---
title: "Data Protection Impact Assessment (DPIA) | Minds"
canonical_url: "https://getminds.ai/legal/dsfa"
last_updated: 2026-05-30
meta:
  description: "Last Updated: May 30, 2026"
  "og:description": "Last Updated: May 30, 2026"
  "og:title": "Data Protection Impact Assessment (DPIA) | Minds"
  "twitter:description": "Last Updated: May 30, 2026"
  "twitter:title": "Data Protection Impact Assessment (DPIA) | Minds"
---

May 30, 2026·Minds Team

# Data Protection Impact Assessment (DPIA)

Last Updated: May 30, 2026

This DPIA, prepared pursuant to Art. 35 GDPR, evaluates the data protection risks of the Minds platform operated by Art of X UG (haftungsbeschränkt).

## 1. Processing Description

Minds enables customers to create and use synthetic AI personas ("Minds"; previously "Sparks") for simulated panels, research, creative workflows, voice and messaging interactions, API/MCP workflows, and optional integrations.

| Category | Details |
| --- | --- |
| **Data subjects** | Controller employees, invited end users, individuals whose data is entered, and individuals referenced in submitted content, calendar events, messages, calls, or public sources |
| **Data types** | Contact data, credentials, usage data, content (text/images/audio/files/URLs), prompts and outputs, embeddings, API/OAuth tokens, calendar event and attendee metadata, SMS/WhatsApp/voice metadata, technical data, payment data (Stripe) |
| **Locations** | EU primary (DE, SE), USA and other third countries for selected APIs under DPF/SCCs, UK for selected voice services |
| **Retention** | Contract duration + 30 days deletion unless a shorter feature-specific retention, consent revocation, legal retention, or audit/security retention applies |
| **Purpose** | AI platform services, customer-directed simulations, integrations, source collection, messaging/voice, security, and support. NO training of general-purpose models unless expressly opted in where available. |
| **Technology** | LLM APIs (OpenAI, Anthropic, Google), voice services (ElevenLabs, Fish Audio, Deepgram), source/search providers (Tavily, Firecrawl, Apify, Serper, OCR.space), integrations (Google Calendar, Twilio), infra (DigitalOcean Frankfurt, Supabase Stockholm), security (Cloudflare, TLS 1.2+, AES-256). |

## 2. Necessity and Proportionality

- **Legal basis**: Art. 6(1)(b) GDPR (contract), Art. 28 GDPR (processor), Art. 6(1)(a) (consent for analytics)
- **Purpose limitation**: Processing only per DPA. No model training, marketing, or unauthorized sharing.
- **Data minimization**: UUIDs instead of names, aggregated analytics, automatic deletion
- **Storage limitation**: 30-day deletion after contract end, 30-day backup retention

## 3. Risk Assessment

| Risk | Likelihood | Severity | Residual risk | Mitigation |
| --- | --- | --- | --- | --- |
| Unauthorized access | Low | High | Low | MFA, RBAC, AES-256, Row-Level Security, scoped and revocable tokens |
| Data breach | Low | High | Low | TLS 1.2+, encrypted backups, Cloudflare, incident process, 48h notification |
| AI training on customer data without instruction | Very Low | High | Very Low | No-training default, opt-in controls, provider contracts, ZDR/no-retention controls where available |
| Cross-tenant leakage | Very Low | Critical | Very Low | Row-Level Security, tenant checks, automated tests |
| Government access (FISA/CLOUD Act) | Low | Medium | Low | EU-primary infra, DPF/SCCs, transfer review, transparency clause |
| Voice, likeness, or cloned-voice misuse | Low | High | Medium | Consent requirements, acceptable-use restrictions, logging, takedown and suspension rights |
| Calendar/OAuth token misuse | Low | High | Low | Scoped Google Calendar permissions, encrypted token storage, revocation/disconnect flow, webhook cleanup, audit logs |
| Public source extraction of unlawful or sensitive data | Medium | Medium | Medium | User warranties, prohibited-use rules, source logging, minimization, deletion rights, provider controls |
| AI transparency or provenance gap before Article 50 applies | Medium | Medium | Medium | Visible UI labels now, generation metadata, export/provenance readiness work for 2 August 2026 |
| Availability loss | Low | Medium | Low | Daily backups, PITR, RPO 24h, RTO 8h |

## 4. Measures

- **Technical**: TLS 1.2+, AES-256, MFA, RBAC, Row-Level Security, EU infrastructure, Langfuse (EU), scoped API/OAuth tokens, integration audit logs
- **Organizational**: External DPO (Prof. Dr. Norman Uhlmann), NDAs, training, 48h incident response
- **Contractual**: DPAs with all sub-processors, ZDR guarantees, SCCs, 14-day change notice, FISA transparency

## 5. Consultation

**DPO**: Prof. Dr. Norman Uhlmann, h3ko Innovations GmbH, Pappelallee 64, 16359 Biesenthal, Germany. [privacy@getminds.ai](mailto:privacy@getminds.ai)

**Art. 36**: Prior consultation not required (residual risk not "high").

**Review**: Annually, on significant changes, or on supervisory authority request.

---

**Art of X UG (haftungsbeschränkt)** | Köpenicker Straße 145, 10997 Berlin | [privacy@getminds.ai](mailto:privacy@getminds.ai)