Privacy Policy
Monadux LLC
Effective Date: June 20, 2026
Applies to: Clients and Authorized Users of Monadux's services
1. Introduction
Monadux LLC ("Monadux," "we," "us," or "our") provides professional research intelligence services. This Privacy Policy explains how we collect, use, store, protect, and disclose information in connection with our services. This Policy applies to: (a) business clients and their Authorized Users who engage Monadux for research intelligence services; and (b) visitors to monadux.com.
It does not apply to end consumers whose data may appear within Client Data — those individuals' rights are governed by the applicable client's own privacy notice.
Monadux's primary operations are based in the United States. Clients located outside the United States, or whose Client Data contains personal data of individuals in the European Union, European Economic Area, United Kingdom, Canada, or Australia, should also review the International Addendum to this policy suite, which supplements this Policy with jurisdiction-specific provisions.
2. Information We Collect
2.1 Business Contact Information
When a client engages Monadux, we collect business contact information including: company name, contact person name, business email address, phone number, and billing information. This information is used solely to administer the engagement.
2.2 Client Data
Client Data consists of all information that clients submit or transfer to Monadux for processing. Depending on the data sources a client authorizes, Client Data may include: CRM records (customer names, company names, deal stages, revenue data); product analytics events and usage metrics; customer support tickets and conversation logs; customer reviews and social signals; survey responses and interview transcripts; sales call recordings and transcriptions; and any other structured or unstructured data the client chooses to submit.
Clients are responsible for ensuring that any personal data within Client Data is lawfully collected and that clients have authority to share it with Monadux. Monadux processes Client Data solely as a service provider acting on the client's behalf.
2.3 Account and Profile Data
Where Monadux makes an account portal available, Clients may use it to provide information used to manage their engagement, including Authorized User email addresses, preferred delivery channels, and current business focus parameters, and — where supported — to authorize read-only data connections via OAuth or equivalent. The account portal does not provide access to Monadux's internal research systems or to Deliverables, which are delivered through the channels specified in the Order Form. This information is used solely to administer the engagement.
2.4 Usage and Technical Data
Monadux automatically collects limited technical information from interactions with monadux.com and any client account portal Monadux makes available, including: IP address, browser type, access timestamps, and login activity. This information is used to maintain security, troubleshoot issues, and monitor account access.
Monadux's website is hosted on Framer and uses Framer's built-in, cookieless analytics to measure aggregate, non-identifying site usage; the website does not use third-party advertising or cross-site tracking cookies. Where required by applicable law, Monadux will present a cookie notice and obtain consent before setting any non-essential cookies.
2.5 Communications
If you contact us via email or other channels, we retain records of those communications to respond to your inquiry and improve our services.
3. How We Use Information
Monadux uses collected information for the following purposes: delivering research intelligence services and Deliverables as contracted; applying AI-assisted analysis to Client Data to produce insights; communicating with clients about their engagements, invoices, and service updates; maintaining security, detecting fraud, and enforcing our policies; complying with applicable legal obligations; and improving service performance using anonymized, aggregated metadata (not Client Data).
We do not use Client Data to train AI models, market to client end-consumers, or share insights derived from one client's data with any other client.
4. AI Processing
Monadux uses artificial intelligence, including large language models (LLMs) powered by the Anthropic API, to analyze and synthesize Client Data into Deliverables. Key commitments regarding AI processing: Client Data is processed only to generate Deliverables for that specific client. Monadux does not use Client Data to train, fine-tune, evaluate, benchmark, or otherwise improve any AI model. Anthropic, as Monadux's upstream AI provider, is subject to Anthropic's Commercial Terms of Service, which expressly prohibit Anthropic from training models on customer content. AI-generated outputs may contain errors or inaccuracies. Clients should independently verify material conclusions before making business decisions.
For additional detail, see the AI Processing Disclosure included in this policy suite.
5. How We Share Information
5.1 Service Providers
Monadux may share information with third-party service providers who assist us in delivering the Services, including: the Anthropic API (AI inference), Stripe, Inc. (payment processing), and Zoho Corporation (business email and form-based intake via Zoho Mail and Zoho Forms). All service providers are contractually required to process data only as directed by Monadux and in accordance with applicable law.
5.2 Legal Requirements
Monadux may disclose information if required by applicable law, valid legal process, or governmental request. Where permitted, we will notify the affected client before disclosing and cooperate with any effort to limit the scope of disclosure.
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of substantially all of Monadux's assets, Client Data may be transferred to the successor entity, subject to the same privacy protections described in this Policy.
5.4 No Sale of Data
Monadux does not sell, rent, or trade Client Data or business contact information to any third party for advertising, marketing, or commercial purposes.
6. Data Retention
Monadux retains Client Data for the duration of the engagement and for sixty (60) days following termination or expiration of the applicable agreement, after which Client Data is securely deleted. Business contact information is retained for the duration of the relationship and for a period of three (3) years following the last engagement, to satisfy recordkeeping obligations.
Clients may request earlier deletion of their Client Data by contacting legal@monadux.com. Monadux will complete deletion within thirty (30) days of receiving a verified request, subject to any legal retention obligations.
7. Data Security
Monadux implements administrative, technical, and physical safeguards appropriate to its size and the sensitivity of the data, designed to protect Client Data against unauthorized access, disclosure, alteration, or destruction. Security measures include: full-disk encryption of data at rest (AES-256); encryption of data in transit using TLS 1.2 or higher; multi-factor authentication on systems used to access Client Data; access limited, on a need-to-know basis, to Monadux and any contractors bound by written confidentiality obligations; encrypted backups; and periodic review of Monadux's security practices.
No security system is impenetrable. Monadux will notify affected clients of any personal data breach involving their Client Data without undue delay after becoming aware of it, as required by applicable law and within the timeframe specified in the Data Processing Addendum.
8. California Privacy Rights (CCPA/CPRA)
Monadux processes personal data on behalf of business clients as a "service provider" under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). In this capacity, Monadux processes personal data only as directed by its business clients and does not sell or share personal information. California residents who are end consumers of Monadux's clients should direct any privacy rights requests to the applicable client, who is the data controller. If you are a California resident who is an Authorized User or a business contact, you may contact us at legal@monadux.com to exercise your rights of access, deletion, or correction.
9. Changes to This Policy
Monadux may update this Privacy Policy from time to time. We will notify current clients of material changes via email at least thirty (30) days before the effective date. Continued engagement with the Services after the effective date constitutes acceptance of the updated Policy. Amendments to this Privacy Policy are governed by the amendment procedure, including Client's objection and termination rights, in Section 12.4 of the Terms and Conditions.
10. Contact
For privacy-related questions, requests, or complaints, contact:
Monadux LLC
Attn: Privacy
St. Paul, Minnesota
Email: legal@monadux.com
Acceptable Use Policy
Monadux LLC
Effective Date: June 20, 2026
1. Purpose
This Acceptable Use Policy ("AUP") governs acceptable and prohibited uses of the professional research intelligence services provided by Monadux LLC. This AUP is incorporated by reference into and forms part of the Terms and Conditions. Violation of this AUP may result in suspension or termination of Services.
2. Permitted Uses
Clients may use the Services and Deliverables for any lawful internal business purpose, except as restricted in Section 3 below and in the Terms and Conditions.
3. Prohibited Uses
Clients may not use the Services or Deliverables to:
3.1 Unlawful Activities
Violate any applicable federal, state, or local law or regulation; infringe any third-party intellectual property, privacy, or other rights; engage in any form of fraud, misrepresentation, or deceptive practice; or facilitate illegal discrimination based on protected characteristics.
3.2 Data and Security Violations
Submit Client Data that includes HIPAA-regulated health data, payment card data, Social Security numbers, biometric identifiers, precise geolocation, or other "sensitive personal information" as defined under applicable privacy law without a separate written agreement authorizing such processing; attempt to reverse engineer, extract, or replicate Monadux's research methodology, AI prompting systems, or analytical frameworks through analysis of Deliverables or otherwise; circumvent, disable, or interfere with any authentication or access controls applicable to any Client account profile Monadux makes available; or share, transfer, or disclose Monadux account credentials to unauthorized parties.
3.3 Harmful Content
Submit data intended to generate content that harasses, defames, threatens, or discriminates against individuals or groups; use Deliverables to make consequential automated decisions about individual people without human review; or use Deliverables in any context involving life-or-death decision making without independent professional validation.
3.4 Competitive and Commercial Misuse
Resell, sublicense, or otherwise commercialize Deliverables to third parties except as expressly permitted in Section 4.2 of the Terms and Conditions; use the Services or Deliverables to build, train, or benchmark a product or service that competes with Monadux's Services; or use Client Data processed by Monadux to train or fine-tune any AI or machine learning model.
4. Client Responsibility for Connected Data Sources
When authorizing Monadux to access third-party data sources (CRM platforms, analytics tools, support systems, etc.) in connection with the Services, Client is responsible for: complying with the terms of service of each third-party platform; ensuring that the connection is authorized by Client's agreements with those platforms; and not authorizing connections to data sources in violation of any contractual, legal, or regulatory restriction.
5. Enforcement
Monadux reserves the right to investigate suspected violations of this AUP. Upon confirming a material violation, Monadux may: issue a written warning and request cure within a specified period; suspend Services pending investigation or cure; terminate Services and the underlying agreement; or report violations to applicable law enforcement authorities where required. Monadux will use reasonable judgment in applying enforcement actions proportionate to the nature and severity of the violation.
Data Processing Addendum
Monadux LLC
Effective Date: June 20, 2026
Incorporated into: Monadux LLC Terms and Conditions
1. Purpose and Scope
This Data Processing Addendum ("DPA") forms part of, and is incorporated into, the Terms and Conditions between Monadux LLC ("Processor") and Client ("Controller"). It governs the processing of personal data by Monadux on behalf of Client in connection with the Services.
This DPA applies to the extent that Client Data contains personal data subject to applicable privacy laws, including the California Consumer Privacy Act (CCPA/CPRA), other applicable U.S. state privacy statutes, and, for international Clients, the laws described in the International Addendum (including the GDPR, UK GDPR, PIPEDA, and the Australian Privacy Act 1988).
2. Roles of the Parties
For purposes of applicable data protection law: Client is the "business" or "data controller" with respect to personal data within Client Data. Monadux is the "service provider" or "data processor" processing personal data on Client's behalf. Monadux processes personal data solely as directed by Client and in accordance with this DPA and the Terms and Conditions. Monadux does not determine the purposes or means of processing personal data within Client Data.
3. Monadux's Processing Obligations
Monadux agrees to: process personal data only on documented instructions from Client, including those set forth in this DPA and the applicable Order Form; inform Client if Monadux believes any instruction infringes applicable law; ensure that personnel authorized to process personal data are subject to confidentiality obligations; implement appropriate technical and organizational security measures as described in Section 7 of the Privacy Policy; assist Client with reasonable requests to fulfill data subject rights under applicable law; delete or return all personal data upon termination of the Services, as described in Section 9 of this DPA and the Privacy Policy; make available information reasonably necessary to demonstrate compliance with this DPA; and not sell, share, retain, use, or disclose personal data for any purpose other than providing the Services, as specified in the Terms and Conditions.
4. CCPA Service Provider Certification
For purposes of the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): Monadux is a "service provider" as defined by the CCPA/CPRA with respect to personal data within Client Data. Monadux will not sell or share personal data received from Client. Monadux will not retain, use, or disclose personal data for any commercial purpose other than providing the Services specified in the Terms and Conditions. Monadux will not retain, use, or disclose the personal data outside of the direct business relationship between Monadux and Client. Monadux will notify Client promptly if it determines that it can no longer meet its obligations under the CCPA/CPRA. Upon notice, Client may take reasonable and appropriate steps to ensure that Monadux uses personal information in a manner consistent with Client's obligations under the CCPA/CPRA, and to stop and remediate any unauthorized use of personal information. Monadux certifies that it understands and will comply with the restrictions in this Section.
5. Sub-Processors
Client authorizes Monadux to engage sub-processors to assist in delivering the Services. Current key sub-processors include:
Anthropic, PBC — AI inference (governed by Anthropic's Commercial Terms, which prohibit training on customer content)
Stripe, Inc. — Payment processing (billing data only)
Zoho Corporation (Zoho Mail, Zoho Forms, and related Zoho services Monadux uses to handle Client Data) — Business email and form-based data intake; may process Client Data that Client transmits to, or that Monadux transmits from, this environment
Deliverables are transmitted to delivery destinations selected and controlled by Client (such as Client's email, Slack, Notion, or Google Workspace). Such Client-selected delivery destinations are Client's own systems and are not Monadux sub-processors.
Monadux will notify Client of any material changes to sub-processors at least thirty (30) days in advance. Monadux remains responsible for the acts and omissions of its sub-processors to the same extent as if Monadux had performed the processing directly.
6. U.S. Client Audit Rights
Client may exercise the following audit rights no more than once per calendar year:
(a) Written Questionnaire: Client may submit a written questionnaire regarding Monadux's data processing practices and security controls. Monadux will respond in writing within thirty (30) days.
(b) Third-Party Certification: If Monadux obtains a SOC 2 Type II, ISO 27001, or equivalent third-party security certification or audit report, Monadux will make such report available to Client upon written request. Availability of a current third-party report satisfies Client's audit right under this Section.
(c) Virtual Audit: Where Client is not satisfied by (a) or (b) above, Client may request a virtual audit of Monadux's data processing practices, conducted at Client's cost. Any such audit requires at least thirty (30) days' advance written notice, is subject to a mutually agreed confidentiality arrangement, and is scoped strictly to Monadux's processing of Client's own data. Monadux may decline to schedule an audit during operationally sensitive periods and may have counsel present.
7. Data Subject Rights Requests
To the extent that Client Data contains personal data subject to data subject rights, Client is responsible for receiving and responding to such requests. If Monadux receives a request directly from an individual relating to Client Data, Monadux will promptly forward the request to Client and will not respond directly without Client's authorization, except as required by law. Monadux will provide reasonable assistance to Client in responding to data subject rights requests.
8. Data Breach Notification
In the event of a personal data breach affecting Client Data, Monadux will notify Client without undue delay and no later than forty-eight (48) hours after Monadux becomes aware of the breach. Notice will include, to the extent then known: the nature of the breach, categories and approximate number of individuals and records affected, likely consequences, and measures taken or proposed to address the breach.
This forty-eight (48) hour timeline applies to all Clients, including where Client Data is subject to GDPR or UK GDPR, and is intended to give Client adequate time to meet any onward notification obligation it may have to a supervisory authority or other party under applicable law.
9. Deletion and Return of Data
Upon expiration or termination of the Services, Monadux will delete Client Data from its systems within sixty (60) days. Upon Client's verified written request during the term, Monadux will delete the specified Client Data within thirty (30) days. In each case, deletion is subject to any legal retention obligations, and Monadux will provide Client with written confirmation of deletion upon request. Where Client elects return rather than deletion, Monadux will, prior to deletion, make the applicable Client Data available to Client in a commonly used electronic format.
10. Amendments
Amendments to this DPA are governed by the amendment procedure, including Client's objection and termination rights, in Section 12.4 of the Terms and Conditions.
AI Processing Disclosure
Monadux LLC
Effective Date: June 20, 2026
1. Purpose
This AI Processing Disclosure explains how Monadux uses artificial intelligence to deliver its research intelligence services. It is incorporated into and forms part of the Terms and Conditions and Privacy Policy.
2. AI Technologies Used
Monadux uses large language models (LLMs) to analyze, synthesize, and summarize Client Data into research Deliverables. At launch, AI inference is powered by the Anthropic API (Claude models). Monadux may add, modify, or replace AI providers as technology and service requirements evolve, and will notify clients of any material changes at least thirty (30) days in advance. Any change of AI provider that involves a new sub-processor is also subject to the sub-processor change-notice procedure in Section 5 of the DPA and, for international Clients, the objection and termination rights in Section 2.3 of the International Addendum.
3. What AI Does in the Services
AI is used in the following ways: synthesizing and summarizing large volumes of qualitative and quantitative Client Data; identifying recurring themes, patterns, sentiment, and anomalies across data sources; generating structured research reports and insight narratives; and categorizing and tagging data for longitudinal tracking across research waves.
All AI-generated outputs are produced by automated systems operating under research methodology frameworks designed by Monadux. Monadux applies human review of Deliverables in accordance with Monadux's methodology before delivery to Client.
4. What AI Does Not Do
AI does not make final business decisions on behalf of Client. AI does not have persistent memory of Client Data between separate engagements. AI-generated outputs are not legal, financial, medical, or professional advice. AI does not access data sources beyond those expressly authorized by Client.
5. No Training on Client Data
Monadux does not use Client Data to train, fine-tune, evaluate, benchmark, or otherwise improve any AI model, for Monadux's benefit or for the benefit of any third party. This prohibition applies regardless of whether Client Data has been anonymized or transformed prior to AI processing.
With respect to Monadux's upstream AI provider, Anthropic's Commercial Terms of Service expressly prohibit Anthropic from training models on customer content submitted through the API. Inputs and outputs processed through the Anthropic API are treated as Customer Content under those terms and are not used by Anthropic for model training purposes. Clients may review Anthropic's current commitments directly at anthropic.com/legal/commercial-terms.
6. AI Output Limitations
AI-generated content may contain errors, hallucinations, outdated information, or misinterpretations. Monadux discloses the following inherent limitations: AI models may produce plausible-sounding but factually incorrect statements; outputs reflect patterns in data as of the time of processing and may not reflect subsequent developments; and AI synthesis of qualitative data is probabilistic, so nuanced or ambiguous signals may be misrepresented.
Clients should apply independent judgment and domain expertise when acting on AI-generated insights. Monadux's research methodology is designed to mitigate these risks through structured prompting, source citation, and human review of Deliverables in accordance with Monadux's methodology prior to delivery. However, Monadux cannot guarantee the accuracy of AI-generated outputs and disclaims liability for decisions made in reliance on such outputs without independent verification.
7. Data Residency
As configured by Monadux and represented by Anthropic, AI inference processing through the Anthropic API occurs in the United States. Client Data transmitted for AI inference is processed in the U.S. Monadux does not transmit Client Data to AI systems operating outside the United States without Client's prior written consent. Monadux's other sub-processors are identified in Section 5 of the DPA, and the locations and applicable international transfer mechanisms for sub-processors are described in Section 2.5 of the International Addendum.
8. Future Inference Options
Monadux may in the future offer local or private inference options that process Client Data entirely on infrastructure controlled by Monadux or Client, without transmitting data to third-party AI providers. Clients interested in this option should contact Monadux to discuss availability and applicable terms.
9. Updates
This AI Processing Disclosure will be updated as Monadux's AI stack, methodologies, or provider relationships change. Clients will be notified of material updates at least thirty (30) days in advance via the email address on file. Amendments to this Disclosure are governed by the amendment procedure, including Client's objection and termination rights, in Section 12.4 of the Terms and Conditions.
International Addendum
Monadux LLC
Effective Date: June 20, 2026
Supplement to: Monadux LLC Legal Policy Suite
This International Addendum ("Addendum") supplements and modifies the Monadux LLC Legal Policy Suite, including the Terms and Conditions, Privacy Policy, Acceptable Use Policy, Data Processing Addendum, and AI Processing Disclosure (collectively, the "Base Suite"), for Clients located outside the United States. Where there is a conflict between this Addendum and the Base Suite, the terms of this Addendum control with respect to the applicable international Client. All terms defined in the Base Suite have the same meaning in this Addendum unless otherwise specified herein.
This Addendum covers the following jurisdictions:
Section 1 — Scope and Application
Section 2 — European Union and European Economic Area (GDPR)
Section 3 — United Kingdom (UK GDPR and Data Protection Act 2018)
Section 4 — Canada (PIPEDA and CASL)
Section 5 — Australia (Privacy Act 1988 and Australian Privacy Principles)
Section 6 — International Dispute Resolution (all non-U.S. Clients)
Section 7 — General Provisions
This Addendum was prepared with reference to the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) and the UK International Data Transfer Addendum (ICO, March 2022).
1. Scope and Application
1.1 Which Clients This Addendum Applies To
This Addendum applies to any Client that:
(a) is organized or incorporated outside the United States;
(b) primarily operates outside the United States; or
(c) submits Client Data that contains personal data of individuals located in the European Union, European Economic Area, United Kingdom, Canada, or Australia, regardless of where the Client itself is located.
1.2 Relationship to Base Suite
This Addendum is incorporated by reference into the Base Suite and forms part of the overall agreement between Monadux and Client. Clients subject to this Addendum agree to be bound by both the Base Suite and this Addendum. In the event of conflict, this Addendum prevails with respect to matters governed by applicable international law.
1.3 Language
This Addendum is written in English. Where applicable law requires a translation, the English version controls in the event of any inconsistency between the English original and a translated version.
2. European Union and EEA — GDPR
Applies to: Clients processing personal data of individuals located in the EU or EEA
2.1 Scope
This Section 2 applies where Client Data contains personal data of individuals located in the European Union or European Economic Area, and Monadux processes that data on behalf of Client. In this context: Client is the "data controller" as defined in Article 4(7) of the General Data Protection Regulation (EU) 2016/679 ("GDPR"). Monadux is the "data processor" as defined in Article 4(8) of the GDPR. Processing of EU personal data by Monadux is governed by this Section 2, which constitutes the data processing agreement required under Article 28 of the GDPR.
2.2 Lawful Basis for Processing
Client, as data controller, is responsible for ensuring a valid lawful basis exists under Article 6 of the GDPR for each category of personal data it transmits to Monadux. Client represents and warrants that: all personal data transmitted to Monadux has been collected lawfully and with appropriate notice to data subjects; where Client Data includes special categories of personal data under Article 9 GDPR (such as health data, political opinions, or biometric data), Client has obtained explicit consent or identified another valid Article 9 exception and has notified Monadux in writing prior to transmission; and Client will not transmit personal data of children under 16 years of age without prior written agreement from Monadux and confirmation that appropriate consent mechanisms are in place.
2.3 Monadux's Obligations as Processor
In processing EU personal data on Client's behalf, Monadux agrees to: process personal data only on Client's documented instructions, including those set forth in this Addendum and the applicable Order Form, unless required to do so by EU or Member State law, in which case Monadux will inform Client before processing (unless prohibited by law on grounds of public interest); ensure that all Monadux personnel authorized to process EU personal data are subject to binding obligations of confidentiality; implement appropriate technical and organizational measures as required by Article 32 GDPR; not engage any sub-processor without Client's prior written authorization (the sub-processors listed in Section 5 of the Base Suite DPA are hereby pre-authorized, and Monadux will provide at least thirty (30) days' notice of any addition or replacement, giving Client the opportunity to object; if Client reasonably objects on data-protection grounds and the parties cannot resolve the objection within thirty (30) days, Client may terminate the affected engagement and receive a pro-rata refund of any prepaid, unused fees); assist Client in fulfilling its obligations to respond to data subject rights requests under Chapter III of the GDPR; assist Client with its obligations under Articles 32 to 36 GDPR; delete or return all EU personal data to Client upon termination of the Services; and make available to Client all information reasonably necessary to demonstrate compliance with Article 28 GDPR, including allowing for audits or inspections subject to reasonable advance notice and confidentiality obligations.
2.4 Data Subject Rights
Client is the primary point of contact for data subjects exercising their rights under the GDPR. Where Monadux receives a data subject request directly, Monadux will: forward the request to Client within five (5) business days of receipt; not respond to the data subject directly without Client's prior authorization, except where required by applicable law; and provide reasonable technical assistance to Client in fulfilling the request.
2.5 International Transfers of EU Personal Data
Monadux processes EU personal data in the United States. The United States has not received an adequacy decision from the European Commission under Article 45 GDPR. Accordingly, the transfer of EU personal data to Monadux is governed by the Standard Contractual Clauses (SCCs) for the transfer of personal data to third countries, as set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller to Processor). By entering into this Addendum, the parties are deemed to have executed the Module Two SCCs, which are incorporated herein by reference.
The applicable Annex information is as follows:
| Annex Element | Detail |
| --- | --- |
| Data exporter | Client (as identified in the applicable Order Form) |
| Data importer | Monadux LLC, Minnesota, U.S. |
| Data subjects | Client's end customers, employees, and other individuals whose personal data appears in Client Data |
| Categories of data | As described in Section 2 of the Base Suite Privacy Policy; varies by data sources submitted by Client |
| Special categories | None expected; Client must notify Monadux in writing prior to transmitting special category data |
| Processing operations | AI-assisted synthesis, analysis, categorization, and report generation as described in the Base Suite |
| Competent supervisory authority | The supervisory authority of the EU Member State in which Client's EU establishment is located, or, if none, the Irish Data Protection Commission |
Monadux will not transfer EU personal data to any sub-processor located outside the EEA unless: (a) that sub-processor is located in a country with an EU adequacy decision; (b) appropriate SCCs or other approved transfer mechanisms are in place; or (c) Client has provided prior written consent. The Anthropic API, as Monadux's primary AI sub-processor, processes data in the United States under Anthropic's Commercial Terms of Service, which include data processing provisions. Zoho Corporation, as Monadux's sub-processor for business email and form-based intake, also processes data in the United States; where Client Data subject to this Section is processed by Zoho, Monadux will ensure an appropriate transfer mechanism (such as the Standard Contractual Clauses) is in place. Monadux will maintain and make available to Client on request documentation of the transfer mechanisms applicable to each sub-processor.
SCC Module, Options, and Annexes. For the Module Two SCCs incorporated above: the optional docking clause (Clause 7) applies; in Clause 9, Option 2 (general written authorization) applies, with Monadux providing at least thirty (30) days' notice of intended changes to sub-processors; in Clause 11, the optional independent dispute-resolution body does not apply; in Clause 17, the SCCs are governed by the law of Ireland; and in Clause 18(b), disputes arising from the SCCs will be resolved before the courts of Ireland. Notwithstanding Section 6.1 and Section 6.2 of this Addendum and Section 12.1 of the Terms and Conditions, the governing law and forum for the SCCs are as stated in this paragraph. For purposes of the SCC Annexes: Annex I (parties, data subjects, categories of data, and processing operations) is populated by the table set out above in this Section 2.5; Annex II (technical and organizational measures) consists of the security measures described in Section 7 of the Base Suite Privacy Policy; and Annex III (list of sub-processors) consists of the sub-processors identified in Section 5 of the Base Suite DPA.
2.6 Data Protection Impact Assessments
Where Client determines that a DPIA is required under Article 35 GDPR in connection with Monadux's processing of EU personal data, Monadux will provide reasonable assistance to Client in conducting the DPIA, including by making available relevant information about Monadux's processing operations, security measures, and sub-processor arrangements.
2.7 EU Data Protection Representative
Monadux does not currently maintain a designated EU data protection representative under Article 27 GDPR. Monadux will appoint an Article 27 representative before it commences ongoing processing of EU personal data on behalf of any Client where such appointment is required under Article 27, and will update this section accordingly.
2.8 Breach Notification
In the event of a personal data breach affecting EU personal data, Monadux will notify Client without undue delay and no later than forty-eight (48) hours after becoming aware of the breach, to enable Client to meet its seventy-two (72) hour notification obligation to the competent supervisory authority under Article 33 GDPR.
3. United Kingdom — UK GDPR
Applies to: Clients processing personal data of individuals located in the United Kingdom
3.1 Scope
This Section 3 applies where Client Data contains personal data of individuals located in the United Kingdom. Processing of UK personal data is governed by the UK General Data Protection Regulation ("UK GDPR") as retained in UK domestic law by the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018 ("DPA 2018").
3.2 Application of Section 2
The provisions of Section 2 of this Addendum (EU GDPR) apply equally to UK personal data, with the following modifications: references to the GDPR are to be read as references to the UK GDPR; references to the European Commission and EU Member State supervisory authorities are to be read as references to the UK Information Commissioner's Office ("ICO"); and references to EU adequacy decisions are to be read as references to UK adequacy regulations made by the UK Secretary of State.
3.3 International Transfers of UK Personal Data
Monadux processes UK personal data in the United States. The transfer of UK personal data from Client to Monadux is governed by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (IDTA), as issued by the ICO under Section 119A of the DPA 2018 and in force from 21 March 2022. By entering into this Addendum, the parties are deemed to have executed the IDTA, which is incorporated herein by reference. The Table information for the IDTA corresponds to the Annex information set out in Section 2.5 of this Addendum, with the data exporter being the UK-based Client and the competent supervisory authority being the ICO. For the avoidance of doubt, the IDTA and the transfer of UK personal data are governed by the laws of England and Wales, and the Ireland governing-law and forum selections in Section 2.5 do not apply to UK personal data.
3.4 UK Data Protection Representative
Monadux does not currently maintain a designated UK representative under Article 27 UK GDPR. Monadux will appoint a UK representative before it commences ongoing processing of UK personal data on behalf of any Client where such appointment is required, and will update this section accordingly.
3.5 Breach Notification
In the event of a personal data breach affecting UK personal data, Monadux will notify Client without undue delay and no later than forty-eight (48) hours after becoming aware of the breach, to enable Client to meet its seventy-two (72) hour notification obligation to the ICO under Article 33 UK GDPR.
4. Canada — PIPEDA and CASL
Applies to: Clients organized in Canada or processing personal data of Canadian residents
4.1 PIPEDA — Personal Information Protection and Electronic Documents Act
4.1.1 Scope
This Section 4.1 applies where Client Data contains personal information of Canadian residents within the meaning of the Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5, or applicable provincial privacy legislation (including Quebec Law 25 / Bill 64, Alberta's PIPA, and British Columbia's PIPA).
4.1.2 Roles
For purposes of PIPEDA and applicable provincial privacy law: Client is the organization that collected personal information from its customers or employees and is responsible for that information. Monadux acts as a third-party service provider processing personal information on Client's behalf. Monadux's processing is limited to the purposes described in the Base Suite and this Addendum.
4.1.3 Accountability and Consent
Client remains accountable for personal information it transfers to Monadux and is responsible for ensuring that: (a) appropriate consent was obtained from individuals for the collection and use of their personal information; (b) the transfer to Monadux is for purposes consistent with the purposes for which the information was collected; and (c) Monadux provides a comparable level of protection to that required of Client under PIPEDA.
4.1.4 Monadux's Obligations
In processing Canadian personal information, Monadux agrees to: process personal information only for the purposes described in the Base Suite and applicable Order Form; implement security safeguards appropriate to the sensitivity of the information, consistent with the security obligations described in the Base Suite Privacy Policy; notify Client without undue delay and no later than forty-eight (48) hours after becoming aware of any unauthorized access to, or disclosure of, Canadian personal information; delete or de-identify Canadian personal information upon termination of the Services; and cooperate with Client in responding to access and correction requests received from Canadian residents.
4.1.5 Quebec Law 25 (Bill 64)
For Clients subject to Quebec's Act respecting the protection of personal information in the private sector (Law 25), Monadux acknowledges that: Client must conduct a Privacy Impact Assessment (PIA) before communicating personal information outside Quebec, including to Monadux in the United States. Monadux will provide reasonable assistance to Client in completing any required PIA, including by making available information about Monadux's security practices, data flows, and sub-processor arrangements. Client is responsible for determining whether the level of protection afforded by Monadux is adequate under Law 25 prior to initiating the transfer.
4.2 CASL — Canada's Anti-Spam Legislation
4.2.1 Scope
Canada's Anti-Spam Legislation (CASL), S.C. 2010, c. 23, regulates commercial electronic messages (CEMs) sent to Canadian electronic addresses. This Section 4.2 applies to any commercial electronic communications Monadux sends to Client's Authorized Users located in Canada in connection with the Services.
4.2.2 Monadux's CASL Commitments
Monadux commits to the following with respect to commercial electronic messages sent to Canadian recipients: Monadux will only send CEMs to Canadian Authorized Users where Monadux has express or implied consent as defined under CASL; all marketing or promotional CEMs will clearly identify Monadux as the sender, include Monadux's mailing address and contact information, and include a functioning unsubscribe mechanism; and Monadux will process unsubscribe requests within ten (10) business days of receipt, as required by CASL.
Transactional and service-related communications (such as delivery of Deliverables, invoices, and security notices) are not subject to CASL's consent requirements and will be sent as necessary to perform the Services.
4.2.3 Client's Responsibility
Client is solely responsible for ensuring that any commercial electronic messages it sends to its own customers or contacts using insights derived from Monadux Deliverables comply with CASL, including obtaining appropriate consent and maintaining consent records.
5. Australia — Privacy Act 1988 and Australian Privacy Principles
Applies to: Clients organized in Australia or processing personal information of individuals in Australia
5.1 Scope
This Section 5 applies where Client is organized in Australia, or where Client Data contains personal information of individuals in Australia within the meaning of the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs") set out in Schedule 1 to that Act, each as amended.
5.2 Roles
For purposes of the Privacy Act and the APPs: Client is the entity that collected the personal information and is the APP entity responsible for it. Monadux acts as an overseas service provider processing personal information on Client's behalf and at Client's direction. Monadux's processing is limited to the purposes described in the Base Suite and this Addendum.
5.3 Accountability and Cross-Border Disclosure (APP 8)
Client acknowledges that, under APP 8 and Section 16C of the Privacy Act, Client as the disclosing entity generally remains accountable for personal information it discloses to Monadux overseas. Client is responsible for: (a) ensuring it has a lawful basis and has provided any required notice or obtained any required consent for the collection and overseas disclosure of the personal information; and (b) satisfying itself that the handling of personal information under this Addendum is consistent with the APPs. Monadux commits to handle personal information received from Client in a manner consistent with the APPs to the extent applicable to its role as a service provider.
5.4 Monadux's Obligations
In processing personal information subject to this Section, Monadux agrees to: process personal information only for the purposes described in the Base Suite and applicable Order Form; implement security safeguards appropriate to the sensitivity of the information, consistent with the security obligations described in the Base Suite Privacy Policy and APP 11; not use or disclose the personal information for direct marketing or for any purpose other than providing the Services; delete or de-identify the personal information upon termination of the Services; and cooperate with Client in responding to access and correction requests received from individuals under APP 12 and APP 13.
5.5 Notifiable Data Breaches
In the event of a data breach affecting personal information subject to this Section, Monadux will notify Client without undue delay and no later than forty-eight (48) hours after becoming aware of the breach, to enable Client to meet its obligations under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act, including any obligation to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of an eligible data breach.
5.6 Spam Act 2003
Any commercial electronic messages Monadux sends to Client's Authorized Users in Australia will comply with the Spam Act 2003 (Cth), including its consent, sender-identification, and unsubscribe requirements. Client is solely responsible for ensuring that any commercial electronic messages it sends to its own customers or contacts using insights derived from Monadux Deliverables comply with the Spam Act 2003.
6. International Dispute Resolution
Applies to: All Clients located outside the United States
6.1 Governing Law
This Addendum and the Base Suite are governed by the laws of the State of Minnesota, United States, without regard to conflict of law principles, except where mandatory provisions of the Client's home jurisdiction apply and cannot be lawfully excluded by contract.
6.2 Binding Arbitration for International Disputes
For Clients located outside the United States, any dispute, controversy, or claim arising out of or relating to the Base Suite, this Addendum, or the breach, termination, or validity thereof (a "Dispute") that cannot be resolved through good-faith negotiation within thirty (30) days of written notice will be finally resolved by binding arbitration administered by JAMS pursuant to its International Arbitration Rules, as in effect at the time of the Dispute. The arbitration will be conducted as follows:
Seat of arbitration: St. Paul, Minnesota, United States
Language: English
Number of arbitrators: One (1), unless either party requests a panel of three (3) for Disputes exceeding $500,000
Governing procedural rules: JAMS International Arbitration Rules
Substantive law: State of Minnesota, as set forth in Section 6.1
Award: Final and binding; judgment may be entered in any court of competent jurisdiction
The New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards (1958) applies to any arbitral award issued under this Section.
6.3 Emergency Relief
Notwithstanding Section 6.2, either party may apply to any court of competent jurisdiction for emergency injunctive or interim relief to prevent irreparable harm pending the constitution of an arbitral tribunal or the resolution of a Dispute, without waiving the right to arbitration.
6.4 Class Action Waiver
To the maximum extent permitted by applicable law, each party waives any right to participate in any class, collective, or representative arbitration or litigation proceeding. All Disputes must be brought in an individual capacity only. Nothing in this Section 6 limits any data subject's right to lodge a complaint with a competent supervisory authority or to pursue a judicial remedy as provided under applicable data protection law or the Standard Contractual Clauses.
6.5 Costs
The costs of arbitration, including arbitrator fees, will be borne equally by the parties unless the arbitral tribunal determines that a different allocation is warranted by the circumstances. Each party bears its own legal fees and expenses unless the tribunal awards otherwise.
7. General Provisions
7.1 Precedence
In the event of any conflict between this Addendum and the Base Suite, this Addendum controls with respect to: (a) the processing of personal data governed by the GDPR, UK GDPR, PIPEDA, applicable provincial privacy law, or the Australian Privacy Act 1988 and Australian Privacy Principles; and (b) the resolution of Disputes involving non-U.S. Clients. In all other respects, the Base Suite controls.
7.2 Severability
If any provision of this Addendum is held to be invalid, illegal, or unenforceable under applicable law, the remaining provisions continue in full force and effect. The invalid provision will be modified to the minimum extent necessary to make it enforceable, consistent with the intent of the parties.
7.3 Updates
Monadux may update this Addendum to reflect changes in applicable law, regulatory guidance, or standard contractual clauses issued by competent authorities. Monadux will provide at least thirty (30) days' written notice of material updates. Continued engagement with the Services after the effective date of an update constitutes acceptance of the updated Addendum. Amendments to this Addendum are governed by the amendment procedure, including Client's objection and termination rights, in Section 12.4 of the Terms and Conditions.
7.4 Effective Date and Execution
This Addendum is effective as of the date Client first submits Client Data for processing or executes an Order Form, whichever is earlier. No separate signature is required; agreement to the Base Suite constitutes agreement to this Addendum for Clients to whom it applies by operation of Section 1.1.
7.5 Contact for International Privacy Matters
For privacy-related questions, data subject rights requests, or regulatory inquiries from international Clients, contact:
Monadux LLC
Attn: Privacy — International
Email: legal@monadux.com
