Data Processing Addendum.
How MintWire processes personal data as a processor on behalf of business customers under the GDPR. This DPA forms part of our Terms of Service and complements the Privacy Policy.
Effective date: 30 June 2026.
1. Scope and roles
This Data Processing Addendum (“DPA”) is entered into between MintWire Tech OÜ (registry code 11151989, Peterburi tee 90f, 13816 Tallinn, Estonia) (“MintWire”, “Processor”) and the customer that uses the service (“Customer”, “Controller”). It governs MintWire’s processing of Personal Data that MintWire processes on the Customer’s behalf in order to provide the service (“Service Data”). For Service Data the Customer is the controller (or a processor acting for its own controller) and MintWire is the processor. MintWire’s processing of account, billing and website-visitor data as a controller is described in the Privacy Policy and is not the subject of this DPA.
2. Definitions
“GDPR” means Regulation (EU) 2016/679. “Personal Data”, “processing”, “controller”, “processor”, “data subject”, “personal data breach” and “supervisory authority” have the meanings given in the GDPR. “Applicable Data Protection Law” means the GDPR and any other data-protection law applicable to the processing. “Subprocessor” means a third party engaged by MintWire to process Service Data. “SCCs” means the Standard Contractual Clauses in Commission Implementing Decision (EU) 2021/914.
3. Processing details
The subject matter, duration, nature and purpose of the processing, the types of Personal Data and the categories of data subjects are set out in Annex 1.
4. Processing on instructions and lawful basis
MintWire will process Service Data only on the Customer’s documented instructions, including the instructions embodied in the Terms, this DPA, the configuration the Customer chooses, and its use of the service, unless required to act otherwise by EU or member-state law (in which case MintWire will inform the Customer, unless that law prohibits it). MintWire will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law. The Customer is responsible for the lawfulness of the Service Data and of its instructions, including having a valid legal basis. In particular, for prospect and recipient records the Customer uploads or generates (whose data subjects are third parties), the Customer warrants that it has a lawful basis and has met any applicable ePrivacy, direct-marketing and legitimate-interest-balancing requirements.
5. Confidentiality
MintWire ensures that persons authorised to process Service Data are bound by confidentiality and process the data only as needed to provide the service.
6. Security
MintWire implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking account of the state of the art and the nature of the data, as described in Annex 2. MintWire may update these measures provided the level of protection is not materially reduced.
7. Subprocessors
The Customer gives MintWire general authorisation to engage Subprocessors to process Service Data. Current Subprocessors are listed in Annex 3. MintWire imposes data-protection obligations on each Subprocessor that are substantially the same as those in this DPA, and remains responsible to the Customer for a Subprocessor’s performance. MintWire will give the Customer at least 30 days’ prior notice before a new or replacement Subprocessor begins processing Service Data (by updating Annex 3 and, where the Customer has subscribed to notifications, by email). The Customer may object on reasonable data-protection grounds within that period. If an objection cannot be resolved, the Customer may stop using the affected feature or terminate the affected subscription, and MintWire will refund any pre-paid, unused fees for the terminated portion on a pro-rata basis.
8. International transfers
Where MintWire or a Subprocessor transfers Service Data outside the European Economic Area, it does so on the basis of an adequacy decision or appropriate safeguards under the GDPR. Where the SCCs are the safeguard, the Module Two (controller-to-processor) SCCs are incorporated into this DPA by reference and apply to the transfer, with MintWire acting as data importer and the Customer as data exporter; where the Customer is itself a processor, Module Three applies. For the SCCs: the optional docking clause applies, the audit and subprocessor terms of this DPA apply, the governing law is that of Estonia, and the competent supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon). A signed copy of the SCCs is available on request at hello@mintwire.tech.
9. Assistance to the Customer
Taking into account the nature of the processing and the information available to it, MintWire will assist the Customer, by appropriate technical and organisational measures and insofar as possible, in fulfilling the Customer’s obligations to respond to data-subject requests and to comply with its obligations under Articles 32 to 36 GDPR (security, breach notification, data-protection impact assessments and prior consultation).
10. Data subject requests
The service provides features that allow the Customer to access, correct, delete and export Service Data. If MintWire receives a request from a data subject relating to Service Data, it will, where permitted, direct the data subject to the Customer and will not respond directly except on the Customer’s instructions.
11. Personal data breach
MintWire will notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting Service Data. The notice will include, to the extent then known: the nature of the breach and the categories and approximate number of data subjects and records concerned; the likely consequences; and the measures taken or proposed in response — so the Customer can meet its own obligations under Articles 33–34 GDPR.
12. Audits
MintWire will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. On reasonable prior request (normally 30 days), no more than once in any 12-month period and at the Customer’s expense, MintWire will contribute to an audit of its compliance — in the first instance by providing existing reports, certifications or completed security questionnaires. An on-site inspection by the Customer or an independent auditor it mandates will be permitted only where a documented compliance concern remains unresolved, subject to confidentiality and conducted so as not to compromise the security or data of other customers.
13. Return and deletion
On termination of the service, MintWire will, at the Customer’s choice, delete or return Service Data and delete existing copies normally within 30 days, unless EU or member-state law requires storage. Routine backups are deleted or overwritten on their ordinary cycle (normally within about 35 days).
14. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service.
15. Conflict and governing law
In the event of a conflict between this DPA and the Terms regarding the processing of Service Data, this DPA prevails. This DPA is governed by the same law as the Terms (Estonia), without prejudice to mandatory data-protection law.
Annex 1 — Details of processing
Subject matter: provision of the MintWire service (AI Receptionist and Prospecting Autopilot) to the Customer. Duration: for the term of the Customer’s subscription, plus any limited post-termination return/deletion and backup-expiry period. Nature and purpose: hosting, processing, triage, AI-assisted drafting and answering, voice call handling, booking, and storage of Service Data to deliver the features the Customer enables. Types of Personal Data: identifiers and contact details (names, email addresses, phone numbers), the content of communications (chat messages, form submissions, inbound emails, call audio and, where the voice features are used, summaries or transcripts), prospect and contact records the Customer uploads or generates — whose data subjects are third parties processed only on the Customer’s instruction — and any other Personal Data the Customer includes in its knowledge base or messages. The Customer should not submit special-category data unless agreed in writing. Categories of data subjects: the Customer’s callers, website visitors, leads, prospects, customers and other contacts, and the Customer’s own staff users.
Annex 2 — Technical and organisational measures
MintWire applies measures appropriate to the risk, including: logical isolation of each business’s data from other tenants; access controls and least-privilege access for personnel; encryption of data in transit; use of reputable infrastructure providers; segregation of customer-facing AI replies from internal triage notes; routing of sensitive steps to a human; and operational logging and monitoring. Measures are reviewed and may be improved over time; the level of protection will not be materially reduced.
Annex 3 — Subprocessors
Last updated: 30 June 2026. The current Subprocessors engaged to process Service Data, by function, are:
- Vercel — application hosting and content delivery.
- Supabase — database and authentication.
- Stripe — payment processing (account/billing data).
- Anthropic — AI model processing for drafting and answering. Anthropic does not train its models on data sent through its API in the ordinary course.
- Twilio — telephony and phone numbers for the voice feature.
- Vapi — voice assistant orchestration for the voice feature.
- Resend — transactional email delivery.
- Amazon Web Services — inbound email infrastructure and related processing.
- Google — calendar integration, where the Customer connects it.
This list may change as the service evolves; we will update this Annex and give prior notice of changes as set out in section 7. An up-to-date copy is also available on request at hello@mintwire.tech.
Contact
MintWire Tech OÜ · Peterburi tee 90f, 13816 Tallinn, Estonia · hello@mintwire.tech.
