Data Processing Addendum
Last updated: 2026‑05‑10
This Data Processing Addendum (the "DPA") is part of the Terms of Service between Mainframe Computer, Inc. ("Mainframe", "we") and the Customer using the Service ("you"). It applies when Mainframe processes Customer Personal Data on your behalf.
1. Roles
For Customer Personal Data, you are the controller or business and Mainframe is your processor or service provider. If you are a processor acting for another controller, you confirm your instructions to Mainframe are authorized by that controller.
This DPA does not apply where Mainframe acts as a controller, such as for account, billing, security, marketing, and aggregated de‑identified telemetry described in the Privacy Policy.
2. Processing instructions
Your instructions are the Terms, this DPA, your order form or written agreement, and the settings and actions you and your Authorized Users take in the Service. Mainframe will process Customer Personal Data only to:
- provide, secure, support, and improve the Service for you;
- improve Mainframe's AI features, prompts, evals, generation quality, model routing, and models through Data contribution, excluding biometric and likeness materials unless you give separate, specific written permission;
- generate Outputs and run agent workflows at your direction;
- enforce the Acceptable use rules;
- comply with law.
Mainframe will promptly tell you if we believe an instruction violates applicable data protection law, unless the law prohibits us from doing so.
3. Confidentiality and security
Mainframe will treat Customer Personal Data as your confidential information. Personnel who process Customer Personal Data are bound by confidentiality obligations.
Mainframe will maintain reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data, including encryption in transit and at rest, role‑based access, audit logging, secrets management, and vendor review. You are responsible for configuring the Service securely and managing your Authorized Users.
If we confirm a security incident affecting Customer Personal Data, we will notify the affected Workspace Admin without undue delay and, where feasible, within 72 hours of confirmation. We will provide information reasonably needed for you to meet your own notification obligations.
4. Subprocessors
You authorize Mainframe to use the subprocessors listed in the Privacy Policy. Mainframe will require each subprocessor to protect Customer Personal Data under written terms at least as protective as this DPA for the services it performs.
Mainframe will give 30 days' notice before authorizing a new subprocessor to process Customer Personal Data. To subscribe to subprocessor change notices, email help@mainframe.app. You may object during the notice period. If the parties cannot resolve the objection, you may stop using the affected part of the Service and terminate the affected order.
5. Assistance
Taking into account the nature of the Service and the information available to us, Mainframe will reasonably assist you with:
- data subject requests;
- data protection impact assessments and regulator consultations;
- security incident notifications;
- deletion, return, and export of Customer Personal Data through the Service or available support channels.
6. Deletion and return
During the subscription term, you may access, export, and delete Customer Personal Data through the Service where the feature is available. After termination or Workspace deletion, Mainframe will delete Customer Personal Data as described in the Privacy Policy, except to the extent retention is required by law, backups, security, dispute resolution, or enforcement. Any retained data remains subject to this DPA.
7. Audits
Mainframe will make available reasonable information about its security and privacy practices on request. If that information is not enough to verify compliance with this DPA, you may request written answers to reasonable audit questions no more than once every 12 months, under appropriate confidentiality obligations.
8. International transfers
If Customer Personal Data protected by EU, UK, or Swiss data protection law is transferred to a country without an adequacy decision, the parties incorporate the applicable Standard Contractual Clauses and UK International Data Transfer Addendum by reference:
- EU transfers: EU SCC Module Two applies where you are a controller and Mainframe is a processor; Module Three applies where you are a processor and Mainframe is a subprocessor.
- UK transfers: the UK Addendum applies to the EU SCCs.
- Swiss transfers: references to GDPR are interpreted as references to Swiss data protection law where needed.
For the SCCs, you are the data exporter and Mainframe is the data importer; the governing law and forum are the jurisdictions required by the SCCs. Annexes I and II are populated by the Terms, Privacy Policy, this DPA, and any applicable order form.
Where Mainframe or a subprocessor is certified under the EU‑U.S. Data Privacy Framework, UK Extension, or Swiss‑U.S. Data Privacy Framework, Mainframe may also rely on that certification.
9. US state privacy laws
For personal information subject to US state privacy laws, Mainframe will act as your processor or service provider and will not:
- sell or share Customer Personal Data;
- retain, use, or disclose Customer Personal Data outside the direct business relationship except as permitted by law;
- combine Customer Personal Data with personal data from other sources except as permitted by law.
Mainframe will maintain de‑identified data in de‑identified form and will not attempt to reidentify it except to test or validate de‑identification or as otherwise permitted by law.
10. Processing details
| Topic | Details |
|---|---|
| Data subjects | Authorized Users; people depicted or heard in Customer Content; people referenced in prompts, videos, comments, GitHub events, or other Customer Content. |
| Categories of Customer Personal Data | Customer Content and metadata, including videos, audio, images, prompts, Outputs, comments, voice samples, avatar images, brand assets, integration events, audit logs, and workspace settings. |
| Sensitive data | Customer controls what it submits. Customer Content may include biometric data, likeness data, special category data, or other sensitive data; regulated HIPAA / PCI / GLBA data is prohibited unless covered by a separate written agreement. |
| Nature and purpose | Hosting, storage, playback, AI generation, agent execution, sharing, authentication, security, abuse prevention, support, billing support, service operation, and AI improvement through Data contribution (excluding biometric and likeness materials unless separately authorized). |
| Duration | For the term of the Terms and for the retention periods in the Privacy Policy. |
11. Contact
For DPA questions or requests, email help@mainframe.app.
Mainframe Computer, Inc., 36 E. 23rd St. #4F, New York, NY 10010, United States.