
Privacy Policy
1. Introduction
Mindlapse SAS (“Mindlapse,” “we,” “us,” “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and otherwise process personal data in connection with our Cyber-GRC Platform and services. This policy applies to all users, including end users, administrators, and any third parties interacting with the Platform.
2. Data Controller and Data Processor Roles
Under the GDPR and applicable data protection laws:
- Your organization is the “Data Controller” for personal data you input or manage within the Platform.
- Mindlapse is the “Data Processor” for such data and processes it only as directed by you.
- Mindlapse is the “Data Controller” for data collected directly from users (e.g., login credentials, support inquiries).
The specific allocation of Data Controller and Data Processor responsibilities is further detailed in the Data Processing Agreement (DPA) executed between your organization and Mindlapse.
3. Data We Collect
3.1 Account and User Information
- Name, email address, job title, and organization.
- Authentication credentials (usernames and hashed passwords).
- Account activity logs, including login timestamps and feature usage.
3.2 Platform Data
- Risk assessments, compliance questionnaires, and third-party evaluations you upload or create.
- Security control documentation and audit reports.
- Any other business data you choose to store on the Platform.
3.3 Technical Data
- IP address, browser type, device information, and access times.
- Essential cookies (see our Cookie Policy for details).
3.4 Communication Data
- Support inquiries, help center interactions, and any direct communications with our team.
4. Legal Basis for Processing
We process your personal data on the following legal bases:
- Contract Performance: To deliver Platform services as agreed in your subscription agreement.
- Legal Compliance: To comply with applicable laws, regulations, and legal obligations.
- Legitimate Interests: For platform security, fraud prevention, and service improvement (balanced against your rights).
- Consent: Where you explicitly opt in (e.g., marketing communications).
5. How We Use Your Data
We use personal data for:
- Delivering and maintaining Platform services.
- User authentication and account management.
- Providing customer support and responding to inquiries.
- Analyzing Platform usage and improving service functionality.
- Detecting and preventing fraud, security incidents, and misuse.
- Sending administrative notifications and updates (opt-out available).
- Legal and regulatory compliance.
6. Artificial Intelligence and Automated Processing
6.1 AI-Powered Features
The Platform uses AI-powered features to assist with risk assessment, compliance evaluation, and questionnaire generation. These features utilize state-of-the-art sovereign AI language models (currently Mistral family models), running exclusively on Mindlapse’s EU infrastructure.
6.2 Data Processing with AI
When you use AI-powered features, your Platform data may be processed by state-of-the-art sovereign AI language models (currently Mistral family models) running on Mindlapse’s own EU infrastructure. Your data is:
- Processed locally within Mindlapse’s controlled environment.
- NOT transmitted to Mistral or any external third-party AI service provider.
- NOT used to train, fine-tune, or improve Mistral or any other AI model.
- Retained and processed solely for the purpose of providing Platform features.
6.3 AI Output Responsibility
AI-generated outputs (e.g., risk scores, compliance recommendations) are provided solely for informational purposes as decision-support tools. They do not constitute professional advice and MUST be validated by qualified cybersecurity professionals before any action is taken. You expressly acknowledge and accept full responsibility for all decisions and actions based on AI outputs. Mindlapse makes no warranties regarding the accuracy, completeness, reliability, or suitability of AI-generated content for your specific use case and disclaims all liability for decisions made in reliance thereon.
7. Data Sharing and Disclosure
We do not sell or trade your personal data. We may share it only in the following circumstances:
- Service Providers: Third-party vendors (hosting, support, help center) under data processing agreements. This includes Featurebase (Estonia, ISO 27001 certified) for support and help center functionality. Featurebase acts as a data processor under Article 28 GDPR, with data hosted exclusively in the EU.
- Technology Providers: AI model providers (currently Mistral AI) whose models are deployed locally on our infrastructure. These providers have no access to your data; we license their models for on-premise use only.
- Legal Requirement: When required by law or to comply with legal process.
- Business Transfer: In case of merger, acquisition, or sale of assets (you will be notified).
- With Your Consent: When you explicitly authorize sharing with third parties.
8. Data Retention
We retain personal data only as long as necessary to fulfill the purposes described in this Policy, unless longer retention is required by law:
- Account Data: Retained for 30 days after termination to allow for potential account reactivation. Immediate deletion is available upon written request.
- Platform Data: Retained according to your subscription agreement; may be deleted upon request or account termination.
- Usage Logs: Retained for 12 months minimum, extendable to 24 months upon contractual request for NIS2/DORA compliance.
- Legal Holds: Data may be retained longer to satisfy legal obligations.
9. Cookies
The Platform uses only essential cookies necessary for authentication, security, functionality, and support delivery (including Featurebase). For detailed information about our cookie practices, see our Cookie Policy.
10. Data Security
Mindlapse implements industry-standard security measures to protect your data:
- Encryption in transit (TLS/SSL) and at rest (AES-256).
- Access controls and authentication mechanisms.
- Annual penetration testing and quarterly internal security audits.
- Data hosted on EU cloud provider private infrastructure (currently AWS Europe and Scaleway France).
- While we strive for security, no system is completely risk-free. You are responsible for protecting your credentials.
Mindlapse maintains a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) to ensure service availability. Our infrastructure is designed for high availability with:
- Multi-zone redundancy (currently through AWS Europe and Scaleway).
- RTO (Recovery Time Objective): 4 hours.
- RPO (Recovery Point Objective): 1 hour.
- Annual BCP/DRP testing.
11. Your Rights Under GDPR
If you are in the EU, you have the following rights:
- Right of Access: Request a copy of your personal data.
- Right to Rectification: Correct inaccurate or incomplete data.
- Right to Erasure: Request deletion of your data (“Right to be Forgotten”).
- Right to Restrict Processing: Limit how we use your data.
- Right to Data Portability: Receive your data in a structured format.
- Right to Object: Oppose processing for marketing or legitimate interests.
- Right to Lodge a Complaint: Contact your local data protection authority.
To exercise these rights, contact us at: dpo@mindlapse.fr. We will respond within 30 days (extendable to 60 days for complex requests). For simple requests (e.g., access, correction), we aim to respond within 10 business days.
12. Data Transfers
Your business data is stored exclusively within the European Union (currently AWS Europe, Scaleway France). Support and help center data (via Featurebase) may involve limited technical data transfers to EU and non-EU subprocessors (see Featurebase subprocessor list) under Standard Contractual Clauses. No customer business data is transferred outside the EU. If transfers occur, we ensure compliance with GDPR and other applicable regulations.
For transfers to non-EU countries, we rely on Standard Contractual Clauses, adequacy decisions, or other GDPR-approved mechanisms.
13. Third-Party Links
The Platform may contain links to external websites. We are not responsible for their privacy practices. Please review their privacy policies before sharing personal information.
14. Policy Updates
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or service features. Minor or administrative updates will be communicated via email or Platform notification, and continued use constitutes acceptance. Substantial changes (e.g., new data processing purposes, non-EU data transfers) will require your explicit consent via email confirmation or in-Platform acknowledgment before taking effect.
15. Contact
For privacy questions, data subject requests, or concerns, contact us at:
Email: dpo@mindlapse.ai
Address: Mindlapse SAS, France
16. Data Breach Notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, Mindlapse will:
- Notify you within 72 hours of becoming aware of the breach (GDPR Article 33).
- Provide details of the nature of the breach, the affected data, the potential consequences, and the mitigation measures taken.
- Cooperate fully with any required notifications to supervisory authorities.
For NIS2-regulated entities, Mindlapse commits to 24-hour initial notification for incidents affecting essential services.