Data Processing Agreement
Effective date: April 2026 · Last updated: April 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between the customer organization (“Customer” or “Controller”) and NekoTech Ventures Inc. (“MentorNeko” or “Processor”) for the use of the MentorNeko platform. This DPA sets out the terms under which MentorNeko processes personal data on behalf of the Customer.
1. Definitions
- “Controller” means the Customer organization that determines the purposes and means of processing personal data through the MentorNeko platform.
- “Processor” means NekoTech Ventures Inc. (operating as MentorNeko), which processes personal data on behalf of the Controller.
- “Personal Data” means any information relating to an identified or identifiable natural person that is processed through the platform, including member names, email addresses, profile information, and mentoring-related data.
- “Processing” means any operation performed on personal data, including collection, storage, use, transmission, anonymization, and deletion.
- “Sub-processor” means a third party engaged by MentorNeko to process personal data on behalf of the Controller.
- “Data Subject” means an identified or identifiable natural person whose personal data is processed through the platform (typically organization members).
2. Scope of Processing
MentorNeko processes personal data of the Customer's members solely for the purpose of providing the mentoring platform services, including:
- Storing and managing member profiles, including names, email addresses, profile photos, bios, and dimension-based profile data
- Powering AI-driven mentor-mentee matching using anonymized profile data
- Facilitating program enrollment, session management, and networking introductions
- Sending transactional emails (invitations, authentication, match notifications)
- Generating analytics and reports for organization administrators
- Processing background workflows (match engine runs, introduction scheduling, reminders)
3. Customer Obligations
The Customer, as Controller, is responsible for:
- Ensuring that a lawful basis exists for the processing of personal data (such as legitimate interest or consent)
- Informing data subjects about the processing of their personal data through the platform, including the use of AI-powered features
- Ensuring that all personal data provided to MentorNeko is accurate, relevant, and not excessive
- Responding to data subject rights requests in a timely manner, with MentorNeko's assistance as needed
- Complying with all applicable data protection laws and regulations
4. MentorNeko Obligations
MentorNeko, as Processor, commits to:
- Processing personal data only in accordance with the Customer's documented instructions and for the purposes described in this DPA
- Ensuring that all personnel authorized to process personal data are bound by confidentiality obligations
- Implementing and maintaining appropriate technical and organizational security measures (described in Section 6)
- Assisting the Customer in responding to data subject rights requests (access, correction, deletion, portability)
- Assisting the Customer with data protection impact assessments where required
- Notifying the Customer without undue delay upon becoming aware of a personal data breach (see Section 7)
- Deleting or returning all personal data upon termination of the agreement, at the Customer's choice
5. Sub-processors
MentorNeko engages the following sub-processors to deliver the platform services. Each sub-processor is bound by data processing terms at least as protective as those in this DPA:
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting, edge network, serverless functions, AI Gateway | United States |
| Neon Inc. | Serverless PostgreSQL database | United States (AWS) |
| Cloudflare Inc. | Object storage (R2), CDN | Global |
| Inngest Inc. | Background job orchestration | United States |
| Resend Inc. | Transactional email delivery (magic links, invitations, notifications) | United States |
| Upstash Inc. | Rate limiting, member status caching, vector embeddings | United States (AWS) |
| Anthropic PBC | AI language model (via AI Gateway, ZDR) | United States |
| Google LLC | AI language model (via AI Gateway, ZDR) | United States |
| OpenAI Inc. | AI language model (via AI Gateway, ZDR) | United States |
All AI model providers are accessed exclusively through Vercel AI Gateway with Zero Data Retention (ZDR) enforced. No customer data is stored by or used to train AI models.
MentorNeko will notify the Customer at least 30 days before engaging a new sub-processor or making a material change to an existing sub-processor. A current list of sub-processors is maintained on our Sub-processors page. The Customer may object to a new sub-processor within 15 days of notification. If the objection cannot be resolved, the Customer may terminate the agreement.
6. Security Measures
MentorNeko implements the following technical and organizational measures to protect personal data:
- Encryption: AES-256 encryption at rest and TLS 1.3 encryption in transit for all data
- Tenant isolation: Application-layer tenant isolation with defense-in-depth architecture ensuring no cross-organization data leakage
- Access control: Role-based access control (RBAC) with least-privilege defaults for super admins, org admins, program admins, and members
- Authentication: Passwordless magic link authentication. No passwords are stored or transmitted
- Audit logging: Immutable audit trail for all administrative actions
- AI privacy: Profile anonymization before AI processing and Zero Data Retention on all LLM API calls
- Infrastructure: Hosted on SOC 2 Type II certified infrastructure (Vercel, Neon) with automated backups and point-in-time recovery
- Rate limiting: API rate limiting on all endpoints to prevent abuse
- Incident response: Documented incident response procedures with defined escalation paths
7. Data Breach Notification
In the event of a confirmed personal data breach, MentorNeko will:
- Notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide details of the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
- Cooperate with the Customer in investigating and remediating the breach
- Assist the Customer in meeting its own breach notification obligations under applicable data protection laws
8. International Data Transfers
MentorNeko's infrastructure is primarily located in the United States. Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical measures (encryption, access controls, anonymization for AI processing) to ensure an adequate level of data protection.
The SCCs relied on for these transfers are those approved by the European Commission (Commission Implementing Decision (EU) 2021/914). Module 2 (Controller to Processor) applies to transfers under this DPA. The SCCs are incorporated by reference and form part of this agreement.
9. Audit Rights
The Customer may request security documentation, including:
- Summaries of third-party security assessments or certifications held by our infrastructure providers
- Documentation of our technical and organizational security measures
- Responses to reasonable security questionnaires
Audit requests should be directed to dpa@mentorneko.com and will be accommodated within a reasonable timeframe. On-site audits may be available for enterprise customers under separate agreement.
10. Term & Termination
This DPA is co-terminous with the main service agreement between the Customer and MentorNeko. It automatically takes effect when the Customer begins using the platform and remains in effect for as long as MentorNeko processes personal data on behalf of the Customer.
Upon termination of the main agreement, MentorNeko will, at the Customer's election, either return or delete all personal data within 30 days, and purge backup copies within 90 days. MentorNeko will provide written confirmation of data deletion upon request.
11. Contact
For questions about this DPA or to exercise any rights under it:
NekoTech Ventures Inc.
Email: dpa@mentorneko.com
Annex 1: Details of Processing
This annex describes the processing activities carried out under this DPA.
Data Subjects
Members of Customer's organization, including mentors, mentees, and networking participants.
Categories of Personal Data
Name, email address, job title, department, profile information (skills, goals, seniority, communication preferences), biographical text, avatar images, match history, session notes, and goal progress.
Sensitive Data
None intentionally collected. Profile dimensions may incidentally capture information related to protected characteristics if configured by the Customer.
Processing Activities
Account provisioning, profile management, AI-powered matching, networking introductions, email notifications, analytics and reporting.
Lawful Basis
Processing is performed on behalf of the Customer (Controller) under Article 6(1)(b) (performance of contract) and Article 28 of GDPR.