DiagnosticMind
Assessments Scorecards Audit Engine
Manifesto Method About
Insights Contact
EN PT
Processor terms for SaaS customers

Data Processing Addendum

Last updated: 11 July 2026 · Version 1.1

DiagnosticMind operates in regulated sectors where compliance is the baseline, not the achievement. This page exists to make the operating reality of how this platform processes data on behalf of customers legible — not to perform compliance theatre. The detail below is the actual protocol.

On this page

  1. Parties and scope
  2. Definitions
  3. Subject matter and duration
  4. Nature, purpose, categories
  5. Customer obligations (controller)
  6. Provider obligations (processor)
  7. Sub-processors
  8. International transfers
  9. Audit rights
  10. Personal Data Breach notification
  11. Termination, deletion, return
  12. Liability
  13. Changes to this DPA
  14. Governing law and venue
  15. Annex: Technical and organisational measures

01Parties and scope

This Data Processing Addendum (the DPA) governs the processing of personal data by Paulo Fernando Marques Ramada, Empresário em Nome Individual (the Provider, also referred to as DiagnosticMind), on behalf of the customer subscribing to the DiagnosticMind SaaS audit platform (the Customer), under Article 28 of Regulation (EU) 2016/679 (the GDPR).

Provider (Processor)Paulo Fernando Marques Ramada, Empresário em Nome Individual, trading as DiagnosticMind. NIF 193385902. Portugal.
Customer (Controller)As identified on the signature page of the executed DPA.
ServiceDiagnosticMind SaaS audit platform — audit.diagnosticmind.eu
Data protection contactprivacy@diagnosticmind.eu
General contactcontact@diagnosticmind.eu

This DPA applies whenever the Customer uploads, enters, or otherwise causes personal data to be processed within the SaaS audit platform. The Customer is the controller; the Provider is the processor.

The downloadable PDF version of this DPA is bit-identical to the content of this page. Drift between the two would be a contract risk and is operationally prohibited.

Signing mechanism. At launch, the DPA is signed via download-and-return: the Customer downloads the PDF, signs it, and returns a countersigned copy. An e-signature flow (Signable or DocuSign integration) is committed for Q3 2026. The same DPA terms apply to both mechanisms.

Download the DPA as PDF

02Definitions

Terms used in this DPA have the meaning given in Article 4 GDPR. In particular:

  • Personal Data — any information relating to an identified or identifiable natural person processed by the Provider on behalf of the Customer in the SaaS audit platform.
  • Processing — any operation performed on Personal Data, including collection, storage, retrieval, modification, disclosure, and erasure.
  • Sub-processor — any third party engaged by the Provider to assist in the Processing of Personal Data.
  • Personal Data Breach — a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

03Subject matter and duration

Subject matter: Processing of Personal Data uploaded by the Customer to the SaaS audit platform in the course of conducting audits, generating reports, and managing audit programmes.

Duration: For the term of the Customer's subscription to the SaaS audit platform, plus the post-termination retention period defined in Section 11.

04Nature, purpose, categories

4.1 Nature and purpose of Processing

Hosting, storage, retrieval, processing, AI-assisted analysis, and presentation of audit content entered by the Customer; transmission of audit reports to Customer-designated recipients; provision of the SaaS audit platform's full feature set in accordance with the Customer's subscription tier.

4.2 Categories of data subjects

  • Customer's employees and authorised users of the SaaS audit platform
  • Audited individuals named or referenced in audit content uploaded by the Customer
  • Third parties named or referenced in audit content uploaded by the Customer

4.3 Categories of Personal Data

  • Account data: email addresses, names (if provided), session tokens, IP addresses
  • Audit content: findings, evidence, non-conformities, corrective actions, names of audited individuals, third-party data referenced in audits
  • Any other Personal Data the Customer chooses to upload to the SaaS audit platform

Special category data (Article 9 GDPR): not intentionally collected by the platform's design. If the Customer chooses to upload special category data within audit content, the Customer is responsible for the Article 9 lawful basis and must inform the Provider in writing in advance.

05Customer obligations (controller)

The Customer warrants that:

  • It has a lawful basis for the Processing it instructs the Provider to perform.
  • It has provided required information to data subjects under Articles 13 and 14 GDPR.
  • It will not upload special category data without prior written notice to the Provider.
  • It will not instruct the Provider to perform Processing that violates GDPR or other applicable data protection law.
  • It maintains its own technical and organisational measures for the security of Personal Data outside the SaaS audit platform.

06Provider obligations (processor)

The Provider shall:

  • Process Personal Data only on documented instructions from the Customer, including with regard to international transfers, unless otherwise required by Union or Member State law (in which case the Provider will inform the Customer of that legal requirement before Processing, unless that law prohibits such information on grounds of public interest).
  • Ensure that personnel authorised to process Personal Data are bound by confidentiality.
  • Implement the technical and organisational measures documented on the Security page, which forms part of this DPA by reference.
  • Engage sub-processors only on the conditions in Section 7.
  • Assist the Customer in responding to requests from data subjects exercising their rights under Articles 15 to 22 GDPR, taking into account the nature of the Processing.
  • Assist the Customer with security obligations, breach notification, data protection impact assessments, and prior consultation with the supervisory authority, taking into account the nature of the Processing and the information available to the Provider.
  • At the choice of the Customer, delete or return all Personal Data to the Customer after the end of the provision of services, in accordance with Section 11.
  • Make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits in accordance with Section 9.

07Sub-processors

General authorisation. The Customer grants the Provider general authorisation to engage the sub-processors listed below for the Processing of Personal Data.

Provider Service Region Transfer mechanism DPA
Cloudflare, Inc. Workers, D1, KV, R2, Pages, Web Analytics (cookieless) Global edge (US HQ) SCC + EU-US Data Privacy Framework cloudflare.com
Anthropic, PBC Claude API (Sonnet 4.6) — AI inference for assessment narratives, audit suggestions, expert chat US SCC + EU-US Data Privacy Framework anthropic.com
Resend, Inc. Transactional email (magic links, assessment results) US SCC + EU-US Data Privacy Framework resend.com

Change notification. The Provider will notify the Customer by email of any intended addition or replacement of sub-processors at least 30 days in advance, giving the Customer the opportunity to object on reasonable, documented grounds related to the protection of Personal Data. If the Customer objects and the parties cannot reach agreement, the Customer may terminate the affected services with pro-rata refund of prepaid fees.

Sub-processor flow-down. The Provider imposes data protection obligations on each sub-processor that are no less protective than those in this DPA. The Provider remains fully liable to the Customer for the performance of each sub-processor's obligations.

08International transfers

Personal Data may be transferred to the United States to the sub-processors listed in Section 7. Such transfers rely on:

  • The European Commission's Standard Contractual Clauses (Module 2 — controller to processor, with Module 3 onward transfer where the sub-processor engages further sub-processors), incorporated by reference; and
  • The EU-US Data Privacy Framework, where the sub-processor is DPF-certified.

Transfer impact assessment material is available to the Customer on request.

The EU-US Data Privacy Framework remains valid following the EU General Court's ruling of 3 September 2025 (Latombe v Commission, T-553/23); an appeal to the Court of Justice of the EU is pending (C-703/25 P). The Standard Contractual Clauses are the primary transfer mechanism relied upon, with the Data Privacy Framework as a supplement, so transfers remain lawful independently of the appeal.

09Audit rights

The Customer is entitled to audit the Provider's compliance with this DPA up to one (1) time per year, on 30 days written notice, during business hours, and in a manner that does not unreasonably disrupt the Provider's operations.

The Customer bears the cost of the audit, except where the audit reveals material non-compliance with this DPA, in which case the Provider shall reimburse the Customer's reasonable, documented audit costs.

The Customer agrees that the Provider may satisfy audit requirements by providing recent third-party audit reports, sub-processor certifications, and the documented technical and organisational measures, where these adequately address the Customer's audit scope.

10Personal Data Breach notification

The Provider shall notify the Customer of any Personal Data Breach affecting Customer data without undue delay and within 48 hours of awareness.

The notification shall include, to the extent then known:

  • Nature of the breach, including categories and approximate number of data subjects and records concerned
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and to mitigate possible adverse effects
  • Contact point for further information

The Provider shall cooperate with the Customer's investigation and provide reasonable assistance in fulfilling the Customer's notification obligations under Articles 33 and 34 GDPR.

11Termination, deletion, return

Upon termination of the Customer's subscription:

  1. 30-day recovery grace period — the Customer's data is preserved and the account can be reactivated upon the Customer's written request.
  2. Day 31 onwards: deletion phase — Personal Data is deleted from the production systems within an additional 30 days. Total elapsed time from termination to full deletion: 60 days.
  3. Backups — Personal Data may persist in Cloudflare D1 point-in-time-recovery backups for up to 30 additional days, after which it is unrecoverable. Backup data is not accessible operationally and is overwritten on the rolling PITR window.

The Customer may request return of Personal Data in machine-readable format (JSON/CSV export) at any point during the 30-day recovery grace period.

The Provider shall provide written confirmation of deletion upon request.

12Liability

The Provider's liability under this DPA is governed by the main service agreement between the parties. In the absence of a separate liability framework, total liability for any claim arising from this DPA is limited to the fees paid by the Customer to the Provider in the 12 months preceding the event giving rise to the claim, except where such limitation is prohibited by GDPR or other mandatory law (in particular Article 82 GDPR — the right of data subjects to compensation).

ENI implication. Every commitment in this DPA is a personal commitment of Paulo Fernando Marques Ramada with unlimited personal liability. There is no corporate veil. This is acknowledged consciously and is the basis for the conservative approach to scope and obligations elsewhere in this document.

13Changes to this DPA

The Provider may update this DPA to reflect operational, regulatory, or legal changes. Material changes — meaning changes that materially affect the Customer's rights or the Provider's obligations — will be notified by email to existing paid customers at least 30 days in advance. The Customer's continued use of the SaaS audit platform after the effective date constitutes acceptance.

If the Customer objects to a material change, the Customer may terminate the affected services with pro-rata refund of prepaid fees.

14Governing law and venue

This DPA is governed by the laws of Portugal and the GDPR. The competent courts of Portugal have exclusive jurisdiction over any dispute arising from this DPA, without prejudice to the rights of data subjects to lodge complaints with their supervisory authority or to seek judicial remedy under Articles 77 to 79 GDPR.

15Annex: Technical and organisational measures

The technical and organisational measures applied by the Provider to protect Personal Data are documented on the Security page and form part of this DPA by reference. Highlights for processor-side measures:

  • HTTPS enforced with HSTS preload (1-year max-age, includeSubDomains, preload-ready)
  • Encryption at rest by Cloudflare default for D1, KV, R2
  • Passwordless authentication (magic links — no stored passwords)
  • Multi-factor authentication committed for SaaS users by Q3 2026
  • Session tokens — 7-day rolling lifetime
  • Audit trail — IP retention 90 days for SaaS account activity
  • Backup — Cloudflare D1 point-in-time recovery, 30 days rolling
  • Recovery objectives — RTO 24 hours, RPO 24 hours; annual documented disaster recovery test
  • Vulnerability management — critical CVEs patched within 30 days; quarterly routine review
  • Incident response — 72-hour notification to supervisory authority and affected customers per Articles 33–34
Last updated 11 July 2026 · Version 1.1 Privacy · Data Processing · AI Governance · Security
DiagnosticMind
Assessments Scorecards Audit Engine
Manifesto Method About
Newsletter Contact
© 2026 DiagnosticMind
Privacy Data Processing AI Governance Security