Data Processing Agreement
Last updated: 7/16/2026
This Data Processing Agreement ("DPA") supplements the MoldMind Terms of Service (the "Agreement") and governs MoldMind LLC's processing of personal data on your behalf. By accepting the Agreement and using the Service, you (the "Customer") and MoldMind LLC ("MoldMind") enter into this DPA. Capitalized terms not defined here have the meanings given in the Agreement.
1. Parties and Roles
Controller: Customer (the inspection firm, independent inspector, or organization owner who has registered an Account with MoldMind).
Processor: MoldMind LLC, 2389 Main Street, Suite 100, Glastonbury, CT 06033, United States.
To the extent MoldMind processes any personal data for its own purposes (such as account registration, billing, and Service security), MoldMind is the controller for that processing and Section 13 of this DPA applies. This DPA otherwise governs MoldMind's processing as a processor on the Customer's behalf.
2. Subject Matter, Duration, Nature, and Purpose
Subject matter. Personal data processed by MoldMind in the course of providing the Service to the Customer.
Duration. The term of the Customer's Subscription, plus the post-termination retention and deletion periods described in Sections 11 and 12.
Nature and purpose. Hosting, storing, processing, transforming, generating Output from, and otherwise handling personal data as necessary to deliver the Service, generate AI-assisted Output and Reports, secure the Service, and comply with applicable law.
Categories of personal data: account and profile data; inspection field data (photos, voice memos, lab reports, scanned forms, hand-written notes, moisture readings); property and occupant data; report content; communications; device and log data. See the Privacy Policy, Section 2, for the full list.
Categories of data subjects: Customer's Inspectors and other authorized personnel; the property owners, occupants, and other natural persons identified in inspection field data; Customer's clients to whom Reports are delivered.
3. Customer Instructions
MoldMind will process personal data only on documented instructions from the Customer, including with regard to transfers of personal data to a third country. The Agreement, this DPA, and the Customer's use of the Service configuration options constitute the Customer's complete and final documented instructions to MoldMind for the processing of personal data. Additional or alternative instructions require a written amendment signed by both parties (or, for emergency or one-off instructions, written agreement via email).
MoldMind will inform the Customer promptly if, in MoldMind's opinion, an instruction from the Customer infringes applicable data-protection law; MoldMind may suspend the relevant processing (other than as required by law) until the issue is resolved.
4. Customer Responsibilities
The Customer represents and warrants that:
- It has all necessary rights, consents, and lawful bases under applicable law to upload the personal data into the Service and to instruct MoldMind to process it as contemplated by the Agreement;
- It has provided all notices and obtained all rights required under applicable law from data subjects and, where applicable, from data subjects' employers or other controllers;
- The personal data and the Customer's processing instructions comply with applicable law; and
- The Customer is responsible for the accuracy, quality, and legality of the personal data it uploads.
5. Confidentiality of Processing
MoldMind ensures that personnel authorized to process personal data are bound by appropriate confidentiality obligations (whether contractual or statutory) and receive training on data protection. Access to personal data is limited to those personnel who need access to perform their duties.
6. Security — Technical and Organizational Measures (TOMs)
MoldMind implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to data subjects. These measures include those described in Annex II to this DPA, summarized below:
- Encryption in transit using modern, industry-standard transport encryption protocols and ciphers;
- Encryption at rest using modern, industry-standard encryption (currently AES-256 or equivalent) provided by the underlying database and storage providers;
- Access controls: role-based access, least-privilege provisioning, multi-factor authentication on administrative accounts, periodic access review, deprovisioning on employee role change or departure;
- Network controls: rate limiting, web application firewall via hosting provider, isolation of production credentials from development environments, secret rotation policy;
- Audit logging of authentication events, administrative actions, and security-relevant operations, with retention per Section 11 of the Privacy Policy;
- Vulnerability management: dependency monitoring, security review of code changes that touch authentication, authorization, or data flow, prompt patching of critical issues;
- Backups: MoldMind-operated weekly database snapshots pruned on a rolling schedule (currently approximately eight (8) weeks), plus an append-only disaster-recovery media mirror of uploaded files (photos, audio, documents, branding, and report PDFs) that is not currently subject to automatic expiry; all backups are encrypted at rest and access-restricted;
- Incident response: documented procedures for detection, containment, eradication, recovery, and notification (see Section 9);
- Vendor governance: written data-protection agreements with each sub-processor, periodic review of sub-processor security posture.
MoldMind may update the TOMs from time to time, provided that any update does not materially diminish the overall level of security.
7. Data Subject Rights
MoldMind will, taking into account the nature of the processing, assist the Customer through appropriate technical and organizational measures, insofar as possible, to fulfill the Customer's obligation to respond to data-subject requests under applicable law, including:
- Right of access (Art. 15 GDPR / CCPA right to know) — in-Service export of Customer Content is available via Settings → Account → Export;
- Right to rectification (Art. 16 GDPR) — the Customer can edit Customer Content directly in-Service or contact MoldMind for assistance;
- Right to erasure (Art. 17 GDPR / CCPA right to delete) — the Customer can delete Accounts and Customer Content via the Service; MoldMind's deletion pipeline is described in Section 12;
- Right to restrict processing (Art. 18 GDPR) — on written instruction via privacy@moldmindai.com, MoldMind will restrict the relevant processing as soon as reasonably practicable where technically feasible;
- Right to data portability (Art. 20 GDPR / CCPA right to portability) — available via the in-Service export;
- Right to object (Art. 21 GDPR) — directed to the Customer as the controller; MoldMind will assist on written instruction;
- Right to withdraw consent (where processing is consent-based) — directed to the Customer as the controller; MoldMind will cease the affected processing on receipt of the Customer's instruction.
If a data subject contacts MoldMind directly with a rights request relating to personal data MoldMind processes as a processor, MoldMind will redirect the data subject to the Customer and notify the Customer.
8. Sub-Processors
The Customer provides general authorization to MoldMind to engage sub-processors to process personal data, subject to this Section 8.
Current sub-processors. The current list is published at /subprocessors and incorporated into this DPA by reference.
Notification of changes. MoldMind will notify the Customer of any intended addition or replacement of sub-processors at least thirty (30) days before the change takes effect, via the material-change notification mechanism described in the Agreement and Privacy Policy (email + in-Service banner) or via update to /subprocessors.
Right to object. The Customer may object to a new sub-processor on reasonable data-protection grounds by notifying MoldMind in writing within thirty (30) days of the notification. If the Customer objects and MoldMind cannot offer a commercially reasonable alternative within a further thirty (30) days, the Customer's sole remedy is to terminate the entire Subscription on written notice; no refund of prepaid fees is owed in connection with such termination unless we elect otherwise in our sole discretion.
Sub-processor obligations. MoldMind enters into written agreements with each sub-processor that impose data-protection obligations substantively equivalent to those in this DPA, to the extent applicable to the sub-processor's role. MoldMind remains liable to the Customer for the performance of each sub-processor's data-protection obligations.
9. Breach Notification
MoldMind will notify the Customer without undue delay after becoming aware of any unauthorized acquisition or access to personal data MoldMind processes on the Customer's behalf that compromises the security, confidentiality, or integrity of that personal data (a "Personal Data Breach"). Where applicable law specifies a notification deadline (for example, GDPR Article 33's seventy-two (72) hour deadline for controller-to-regulator notification, which the Customer applies to its regulators), MoldMind will use reasonable efforts to provide the Customer with the information necessary to meet that deadline.
The notification will include, to the extent then known:
- The nature of the Personal Data Breach, including the categories and approximate number of data subjects and records concerned;
- The likely consequences of the breach;
- The measures MoldMind has taken or proposes to take to address the breach and mitigate its possible adverse effects;
- A point of contact for further information.
Where information is not available at the time of initial notification, MoldMind will provide it as soon as practicable. MoldMind will reasonably cooperate with the Customer in any required notifications to data subjects, regulators, or other authorities.
10. International Data Transfers
MoldMind processes personal data primarily in the United States. Where personal data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country that the European Commission, the UK Information Commissioner's Office, or the Swiss Federal Data Protection and Information Commissioner has not deemed to provide an adequate level of protection:
- The Standard Contractual Clauses approved by the European Commission Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller-to-Processor), are incorporated into this DPA by reference and apply to the transfer. Where MoldMind onward-transfers personal data to a sub-processor outside an adequate jurisdiction, Module Three (Processor-to-Processor) SCCs apply as between MoldMind and the sub-processor.
- For UK-origin transfers, the UK International Data Transfer Addendum issued by the UK Information Commissioner's Office (Version B1.0) is incorporated and supplements the SCCs.
- For Swiss-origin transfers, the SCCs apply as adapted by the Swiss FDPIC, including the substitution of "Swiss Federal Data Protection Act" for "GDPR" where appropriate.
Docking clause. Where the SCCs require selections, the parties select: the optional docking clause in Clause 7 is incorporated; the option in Clause 9(a) is Option 2 (general written authorization) with the thirty (30) day notification period described in Section 8 of this DPA; the option in Clause 11(a) does not include the independent dispute-resolution body; the governing law in Clause 17 is the law of Ireland; the forum in Clause 18 is the courts of Ireland. Annex I to the SCCs is populated with the parties' details in this DPA (Section 1) and the categories of personal data and data subjects in Section 2; Annex II is populated with the TOMs in Section 6 and Annex II below; Annex III is populated with the sub-processor list at /subprocessors.
Supplementary measures. In addition to the SCCs, MoldMind applies encryption in transit and at rest, role-based access controls, audit logging, contractual restrictions on sub-processors, and a documented process for evaluating and challenging government-access requests (see Privacy Policy Section 10).
A copy of the executed SCCs (with the selections described above) is available on request via legal@moldmindai.com.
11. Records of Processing and Audit
MoldMind maintains records of processing activities as required by Article 30(2) GDPR.
MoldMind will make available to the Customer, on reasonable written request, the information necessary to demonstrate compliance with its obligations under this DPA, including the most recent applicable third-party audit reports of its sub-processors where available.
The Customer may, no more than once per twelve (12) month period and on at least thirty (30) days' prior written notice, request an audit limited to information reasonably necessary to demonstrate compliance with this DPA. The audit must be conducted during MoldMind's normal business hours, must not unreasonably interfere with MoldMind's operations, must respect the confidentiality of MoldMind's other customers, and is at the Customer's expense. Where a regulator with binding authority requires a more extensive audit, the parties will discuss reasonable accommodation.
12. Deletion and Return of Personal Data
On termination or expiration of the Customer's Subscription, the Customer may export Customer Content via the in-Service export during the read-only window described in the Agreement (Section 19) and the Privacy Policy (Section 14).
After the read-only window closes (if any), MoldMind will delete personal data processed on the Customer's behalf from production systems within a reasonable period, typically not more than thirty (30) days, except to the extent retention is required by law or for the establishment, exercise, or defense of legal claims. MoldMind maintains its own operational backups for disaster recovery: (a) weekly database snapshots pruned on a rolling schedule (currently approximately eight (8) weeks), after which the data in an expired snapshot is no longer recoverable; and (b) an append-only media mirror of uploaded files (photos, audio, documents, branding, and report PDFs) that is not currently subject to automatic expiry. As a result, copies of personal data may persist in these disaster-recovery backups beyond deletion from production systems. These backups are access-restricted, encrypted at rest, and used solely to restore the Service following data loss; personal data in the database snapshots is deleted as the snapshot retention window expires.
Where applicable law requires return rather than deletion, MoldMind will return the personal data in a structured, commonly used, machine-readable format on the Customer's written request submitted before deletion.
13. MoldMind as Controller
To the extent MoldMind processes personal data of the Customer's Inspectors, administrators, or billing contacts for MoldMind's own controller purposes — such as account registration, billing, Service security, fraud prevention, and direct communications to those individuals — that processing is governed by the Privacy Policy and is not subject to the processor obligations in Sections 3, 7, and 8 of this DPA. The breach notification obligation in Section 9 applies regardless of role.
14. CCPA and Similar US Laws
MoldMind acts as a "service provider" to the Customer within the meaning of the California Consumer Privacy Act (as amended by the California Privacy Rights Act) and equivalent statutes (including the Connecticut Data Privacy Act, the Colorado Privacy Act, the Virginia Consumer Data Protection Act, and similar laws). MoldMind:
- Will not sell or share personal information (as those terms are defined under applicable law);
- Will not retain, use, or disclose personal information for any purpose other than the business purposes specified in the Agreement, this DPA, and the Privacy Policy;
- Will not retain, use, or disclose personal information outside the direct business relationship between MoldMind and the Customer;
- Will not combine personal information received from the Customer with personal information received from other sources, except as permitted under applicable law (for example, to detect security incidents);
- Will notify the Customer if MoldMind determines it can no longer meet these obligations and will reasonably cooperate to remediate the issue;
- Will assist the Customer in responding to consumer rights requests in accordance with Section 7.
The Customer represents that it has provided all required notices and obtained any consents required by applicable US privacy law before instructing MoldMind to process personal information.
De-identified data. The obligations in this Section 14 apply to "personal information" as defined under the applicable statute. Aggregated and de-identified data is not "personal information," "personal data," or "deidentified" subject to those obligations once it no longer identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular consumer or household. As described in Section 8 of the Agreement (Aggregated and De-identified Data), MoldMind creates, owns, and may use such de-identified data for any lawful purpose; that activity is outside the scope of MoldMind's "service provider" obligations and is not a "sale" or "share" of personal information. MoldMind maintains commercially reasonable measures intended to prevent re-identification and does not attempt to re-identify de-identified data except as permitted to test those measures.
15. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement, including the aggregate cap and exclusions of indirect damages. Nothing in this DPA limits either party's liability where applicable law prohibits such limitation.
16. Conflict; Order of Precedence
In the event of any conflict between (a) this DPA, (b) the Agreement, and (c) the SCCs, the order of precedence with respect to processing of personal data is: SCCs first (where they apply), then this DPA, then the Agreement.
17. Term and Termination
This DPA remains in effect for as long as MoldMind processes personal data on the Customer's behalf and through the deletion and return obligations in Section 12. The obligations in Sections 5 (Confidentiality), 9 (Breach), 11 (Records), 12 (Deletion), and 15 (Liability) survive termination.
18. Governing Law
This DPA is governed by the laws of the State of Connecticut (without regard to its conflict-of-laws principles), except that the SCCs, where they apply, are governed by the law identified in the SCCs themselves (Section 10).
19. Contact
MoldMind LLC 2389 Main Street, Suite 100 Glastonbury, CT 06033 United States
Annex I — Description of Processing
Parties: Identified in Section 1.
Categories of data subjects: Identified in Section 2.
Categories of personal data: Identified in Section 2 and Privacy Policy Section 2.
Sensitive data (if any): Where the Customer uploads occupant complaint information that includes health-related descriptions, this may constitute sensitive data under applicable law. The Customer is responsible for ensuring it has the lawful basis required for such uploads.
Frequency of transfer: Continuous, for the duration of the Subscription.
Nature of processing: Identified in Section 2.
Purpose of processing: Identified in Section 2.
Retention period: Identified in Sections 11 and 12 and the Privacy Policy Section 11.
Sub-processors: Identified at /subprocessors.
Annex II — Technical and Organizational Measures
The TOMs in Section 6 of this DPA constitute Annex II to the SCCs where the SCCs apply.
Annex III — Sub-Processors
The list at /subprocessors constitutes Annex III to the SCCs where the SCCs apply.