Data Processing Agreement
Version 1.4, last updated May 05, 2026.
At eSIM Copilot, we are committed to protecting your personal data and ensuring transparency around how it is handled. We process a limited set of personal information to deliver our services — such as your name, email address, mobile number (if provided), and eSIM details. Mindszi acts as a Controller for individual accounts and platform operations, and as a Processor for business accounts under the instructions of the customer.
We use trusted subprocessors primarily in UK/EU regions. Where personal data is transferred outside the UK/EEA - for example, transient AI inference calls to providers in the United States - we rely on EU Standard Contractual Clauses and the UK International Data Transfer Addendum as appropriate transfer safeguards.
Aggregated analytics are anonymised and do not include personal data. You can learn more in our full Data Processing Agreement below.
Summary
Personal Data Processed
- First Name
- Last Name
- Email Address
- MSISDN (mobile number, if provided)
- ICCID (SIM card identifier) — treated as personal data when linked to an individual
- EID (Device eSIM identifier) — treated as personal data when linked to an individual
- Job Title (if provided)
- Department (if provided)
- Mobile Plan Order/Assignment Information (if provided)
- Credit/Debit payment information (if provided)
- Message details and delivery metadata — processed via Mindszi's Twilio account, where applicable
End User and Admin authentication via Auth0
Mindszi uses Auth0, hosted in the EU, for customer authentication. Two login options are supported:
- Email/Password Login — email address and password (securely hashed).
- Social Login (e.g. Google, Apple) — email and provider user ID (and optionally name).
Auth0 acts as a subprocessor under Mindszi's control and is configured for GDPR-compliant data minimisation and access controls.
Roles
- Controller: Mindszi is the Controller for Individual eSIM Copilot Accounts and for general platform operations (e.g., account security, preferences, individual billing).
- Processor: Mindszi acts as a Processor for Business Accounts, processing employees' personal data strictly on behalf of and under the instructions of the Business Customer.
Analytics
Mindszi generates aggregated, anonymised analytics that do not include personal data.
Subprocessors and Locations
| Subprocessor | Purpose | Region |
|---|---|---|
| AWS | Platform Cloud Services | UK/EU |
| Auth0 | End User Authentication on esimcopilot.com | EU |
| Stripe | Payment Processing | UK/EU |
| Microsoft Azure | Azure/Microsoft Bot Framework & Microsoft Entra ID Auth | EU |
| Datadog | Logging | EU |
| Twilio | SMS and Telecom Messaging | UK/EU |
| SendGrid | Email Communications | EU |
| PostHog | Behavioural Product Analytics | EU |
| Slack | Internal Operations (PII filtered) | US |
Optional Subprocessors and Locations
The following sub-processors are only engaged when the AI support tier is enabled. Customers may opt out of the AI tier per their service agreement, in which case data is not processed by these sub-processors.
| Subprocessor | Purpose | Region |
|---|---|---|
| LangChain | LLM Analytics | EU |
| AWS Bedrock | LLM inference for AI tier | EU |
| OpenAI | LLM inference for AI tier | EU |
| Anthropic | LLM inference for AI tier | US |
| Groq | LLM inference for AI tier | US |
AI Model Training
Mindszi does not permit AI sub-processors to use customer content for model training or fine-tuning. This is enforced by:
- Selecting commercial / API tiers from each provider, where training is contractually prohibited (Anthropic) or excluded by default (OpenAI, Groq);
- Not opting into any data-sharing, fine-tuning, or feedback-driven training programs offered by these providers.
Data Transfers
- Personal data is stored at rest in the UK and EU only.
- Some processing activities may involve the transfer of personal data outside the UK / EEA - specifically, AI inference may be transmitted to providers located in the United States (Anthropic, Groq). These transfers are transient; US-based providers do not store prompts or completions at rest beyond standard short-window abuse-monitoring buffers, and under their commercial API terms do not train models on customer content. Mindszi has not opted into any data-sharing or training programs offered by these providers.
- For all transfers of personal data outside the UK or EEA, Mindszi relies on the EU Standard Contractual Clauses (SCCs), and the UK International Data Transfer Addendum where the UK GDPR applies, as appropriate transfer safeguards.
Security Measures
- Encryption at rest and in transit
- Role-based access controls
- Regular security audits
- Incident response plan
- Data minimisation practices
- Backup and disaster recovery
DPA
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions ("Agreement") between Mindszi Technologies Ltd, company number 15524190, of 128 City Road, London, United Kingdom, EC1V 2NX ("Mindszi", "we", "us") and the Customer ("you"). This DPA sets out the terms under which Mindszi processes personal data as a Processor on behalf of the Customer, and separately as an independent Controller for specific platform operations.
1. Definitions
1.1. "Data Protection Laws" means all applicable data protection and privacy laws, including the EU General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and the Data Protection Act 2018.
1.2. "Personal Data", "Data Subject", "Processing", "Processor", "Controller", and "Supervisory Authority" have the meanings given in the GDPR.
1.3. "Subprocessor" means any third party engaged by Mindszi to process Personal Data.
2. Subject Matter
2.1. This DPA governs Mindszi's Processing of Personal Data both: (a) as a Processor, on behalf of the Customer in the course of providing the services described in the Agreement (Business Accounts); and (b) as an independent Controller, where necessary for platform operations, including account security, analytics, billing, and compliance.
3. Roles of the Parties
3.1. The parties agree that:
- (a) For Business Accounts, the Customer is the Controller and Mindszi is the Processor.
- (b) For Individual Accounts, Mindszi acts as the Controller.
- (c) For platform-level activities such as account management, billing, fraud detection, and security monitoring, Mindszi acts as an independent Controller.
4. Instructions
4.1. Where acting as a Processor, Mindszi shall only process Personal Data on documented instructions from the Customer unless required by law to act without such instructions.
4.2. The Customer instructs Mindszi to process Personal Data for the purposes described in the Agreement and this DPA.
5. Confidentiality
5.1. Mindszi shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality.
6. Security Measures
6.1. Mindszi shall implement appropriate technical and organisational measures ("TOMs") to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data at rest and in transit.
- Access control measures.
- Incident detection and response procedures.
- Regular security assessments.
7. Subprocessing
7.1. The Customer authorises Mindszi to engage Subprocessors for Processing activities.
7.2. Mindszi maintains a list of Subprocessors available at the start of this document.
7.3. Mindszi shall ensure that Subprocessors are bound by written agreements imposing data protection obligations no less protective than this DPA.
7.4. Mindszi shall notify the Customer of any intended changes concerning the addition or replacement of Subprocessors, giving the Customer an opportunity to object.
8. Data Transfers
8.1. Mindszi shall not transfer Personal Data outside the UK or EEA unless it ensures appropriate safeguards are in place, such as Standard Contractual Clauses ("SCCs").
9. Data Subject Rights
9.1. Taking into account the nature of the Processing, Mindszi shall assist the Customer by implementing appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Customer's obligation to respond to requests for exercising Data Subjects' rights.
10. Data Breach
10.1. Mindszi shall notify the Customer without undue delay after becoming aware of a Personal Data Breach.
10.2. Such notification shall include all information reasonably required to assist the Customer in complying with its obligations under the GDPR.
11. Deletion or Return of Data
11.1. Upon termination of the Agreement, Mindszi shall, at the choice of the Customer, delete or return all Personal Data, unless otherwise required by applicable law.
12. Audit Rights
12.1. Mindszi shall make available to the Customer all information necessary to demonstrate compliance with this DPA.
12.2. The Customer may conduct audits, including inspections, provided that:
- It provides at least 30 days' written notice.
- Audits are conducted during normal business hours.
- Audits do not interfere unreasonably with Mindszi's business operations.
13. Liability
13.1. Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement.
14. Governing Law
14.1. This DPA shall be governed by and construed in accordance with the laws of England and Wales.
Contacting us
If you have any questions regarding the information we may hold about you or if you wish to exercise your rights, you may use the following data subject request form to submit your request:
If you have any other questions, concerns, or complaints regarding this Policy, we encourage you to contact us using the details below:
Email: help@esimcopilot.com
Data protection officer: Michael Moorfield help@esimcopilot.com
EU representative: Mindszi Technologies Ltd help@esimcopilot.com
Company address: Mindszi Technologies Ltd, 128 City Road, London, United Kingdom, EC1V 2NX.
We will attempt to resolve complaints and disputes and make every reasonable effort to honor your wish to exercise your rights as quickly as possible and, in any event, within the timescales provided by applicable data protection laws.
This document was last updated on May 5, 2026.