Mindbody Data Processing Schedule
Last Updated:
This Schedule forms part of the relevant EU and UK Controller to Processor Standard Contractual Clauses as applicable.
Data Exporter and Data Importer
You transfer, and Mindbody receives, Personal Data in relation to the supply of Mindbody Services as set out in the Agreement.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
Data regarding physical health or mental condition, (including allergy and medication data) and other sensitive information as relevant to the Services.
Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify):
Processing operations are limited to the extent necessary to provide the Mindbody Services as specified under the Agreement.
Technical and Organizational Measures
Physical Security Controls
Processor must implement appropriate physical security controls within its premises to prevent unauthorized persons from gaining access to data and systems. For this, Processor has implemented the following measures:
- Identification card for all members of staff
- Visitor access procedure
- Locked entry gates at all external doors
- Data center access limited to authorized personnel
- Entry security systems 24x7 (e.g., smart card reader, code locks)
- Clear-Desk Policy
- Monitoring devices (e.g., camera)
Access Control
Processor must prevent unauthorized access to data processing systems. Processor has implemented the following measures for electronic access control:
- Access control system (User ID and Strong Password)
- Screen locks that activate after a period of inactivity
- Encryption of data transmitted via unsecure networks
- Firewalls
- URL Filtering
- Penetration testing
- Automated vulnerability scans
- Documented Security Incident Response Plan
Authorization Process
Processor must ensure that authorized members of staff have access only to the data which they require in the course of their work duties and to which they have a right of access and must prevent any unauthorized access outside of the granted permissions. Processor has implemented the following measures:
- Documented request process for the introduction of new hardware and software
- Documented authorization process to grant only the minimum access required for each member of staff to perform his/her work duties
- Regular controls of authorizations granted and change process to reflect termination of employment, contract, agreement, or change of roles
- Privileged access limited to essential administration personnel
- Authentication process (User ID and Strong Password)
- Audit logs for servers, applications and network devices
- Secured interfaces
- Disk management
- Encryption of data transmitted via unsecure networks
Transmission Control
Processor shall ensure that personal data are protected against any unauthorized reading, modification, copying, or removal during electronic transmission or transport. Measures must be in place to verify to which recipients transfers are envisaged. Processor has implemented the following measures during transport, transfer, and transmission or storage on data carriers:
- Encryption of data transmitted via unsecure networks
- Encryption of storage media in transport
- Personal Firewalls
Input Control
Processor shall ensure that it is possible to verify what personal data were entered into processing systems, modified, or removed, at what time, and by whom. Processor has implemented the following to allow for retrospective review of whether and by whom personal data are entered, modified, or removed:
- Access logs and analysis
- Authentication process (User ID and Strong Password)
- Documented Incident Response Plan
External Parties
Processor shall ensure that, in the case of sub-contracting, personal data will be processed only in accordance with the instructions of the Controller, and will maintain:
- Written contractual arrangements/instructions with all sub-contractors
- Access controls to restrict access to what is required to perform the specific services
Availability Control
Processor shall take measures to protect personal data against accidental loss or destruction. Processor has implemented the following measures for availability control:
- Daily automated Back-up
- Redundant power feeds
- Temperature and humidity controls and monitoring
- Encryption of data transmitted via unsecure networks
- Antivirus/firewall
Data Segregation
The data of the Controller are to be separated from the data of other customers and the Processor. Personal data collected for different purposes must be processed separately. Some measures taken by Processor for separation control are:
- Customer data and systems are separated from internal systems
- Separation of production and test systems
- Defined roles and responsibilities, including appropriate segregation of duties amongst members of staff