This Data Processing Addendum (“DPA”) forms part of the Terms of Service between E2 Partners LLC, operating as mantle, and the customer, and governs the processing of personal data by mantle on behalf of the customer in the course of providing the Services. It is designed to satisfy the requirements of Article 28 of the GDPR and UK GDPR, equivalent provisions under the UAE PDPL, and comparable obligations under other applicable data protection laws.
1. Parties and Scope
This Data Processing Addendum ("DPA") is entered into between E2 Partners LLC, a limited liability company registered in Meydan Free Zone, Dubai, United Arab Emirates, operating under the brand "mantle" ("mantle", "we", "us", or "our"), and the customer identified in the relevant order form, contract, or account registration ("Customer", "you", or "your"). It forms part of, and is incorporated by reference into, the Terms of Service (the "Agreement") between mantle and Customer, and governs the processing of Customer Personal Data by mantle on behalf of Customer in the course of providing the Services.
2. Definitions
Capitalised terms used but not defined in this DPA have the meanings given in the Agreement.
- "Customer Personal Data" means Personal Data that is provided by or on behalf of Customer to mantle, or that mantle processes on Customer's behalf, in connection with the Services.
- "Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018 ("UK GDPR"), the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("PDPL"), the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), and any other applicable data protection or privacy laws.
- "Personal Data", "controller", "processor", "data subject", "processing", "supervisory authority", and "personal data breach" have the meanings given in the GDPR or, where applicable, the equivalent terms under the relevant Data Protection Law.
- "Services" has the meaning given in the Agreement.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision 2021/914 of 4 June 2021, as amended or replaced.
- "Sub-Processor" means any third party engaged by mantle to process Customer Personal Data on mantle's behalf in connection with the Services.
- "UK IDTA" means the International Data Transfer Addendum to the EU Commission SCCs, issued by the UK Information Commissioner's Office.
3. Roles of the Parties
In respect of Customer Personal Data, Customer is the controller (or, where Customer itself is a processor acting on behalf of a third-party controller, a processor) and mantle is the processor (or sub-processor). Each party will comply with its obligations under applicable Data Protection Laws. This DPA does not alter either party's obligations under applicable Data Protection Laws.
4. Scope and Duration
This DPA applies to any processing of Customer Personal Data by mantle in connection with the Services. It takes effect on the later of the effective date of the Agreement and the date Customer first submits Customer Personal Data to the Services, and continues until mantle no longer processes Customer Personal Data. The subject matter, nature, purpose, duration, categories of data subjects, and categories of Personal Data are set out in Annex 1.
5. Customer Instructions
mantle will process Customer Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required otherwise by a law to which mantle is subject (in which case mantle will, unless prohibited by that law, inform Customer of the legal requirement before processing). The Agreement — including this DPA, Customer's configuration of the Services, and Customer's use of the Services in accordance with the Agreement — constitutes Customer's complete and final processing instructions. Additional instructions that are reasonable and consistent with the Agreement will be agreed between the parties in writing and may be subject to additional fees. mantle will inform Customer if, in its opinion, an instruction infringes applicable Data Protection Laws.
6. Confidentiality
mantle will ensure that any person authorised to process Customer Personal Data on its behalf is subject to appropriate confidentiality obligations (whether contractual or statutory), has access to Customer Personal Data only on a need-to-know basis, and has received appropriate training in their responsibilities under applicable Data Protection Laws.
7. Security Measures
Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of data subjects, mantle will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The measures in place as of the last-updated date are set out in Annex 2. mantle may update these measures from time to time provided that the updates do not materially degrade the overall level of security.
8. Sub-Processors
Customer grants mantle a general authorisation to engage Sub-Processors to process Customer Personal Data in connection with the Services. The Sub-Processors currently engaged by mantle are listed in Annex 3. mantle will:
- enter into a written agreement with each Sub-Processor that imposes data protection obligations no less protective than those in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures;
- remain fully liable to Customer for the performance of each Sub-Processor's obligations;
- give Customer at least thirty (30) days' prior notice of any intended change concerning the addition or replacement of a Sub-Processor that processes Customer Personal Data, by updating the list in Annex 3 on the website and, where Customer has provided contact details for such notices, by email.
If Customer has a reasonable, documented data-protection objection to a new or replacement Sub-Processor, Customer will notify mantle in writing within fifteen (15) days of notice of the change. The parties will discuss the objection in good faith and try to resolve it. If the objection cannot be resolved, Customer may terminate the affected Services for convenience as its sole remedy, and mantle will refund any prepaid fees for Services not rendered as of the termination date.
9. Data Subject Rights
Taking into account the nature of the processing, mantle will provide reasonable assistance to Customer, by appropriate technical and organisational measures and insofar as this is possible, in fulfilling Customer's obligations to respond to requests from data subjects exercising their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection. If mantle receives a request directly from a data subject concerning Customer Personal Data, mantle will, unless legally prohibited, promptly forward the request to Customer and will not respond to the request itself except on Customer's instructions or as required by law.
10. Personal Data Breach Notification
mantle will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include, to the extent then known: (a) the nature of the breach, including categories and approximate number of data subjects and records affected; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach and mitigate its possible adverse effects; and (d) a contact point from whom further information may be obtained. Where not all information is available at the time of the initial notification, mantle will provide it in phases as it becomes available. mantle will reasonably cooperate with Customer's investigation, remediation, and notifications in relation to the breach. This obligation does not apply to incidents caused by Customer or its authorised users.
11. Data Protection Impact Assessments and Prior Consultation
Taking into account the nature of the processing and the information available to mantle, mantle will provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with supervisory authorities that Customer is required to carry out under applicable Data Protection Laws in respect of the Services.
12. Return or Deletion of Customer Personal Data
On termination or expiry of the Services, mantle will, at Customer's choice and on written request, either delete or return all Customer Personal Data in mantle's possession or control and delete existing copies, unless retention is required by a law to which mantle is subject. On written request from Customer, mantle will certify its compliance with this obligation. Customer Personal Data contained in routine backups will be deleted in the ordinary course of mantle's backup rotation and remains subject to this DPA until deleted.
13. International Data Transfers
Customer acknowledges that mantle and its Sub-Processors may process Customer Personal Data in countries other than the one in which Customer is established, including the United States and the United Arab Emirates.
EEA transfers. Where Customer Personal Data originating from the European Economic Area is transferred to a country that is not the subject of a valid adequacy decision, the SCCs are incorporated into this DPA by reference and take effect on commencement of the relevant transfer, with the following selections:
- Module Two (Controller to Processor) applies where Customer is a controller; Module Three (Processor to Processor) applies where Customer is a processor;
- Customer is the data exporter and mantle is the data importer;
- Clause 7 (docking clause) applies;
- In Clause 9(a), Option 2 (general written authorisation) applies with the thirty (30) day notice period set out in Section 8 of this DPA;
- In Clause 11(a), the optional independent dispute resolution language is not used;
- In Clause 17, the SCCs are governed by the law of the Republic of Ireland;
- In Clause 18, the parties agree that the courts of Ireland have exclusive jurisdiction;
- Annex I to the SCCs is populated by Annex 1 and Annex 3 to this DPA; Annex II to the SCCs is populated by Annex 2 to this DPA.
UK transfers. Where Customer Personal Data originating from the United Kingdom is transferred to a country that is not the subject of a valid UK adequacy regulation, the UK IDTA is incorporated into this DPA by reference, with Table 1 populated by the parties' details above, Table 2 referencing the SCCs as modified by the UK IDTA, and Tables 3 and 4 populated by the corresponding Annexes to this DPA.
Swiss transfers. Where Customer Personal Data originating from Switzerland is transferred to a country that does not offer an adequate level of protection under Swiss law, the SCCs apply with the adaptations required under the Swiss Federal Act on Data Protection.
PDPL transfers. Where Customer Personal Data originating from the United Arab Emirates is transferred outside the UAE, mantle will rely on the safeguards permitted under the PDPL, including transfers to jurisdictions recognised as providing an adequate level of protection, transfers subject to contractual safeguards comparable to the SCCs, or transfers made with the explicit consent of the data subject.
14. Audits and Compliance Evidence
mantle will make available to Customer, on reasonable written request, information reasonably necessary to demonstrate compliance with this DPA, including by providing summary descriptions of its security controls, attestations or certifications it holds (if any), and written responses to reasonable security and privacy questionnaires. Where information provided under the preceding paragraph is insufficient for Customer to demonstrate compliance with applicable Data Protection Laws, Customer may, on at least thirty (30) days' prior written notice, conduct an audit (including an inspection) of mantle's processing of Customer Personal Data. Audits: (a) may be conducted no more than once in any twelve (12) month period, except following a confirmed personal data breach or where required by a supervisory authority; (b) will be conducted during normal business hours and in a manner that does not unreasonably disrupt mantle's operations; (c) will be subject to reasonable confidentiality obligations; and (d) must be performed by Customer or by an independent auditor mutually agreed by the parties (such agreement not to be unreasonably withheld). Customer bears the cost of any audit unless it reveals a material non-compliance with this DPA.
15. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. For the avoidance of doubt, this DPA does not increase a party's aggregate liability beyond the cap set out in the Agreement.
16. Term, Termination, and Survival
This DPA takes effect on the date set out in Section 4 and continues for the duration of the Agreement, provided that its terms continue to apply to Customer Personal Data for as long as mantle processes Customer Personal Data. Sections relating to confidentiality, security, breach notification, return or deletion, liability, and international transfers survive termination of the Agreement for as long as mantle retains any Customer Personal Data.
17. Order of Precedence
In the event of any conflict or inconsistency between this DPA and the Agreement with respect to the processing of Customer Personal Data, this DPA prevails. In the event of any conflict between this DPA and the SCCs or the UK IDTA, the SCCs or the UK IDTA (as applicable) prevail. Nothing in this DPA varies or modifies the SCCs.
18. General
This DPA is governed by and construed in accordance with the laws of the United Arab Emirates, as applied in the Emirate of Dubai, except that the SCCs are governed by the law specified in those clauses and the UK IDTA is governed by the laws of England and Wales. If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect. A failure or delay by either party in exercising any right under this DPA does not operate as a waiver. Notices to mantle under this DPA must be sent to hello@mantleai.dev.
19. Annex 1 — Details of Processing
A. List of parties
Data exporter: Customer (the entity identified in the Agreement or account registration), acting as controller (or as processor where Customer acts on behalf of a third-party controller).
Data importer: E2 Partners LLC, operating as mantle, Meydan Free Zone, Dubai, United Arab Emirates, acting as processor (or sub-processor). Contact point for data protection: hello@mantleai.dev.
B. Subject matter and duration
Subject matter: Provision of the Services to Customer as described in the Agreement.
Duration: For the term of the Agreement and any period during which mantle retains Customer Personal Data as permitted or required by the Agreement and this DPA.
C. Nature and purpose of processing
Hosting, storage, retrieval, transmission, entity resolution, context assembly, and delivery of Customer Personal Data solely for the purpose of providing the Services; account and billing management; customer support; security, fraud prevention, and compliance with applicable law.
D. Categories of data subjects
- Customer's authorised users, administrators, and personnel;
- Individuals whose Personal Data is contained in Customer's Connected Sources, which may include Customer's employees, contractors, suppliers, customers, prospects, and other end users.
E. Categories of Personal Data
- Account and authentication data (names, email addresses, hashed credentials, API tokens, role assignments);
- Contact details and professional information (company, job title, communications with mantle);
- Billing information (transaction identifiers, amounts, dates; card data is handled directly by Stripe and is not stored by mantle);
- Usage and log data (IP addresses, device and browser identifiers, timestamps, request metadata);
- Personal Data contained in Customer's Connected Sources, which may include any category of Personal Data that Customer chooses to make accessible to the Services.
F. Sensitive or special-category Personal Data
mantle does not require Customer to provide special categories of Personal Data (as defined in Article 9 GDPR) or similarly sensitive Personal Data, and has not designed the Services to process such data. Customer will not use the Services to process special-category or similarly sensitive Personal Data unless mantle has expressly agreed in writing (for example, by signing a sector-specific addendum).
G. Frequency of processing
Continuous for the duration of the Services.
H. Retention
In accordance with the Privacy Policy and Customer's configuration. On termination, retention is governed by Section 12 of this DPA.
I. Competent supervisory authority
For the purposes of Clause 13 of the SCCs, the competent supervisory authority is the authority of the EU member state in which Customer's EU representative (or, if none, the EU member state in which most relevant data subjects are located) is established.
20. Annex 2 — Technical and Organisational Measures
mantle implements the following technical and organisational measures (described at a level of detail appropriate for public disclosure; specific implementations may evolve over time without materially degrading overall security).
1. Encryption
- Transport encryption using TLS 1.2 or higher for all external network traffic.
- Encryption at rest for credentials, OAuth tokens, and other secrets using industry-standard algorithms and key management provided by the hosting platform.
2. Access control and authentication
- Role-based access control to operational systems, with the principle of least privilege applied to personnel and Sub-Processors.
- Multi-factor authentication required for administrator access to core infrastructure, code repositories, and production configuration.
- Prompt revocation of access on termination of engagement or change of role.
- Periodic review of access rights.
3. Network and application security
- Hosting on the Vercel global edge network, which provides DDoS protection, managed TLS, and content delivery.
- Application-layer input validation and output encoding.
- Rate limiting and abuse prevention at the edge (Cloudflare Turnstile for public forms) and at the application layer.
- Content Security Policy and related security headers on public surfaces.
4. Secrets management
- Application secrets stored in the hosting provider's secrets manager and injected at runtime.
- No secrets stored in source control; pre-commit and CI checks designed to prevent leakage.
5. Logging, monitoring, and incident response
- Collection of application and server logs retained for up to 90 days.
- Alerting on error conditions and anomalous activity.
- Documented incident response procedure, including personal-data-breach assessment and notification pursuant to Section 10 of this DPA.
6. Personnel
- Written confidentiality obligations for all personnel with access to Customer Personal Data.
- Security and privacy guidance provided to relevant personnel.
7. Vendor and Sub-Processor management
- Written agreements with Sub-Processors containing data-protection obligations consistent with this DPA.
- Periodic review of Sub-Processors' security posture and public certifications.
8. Data minimisation and purpose limitation
- Collection and processing of Customer Personal Data limited to what is required to provide the Services.
- Zero-copy design for Connected Sources: Customer data is read in place where technically feasible, rather than copied into long-term stores operated by mantle.
- Transient processing (including in-memory query planning, entity resolution, and context assembly) is not retained beyond what is required to deliver a response and generate operational logs.
9. Physical security
- Physical security of the data centres used to deliver the Services is provided by Sub-Processors (including Vercel, Google, Stripe, and Cloudflare) under their respective certifications and controls.
10. Business continuity
- Managed hosting with multi-region availability as provided by the hosting provider.
- Periodic review of backup and recovery arrangements.
11. Integrity and restoration testing
- Infrastructure and deployment defined in code, enabling rebuilds from known-good configuration.
- Periodic verification that backup and restore procedures function as intended.
12. Secure software development
- Code review on material changes before deployment.
- Automated checks for dependency vulnerabilities and secret leakage in CI.
- Staged rollout of changes where feasible.
21. Annex 3 — Approved Sub-Processors
The following Sub-Processors are currently engaged by mantle to process Customer Personal Data in connection with the Services. The list is current as of the last-updated date at the top of this DPA. mantle will update this Annex and notify Customers in accordance with Section 8 of this DPA before any new Sub-Processor begins processing Customer Personal Data.
1. Vercel Inc.
- Location: United States (global edge network).
- Purpose: hosting, content delivery, and cookieless pseudonymous website analytics.
- Transfer mechanism: SCCs.
2. Google LLC
- Location: United States.
- Purpose: Google Sheets (waitlist submissions); Google Ads (gtag.js, conversion measurement, cookies only after user consent); Google Fonts (web font content delivery).
- Transfer mechanism: SCCs.
3. Stripe, Inc.
- Location: United States.
- Purpose: payment processing for credit and subscription purchases. Stripe receives payment details directly at checkout; mantle does not store full card numbers.
- Transfer mechanism: SCCs.
4. Cloudflare, Inc.
- Location: United States (global edge network).
- Purpose: Cloudflare Turnstile — CAPTCHA and anti-abuse protection for public forms.
- Transfer mechanism: SCCs.
22. Contact
Questions, DPA signature requests, Sub-Processor objections, data subject rights assistance, and personal data breach inquiries should be directed to:
E2 Partners LLC
Meydan Free Zone
Dubai, United Arab Emirates
Email: hello@mantleai.dev