Data Processing Agreement

How ReadingMinds handles, protects, and governs the data you entrust to our platform.

Overview

Under our Data Processing Agreement, the Client acts as the Data Controller, determining the purposes and means of processing personal data. ReadingMinds.AI acts as the Data Processor, processing data solely on behalf of and under the documented instructions of the Client.

This arrangement ensures that you retain full ownership and control over your research data at all times, while ReadingMinds provides the technical infrastructure and AI capabilities to process it securely.

Scope of Processing

ReadingMinds processes the following categories of data on your behalf:

  • Interview transcripts: real-time speech-to-text transcriptions generated during AI-moderated research sessions.
  • Emotion and sentiment signals: derived behavioral and emotional indicators extracted from interview content to support qualitative analysis.
  • Respondent metadata: limited demographic or contextual information provided by the Client for segmentation purposes (e.g., age range, role, region). No direct personal identifiers are stored unless explicitly configured.

Audio streams are processed in real time for transcription and are not stored after the session concludes. Only transcripts and derived signals are retained.

Data Storage

All platform data is hosted on Amazon Web Services (AWS) in the US-East (Virginia) region. Data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher.

Database backups are encrypted and stored in the same AWS region. Access to production data is restricted to authorized personnel through role-based access controls, multi-factor authentication, and VPN-only network access.

Retention & Deletion

Client-controlled retention: You determine how long your research data is retained within the platform. Data can be exported or deleted at any time through the ReadingMinds dashboard or by contacting our support team.

Right to deletion: In compliance with GDPR's “right to be forgotten” and similar regulations, ReadingMinds facilitates permanent data deletion upon request. Once deletion is initiated, all associated transcripts, derived signals, and metadata are purged from production systems within 30 days and from backup systems within 90 days.

Data export: We recommend exporting your data before requesting deletion, as this process is irreversible. Export formats include JSON and CSV.

Sub-processing

ReadingMinds engages a limited set of vetted third-party subprocessors to deliver platform functionality. Each subprocessor is bound by data processing terms at least as protective as those in our DPA.

A complete, up-to-date list of subprocessors, including their purpose, data scope, and hosting location, is available on our Subprocessors page. Clients are notified 30 days prior to any subprocessor changes.

International Transfers

For transfers of personal data outside the European Economic Area (EEA), ReadingMinds relies on the following legal mechanisms:

  • Standard Contractual Clauses (SCCs): as approved by the European Commission, incorporated directly into our DPA.
  • EU-U.S. Data Privacy Framework: ReadingMinds is preparing for certification under the EU-U.S. Data Privacy Framework to provide an additional lawful transfer mechanism.

Supplementary technical measures, including encryption in transit and at rest, access controls, and audit logging, further protect data during and after transfer.

Security Measures

ReadingMinds implements comprehensive technical and organizational security measures, including:

  • Encryption: AES-256 at rest, TLS 1.2+ in transit across all services and data stores.
  • Access controls: role-based access control (RBAC), single sign-on (SSO) integration, and multi-factor authentication (MFA) for all internal systems.
  • Audit logs: comprehensive logging of all data access and administrative actions, retained for a minimum of 12 months.
  • Penetration testing: regular third-party penetration testing and vulnerability assessments, with findings remediated on a risk-prioritized basis.
  • Incident response: documented incident response procedures with notification to affected clients within 72 hours of confirmed breach.

For a detailed overview of our security practices, visit the Security & Compliance page.

How to Request a DPA

To execute a Data Processing Agreement with ReadingMinds.AI, reach out through our contact page. Our legal team typically responds within two business days and can accommodate custom DPA requirements for enterprise clients.