Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Mononio AI Terms of Service. Where you process personal data of EU/EEA data subjects using the Mononio platform, this DPA governs that processing under GDPR Article 28.
1. Definitions
In this DPA, the following terms have the meanings set out below (and capitalized terms not defined here have the meanings given in the Terms of Service):
| Term | Definition |
|---|---|
| Controller | The Customer (you), who determines the purposes and means of processing Personal Data using the Service. |
| Processor | Mononio AI Corporation, which processes Personal Data on behalf of the Controller. |
| Personal Data | Any information relating to an identified or identifiable natural person processed through the Service. |
| Processing | Any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion. |
| Data Subject | Any individual whose Personal Data is processed through the Service (e.g., ad campaign audiences, end customers). |
| Sub-Processor | A third party engaged by Mononio to process Personal Data in connection with providing the Service. |
| Security Incident | Any confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Personal Data (a "personal data breach" within the meaning of GDPR Article 4(12)). |
| GDPR | The EU General Data Protection Regulation (2016/679) and any applicable national implementing legislation. |
| SCCs | Standard Contractual Clauses adopted by the European Commission for international data transfers. |
2. Scope & Relationship of the Parties
2.1 Scope
This DPA applies to Mononio's processing of Personal Data on behalf of the Customer in connection with the provision of the Mononio AI marketing automation Service.
2.2 Nature of Processing
The categories of Personal Data and data subjects that Mononio may process on behalf of the Customer include:
| Data Category | Data Subjects | Processing Purpose |
|---|---|---|
| Ad campaign audience data | Customer's ad campaign audiences and customers | Targeted advertising, campaign optimization |
| Customer contact data (CRM/leads) | Customer's leads and contacts | Email marketing, lead management |
| Analytics and behavioral data | Website visitors, app users | Performance analytics, conversion tracking |
| Account user data | Customer's authorized platform users | Authentication, access control, audit logging |
2.3 Instructions
Mononio will process Personal Data only on documented instructions from the Controller, which includes: (a) the Terms of Service and this DPA; (b) instructions provided through the Service configuration; and (c) written instructions provided by the Controller's authorized users.
2.4 Compliance with Law
Each party is responsible for its own compliance with applicable data protection laws. The Controller is responsible for establishing a valid legal basis for processing and for providing required notices to data subjects.
3. Processor Obligations
Mononio, acting as Processor, commits to the following:
3.1 Processing Restrictions
- Process Personal Data only on documented instructions from the Controller, except where required by applicable law
- Not use Personal Data for any purpose other than providing and improving the Service
- Not sell, rent, or otherwise disclose Personal Data to third parties for their own marketing purposes
3.2 Confidentiality
- Ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations
- Limit access to Personal Data to personnel who need access to fulfill Mononio's obligations under the Terms of Service
3.3 Security
Implement and maintain appropriate technical and organizational security measures as described in Section 6 of this DPA.
3.4 Sub-Processors
Engage Sub-Processors only in accordance with Section 5 of this DPA, and remain liable to the Controller for Sub-Processor compliance.
3.5 Assistance
Provide reasonable assistance to the Controller in fulfilling data subject rights requests, security obligations, data protection impact assessments, and regulatory consultations.
3.6 Notification of Conflicting Instructions
Promptly inform the Controller if, in Mononio's opinion, any instruction infringes applicable data protection law.
4. Controller Obligations
The Customer, acting as Controller, commits to the following:
- Ensure there is a valid legal basis for each type of Personal Data processing under this DPA
- Provide data subjects with all required privacy notices before their data is processed through the Service
- Promptly respond to data subject rights requests and inform Mononio if the response requires action on our part
- Not provide Mononio with Personal Data of children under 13, or under 16 in the EU/EEA
- Maintain appropriate records of processing activities as required by GDPR Article 30
- Conduct data protection impact assessments (DPIAs) where required and consult with Mononio as necessary
5. Sub-Processors
5.1 Authorized Sub-Processors
The Controller authorizes Mononio to engage the following sub-processors as of the effective date of this DPA:
Annex III — Sub-Processor List
| Sub-Processor | Role | Data Processed | Location |
|---|---|---|---|
| Neon Inc. | Database hosting (PostgreSQL) | All application data including Personal Data | USA (AWS us-east-1) |
| Render Services, Inc. | Application hosting & compute | Application logs, request/response data | USA (AWS us-east-1) |
| Cloudflare, Inc. (R2) | Object storage (images, assets) | Uploaded files, generated creative assets | USA |
| OpenAI, LLC | AI language model API | Campaign context, content queries (no direct identifiers by default) | USA |
| Anthropic, PBC | AI language model API | Campaign context, strategic queries (no direct identifiers by default) | USA |
| Together Computer, Inc. | AI language model API | Content generation requests (no direct identifiers by default) | USA |
| Fal AI, Inc. | AI image generation | Image generation prompts, brand assets | USA |
| Stripe, Inc. | Payment processing | Billing information, payment transactions | USA |
5.2 Changes to Sub-Processors
Mononio will provide at least 30 days' prior written notice (via email or in-app notification) before engaging any new Sub-Processor or making material changes to an existing Sub-Processor's role. The Controller may object to new Sub-Processors by notifying Mononio within 14 days of the notice. If the Controller objects and Mononio cannot accommodate the objection, the Controller may terminate the affected Services with a pro-rata refund.
5.3 Sub-Processor Obligations
Mononio will impose data protection obligations on each Sub-Processor that are no less protective than those set out in this DPA and will remain liable to the Controller for Sub-Processor compliance with these obligations.
6. Data Security Measures
Mononio implements the following technical and organizational security measures:
Annex II — Technical & Organizational Security Measures
Encryption
- All data encrypted at rest using AES-256-GCM
- All data in transit encrypted using TLS 1.2 or higher
- Sensitive credentials (API keys, OAuth tokens) encrypted individually before database storage
Access Controls
- Role-based access control with principle of least privilege
- Database row-level security (RLS) policies enforce per-tenant data isolation
- Multi-factor authentication required for all production system access
- Production database access restricted to authorized engineering personnel only
Infrastructure Security
- Application hosted on SOC 2 Type II compliant infrastructure (Render)
- Database hosted on SOC 2 compliant infrastructure (Neon/AWS)
- Network isolation with private database networking
- Automated security patches applied to infrastructure
- All queries use parameterized statements (SQL injection prevention)
Operational Security
- Security logs retained for 90 days with anomaly monitoring
- Sandboxed execution environments for AI agent operations with allowlisted env vars
- No direct production database modifications outside migration process
- Regular security reviews of access controls and permissions
Personnel
- All personnel with data access bound by confidentiality obligations
- Security training for all staff with access to personal data
- Background checks conducted for personnel with access to production systems
7. Security Incident & Breach Notification
7.1 Detection & Assessment
Mononio maintains security monitoring systems to detect unauthorized access, anomalous behavior, and potential breaches. Upon detecting a potential Security Incident, Mononio will:
- Immediately initiate incident response procedures
- Assess the scope, nature, and impact of the incident
- Contain and remediate the incident
7.2 Notification Timeline
Upon confirmation of a Security Incident involving Personal Data:
- Within 48 hours of confirmation: Initial notification to the Controller via email to the account's registered email address
- Within 72 hours of confirmation: More detailed notification including the information set out below (to the extent available)
- Ongoing: Regular updates as investigation progresses
7.3 Notification Content
Breach notifications will include, to the extent known:
- Nature of the Security Incident (type of breach, systems affected)
- Categories and approximate volume of Personal Data affected
- Categories and approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate effects
- Contact details of Mononio's data protection contact
7.4 Cooperation
Mononio will cooperate with the Controller's reasonable requests in connection with investigating and mitigating a Security Incident. The Controller is responsible for making required notifications to data subjects and supervisory authorities under applicable law.
7.5 Incident Contact
Report security incidents or concerns to: security@mononio.ai
8. Data Subject Rights
8.1 Controller Responsibility
The Controller is primarily responsible for responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection) under GDPR and other applicable laws.
8.2 Processor Assistance
Upon receiving a data subject rights request that relates to Personal Data processed by Mononio, Mononio will:
- Promptly notify the Controller if Mononio receives a request directly from a data subject (within 5 business days)
- Provide the Controller with commercially reasonable assistance in fulfilling the request
- Implement technical measures to assist with data exports, corrections, or deletions as instructed by the Controller
8.3 Response Timeline
Mononio will provide assistance within 25 days of a Controller's written request to enable the Controller to meet the one-month response deadline under GDPR Article 12(3).
9. International Data Transfers
9.1 Transfer Mechanism
Mononio AI Corporation is based in the United States. When processing Personal Data originating from the EU/EEA, transfers to the US are governed by:
- Standard Contractual Clauses (SCCs): Module 2 (Controller to Processor) SCCs pursuant to EU Commission Decision 2021/914 are incorporated into this DPA by reference
- Annex I (Description of Transfer) is set out in Section 2 of this DPA
- Annex II (Technical and Organizational Measures) is set out in Section 6 of this DPA
- Annex III (List of Sub-Processors) is set out in Section 5 of this DPA
9.2 Sub-Processor Transfers
For transfers to Sub-Processors outside the EEA, Mononio ensures appropriate transfer mechanisms are in place, including SCCs where required.
9.3 UK Data
For transfers of personal data from the United Kingdom, the UK's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs applies where required by UK data protection law.
10. Audit Rights
10.1 Documentation
Mononio will make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations in this DPA, including this DPA itself, relevant security certifications, and third-party audit reports.
10.2 Audit Requests
The Controller may request an audit of Mononio's data processing activities no more than once per calendar year, with at least 60 days' prior written notice. Audits:
- Must be conducted during normal business hours with minimal disruption
- Will be at the Controller's expense
- May be satisfied by Mononio providing current third-party audit reports (SOC 2 or equivalent) in lieu of an on-site audit
- Must be conducted by the Controller or a mutually agreed independent auditor under appropriate confidentiality obligations
10.3 Regulatory Investigations
In the event of a regulatory investigation involving Personal Data processed under this DPA, Mononio will cooperate reasonably with the Controller's response efforts.
11. Termination & Data Deletion
11.1 Effect of Termination
Upon termination of the Terms of Service (whether by either party), Mononio will:
- Continue to process Personal Data only as required to conclude pending automated processes already in progress
- Retain Personal Data for 30 days to allow the Controller to export data
- Securely delete or anonymize all Personal Data after the 30-day retention period, unless required by law to retain certain records
11.2 Data Export
Within the 30-day post-termination period, the Controller may request an export of their data by contacting support@mononio.ai. Mononio will provide exported data in a common, machine-readable format.
11.3 Deletion Certification
Upon request, Mononio will provide written confirmation that all Personal Data has been deleted or anonymized following the retention period, except where retention is required by applicable law.
11.4 Survival
The obligations in this DPA that, by their nature, should survive termination (including confidentiality, security incident notification, and audit provisions) will remain in effect for 3 years following termination.
12. Liability
12.1 Allocation of Liability
Each party is responsible for its own compliance with applicable data protection law. The Controller is responsible for instructing Mononio to process data lawfully; Mononio is responsible for processing according to those instructions and maintaining required security measures.
12.2 Cap
Mononio's aggregate liability under this DPA is subject to the limitations set forth in the Terms of Service. This DPA does not expand or modify the liability caps set out in the Terms of Service.
12.3 GDPR Liability
Where GDPR applies, each party's liability to data subjects shall be governed by applicable provisions of GDPR, including Article 82. The parties agree to cooperate in good faith regarding the allocation of responsibility for any regulatory fines or enforcement actions.
12.4 Indemnification
Each party will indemnify the other against third-party claims, costs, and fines arising directly from that party's breach of its obligations under this DPA, subject to the notice and cooperation requirements set out in the Terms of Service.
12.5 Contact
For DPA-related inquiries, executed DPA requests, or data protection matters:
| Purpose | Contact |
|---|---|
| Legal/DPA | legal@mononio.ai |
| Data Protection Officer | dpo@mononio.ai |
| Security Incidents | security@mononio.ai |
| Address | Mononio AI Corporation, Dover, Delaware, USA |