DATA PROCESSING AGREEMENT

 

At eSIM Copilot, we are committed to protecting your personal data and ensuring transparency around how it is handled. We process a limited set of personal information to deliver our services—such as your name, email address, mobile number (if provided), and eSIM details. Mindszi acts as a Controller for individual accounts and platform operations, and as a Processor for business accounts under the instructions of the customer.

We use trusted subprocessors like AWS, Stripe, and Microsoft Azure in UK/EU regions, and apply strong safeguards such as encryption, access controls, and Standard Contractual Clauses for any data transfers.

Aggregated analytics are anonymised and do not include personal data. You can learn more in our full Data Processing Agreement below.

 

SUMMARY

Personal Data Processed

  • First Name
  • Last Name
  • Email Address
  • MSISDN (mobile number, if provided)
  • ICCID (SIM card identifier) — treated as personal data when linked to an individual
  • Job Title (if provided)
  • Department (if provided)
  • Mobile Plan Order/Assignment Information (if provided)
  • Credit/Debit payment information (if provided)

Roles

  • Controller: Mindszi is the Controller for Individual eSIM Copilot Accounts and for general platform operations (e.g., account security, billing).
  • Processor: Mindszi acts as a Processor for Business Accounts, processing employees’ personal data strictly on behalf of and under the instructions of the Business Customer.

Analytics

  • Mindszi generates aggregated, anonymised analytics that do not include personal data.

Subprocessors and Locations

  • AWS (Platform Cloud Services) — UK/EU
  • Auth0 (Authentication) — EU
  • Stripe (Payment Processing) — UK/EU
  • Microsoft Azure (Teams Specific Cloud Services) — EU/US
  • Datadog (Logging) – EU

Data Transfers

  • Personal data is processed in UK/EU/US regions.
  • Where data is transferred outside the EU/UK, Mindszi uses Standard Contractual Clauses (SCCs) to safeguard such transfers.

Security Measures

  • Encryption at rest and in transit
  • Role-based access controls
  • Regular security audits
  • Incident response plan
  • Data minimisation practices
  • Backup and disaster recovery
 

DPA

This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions (“Agreement”) between Mindszi Technologies Ltd, company number 15524190, of 128 City Road, London, United Kingdom, EC1V 2NX (“Mindszi”, “we”, “us”) and the Customer (“you”). This DPA sets out the terms under which Mindszi processes personal data as a Processor on behalf of the Customer, and separately as an independent Controller for specific platform operations.

1. DEFINITIONS
1.1. “Data Protection Laws” means all applicable data protection and privacy laws, including the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, and the Data Protection Act 2018.
1.2. “Personal Data”, “Data Subject”, “Processing”, “Processor”, “Controller”, and “Supervisory Authority” have the meanings given in the GDPR.
1.3. “Subprocessor” means any third party engaged by Mindszi to process Personal Data.

2. SUBJECT MATTER
2.1. This DPA governs Mindszi’s Processing of Personal Data both: (a) as a Processor, on behalf of the Customer in the course of providing the services described in the Agreement (Business Accounts); and (b) as an independent Controller, where necessary for platform operations, including account security, analytics, billing, and compliance.

3. ROLES OF THE PARTIES
3.1. The parties agree that: (a) For Business Accounts, the Customer is the Controller and Mindszi is the Processor. (b) For Individual Accounts, Mindszi acts as the Controller. (c) For platform-level activities such as account management, billing, fraud detection, and security monitoring, Mindszi acts as an independent Controller.

4. INSTRUCTIONS
4.1. Where acting as a Processor, Mindszi shall only process Personal Data on documented instructions from the Customer unless required by law to act without such instructions.
4.2. The Customer instructs Mindszi to process Personal Data for the purposes described in the Agreement and this DPA.

5. CONFIDENTIALITY
5.1. Mindszi shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality.

6. SECURITY MEASURES
6.1. Mindszi shall implement appropriate technical and organisational measures (“TOMs”) to ensure a level of security appropriate to the risk, including: • Encryption of Personal Data at rest and in transit. • Access control measures. • Incident detection and response procedures. • Regular security assessments.

7. SUBPROCESSING
7.1. The Customer authorises Mindszi to engage Subprocessors for Processing activities.
7.2. Mindszi maintains a list of Subprocessors available at the start of this document.
7.3. Mindszi shall ensure that Subprocessors are bound by written agreements imposing data protection obligations no less protective than this DPA.
7.4. Mindszi shall notify the Customer of any intended changes concerning the addition or replacement of Subprocessors, giving the Customer an opportunity to object.

8. DATA TRANSFERS
8.1. Mindszi shall not transfer Personal Data outside the UK or EEA unless it ensures appropriate safeguards are in place, such as Standard Contractual Clauses (“SCCs”).

9. DATA SUBJECT RIGHTS
9.1. Taking into account the nature of the Processing, Mindszi shall assist the Customer by implementing appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising Data Subjects’ rights.

10. DATA BREACH
10.1. Mindszi shall notify the Customer without undue delay after becoming aware of a Personal Data Breach.
10.2. Such notification shall include all information reasonably required to assist the Customer in complying with its obligations under the GDPR.

11. DELETION OR RETURN OF DATA
11.1. Upon termination of the Agreement, Mindszi shall, at the choice of the Customer, delete or return all Personal Data, unless otherwise required by applicable law.

12. AUDIT RIGHTS
12.1. Mindszi shall make available to the Customer all information necessary to demonstrate compliance with this DPA.
12.2. The Customer may conduct audits, including inspections, provided that: • It provides at least 30 days’ written notice. • Audits are conducted during normal business hours. • Audits do not interfere unreasonably with Mindszi’s business operations.

13. LIABILITY
13.1. Each party’s liability under this DPA is subject to the limitations of liability set forth in the Agreement.

14. GOVERNING LAW
14.1. This DPA shall be governed by and construed in accordance with the laws of England and Wales.

 

 

Contacting us

If you have any questions regarding the information we may hold about you or if you wish to exercise your rights, you may use the following data subject request form to submit your request:
Submit a data access request

If you have any other questions, concerns, or complaints regarding this Policy, we encourage you to contact us using the details below:
hello@mindszi.com

Data protection officer:
Michael Moorfield
hello@mindszi.com

EU representative:
Mindszi Technologies Ltd
hello@mindszi.com

Company address:
Mindszi Technologies Ltd, 128 City Road, London, United Kingdom, EC1V 2NX.

We will attempt to resolve complaints and disputes and make every reasonable effort to honor your wish to exercise your rights as quickly as possible and in any event, within the timescales provided by applicable data protection laws.

This document was last updated on April 18, 2025.