DPA — Data Processing Addendum

Data Processing Addendum (summary)

This page summarizes the DPA we sign with B2B customers. The full document (PDF) is available on request. The DPA is Schedule 1 to the Terms of Service for customers processing personal data of their employees on Mentor.

Last updated: 2026-05-11

Need a signed DPA?

Email us with your company details and we deliver the DPA within 2 business days.

legal@getmentor.eu

1. Parties

  • Controller: the customer — the legal entity that uploads and processes employee data on the platform.
  • Processor: Moji Mediji d.o.o., Dunajska 165, 1000 Ljubljana, Slovenia, EU.

2. Subject matter

The Processor operates the Mentor LMS: hosting of user accounts, modules, quizzes, certificates, notifications, events, and related learning data. Processing is carried out strictly on the documented instructions of the Controller and under the Terms of Service.

3. Duration

The DPA is in force for the duration of the subscription. After termination the Processor exports the data on Controller request within 30 days and then deletes it, except where retention is required by law (invoices, tax records).

4. Categories of data and subjects

Data subjects:

  • Employees of the Controller
  • External contractors invited by the Controller
  • Mentors / instructors
  • Tenant administrators

Data categories:

  • Identification (name, email)
  • Role and groups
  • Learning progress, quizzes, certificates, XP
  • Activity logs, sign-ins
  • Content uploaded by the Controller (modules, materials, images)

5. Processor obligations

  • Process only on documented Controller instructions.
  • Confidentiality — all personnel with access to personal data are bound by confidentiality obligations.
  • Technical and organizational measures (TLS, encryption at rest, multi-tenant isolation, RBAC, audit log, rate limiting, backups).
  • Assistance with data subject rights (access, rectification, erasure, portability).
  • Assistance with regulatory notifications within 72 hours.
  • Return or delete data after termination.
  • Written notice at least 30 days before adding or replacing a sub-processor.
  • Reasonable cooperation with audit information requests (security documentation, SOC-style questionnaires).

6. Sub-processors

Sub-processors are summarized by category in the Privacy Policy. A current, detailed list of sub-processors with vendor names, locations, and contractual transfer mechanisms is available to paying customers and business contacts on request via legal@getmentor.eu. The Controller may object in writing to a proposed new sub-processor.

7. International transfers

Core infrastructure (hosting, database, file storage, cache) is in the EU (Frankfurt). Certain sub-processors may process data outside the EU — notably AI providers when AI features are enabled and certain SSO providers when the tenant explicitly enables SSO sign-in.

AI features can be disabled by the Controller at the tenant level in settings. Without AI, processing remains within the EU.

For transfers outside the EU we rely on the European Commission's Standard Contractual Clauses (SCC) where required by the vendor.

8. Security measures

  • Multi-tenant isolation (every query scoped by tenantId).
  • Role-based access control (RBAC) with granular permissions.
  • Audit log for 75+ event types.
  • TLS 1.3 in transit, AES-256 at rest (Neon, Vercel Blob).
  • Passwords hashed with bcrypt (cost 12).
  • Rate limiting and CAPTCHA on exposed endpoints.
  • Security HTTP headers (CSP, HSTS, X-Frame-Options, Permissions-Policy).
  • Backups / Point-in-Time Recovery via Neon.
  • Webhook signature verification (Stripe, RealtimeKit) with Redis idempotency.

9. Incidents

For incidents affecting personal data we notify the Controller without undue delay and at the latest within 72 hours of becoming aware. The notification includes a description of the incident, the approximate categories and numbers of affected individuals, the mitigations taken, and a contact for follow-up. Report security incidents to security@getmentor.eu.

10. Return and deletion

On termination, we export data on Controller request in a machine-readable format (CSV / JSON) within 30 days. We then delete the data, except where retention is required by law (invoices, 10 years per Slovenian ZDavP-2). Backups are overwritten by the next cycle.

11. Audits and information

We provide the Controller with reasonable information to fulfil GDPR Art. 28 obligations: security documentation, questionnaire responses, and answers to audit questions over email. Once a year, the Controller may request a review meeting on technical and organizational measures.