---
title: "Data Protection Impact Assessment (DPIA) | Minds"
canonical_url: "https://getminds.ai/legal/dsfa"
last_updated: 2026-03-25
meta:
  description: "Last Updated: March 25, 2026"
  "og:description": "Last Updated: March 25, 2026"
  "og:title": "Data Protection Impact Assessment (DPIA) | Minds"
  "twitter:description": "Last Updated: March 25, 2026"
  "twitter:title": "Data Protection Impact Assessment (DPIA) | Minds"
---

March 25, 2026 · Minds Team

# Data Protection Impact Assessment (DPIA)

Last Updated: March 25, 2026

This DPIA, prepared pursuant to Art. 35 GDPR, evaluates the data protection risks of the Minds platform operated by Art of X UG (haftungsbeschränkt).

## 1. Processing Description

Minds enables customers to create synthetic AI personas ("Minds"; previously "Sparks") for simulated panels, research, and interactions.

| Category | Details |
| --- | --- |
| **Data subjects** | Controller employees, invited end users, individuals whose data is entered |
| **Data types** | Contact data, credentials, usage data, content (text/images/audio), technical data, payment data (Stripe) |
| **Locations** | EU primary (DE, SE), USA (LLM APIs with ZDR), UK (voice) |
| **Retention** | Contract duration; deletion 30 days after contract end |
| **Purpose** | AI platform services only. NO training of general-purpose models. |
| **Technology** | LLM APIs (OpenAI, Anthropic, Google) with Zero Data Retention. Voice: ElevenLabs, Fish Audio, Deepgram. Infra: DigitalOcean Frankfurt, Supabase Stockholm. Security: Cloudflare, TLS 1.2+, AES-256. |

## 2. Necessity and Proportionality

- **Legal basis**: Art. 6(1)(b) GDPR (contract), Art. 28 GDPR (processor), Art. 6(1)(a) GDPR (consent for analytics)
- **Purpose limitation**: Processing only per DPA. No model training, marketing, or unauthorized sharing.
- **Data minimization**: UUIDs over names, aggregated analytics, automatic deletion
- **Storage limitation**: 30-day deletion after contract end, 30-day backup retention

## 3. Risk Assessment

| Risk | Likelihood | Severity | Residual | Mitigation |
| --- | --- | --- | --- | --- |
| Unauthorized access | Low | High | Low | MFA, RBAC, AES-256, Row-Level Security |
| Data breach | Low | High | Low | TLS 1.2+, encrypted backups, Cloudflare, 48h notification |
| AI training on customer data | Very Low | High | Very Low | ZDR contracts, no-training clause |
| Cross-tenant leakage | Very Low | Critical | Very Low | Row-Level Security, automated tests |
| Government access (FISA/CLOUD Act) | Low | Medium | Low | EU-primary infra, DPF/SCCs, transparency clause |
| Voice data misuse | Low | Medium | Low | Controller-instruction only, DPAs, deletion on termination |
| Availability loss | Low | Medium | Low | Daily backups, PITR, RPO 24h, RTO 8h |

**Overall: Low to Medium.** Risks arising from US-based LLM sub-processors are mitigated by ZDR, SCCs and the DPF.

## 4. Measures

- **Technical**: TLS 1.2+, AES-256, MFA, RBAC, Row-Level Security, EU infrastructure, Langfuse (EU)
- **Organizational**: External DPO (Prof. Dr. Norman Uhlmann), NDAs, training, 48h incident response
- **Contractual**: DPAs with all sub-processors, ZDR guarantees, SCCs, 14-day change notice, FISA transparency

## 5. Consultation

**DPO**: Prof. Dr. Norman Uhlmann, h3ko Innovations GmbH, Pappelallee 64, 16359 Biesenthal, Germany. [privacy@getminds.ai](mailto:privacy@getminds.ai)

**Art. 36**: Prior consultation not required (residual risk not "high").

**Review**: Annually, on significant changes, or on supervisory authority request.

---

**Art of X UG (haftungsbeschränkt)** | Goethestr. 59, 10625 Berlin | [privacy@getminds.ai](mailto:privacy@getminds.ai)