DATA PROCESSING AGREEMENT (DPA)
Last Updated: February 12, 2026
This Data Processing Agreement ("DPA") applies only if expressly referenced in an Order or other written agreement between you ("Customer") and Mutiny HQ Corporation ("Mutiny"). Where this DPA applies, it forms part of the agreement between the parties (the "Agreement").
1. Definitions and Scope
**"Personal Data"** means any information within Customer Data that relates to an identified or identifiable natural person, as defined under applicable Data Protection Laws. **"Customer Data"** has the meaning set forth in Section 4.1 of the Terms of Service. **"Processing"** means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion. **"Data Protection Laws"** means all applicable laws relating to privacy and data protection, including the EU General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA"). This DPA applies only to the extent that Mutiny processes Personal Data on Customer's behalf in connection with the Services.
2. Roles
Customer is the data controller (or "business" under CCPA), and Mutiny is the data processor (or "service provider" under CCPA). Mutiny will process Personal Data only to provide the Services and as instructed by Customer through the Agreement.
3. Mutiny's Obligations
Mutiny will:
- Process Personal Data only as necessary to provide the Services;
- Implement appropriate security measures to protect Personal Data;
- Notify Customer of any Personal Data breach without undue delay;
- Assist Customer (where commercially reasonable) with data subject requests;
- Delete or return Personal Data upon termination as set forth in Section 4.7 of the Terms of Service, except where retention is required by law;
- Engage subprocessors only in accordance with Section 4 below;
- Make available to Customer, upon reasonable request, information necessary to demonstrate compliance with this DPA.
4. Subprocessors
Mutiny may engage third-party subprocessors to process Personal Data. Customer authorizes Mutiny to engage subprocessors listed below:
- Amazon Web Services - Cloud Service Provider (USA)
- Elastic Cloud - Cloud Service Provider (USA)
- Datadog - System Metrics and Logging (USA)
- Zendesk - In-application Customer Support (USA)
- Confluent - Event Streaming (USA)
- StarTree - Analytical Database (USA)
- Braintree - Metrics and Logging (USA)
- OpenAI - Large Language Model (USA)
- Anthropic - Large Language Model (USA)

Mutiny will notify Customer of new subprocessors by updating this list and will allow Customer thirty (30) days to object on reasonable data protection grounds.
5. GDPR-Specific Terms
Where GDPR applies, the parties agree to comply with the obligations set forth in the Standard Contractual Clauses (Module Two: Controller to Processor) as adopted by the European Commission.
6. CCPA-Specific Terms
Where CCPA applies:
- Mutiny certifies it understands the restrictions on processing Personal Data under CCPA;
- Mutiny will not sell Personal Data or retain, use, or disclose it except as permitted in the Terms of Service;
- Mutiny will notify Customer if it can no longer meet its CCPA obligations.