Data processing scope
TaxMind processes personal data on behalf of the Customer solely to provide the Services as described in the Terms. Processing is limited to the categories of data and subjects necessary for those purposes.
This DPA outlines how TaxMind processes customer data in compliance with GDPR and international privacy regulations. It supplements our Terms of Service for customers acting as data controllers.
The Customer is the Data Controller; TaxMind is the Data Processor. Each party is responsible for compliance with the applicable provisions of GDPR and other data protection laws relevant to its role.
TaxMind implements appropriate technical and organizational measures including AES-256 encryption at rest, TLS 1.3 in transit, multi-factor authentication, role-based access control, and continuous monitoring. A full list is maintained in our security documentation.
TaxMind engages a limited set of vetted subprocessors to deliver the Services (e.g., cloud infrastructure, bank connectivity providers, transactional email). A current list is published and Customers receive notice of material changes with the right to object.
Customer data is primarily processed within the European Economic Area. Where transfers outside the EEA occur, they rely on Standard Contractual Clauses or other approved transfer mechanisms with supplementary safeguards.
TaxMind assists the Customer in fulfilling data subject requests, conducting impact assessments, and responding to regulator inquiries, taking into account the nature of processing and information available.
TaxMind notifies affected Customers without undue delay after becoming aware of a personal data breach, providing all information reasonably required to meet their own notification obligations.
Upon termination, TaxMind deletes or returns Customer personal data within 30 days, except where retention is required by applicable law.