Last updated: January 21, 2026
1. Introduction and Definitions
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", "Data Controller") and Mosaix ("Processor", "we", "us", "our"). This DPA governs the processing of personal data by Mosaix on behalf of the Customer.
Definitions:
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data, including collection, storage, use, and deletion
- Data Subject: The individual to whom the personal data relates
- GDPR: General Data Protection Regulation (EU) 2016/679
2. Scope and Purpose of Processing
Mosaix will process personal data only as necessary to provide the competency management platform services, including:
- User account management and authentication
- Competency framework creation and management
- Assessment administration and results tracking
- Development planning and progress monitoring
- Platform analytics and performance improvement
- Customer support and communication
3. Types of Personal Data
The categories of personal data processed may include:
- Identity Data: Name, employee ID, job title, department
- Contact Data: Email address, phone number
- Assessment Data: Competency levels, assessment results, development goals
- Usage Data: Platform activity, login history, feature usage
- Technical Data: IP address, browser type, device information
4. Data Subjects
The personal data processed under this DPA relates to the following categories of data subjects:
- Employees of the Customer organization
- Contractors and temporary staff
- Platform administrators and users
- Authorized representatives of the Customer
5. Processor's Obligations
Mosaix undertakes to:
- Process personal data only in accordance with documented instructions from the Customer
- Ensure that persons authorized to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures to ensure data security
- Engage sub-processors only with prior written authorization from the Customer
- Assist the Customer in responding to data subject rights requests
- Delete or return all personal data upon termination of services, unless retention is required by law
- Make available all information necessary to demonstrate compliance with GDPR obligations
6. Security Measures
Mosaix implements industry-standard security measures to protect personal data, including:
- Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
- Access Controls: Role-based access control and multi-factor authentication
- Network Security: Firewalls, intrusion detection, and regular security audits
- Monitoring: 24/7 system monitoring and logging of access events
- Incident Response: Documented procedures for detecting and responding to security incidents
- Regular Testing: Penetration testing and vulnerability assessments
- Compliance: ISO 27001 and SOC 2 Type II certifications
7. Sub-Processors
Mosaix may engage the following categories of sub-processors to assist in providing the services:
- Cloud Infrastructure Providers: For hosting and data storage
- Email Service Providers: For transactional emails and notifications
- Analytics Providers: For platform analytics and performance monitoring
- Customer Support Tools: For managing support requests
A current list of sub-processors is available upon request. Mosaix will provide notice of any changes to sub-processors and the Customer may object to such changes.
8. International Data Transfers
Personal data may be transferred to and processed in countries outside the European Economic Area (EEA). Where such transfers occur, Mosaix ensures appropriate safeguards are in place, including:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions by the European Commission
- Additional security measures as required by applicable law
9. Data Subject Rights
Mosaix will assist the Customer in fulfilling data subject requests, including:
- Right of Access: Provide data subjects with access to their personal data
- Right to Rectification: Correct inaccurate or incomplete personal data
- Right to Erasure: Delete personal data when no longer necessary
- Right to Restriction: Restrict processing in certain circumstances
- Right to Portability: Provide data in a structured, machine-readable format
- Right to Object: Allow data subjects to object to processing
10. Data Breach Notification
In the event of a personal data breach, Mosaix will notify the Customer without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:
- Description of the nature of the breach
- Categories and approximate number of affected data subjects and records
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
11. Audit Rights
The Customer has the right to audit Mosaix's compliance with this DPA. Mosaix will make available to the Customer all information necessary to demonstrate compliance and will allow for and contribute to audits, including inspections, conducted by the Customer or an authorized auditor.
12. Data Retention and Deletion
Upon termination of the services or upon Customer request, Mosaix will:
- Delete or return all personal data in Mosaix's possession within 30 days
- Delete existing copies unless EU or Member State law requires storage
- Provide written certification of deletion upon request
13. Liability and Indemnification
Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service. The Customer agrees to indemnify Mosaix against any claims arising from the Customer's instructions to process personal data in violation of applicable data protection laws.
14. Term and Termination
This DPA takes effect on the date the Customer first uses the Mosaix platform and continues until the termination of the Terms of Service. The provisions of this DPA that by their nature should survive termination will survive, including obligations related to data deletion and confidentiality.
15. Governing Law
This DPA is governed by the same law as the Terms of Service. Any disputes arising from this DPA will be resolved in accordance with the dispute resolution provisions in the Terms of Service.
16. Contact Information
For questions regarding this Data Processing Agreement or data protection matters, please contact our Data Protection Officer at privacy@mosaix.ai.