.
Confidentiality. Any person authorized to Process Customer Personal Data shall be subject to a duty of confidentiality, contractually agree to maintain the confidentiality of such information, or be under an appropriate statutory obligation of confidentiality.
Personal Data Inquiries and Requests. MindFort shall provide reasonable assistance to Customer as required by applicable Data Protection Laws in response to any requests from individuals exercising their rights in Customer Personal Data granted to them under applicable Data Protection Laws.
Data Protection Assessment, Data Protection Impact Assessment, and Prior Consultation. MindFort shall provide reasonable assistance and information to Customer as required by applicable Data Protection Laws where, in Customer’s judgment, the type of Processing performed by MindFort requires a data protection assessment, data protection impact assessment, and/or prior consultation with the relevant data protection authorities. Customer shall reimburse MindFort for all non-negligible costs MindFort incurs in performing its obligations under this Section 2.7.
Demonstrable Compliance. MindFort shall provide information reasonably necessary to demonstrate compliance with this DPA as required by applicable Data Protection Laws upon Customer’s reasonable request.
California-Specific Terms. To the extent that MindFort’s Processing of Customer Personal Data is subject to the CCPA, this Section 2.9 shall also apply. Customer discloses or otherwise makes available Customer Personal Data to MindFort for the limited and specific purpose of enabling MindFort to provide the Services to Customer in accordance with the Agreement and this DPA. MindFort shall (i) comply with its applicable obligations under the CCPA; (ii) provide the same level of protection as required under the CCPA; (iii) notify Customer if it can no longer meet its obligations under the CCPA; (iv) not “sell” or “share” (as such terms are defined by the CCPA) Customer Personal Data; (v) not retain, use, or disclose Customer Personal Data for any purpose (including any commercial purpose) other than to provide the Services under the Agreement or as otherwise permitted under the CCPA; (vi) not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and MindFort; and (vii) unless otherwise permitted by the CCPA, not combine Customer Personal Data with Personal Data that MindFort (a) receives from, or on behalf of, another person, or (b) collects from its own, independent consumer interaction. MindFort will permit Customer, upon reasonable request, to take reasonable and appropriate steps to ensure that MindFort Processes Customer Personal Data that is subject to this Section 2.9 in a manner consistent with the obligations of a “business” under the CCPA by requesting that MindFort attest to its compliance with this Section 2.9. Following any such request, MindFort will promptly provide that attestation or an explanation of why it cannot provide it. 
If Customer reasonably believes that MindFort is engaged in unauthorized Processing of Customer Personal Data that is subject to this Section 2.9, Customer will notify MindFort of such belief, and the parties will work together in good faith to remediate the allegedly violative Processing activities, if necessary.
Service Optimization. Where permitted by Data Protection Laws, MindFort may Process Customer Personal Data (i) for its internal uses to build or improve the quality of the Services; (ii) to prevent, detect, or investigate Security Incidents; or (iii) to protect against malicious, deceptive, fraudulent, or illegal activity.
Aggregation and De-Identification. MindFort may (i) compile aggregated and/or de-identified information in connection with providing the Services provided that such information cannot reasonably be used to identify Customer or any data subject to whom Customer Personal Data relates (“Aggregated and/or De-Identified Data”); and (ii) use Aggregated and/or De-Identified Data for its lawful business purposes.
Information Security Program. MindFort shall implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data.
Security Incidents. Upon becoming aware of a Security Incident, MindFort shall provide written notice without undue delay and within the time frame required under applicable Data Protection Laws to Customer. Where possible, such notice will include all available details required under applicable Data Protection Laws for Customer to comply with its own notification obligations to government authorities and/or individuals affected by the Security Incident.
Cross-Border Transfers of Customer Personal Data.
Cross-Border Transfers of Customer Personal Data. Customer authorizes MindFort and its Subprocessors to transfer Customer Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States.
EEA, Swiss, and UK Standard Contractual Clauses. If Customer Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Customer to MindFort in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by Module Two’s obligations in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“Standard Contractual Clauses”) as supplemented by Exhibit A attached hereto, the terms of which are incorporated herein by reference. Each Party’s execution of the Agreement shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.
Audits and Assessments. Where Data Protection Laws afford Customer an audit or assessment right, Customer (or its appointed representative) may carry out an audit or assessment of MindFort’s policies, procedures, and records relevant to the Processing of Customer Personal Data. Any audit or assessment must be (i) conducted during MindFort’s regular business hours; (ii) done with reasonable advance notice to MindFort; (iii) carried out in a manner that prevents unnecessary disruption to MindFort’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit or assessment shall be limited to once per year, unless an audit or assessment is carried out at the direction of a government authority with jurisdiction over the Processing of Customer Personal Data.
Customer Personal Data Deletion. At the expiry or termination of the Agreement, MindFort shall delete all Customer Personal Data (excluding any backup or archival copies, which shall be deleted in accordance with MindFort’s data retention schedule), except where MindFort is required to retain copies under applicable laws, in which case MindFort will isolate that Customer Personal Data and restrict any further Processing of it except to the extent required by applicable laws.
Customer’s Obligations. Customer represents and warrants that (i) it has complied and will comply with Data Protection Laws; (ii) it has obtained and will obtain and continue to have, during the term, all necessary rights, lawful bases, authorizations, consents, and licenses for the Processing of Customer Personal Data as contemplated by the Agreement; and (iii) MindFort’s Processing of Customer Personal Data in accordance with the Agreement will not violate Data Protection Laws or cause a breach of any agreement or obligations between Customer and any third party.
Processing Details.
Subject Matter. The subject matter of the Processing is the Services pursuant to the Agreement.
Duration. The Processing will continue until the expiration or termination of the Agreement.
Categories of Data Subjects. Data subjects whose Customer Personal Data will be Processed pursuant to the Agreement.
Nature and Purpose of the Processing. The purpose of the Processing of Customer Personal Data by MindFort is the performance of the Services.
Types of Customer Personal Data. Customer Personal Data that is Processed pursuant to the Agreement.
Account Data. MindFort may Process Personal Data about Customer’s authorized users’ use of the Services (“Account Data”) in accordance with its Privacy Notice available at https://www.mindfort.ai/ (as updated from time to time). Account Data is not Customer Personal Data.
Signature. Each Party’s acceptance of the Agreement shall be considered acceptance of this DPA.
EXHIBIT A TO THE DATA PROCESSING ADDENDUM
This Exhibit A forms part of the DPA and supplements the Standard Contractual Clauses. Capitalized terms not defined in this Exhibit A have the meaning set forth in the DPA.
The parties agree that the following terms shall supplement the Standard Contractual Clauses:
Supplemental Terms. The parties agree that (i) a new Clause 1(e) is added to the Standard Contractual Clauses, which shall read as follows: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.”; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses, which shall read as follows: “To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to UK Data Protection Laws (as defined in Annex III).”; (iii) the optional text in Clause 7 is deleted; (iv) Option 1 in Clause 9 is struck and Option 2 is kept, and data importer must notify data exporter of any new subprocessors in accordance with Section 2.4 of the DPA; (v) the optional text in Clause 11 is deleted; and (vi) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).
Annex I. Annex I to the Standard Contractual Clauses shall read as follows:
A. List of Parties:
Data exporter: Customer.
Address: As set forth in Customer’s account page.
Contact person’s name, position, and contact details: As set forth in Customer’s account page.
Activities relevant to the data transferred under these Clauses: The Services.
Role: Controller.
Data importer: MindFort.
Address: [insert]
Contact person’s name, position, and contact details: [insert]
Activities relevant to the data transferred under these Clauses: The Services.
Role: Processor.
B. Description of the Transfer:
Categories of data subjects whose personal data is transferred: The categories of data subjects whose personal data is transferred under the Clauses include, but are not limited to, users of the Services.
Categories of personal data transferred: The categories of personal data transferred under the Clauses include, but are not limited to:
Identification and business contact data (e.g., name, email address)
Usage and telemetry data (e.g., IP address, URLs, API calls, feature utilization, clickstreams)
Log data provided to MindFort by Customer in furtherance of the Services
Payload data provided to MindFort by Customer in furtherance of the Services
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: The Services are not intended to process sensitive data, and sensitive data is not required to deliver the Services to Customer. Notwithstanding the foregoing, when Customer controls the data sent to MindFort, or in specific services engagements (e.g., forensic investigations requiring analysis of the underlying data), MindFort may process sensitive data on behalf of Customer. The nature and scope of the special categories of sensitive data that is transferred may not be known until after the Processing has taken place but may include: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Personal Data is transferred in accordance with the standard functionality of the Services, or as otherwise agreed upon by the Parties.
Nature of the processing: The Services.
Purpose(s) of the data transfer and further processing: The Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data importer will retain Personal Data in accordance with the DPA.
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: The subject matter, nature, and duration are identified above.
C. Competent Supervisory Authority: The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the supervisory authority is the Irish Data Protection Commission, and if this is not possible, then the supervisory authority is as otherwise agreed by the Parties consistent with the conditions set forth in Clause 13.
D. Clarifying Terms: The Parties agree that (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the Clauses will be provided upon data exporter’s written request; (ii) the measures data importer is required to take under Clause 8.6(c) of the Clauses will only cover data importer’s impacted systems; (iii) the audit described in Clause 8.9 of the Clauses shall be carried out in accordance with Section 6 of the DPA; (iv) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Clauses will be limited to the termination of the Clauses; (v) unless otherwise stated by data importer, data exporter will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the Clauses; (vi) the information required under Clause 15.1(c) of the Clauses will be provided upon data exporter’s written request; and (vii) notwithstanding anything to the contrary, data exporter will reimburse data importer for all costs and expenses incurred by data importer in connection with the performance of data importer’s obligations under Clause 15.1(b) and Clause 15.2 of the Clauses without regard for any limitation of liability set forth in the Agreement.
Annex II. Annex II of the Standard Contractual Clauses shall read as follows:
Data importer shall implement and maintain technical and organizational measures designed to protect Personal Data in accordance with the DPA. Such measures shall include:
Measures of pseudonymization and encryption of Personal Data (as appropriate);
Measures designed to ensure ongoing confidentiality, integrity, availability, and resilience of the Services that process Personal Data;
Measures designed to ensure the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures designed to ensure the security of the Processing of Personal Data;
Measures for user identification and authorization;
Measures designed to protect Personal Data during transmission;
Measures designed to protect Personal Data during storage;
Measures designed to ensure the physical security of locations at which Personal Data are Processed (as appropriate);
Measures for events logging (as appropriate);
Measures regarding system configuration, including default configuration (as appropriate);
Measures regarding internal IT and IT security governance and management;
Measures regarding certification/assurance of the Services (as appropriate);
Measures designed to ensure data minimization for Personal Data (as appropriate);
Measures designed to ensure data quality (as appropriate, and to the extent within data importer’s control);
Measures for data retention of Personal Data;
Measures for accountability regarding the Processing of Personal Data; and
Measures for allowing data portability and ensuring erasure of Personal Data.
Pursuant to Clause 10(b), data importer will provide data exporter assistance with data subject requests in accordance with the DPA.
Annex III. A new Annex III shall be added to the Standard Contractual Clauses and shall read as follows:
The UK Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) is incorporated herein by reference.
Table 1: The start date in Table 1 is the effective date of the DPA. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.
Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to, including the Appendix Information, effective as of the effective date of the DPA.
Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.
Table 4: The parties agree that Importer may end the UK Addendum as set out in Section 19.
ACCEPTABLE USE POLICY
This Acceptable Use Policy (“AUP”) identifies prohibited uses of the Services made available to you under the Terms of Service. MindFort may update the AUP from time to time. We do not allow the Services to be used for the following:
Unauthorized Cyber Operations and Malicious Hacking. This includes using the Services, or allowing the Services to be used, to:
Submit, test, scan, or attack any domain, IP address, application, or network for which you do not possess verified legal ownership or explicit, written authorization from the owner;
Engage in any form of cyberattack, cyber espionage, or unauthorized intrusion against any system, network, or data, including conduct that constitutes a “cyberattack” under applicable law or involves the deployment of agents with or without meaningful human oversight that results in damage or disruption to computer systems;
Create, upload, or distribute malware, viruses, ransomware, worms, Trojan horses, or any other malicious code intended to disrupt, damage, or gain unauthorized access to computer systems;
Use the Services to generate or facilitate attacks to intentionally degrade the performance of MindFort’s or any third party’s infrastructure.
Deceptive or misleading activities. This includes using the Services, or allowing the Services to be used, to:
Impersonate a human by presenting results as human-generated, or misrepresent the source of vulnerability findings, including submitting Output to bug bounty programs, leaderboards, or compliance bodies as “human-generated” work without disclosing the use of automated AI agents;
Engage in coordinated inauthentic behavior or disinformation campaigns;
Engage in phishing, spoofing, or social engineering campaigns intended to deceive natural persons;
Generate deceptive or misleading comments or reviews;
Plagiarize or engage in other forms of academic or professional dishonesty.
Abusive or fraudulent activities. This includes using the Services, or allowing the Services to be used, to:
Attempt to override or circumvent safety filters or intentionally direct the product or service to act in a manner that contravenes our policies (including this AUP);
Engage in any model inversion, model stealing, or prompt injection attacks, or other attacks set forth in NIST AI 100-2 E2025 available at https://csrc.nist.gov/pubs/ai/100/2/e2025/final;
Promote or facilitate the generation or distribution of spam;
Generate content for fraudulent activities, scams, phishing or malware;
Compromise security or gain unauthorized access to computer systems or networks, including spoofing and social engineering;
Violate any natural person’s rights, including privacy rights as defined in applicable privacy law;
Track or monitor an individual without their consent;
Inappropriately use confidential or personal information;
Interfere with or negatively impact MindFort’s products or services;
Utilize Input or Output to train or have trained an AI model (e.g., “model scraping” or “distillation”).
Illegal, malicious or highly regulated activities. This includes using the Services, or allowing the Services to be used, to:
Provide instructions on how to create or facilitate the exchange of illegal substances or goods;
Encourage or provide instructions on how to engage in or facilitate illegal services such as human trafficking or prostitution;
Design, market or distribute weapons, explosives or other dangerous materials;
Provide instructions on how to commit, facilitate or encourage any type of crime.
Activities with a high risk of economic harm. This includes using the Services, or allowing the Services to be used, to:
Engage in multi-level marketing or pyramid schemes;
Gamble or bet on sports;
Engage in payday lending activities;
Automate determinations about the eligibility of individuals for financial products, creditworthiness, public assistance services or decisions regarding eligibility for housing, including leases and home loans;
Automate determinations about the admissibility of individuals to educational institutions, or the employability of individuals or other employment determinations.
Violent, hateful or threatening activities. This includes using the Services, or allowing the Services to be used, to:
Further violent extremism;
Describe, encourage, support or provide instructions on how to commit violent acts against persons (including self-harm), animals or property;
Encourage hate speech or discriminatory practices that could cause harm or adverse impact to individuals or communities based on their protected attributes, such as race, ethnicity, religion, nationality, gender, sexual orientation or any other identifying trait;
Encourage or engage in any form of self-harm;
Shame, humiliate, bully, celebrate the suffering of or harass individuals.
Child sexual exploitation or abuse activities. We strictly prohibit and will report to relevant authorities and organizations where appropriate any activity or content that exploits or harms children or describes, encourages, supports or promotes any form of child sexual exploitation or abuse in addition to Child Sexual Abuse Material (CSAM).
If your business is using or deploying the Services as part of an automated service where your customers or end users interact directly with the Services (e.g., via a chatbot), you must disclose to your customers or end users that they are interacting with an AI system rather than a human. You shall exercise commercially reasonable efforts to prevent any use of the Services by your customers or end users that does not so comply with this AUP.
If you have any questions about whether your activity or use case is permitted or prohibited by this AUP, please email us at founders@mindfort.ai.