Data Processing Agreement

Effective date: March 22, 2026

1. Introduction

This Data Processing Agreement (“DPA”) supplements the Terms of Service and governs the processing of personal data by MentorStack Inc. (“MentorStack,” “we,” “us,” or “our”) on behalf of the customer (“Customer”) in connection with the MentorStack platform. This DPA applies whenever MentorStack processes personal data as a data processor on behalf of Customer as data controller.

2. Definitions

  • Controller: The entity that determines the purposes and means of processing personal data.
  • Processor: The entity that processes personal data on behalf of the Controller.
  • Data Subject: An identified or identifiable natural person whose personal data is processed.
  • Personal Data: Any information relating to a Data Subject, as defined in GDPR Article 4(1).
  • Sub-processor: Any processor engaged by MentorStack to carry out processing activities on behalf of Customer.
  • Processing: Any operation performed on personal data, as defined in GDPR Article 4(2).

3. Scope & Roles

Customer is the Controller of personal data submitted to or processed through the MentorStack platform. MentorStack is the Processor acting on Customer's behalf. MentorStack will process personal data only on Customer's documented instructions, including as set out in this DPA and the Terms of Service, unless required to do so by applicable law. In such a case, MentorStack will inform Customer of that legal requirement before processing, unless the law prohibits such notification.

4. Processing Details

Categories of data subjects

Personal data processed under this DPA relates to the following categories of data subjects: Customer's employees, mentors, mentees, and administrators who use the MentorStack platform under Customer's subscription.

Categories of personal data

  • Account information: Name, email address, and job title.
  • Profile data: Skills, interests, goals, and other information provided by users to facilitate mentor-mentee matching.
  • Usage data: Features used, session activity, timestamps, and engagement metrics.
  • Communication data: In-app messages, meeting notes, and AI-generated session summaries and agendas.

Purpose of processing

Providing, maintaining, and improving the MentorStack platform in accordance with Customer's subscription agreement and the Terms of Service.

5. Sub-processors

MentorStack engages the following categories of sub-processors to assist in delivering the platform:

| Sub-processor | Purpose | Location |
|---|---|---|
| Railway | Application and database hosting | United States |
| Resend | Transactional and notification emails | United States |
| Stripe | Subscription billing | United States |
| OpenAI | Session summaries and matching | United States |
| Google (Google Analytics) | Website usage analytics | United States |
| Cloudflare | Content delivery and image hosting | Global |
| Microsoft (Bing) | IndexNow URL submission | United States |

A current list of named sub-processors is available on request. MentorStack will provide at least 30 days' written notice before engaging a new sub-processor. Customer may object to the appointment of a new sub-processor by notifying MentorStack in writing within that period. If the parties cannot resolve the objection within 30 days, Customer may terminate the affected services without penalty.

6. Security Measures

MentorStack implements appropriate technical and organisational measures to protect personal data, including:

  • Encryption in transit using TLS 1.3
  • Encryption at rest using AES-256
  • Role-based access controls limiting data access to authorised personnel
  • Regular security audits and vulnerability assessments
  • Employee security training and confidentiality obligations
  • Documented incident response procedures

7. Breach Notification

In the event of a confirmed personal data breach, MentorStack will notify Customer without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include, to the extent available:

  • The nature of the personal data breach
  • The categories and approximate numbers of data subjects and records affected
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects

8. Data Subject Rights

MentorStack will provide reasonable assistance to Customer in fulfilling its obligations to respond to data subject requests, including requests to exercise rights of:

  • Access to personal data
  • Rectification of inaccurate data
  • Erasure (“right to be forgotten”)
  • Data portability
  • Restriction of processing
  • Objection to processing

Where a data subject contacts MentorStack directly with a rights request, MentorStack will redirect that request to Customer without undue delay.

9. DPIA Cooperation

MentorStack will provide reasonable assistance to Customer in carrying out data protection impact assessments (DPIAs) as required under GDPR Article 35, and in prior consultations with supervisory authorities where a DPIA indicates a high residual risk.

10. Audit Rights

Customer may conduct, or commission a third-party auditor to conduct, one audit per calendar year upon at least 30 days' written notice. Audits must be conducted during normal business hours in a manner that does not unreasonably disrupt MentorStack's operations. MentorStack may satisfy its audit obligations by providing Customer with copies of relevant SOC 2 reports, ISO certifications, or equivalent third-party attestations in lieu of a Customer-directed audit.

11. International Transfers

MentorStack is based in the United States. Where personal data originating in the European Economic Area (EEA) or the United Kingdom is transferred to the United States or other countries not recognised as providing an adequate level of data protection, MentorStack relies on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum as appropriate legal transfer mechanisms. See our Privacy Policy for further details on international data transfers.

12. Data Deletion & Return

Upon termination or expiry of the subscription, MentorStack will, at Customer's election, delete or return all personal data processed on Customer's behalf within 30 days, unless applicable law requires retention for a longer period. Anonymised, aggregate data from which no individual can be identified may be retained for legitimate analytics and product improvement purposes.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. MentorStack's aggregate liability for all claims arising out of or related to data processing activities under this DPA will not exceed the liability caps set out in the Terms of Service.

14. Term & Termination

This DPA is effective for the duration of Customer's subscription and any subsequent renewal periods. The DPA will automatically terminate upon expiry or termination of the subscription agreement. Obligations relating to data already processed will survive termination for as long as MentorStack continues to hold that personal data.

15. Contact

For questions about this DPA or data processing activities, contact our privacy team at:

Email: privacy@mentorstack.co

MentorStack Inc.
Toronto, Ontario, Canada
