Data Protection Agreement

Last Update: 30/10/2025

Table of Contents

  • Roles and Responsibilities

  • Nature and Purpose of Processing

  • Types of Personal and Business Data Processed

  • Description of Data Processing Activities

  • Subprocessors

  • Security Measures

  • Data Retention

  • Data Subject Rights

  • International Data Transfers

  • Audit and Compliance

  • Liability and Indemnification

  • Amendment and Termination

  • Contact Information

This Data Processing Agreement (DPA) forms part of the agreement between the Customer (Data Controller) and Rembrandt (Data Processor). It defines the processing of personal and public data in connection with the Rembrandt Intent Signal Framework platform.

This DPA incorporates by reference the security commitments detailed in Section 12 (Security Measures) of the Rembrandt Terms of Service.

Roles and Responsibilities

  • Customer: Acts as the Data Controller and determines the purposes and means of processing personal data.

  • Rembrandt (Mindmapp B.V.): Acts as the Data Processor and processes data on behalf of the Customer in accordance with documented instructions.

Nature and Purpose of Processing

  • Rembrandt processes data to deliver services that identify actionable business signals derived from public domain sources.

  • These signals are used to map companies to specific commercial intent profiles based on predefined criteria within a proprietary framework.

  • The platform provides AI-powered prospect tracking, lead generation, and customer success monitoring through automated signal detection and analysis.

Lawful Basis for Processing

  • Legitimate Interest: Processing is necessary for the legitimate business interest of providing business intelligence services to customers

  • Contract Performance: Processing is necessary for the performance of the service contract with the customer

  • Consent: Where required by applicable law, explicit consent is obtained for specific processing activities

Types of Personal and Business Data Processed

Personal Data:

  • Administrator's first name, last name, email address, and username

  • User authentication data (managed through SuperTokens)

  • Organization membership and role information

  • User preferences and notification settings

  • This data is required to manage the account, user access, and provide personalized services.

Publicly Available Business Data:

  • Job Postings: Company hiring information, job titles, departments, seniority levels, employment details, and more

  • News Articles: Company announcements, press releases, funding news, partnerships, strategic changes, and more

  • Web Content: Company websites, annual reports, case studies, whitepapers, thought leadership content, and more

  • Company Information: Company names, locations, industry classifications, employee counts, business descriptions, and more

  • Signal Data: AI-processed intent signals, buying journey stages, urgency scores, commercial intelligence, and more

Description of Data Processing Activities

Purpose and Duration

Rembrandt processes data to provide AI-powered prospect intelligence and signal detection services. Processing occurs for the duration of the service agreement and as necessary for legitimate business purposes.

Nature and Scope of Processing

  • Data Collection: Automated collection of publicly available business data through API integrations

  • AI Processing: Public data segments are analyzed using OpenAI for signal classification and intent mapping

  • Workflow Orchestration: AI agent workflows are executed and managed through LangGraph Cloud for data processing coordination

  • Data Storage: Processed data is stored securely on AWS infrastructure with application-level data separation

  • Data Export: Processed signals are synchronized to CRM systems and made available through the platform, MCP tools, and public API

Categories of Data Subjects

  • Business Contacts: Individuals associated with target companies (names, job titles, contact information)

  • Platform Users: Authorized users of the Rembrandt platform (authentication data, preferences, usage patterns)

Processing Locations

  • Primary Processing: EU (eu-central-1) for personal data

  • Business Data Processing: EU and US regions as necessary for service delivery

  • Subprocessor Locations: As detailed in Section 5

Subprocessors

All subprocessors are subject to security and data protection obligations through appropriate contractual arrangements.

| Subprocessor | Purpose | Data Access Scope | Location |
|---|---|---|---|
| AWS | Cloud hosting, data storage, and infrastructure services | Full platform and user data | EU (eu-central-1) |
| OpenAI | AI processing for signal classification and analysis | Public data segments only, no proprietary framework data | United States |
| Stripe | Payment processing and subscription management | Billing information and usage metrics | EU (Dublin) |
| SuperTokens | User authentication and session management | User authentication data | EU (Ireland) |
| Sentry | Error monitoring and application performance | Application logs and error data | EU |
| LangGraph Cloud | AI agent workflow orchestration and execution | Transient access to processing data (traces retained for 14 days standard, or up to 400 days with extended retention if applicable) | United States |
| Prisma Accelerate | Database connection pooling and query optimization | Temporary query result caching (no permanent data storage) | EU |

Security Measures

Rembrandt implements and maintains appropriate technical and organizational security measures as detailed in Section 12 (Security Measures) of the Terms of Service, including:

Data Protection Controls

  • Encryption: Customer data encrypted both at rest and in transit using industry-standard encryption protocols

  • Access Controls: Role-based access control systems with organization-level data isolation, authorizing user access while restricting unauthorized users from accessing information not needed for their role

  • Monitoring: Continuous monitoring and logging of system activities to detect and respond to security events

  • Intrusion Detection: Intrusion detection systems to prevent and identify potential security attacks from users outside the boundaries of the system

Security Operations

  • Incident Response: Operational procedures for managing security incidents and breaches, including timely notification to affected customers within 72 hours of becoming aware of any breach

  • Vulnerability Management: Regular security assessments of systems and infrastructure

  • Data Retention and Disposal: Data retention and disposal procedures as outlined in Section 7 of this DPA and in the Privacy Policy

Compliance

  • SOC 2 Type II controls implementation and maintenance

  • GDPR compliance procedures including data subject rights management and data protection impact assessments

  • Regular security audits and assessments

Subprocessor Security

All subprocessors, including AWS, OpenAI, and LangGraph Cloud, are required to maintain security standards consistent with these commitments through appropriate contractual arrangements.

Data Retention

  • Public Data: Retained for as long as the customer actively uses the platform and for up to 7 years for historical analysis

  • Personal Data: Retained only as long as necessary to provide the service or as required by law

  • Signal Data: Retained for the duration of the customer relationship plus 2 years for analytics

  • Usage Data: Retained for billing and service improvement purposes

  • LangGraph Cloud Data: AI agent execution data and tracing information retained for 14 days (standard) or up to 400 days (with extended retention, if applicable)

  • Database Query Cache: Database queries cached for performance optimization

  • Upon Termination: All customer data is deleted within 90 days of contract termination, with secure data destruction procedures

Data Subject Rights

Rembrandt will support data subject requests for access, rectification, deletion, portability, and objection to processing in accordance with applicable data protection laws.

Data subject requests can be submitted to: privacy@rembrandtagents.com

Rembrandt will respond to verified data subject requests within the timeframes required by applicable law (typically 30 days under GDPR).

International Data Transfers

  • Personal Data: Processed exclusively within the EU (eu-central-1 region)

  • Business Data: May be processed outside the EEA through US-based subprocessors (OpenAI, LangGraph Cloud) for legitimate business purposes

  • Standard Contractual Clauses: Not required for personal data as all personal data processing occurs within the EU

  • Safeguards: All international transfers of business data are subject to appropriate safeguards through contractual arrangements with subprocessors

Audit and Compliance

SOC 2 Compliance

  • Rembrandt maintains SOC 2 Type II certification and will provide compliance reports upon reasonable request

  • Regular security assessments and vulnerability management procedures are maintained

  • Independent third-party audits conducted annually

GDPR Compliance

  • GDPR compliance procedures including data subject rights management and data protection impact assessments

  • Data breach notification within 72 hours of becoming aware of any breach affecting personal data

  • Regular reviews of data processing activities and security measures

Audit Rights

  • Customers may request security documentation and audit information through privacy@rembrandtagents.com

  • Rembrandt will cooperate with supervisory authorities and provide compliance information as required by law

  • Upon reasonable notice, customers may conduct audits subject to confidentiality obligations and non-disruption of services

Liability and Indemnification

Data Protection Liability

  • Each party shall be liable for damages caused by its breach of this DPA or applicable data protection laws

  • Rembrandt shall not be liable for damages resulting from Customer's instructions or Customer's breach of data protection laws

Subprocessor Liability

  • Rembrandt remains fully liable to Customer for the performance of subprocessors' obligations under this DPA

Amendment and Termination

Amendments

  • Rembrandt may update this DPA to reflect changes in security practices, legal requirements, or service capabilities

  • Material changes will be communicated to customers with reasonable notice

  • Continued use of the service after notification constitutes acceptance of the updated DPA

Termination

  • This DPA remains in effect for the duration of the service agreement

  • Upon termination, data retention and deletion procedures outlined in Section 7 apply

  • Provisions relating to confidentiality, liability, and data deletion survive termination

Contact Information

For data protection inquiries, data subject requests, or to report security concerns:

Rembrandt (Mindmapp B.V.)

Data Protection Officer

Weesperstraat 107
1018VN Amsterdam
Netherlands

Email: privacy@rembrandtagents.com
General Inquiries: info@rembrandtagents.com

Last Updated: October 30, 2025
Next Review: October 2026

Acceptance

By using the Rembrandt platform, Customer acknowledges and agrees to the terms of this Data Processing Agreement.