Mondrio Inc. Data Processing Agreement

Effective Date: Upon execution of this Agreement or, for self-serve customers, upon acceptance of the Terms of Service

Last Updated: February 2026

Parties

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written agreement between Customer and Mondrio (such as a Cloud Service Agreement) (the "Principal Agreement") and is entered into between:

Customer (the "Controller")

and

Mondrio Inc., a Delaware corporation with its registered office at 8 The Green, STE B, Dover, DE 19901, United States of America (the "Processor" or "Mondrio")

(together, the "Parties")

Recitals

(A) The Controller acts as a Data Controller with respect to Personal Data.

(B) The Controller wishes to engage Mondrio to provide AI-powered pricing recommendation services as described in the Principal Agreement, which involve the Processing of Personal Data.

(C) The Parties seek to implement a data processing agreement that complies with the requirements of applicable Data Protection Laws, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "EU GDPR") and the United Kingdom General Data Protection Regulation (the "UK GDPR").

(D) The Parties wish to lay down their rights and obligations with respect to the Processing of Personal Data.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 Definitions

Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:

  1. "Applicable Data Protection Laws" means the EU GDPR and, to the extent applicable, the data protection or privacy laws of any other country, including national laws implementing or supplementing the EU GDPR, the UK GDPR (as defined in section 3(10) of the United Kingdom Data Protection Act 2018), and the Swiss Federal Act on Data Protection ("FADP").
  2. "Controller Personal Data" means any Personal Data Processed by Mondrio on behalf of Controller pursuant to or in connection with the Principal Agreement.
  3. "Data Transfer" means: (a) a transfer of Controller Personal Data from the Controller to Mondrio; or (b) an onward transfer of Controller Personal Data from Mondrio to a Subprocessor, or between two establishments of Mondrio, in each case, where such transfer would be prohibited by Applicable Data Protection Laws without appropriate safeguards.
  4. "EEA" means the European Economic Area.
  5. "GDPR" means, as applicable, the EU GDPR and/or the UK GDPR.
  6. "EU GDPR" means EU General Data Protection Regulation 2016/679.
  7. "UK GDPR" means the EU GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
  8. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Controller Personal Data transmitted, stored, or otherwise Processed.
  9. "Services" means the AI-powered pricing recommendation services and related offerings provided by Mondrio under the Principal Agreement.
  10. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by European Commission Implementing Decision (EU) 2021/914, as amended or replaced from time to time.
  11. "Subprocessor" means any third party appointed by or on behalf of Mondrio to Process Personal Data on behalf of the Controller in connection with this DPA.

1.2 GDPR Terms

The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Processing", and "Supervisory Authority" shall have the same meaning as in the EU GDPR, and their cognate terms shall be construed accordingly.

1.3 Interpretation

In this DPA, unless the context requires otherwise: (a) references to sections are to sections of this DPA; (b) headings are for convenience only and shall not affect interpretation; and (c) if there is any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the Processing of Personal Data.

2. Processing of Controller Personal Data

2.1 Processor Obligations

Mondrio shall:

  1. Comply with all Applicable Data Protection Laws in the Processing of Controller Personal Data;
  2. Process Controller Personal Data only on the documented instructions of the Controller, unless required to do so by applicable law to which Mondrio is subject, in which case Mondrio shall, to the extent permitted by applicable law, inform the Controller of that legal requirement before Processing; and
  3. Immediately inform the Controller if, in Mondrio's opinion, an instruction from the Controller infringes Applicable Data Protection Laws.

2.2 Controller Instructions

The Controller instructs Mondrio to Process Controller Personal Data to the extent necessary to provide the Services in accordance with the Principal Agreement. The details of the Processing are set forth in Schedule 1 (Details of Processing).

2.3 Controller Obligations

The Controller represents and warrants that:

  1. It has complied and will continue to comply with all Applicable Data Protection Laws in respect of its Processing of Personal Data and any Processing instructions it issues to Mondrio;
  2. It has all necessary rights, consents, and legal bases to provide Controller Personal Data to Mondrio for Processing in accordance with this DPA; and
  3. It will not provide Mondrio with any Personal Data that Mondrio is not authorized to Process under the Principal Agreement.

3. Mondrio Personnel

Mondrio shall take reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to Controller Personal Data, ensuring in each case that:

  1. Access is strictly limited to those individuals who need to access the relevant Controller Personal Data as strictly necessary for the purposes of the Principal Agreement;
  2. All such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; and
  3. All such individuals have received appropriate training on their data protection responsibilities.

4. Security

4.1 Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Mondrio shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate:

  1. The pseudonymization and encryption of Personal Data;
  2. The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  3. The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
  4. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

4.2 Risk Assessment

In assessing the appropriate level of security, Mondrio shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

4.3 SOC 2 Compliance

Mondrio is SOC 2 Type II certified and maintains a security program audited against the SOC 2 trust services criteria (security, availability, processing integrity, confidentiality, and privacy). Our current security status and compliance reports are available at trust.mondrio.io.

4.4 Data Location

Controller Personal Data is processed and stored on Google Cloud Platform. Default infrastructure is hosted in the United States (us-central1). EU data residency (Belgium, europe-west1) is available for customers on the EU plan. Database services are provided by MongoDB Atlas in the same region as the customer's selected data residency (United States or Belgium). AI processing uses Google Vertex AI (EEA) for EU-plan customers and Gemini API (United States) for all other customers. Authentication is provided by WorkOS in the United States (limited to authentication credentials; no Customer Content is processed by WorkOS). Data residency selection is specified in the Principal Agreement.

5. Subprocessing

5.1 Authorized Subprocessors

The Controller provides general authorization for Mondrio to engage Subprocessors to Process Controller Personal Data. A current list of Subprocessors is maintained at trust.mondrio.io. As of the date of this DPA, Mondrio's key Subprocessors are:

Subprocessor | Service | Location
MongoDB Atlas | Database services | United States or Belgium, depending on customer data residency selection
Google Cloud Platform | Cloud hosting and infrastructure | United States or Belgium, depending on customer data residency selection
Google Vertex AI | AI processing (EU-plan customers) | Belgium (europe-west1)
Gemini API (Google AI) | AI processing (non-EU customers) | United States
WorkOS | Authentication | United States

5.2 Subprocessor Obligations

Where Mondrio engages a Subprocessor:

  1. Mondrio shall enter into a written agreement with the Subprocessor that imposes data protection obligations no less protective than those imposed on Mondrio under this DPA;
  2. Mondrio shall remain fully liable to the Controller for the performance of the Subprocessor's obligations; and
  3. Mondrio shall conduct appropriate due diligence on each Subprocessor to ensure it is capable of providing the level of protection for Controller Personal Data required by this DPA.

5.3 Changes to Subprocessors

Mondrio shall notify the Controller of any intended changes concerning the addition or replacement of Subprocessors by updating the list at trust.mondrio.io. The Controller may subscribe to notifications of Subprocessor changes at trust.mondrio.io. The Controller may object to such changes within 30 days of the change being posted on reasonable grounds relating to data protection. If the Controller objects, the Parties shall work together in good faith to find a mutually acceptable resolution. If no resolution is reached within 30 days after the objection, the Controller may terminate the affected Services by providing written notice to Mondrio.

6. Data Subject Rights

6.1 Assistance with Requests

Taking into account the nature of the Processing, Mondrio shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligations to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws.

6.2 Data Subject Requests

Mondrio shall:

  1. Promptly notify the Controller if it receives a request from a Data Subject under any Applicable Data Protection Law in respect of Controller Personal Data; and
  2. Not respond to that request except on the documented instructions of the Controller or as required by applicable law, in which case Mondrio shall, to the extent permitted by applicable law, inform the Controller of that legal requirement before responding.

7. Personal Data Breach

7.1 Notification

Mondrio shall notify the Controller without undue delay (and in any event within 72 hours) upon Mondrio becoming aware of a Personal Data Breach affecting Controller Personal Data, providing the Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Applicable Data Protection Laws.

7.2 Breach Information

Such notification shall include, to the extent known:

  1. A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
  2. The name and contact details of Mondrio's point of contact from whom more information can be obtained;
  3. The likely consequences of the Personal Data Breach; and
  4. A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

7.3 Cooperation

Mondrio shall cooperate with the Controller and take reasonable commercial steps as directed by the Controller to assist in the investigation, mitigation, and remediation of each Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

Mondrio shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with Supervisory Authorities or other competent data privacy authorities that the Controller reasonably considers to be required by Articles 35 or 36 of the EU GDPR (or equivalent provisions of any other Applicable Data Protection Law), in each case solely in relation to Processing of Controller Personal Data by Mondrio and taking into account the nature of the Processing and information available to Mondrio.

9. Deletion or Return of Controller Personal Data

9.1 Upon Termination

Upon termination or expiration of the Principal Agreement, Mondrio shall, at the Controller's election:

  1. Return all Controller Personal Data to the Controller in a commonly used format; or
  2. Delete all Controller Personal Data.

Mondrio shall complete such return or deletion within 30 days of the effective date of termination. The Controller may request an export of Controller Personal Data prior to termination.

9.2 Subprocessor Retention

After Mondrio completes its deletion of Controller Personal Data, certain Subprocessors may retain residual data as follows:

  • MongoDB Atlas: Data deleted promptly upon Mondrio's deletion instruction; encrypted backups purged within approximately 30 days thereafter.
  • Google Cloud Platform: Secrets and stored data deleted promptly upon Mondrio's deletion instruction; system logs retained for 30–90 days per GCP's standard log retention policy, then automatically purged.
  • Google Vertex AI: Transient processing only; no Controller Personal Data is stored by Vertex AI after processing is complete.

9.3 Certification

Upon request, Mondrio shall provide written certification to the Controller that it has fully complied with this Section 9.

9.4 Retention for Legal Compliance

Mondrio may retain Controller Personal Data to the extent required by applicable law, provided that Mondrio shall ensure the confidentiality of such Controller Personal Data and shall only Process such Controller Personal Data as necessary for the purpose specified in the applicable law requiring its retention.

10. Audit Rights

10.1 Audit Information

Mondrio shall make available to the Controller on request all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws.

10.2 Audits

Mondrio shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the Processing of Controller Personal Data, subject to:

  1. Reasonable advance notice of at least 30 days (except in the case of an audit required by a Supervisory Authority or following a Personal Data Breach);
  2. The auditor entering into appropriate confidentiality undertakings;
  3. The audit being conducted during normal business hours and in a manner that minimizes disruption to Mondrio's operations; and
  4. The Controller bearing the costs of any such audit.

10.3 SOC 2 Reports

Mondrio maintains SOC 2 Type II certification and shall provide the Controller, upon request and subject to confidentiality obligations, with copies of relevant SOC 2 Type II reports or equivalent third-party audit reports as evidence of Mondrio's compliance with its security obligations under this DPA.

11. Data Transfers

11.1 Transfer Restrictions

Mondrio shall not transfer Controller Personal Data to countries outside the EEA, United Kingdom, or Switzerland unless appropriate safeguards are in place as required by Applicable Data Protection Laws.

11.2 Transfer Mechanisms

Where Controller Personal Data is transferred from the EEA, United Kingdom, or Switzerland to a country not deemed to provide an adequate level of protection, the Parties shall ensure that the Personal Data is adequately protected by:

  1. Standard Contractual Clauses approved by the European Commission;
  2. The UK International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses (as described in Section 11.5);
  3. Swiss Standard Contractual Clauses or the Swiss Addendum (as described in Section 11.6); or
  4. Other lawful transfer mechanisms approved under Applicable Data Protection Laws.

11.3 Incorporation of Standard Contractual Clauses

To the extent that the transfer of Controller Personal Data requires execution of the Standard Contractual Clauses, the Parties agree that the SCCs (Commission Implementing Decision (EU) 2021/914) are hereby incorporated into this DPA by reference. Module Two (Controller to Processor) shall apply. The SCCs are completed as follows:

  1. Clause 7 (Docking clause): The optional docking clause is included.
  2. Clause 9(a) (Use of sub-processors): OPTION 2 (General written authorization) applies. Mondrio shall inform the Controller of any intended changes to the list of Subprocessors with a 30-day objection period, as described in Section 5.3.
  3. Clause 11 (Redress): The optional language is not included.
  4. Clause 13 (Supervision): The competent supervisory authority shall be determined in accordance with Clause 13 of the SCCs.
  5. Clause 17 (Governing law): The SCCs shall be governed by the laws of Ireland.
  6. Clause 18(b) (Choice of forum and jurisdiction): Disputes shall be resolved before the courts of Ireland.
  7. Annex I.A (List of Parties): The Controller is the data exporter. Mondrio is the data importer. Contact details are as set forth in the Principal Agreement and this DPA.
  8. Annex I.B (Description of Transfer): As set forth in Schedule 1 of this DPA.
  9. Annex I.C (Competent Supervisory Authority): The competent supervisory authority shall be determined in accordance with Clause 13 of the SCCs.
  10. Annex II (Technical and Organizational Measures): As set forth in Schedule 2 of this DPA.
  11. Annex III (List of Sub-processors): As set forth in Section 5.1 of this DPA and maintained at trust.mondrio.io.

11.4 Supplementary Safeguards

In addition to the SCCs, Mondrio implements the following supplementary safeguards for international data transfers. The only current transfer to a country without an adequacy decision is authentication credentials processed by WorkOS in the United States; no Customer Content is included in this transfer.

Technical Measures:

  1. All Controller Personal Data is encrypted in transit using TLS 1.2 or higher;
  2. All Controller Personal Data is encrypted at rest using AES-256 or equivalent encryption; and
  3. Access to Controller Personal Data is controlled through role-based access controls and multi-factor authentication.

Organizational and Contractual Measures:

  1. Mondrio will promptly notify the Controller of any government access request relating to Controller Personal Data, unless legally prohibited from doing so;
  2. Mondrio warrants that it has no reason to believe that applicable laws prevent it from fulfilling its obligations under the SCCs; and
  3. Mondrio will promptly notify the Controller if it can no longer comply with the SCCs, in which case the Controller shall be entitled to suspend the transfer and/or terminate the DPA.

11.5 UK Addendum

To the extent that Controller Personal Data is transferred from the United Kingdom, the UK Addendum to the EU Standard Contractual Clauses (issued by the UK Information Commissioner under Section 119A(1) of the Data Protection Act 2018, as updated from time to time) is hereby incorporated by reference.

11.6 Swiss Addendum

To the extent that Controller Personal Data is transferred from Switzerland, the SCCs incorporated in Section 11.3 shall also apply to such transfers, with the following modifications:

  1. References to the "GDPR" shall be read as references to the Swiss FADP;
  2. References to "EU" or "Member State" shall not be read to exclude Switzerland;
  3. References to the "competent supervisory authority" shall mean the Swiss Federal Data Protection and Information Commissioner; and
  4. The SCCs shall be governed by the laws of Switzerland for transfers subject to the FADP.

12. Liability

Limitations of liability set forth in the Principal Agreement or Terms of Service shall apply to claims arising under this DPA, except to the extent that such limitation is prohibited by Applicable Data Protection Laws. Nothing in this DPA shall limit either Party's liability to Data Subjects under Applicable Data Protection Laws.

13. DPA Execution and Acceptance

13.1 Self-Serve Customers

Customers who access and use Mondrio's Product under the Terms of Service agree to this DPA by using the Product to process Personal Data governed by Applicable Data Protection Laws. By using the Product in such manner, Customer accepts this DPA as if it had been individually executed.

13.2 Enterprise Customers

Customers who have entered into a separate written agreement with Mondrio (such as a Cloud Service Agreement) may execute this DPA separately as referenced in their Principal Agreement.

14. General Terms

14.1 Confidentiality

Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA confidential and must not use or disclose that information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; or (b) the relevant information is already in the public domain through no fault of the receiving Party.

14.2 Notices

All notices and communications given under this DPA must be in writing and will be sent to:

For Mondrio:

Mondrio Inc.
8 The Green, STE B
Dover, DE 19901
United States of America
Email: privacy@mondrio.io

For the Controller:

The address set forth in the Principal Agreement or as otherwise notified in writing.

14.3 Governing Law and Jurisdiction

  1. This DPA is governed by the laws of the State of Delaware, without regard to its conflict of laws provisions, except where Applicable Data Protection Laws require otherwise.
  2. Any dispute arising in connection with this DPA that the Parties cannot resolve amicably shall be submitted to the exclusive jurisdiction of the courts located in Delaware, provided that this shall not affect the rights of Data Subjects or Supervisory Authorities under Applicable Data Protection Laws.
  3. For the avoidance of doubt, the governing law and jurisdiction provisions of the SCCs (Sections 11.3, 11.5, and 11.6) apply independently to the SCCs and are not overridden by this Section 14.3.

14.4 Term

This DPA shall remain in effect for as long as Mondrio Processes Controller Personal Data on behalf of the Controller.

14.5 Amendments

This DPA may only be amended in writing signed by both Parties or, for self-serve customers, by updated terms posted to Mondrio's website with notice as described in the Terms of Service.

Schedule 1: Details of Processing

1. Subject Matter and Duration of Processing

Mondrio will Process Controller Personal Data for the duration of the Principal Agreement to provide the AI-powered pricing recommendation Services described therein.

2. Nature and Purpose of Processing

Mondrio will Process Controller Personal Data as necessary to provide AI-powered pricing recommendation services, including:

  1. Ingestion and analysis of pricing and product data uploaded by Controller;
  2. Generation of AI-powered pricing recommendations via Google Vertex AI;
  3. Storage and display of results within the Product;
  4. User authentication and access management; and
  5. Maintaining usage logs for security, support, and Product performance purposes.

3. Categories of Data Subjects

Data Subjects may include:

  • Controller's employees and authorized users of the Product;
  • Individuals whose Personal Data may be incidentally contained in pricing datasets uploaded by Controller (e.g., customer names associated with pricing records).

4. Categories of Personal Data

Personal Data may include:

  • Contact information of authorized users (name, email address, job title);
  • Account credentials (managed via authentication provider);
  • Pricing and product data that may incidentally contain Personal Data (e.g., customer names, business contact details associated with pricing records);
  • Usage logs (IP addresses, timestamps, features accessed); and
  • Any other Personal Data submitted by or on behalf of the Controller to the Services.

5. Special Categories of Personal Data

The Controller shall NOT submit special categories of Personal Data (as defined in Article 9 of the EU GDPR) to the Services. Mondrio's Product is designed for pricing and product data and is not intended to process special categories of Personal Data. If the Controller inadvertently submits special category data, the Controller shall notify Mondrio promptly.

6. Frequency of Transfer

Continuous, for the duration of the Principal Agreement.

7. Retention Period

As set forth in Section 9 of this DPA: Mondrio deletes Controller Personal Data within 30 days after termination. Subprocessor retention periods are as described in Section 9.2.

Schedule 2: Technical and Organizational Measures

Mondrio implements the following technical and organizational measures to protect Controller Personal Data:

1. Encryption

  • Data encrypted in transit using TLS 1.2 or higher.
  • Data encrypted at rest using AES-256 or equivalent.

2. Access Controls

  • Role-based access controls for all systems processing Controller Personal Data.
  • Multi-factor authentication required for access to production systems.
  • Principle of least privilege applied to all access grants.

3. Infrastructure Security

  • Core infrastructure hosted on Google Cloud Platform in the United States (us-central1) or Belgium (europe-west1), depending on customer's data residency selection.
  • Database services on MongoDB Atlas in the United States or Belgium (WESTERN_EUROPE region), depending on customer's data residency selection.
  • Network segmentation and firewall protections.
  • Periodic vulnerability scanning, with penetration testing conducted as part of the SOC 2 program.

4. Monitoring and Logging

  • Centralized logging of access and changes to Controller Personal Data.
  • Automated alerting for suspicious activity.

5. Business Continuity

  • Automated backups.
  • Disaster recovery procedures documented.

6. Personnel Security

  • Background checks where required by applicable law.
  • Data protection training for employees with access to Controller Personal Data.
  • Confidentiality obligations in employment contracts.

7. Incident Response

  • Documented incident response plan.
  • Notification procedures aligned with Section 7 of this DPA.

8. Vendor Management

  • Due diligence conducted on Subprocessors before engagement.
  • Contractual obligations requiring equivalent data protection standards.

9. SOC 2 Compliance

Mondrio is SOC 2 Type II certified. Our current security status and compliance reports are available at trust.mondrio.io.

This Data Processing Agreement is entered into as of the date last signed below or, for self-serve customers, as of the date the Customer first uses the Product to process Personal Data governed by Applicable Data Protection Laws.