Support: info@themightyboards.com · Contact

Get Started
Book a Demo

DPA

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the agreement between The Mighty Boards (“Processor”, “we”, “us”, “our”) and our clients (“Controller”, “you”, “your”) and sets out the terms under which we process personal data on your behalf in connection with the services we provide.

We are committed to ensuring that your data is processed securely, transparently, and in compliance with all applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (GDPR) and any relevant local privacy laws.

2. Subject Matter and Duration

This DPA governs the processing of personal data necessary to deliver board evaluation and governance analytics services offered by The Mighty Boards.
Processing will continue for as long as we provide services under the main agreement or until the data is deleted or returned in accordance with this DPA.

3. Nature and Purpose of Processing

We process personal data solely for:

  • Conducting board performance evaluations and surveys
  • Generating analytics, benchmarking, and insights
  • Providing customer support and account management
  • Enhancing our platform and ensuring data integrity

We do not process data for any other purpose without written instruction from the Controller.

4. Types of Personal Data Processed

Depending on the service, this may include:

  • Names, email addresses, and organizational roles of board members
  • Survey responses and performance data
  • Login credentials (encrypted)
  • Metadata (usage analytics, IP address, device information)

No sensitive data (e.g., racial origin, political opinions, health data) is collected unless explicitly required and authorized.

5. Categories of Data Subjects

  • Board members and executives
  • Committee participants
  • Other individuals designated by the Controller

6. Processor Obligations

The Mighty Boards shall:

  1. Process personal data only in accordance with the Controller’s documented instructions.
  2. Ensure that employees and sub-processors are bound by confidentiality obligations.
  3. Implement appropriate technical and organizational measures (encryption, access control, pseudonymization, backups).
  4. Assist the Controller in responding to data subject requests (access, rectification, deletion).
  5. Notify the Controller without undue delay in the event of a personal data breach.
  6. Maintain a record of all processing activities carried out on behalf of the Controller.

7. Sub-Processors

We may engage trusted third-party service providers (e.g., hosting, analytics, communication tools).
A current list of sub-processors is available upon request.
We ensure each sub-processor provides sufficient guarantees to implement appropriate data protection safeguards.

8. International Data Transfers

If data is transferred outside the EEA/UK, such transfers shall occur only under lawful mechanisms such as:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions approved by the European Commission

9. Data Retention and Deletion

Upon termination of services, all personal data will be deleted or returned to the Controller, unless retention is required by law.
Backups will be securely purged within 31 days.

10. Security Measures

The Mighty Boards implements industry-standard security controls, including but not limited to:

  • Data encryption in transit and at rest
  • Multi-factor authentication
  • Regular security audits and penetration testing
  • Role-based access control

11. Audit and Inspection Rights

The Controller may, upon reasonable notice, request information or conduct audits (onsite or remote) to verify compliance with this DPA.

12. Liability and Indemnity

Each party shall be liable for its respective breaches of this DPA and shall indemnify the other against losses arising from non-compliance with applicable data protection laws.

13. Contact

For all data protection inquiries, please contact our Data Protection Officer (DPO):
📧 info@themightyboards.com