Data Processing Agreement (DPA)
Version: 2.2
Effective Date: June 23, 2026
This Data Processing Agreement (DPA) forms part of the agreement between the Customer (Data Controller) and Rembrandt (Data Processor). It defines the processing of personal data, publicly available business data, and Customer-provided first-party data in connection with the Rembrandt Intent Signal Framework platform.
This DPA incorporates by reference the security commitments detailed in Section 12 (Security Measures) of the Rembrandt Terms of Service (https://rembrandtagents.com/terms-of-service).
Roles and Responsibilities
• Customer: Acts as the Data Controller and determines the purposes and means of processing Customer Personal Data, including first-party CRM, prospect, website engagement, report download, sales activity, and meeting data provided to or connected with the Services.
• Rembrandt (Mindmapp B.V.): Acts as the Data Processor and processes Customer Personal Data on behalf of Customer in accordance with Customer’s documented instructions, this DPA, and the applicable service agreement.
Customer remains responsible for providing privacy notices, establishing a lawful basis, obtaining any required consents, and honoring applicable opt-out or objection rights for Customer-provided first-party data.
Nature and Purpose of Processing
Rembrandt processes data to deliver AI-powered business intelligence services that identify actionable account-level signals and commercial intent. Signals may be derived from:
• publicly available business sources, including job postings, news, company websites, reports, and other public web content;
• Customer-provided first-party data, including CRM records, prospect and contact data, website engagement, report downloads, sales activity, meeting notes, and meeting transcripts;
• Customer-configured use cases, signal definitions, solution information, and account lists.
The purposes of processing are to generate and improve account-level intent signals, Rembrandt scores, buying journey insights, recommendations, alerts, reports, and GTM workflows for Customer’s internal business purposes.
Lawful Basis for Processing
Customer is responsible for determining and documenting the lawful basis for processing Customer Personal Data. Depending on the processing activity and jurisdiction, Customer’s lawful basis may include legitimate interests, contract performance, consent, or another lawful basis under applicable data protection laws.
Rembrandt processes Customer Personal Data as a processor on Customer’s documented instructions and does not determine the independent purposes of such processing.
Types of Personal and Business Data Processed
Platform User Personal Data
• Authorized user first name, last name, email address, username, and authentication data
• Organization membership, role information, permissions, preferences, and notification settings
• Platform usage and support data required to operate, secure, and improve the Services
Customer-Provided First-Party Data
Customer may provide, upload, connect, or authorize Rembrandt to retrieve first-party data for signal generation and scoring, including:
• CRM and Prospect Data: Account records, contact records, names, business email addresses, job titles, seniority, departments, account ownership, pipeline stages, opportunity data, notes, and activity history
• Website and Product Engagement Data: Page visits, content views, product or website events, timestamps, inferred interests, and identifiers used by Customer to associate events with accounts or contacts
• Content and Report Engagement: Report downloads, whitepaper downloads, webinar attendance, campaign responses, and related engagement metadata
• Sales and Meeting Data: Meeting metadata, notes, transcripts, summaries, action items, call recordings or transcript-derived text where enabled by Customer, and related sales activity
• GTM Activity Data: Email engagement, replies, bounces, unsubscribes, meetings booked, sequence activity, campaign membership, and opt-out status
Customer-provided first-party data may include Personal Data relating to prospects, Customer’s customers, business contacts, website visitors, meeting participants, and other individuals.
Publicly Available Business Data
• Job Postings: Company hiring information, job titles, departments, seniority levels, employment details, and related signals
• News Articles: Company announcements, press releases, funding news, partnerships, strategic changes, and related signals
• Web Content: Company websites, annual reports, case studies, whitepapers, thought leadership content, and related signals
• Company Information: Company names, locations, industry classifications, employee counts, business descriptions, and other firmographic information
Derived Data
• Signal Data: AI-processed signals, buying journey stages, urgency scores, account scores, evidence, recommendations, and commercial intelligence
• Aggregated and Analytics Data: Aggregated usage, performance, and product analytics that do not identify Customer or individuals unless otherwise agreed
Derived data may remain Personal Data where it identifies or can reasonably be linked to an individual.
Restricted Data
Customer must not provide special categories of personal data, health data, government identifiers, children’s data, payment card data, or other sensitive regulated data unless expressly agreed in writing by Rembrandt.
Description of Data Processing Activities
Purpose and Duration
Rembrandt processes data to provide AI-powered prospect intelligence, signal detection, account scoring, GTM recommendations, reporting, and related platform functionality. Processing occurs for the duration of the service agreement and as necessary to provide the Services, comply with legal obligations, and enforce applicable rights.
Nature and Scope of Processing
• Data Collection and Ingestion: Collection of publicly available business data and ingestion of Customer-provided or Customer-authorized first-party data through platform uploads, CRM integrations, APIs, or other Customer-authorized connections
• Signal Generation and Scoring: Processing data to identify account-level buying signals, improve Rembrandt scores, generate evidence, and produce recommendations
• AI Processing: Use of AI models to classify, summarize, extract, score, and synthesize signals. Where enabled and available, Customer-provided Personal Data used for AI processing is routed through EU-resident AI processing. Where non-EEA subprocessors are used, Rembrandt relies on Standard Contractual Clauses and supplementary safeguards.
• Workflow Orchestration: Use of Inngest Cloud for workflow orchestration, retries, scheduling, and operational metadata. Rembrandt designs Inngest event payloads to contain identifiers and operational metadata rather than raw Customer Personal Data such as full CRM payloads, contact details, meeting transcripts, or notes.
• Observability: Use of self-hosted Langfuse on Rembrandt-controlled AWS infrastructure in eu-central-1 for LLM observability and tracing.
• Data Storage: Storage of Customer data on AWS infrastructure in eu-central-1 with application-level tenant isolation and encryption controls.
• Data Export and Customer-Authorized Connections: Synchronization or export of processed signals, scores, audiences, campaigns, and related data to Customer-authorized systems such as CRM, sales engagement, marketing automation, analytics, or GTM tools.
Categories of Data Subjects
• Platform Users: Authorized users of the Rembrandt platform
• Business Contacts and Prospects: Individuals associated with Customer accounts, prospects, customers, or target companies
• Website Visitors and Engaged Individuals: Individuals whose engagement with Customer websites, products, reports, campaigns, or events is provided by Customer
• Meeting Participants: Individuals included in meeting metadata, notes, or transcripts provided or authorized by Customer
Processing Locations
• Primary Infrastructure: AWS eu-central-1 (Frankfurt, Germany)
• Self-Hosted Observability: Langfuse hosted by Rembrandt on AWS eu-central-1
• AI Processing: EU-resident AI processing for Customer-provided Personal Data where enabled and available; otherwise processing may occur through non-EEA subprocessors subject to appropriate safeguards
• Workflow Orchestration: Inngest Cloud, with event payloads limited by design to identifiers and operational metadata where feasible
• Customer-Authorized Third-Party Systems: As configured by Customer, including systems that may be hosted outside the EEA
Subprocessors
All subprocessors are subject to security and data protection obligations through appropriate contractual arrangements.
| Subprocessor | Purpose | Data Access Scope | Location / Transfer Mechanism |
| --- | --- | --- | --- |
| AWS | Cloud hosting, compute, database, storage, KMS encryption, networking, and infrastructure services | Platform data, Customer data, logs, backups, and security data | EU (eu-central-1) |
| OpenAI | AI model processing, classification, summarization, extraction, embeddings, signal generation, and analysis | Public business data and, where enabled, Customer-provided Personal Data for AI processing. Customer-provided Personal Data is routed through EU-resident processing where enabled and available; otherwise SCCs and supplementary safeguards apply | EU-resident processing where enabled; otherwise United States / non-EEA with SCCs |
| Inngest | Workflow orchestration, scheduling, durable execution, retries, and operational event processing | Workflow identifiers and operational metadata. Raw Customer Personal Data is not intentionally included in Inngest event payloads by design | Cloud service, non-EEA possible; SCCs and supplementary safeguards |
| SuperTokens | User authentication and session management | Platform user authentication data | EU (Ireland) |
| Stripe | Payment processing and subscription management | Billing information and usage metrics | EU (Dublin) |
| Sentry | Error monitoring and application performance | Application logs, error data, and diagnostic metadata | EU |
Customer-authorized third-party tools, such as Customer’s CRM, sales engagement, marketing automation, analytics, ABM, or GTM platforms, are not Rembrandt subprocessors when Customer independently contracts with and authorizes those tools. Rembrandt processes exports or synchronizations to such tools on Customer’s documented instructions.
Mastra is used as a software framework within Rembrandt-controlled infrastructure and is not a separate subprocessor.
Security Measures
Rembrandt implements and maintains appropriate technical and organizational security measures as detailed in Section 12 (Security Measures) of the Terms of Service (https://rembrandtagents.com/terms-of-service), including:
Data Protection Controls
• Encryption: Customer data encrypted at rest and in transit using industry-standard encryption protocols
• Access Controls: Role-based access control systems with organization-level data isolation, authorizing user access while restricting unauthorized users from accessing information not needed for their role
• Data Minimization: Workflow orchestration events are designed to use identifiers and operational metadata rather than raw Customer Personal Data where feasible
• Monitoring and Logging: Continuous monitoring and logging of system activities to detect and respond to security events, with controls designed to avoid unnecessary Personal Data in logs
• Intrusion Detection: Intrusion detection systems to prevent and identify potential security attacks from users outside the boundaries of the system
Security Operations
• Incident Response: Operational procedures for managing security incidents and breaches, including timely notification to affected customers within 72 hours of becoming aware of a personal data breach where required by applicable law
• Vulnerability Management: Regular security assessments of systems and infrastructure
• Data Retention and Disposal: Data retention and disposal procedures as outlined in this DPA and in the Privacy Policy (https://rembrandtagents.com/privacy-policy)
Compliance
• SOC 2 Type II controls implementation and maintenance
• GDPR compliance procedures including data subject rights support and data protection impact assessments where appropriate
• Regular security audits and assessments
Data Retention
• Platform User Data: Retained as long as necessary to provide the Services, manage accounts, comply with legal obligations, and resolve disputes
• Public Business Data: Retained for as long as Customer actively uses the platform and for up to 7 years for historical analysis unless otherwise agreed
• Customer-Provided First-Party Data: Retained for the duration of the Customer relationship or shorter Customer-configured retention period where available, subject to legal retention obligations
• Raw Meeting Transcripts and Notes: Retained only as long as necessary for the configured processing purpose or Customer-configured retention period where available. Transcript-derived summaries or account-level signals may be retained according to the Signal Data retention period where they do not require retaining the raw transcript.
• Signal Data and Account Scores: Retained for the duration of the Customer relationship plus 2 years for analytics and historical context unless otherwise agreed
• Workflow Metadata: Inngest workflow metadata and event identifiers are retained according to Inngest’s applicable retention terms and Rembrandt’s configuration
• Usage Data: Retained for billing, security, analytics, and service improvement purposes
• Upon Termination: Customer Service Data is deleted or returned in accordance with the service agreement and applicable law, generally within 90 days of contract termination unless retention is legally required
Data Subject Rights
Rembrandt will support Customer in responding to data subject requests for access, rectification, deletion, portability, restriction, and objection to processing in accordance with applicable data protection laws.
For Customer-provided first-party data, Customer remains responsible for receiving and validating data subject requests. Rembrandt will assist Customer through appropriate technical and organizational measures, including export, deletion, anonymization, or suppression workflows where available.
Data subject requests can be submitted to: privacy@rembrandtagents.com
Rembrandt will respond to verified data subject requests or Customer assistance requests within the timeframes required by applicable law and the service agreement.
International Data Transfers
• Primary Infrastructure: Rembrandt’s primary application, database, and self-hosted observability infrastructure operate in AWS eu-central-1.
• Customer-Provided Personal Data and AI Processing: Where enabled and available, Customer-provided Personal Data used for AI processing is routed through EU-resident AI processing. Until such routing is enabled for a given workload, or where a non-EEA subprocessor is otherwise used, Rembrandt relies on Standard Contractual Clauses and supplementary safeguards.
• Inngest Cloud: Inngest Cloud may process workflow orchestration metadata outside the EEA. Rembrandt designs Inngest event payloads to avoid raw Customer Personal Data and relies on SCCs and supplementary safeguards for any applicable transfer.
• Customer-Authorized Exports: Customer may authorize Rembrandt to export data to Customer’s own third-party systems. Such transfers are made on Customer’s instructions and may be subject to Customer’s separate agreements and transfer mechanisms with those third-party systems.
• Safeguards: Safeguards include data processing agreements, Standard Contractual Clauses where applicable, transfer impact assessments where required, encryption in transit, access controls, data minimization, and vendor security review.
Audit and Compliance
SOC 2 Compliance
• Rembrandt maintains SOC 2 Type II controls and will provide compliance reports upon reasonable request, subject to confidentiality obligations
• Regular security assessments and vulnerability management procedures are maintained
• Independent third-party audits are conducted annually where applicable
GDPR Compliance
• GDPR compliance procedures include data subject rights support, breach response, vendor review, and transfer safeguards
• Personal data breach notification is provided without undue delay and, where required, within 72 hours of becoming aware of a breach affecting personal data
• Regular reviews of data processing activities, subprocessors, and security measures are maintained
Audit Rights
• Customers may request security documentation and audit information through privacy@rembrandtagents.com
• Rembrandt will cooperate with supervisory authorities and provide compliance information as required by law
• Upon reasonable notice, Customers may conduct audits subject to confidentiality obligations, security requirements, and non-disruption of the Services
Customer Instructions and Warranties
Customer instructs Rembrandt to process Customer Personal Data for the purposes described in the service agreement, this DPA, and Customer’s use and configuration of the Services.
Customer represents and warrants that:
• Customer has all necessary rights, notices, lawful bases, consents, and authorizations to provide or make available Customer Personal Data to Rembrandt;
• Customer’s use of the Services, including first-party signal generation, scoring, GTM exports, and connected third-party tools, complies with applicable data protection, marketing, employment, telecommunications, recording, and ePrivacy laws;
• Customer will not provide restricted or sensitive data categories unless expressly agreed in writing by Rembrandt;
• Customer is responsible for configuring integrations, data sources, retention settings, and exports in accordance with Customer’s legal obligations.
Liability and Indemnification
Data Protection Liability
• Each party shall be liable for damages caused by its breach of this DPA or applicable data protection laws
• Rembrandt shall not be liable for damages resulting from Customer’s instructions, Customer-provided data, Customer-authorized third-party tools, or Customer’s breach of data protection laws
Subprocessor Liability
• Rembrandt remains responsible to Customer for the performance of subprocessors’ obligations under this DPA to the extent required by applicable law
Amendment and Termination
Amendments
• Rembrandt may update this DPA to reflect changes in security practices, legal requirements, subprocessors, or service capabilities
• Material changes will be communicated to customers with reasonable notice
• Continued use of the Services after notification constitutes acceptance of the updated DPA where permitted by applicable law and the service agreement
Termination
• This DPA remains in effect for the duration of the service agreement
• Upon termination, data retention and deletion procedures outlined in this DPA apply
• Provisions relating to confidentiality, liability, and data deletion survive termination
Contact Information
For data protection inquiries, data subject requests, or to report security concerns:
Rembrandt (Mindmapp B.V.)
Data Protection Officer
Weesperstraat 107
1018VN Amsterdam
Netherlands
Email: privacy@rembrandtagents.com
General Inquiries: info@rembrandtagents.com
Last Updated: June 23, 2026
Next Review: June 2027
Acceptance
By using the Rembrandt platform, Customer acknowledges and agrees to the terms of this Data Processing Agreement.