Legal

Data processing
agreement.

This DPA outlines how TaxMind processes customer data in compliance with GDPR and international privacy regulations. It supplements our Terms of Service for customers acting as data controllers.

Last updated: January 14, 2026
01

Data processing scope

TaxMind processes personal data on behalf of the Customer solely to provide the Services as described in the Terms. Processing is limited to the categories of data and subjects necessary for those purposes.

02

Roles of the parties

The Customer is the Data Controller; TaxMind is the Data Processor. Each party is responsible for compliance with the applicable provisions of GDPR and other data protection laws relevant to its role.

03

Security measures

TaxMind implements appropriate technical and organizational measures including AES-256 encryption at rest, TLS 1.3 in transit, multi-factor authentication, role-based access control, and continuous monitoring. A full list is maintained in our security documentation.

04

Subprocessors

TaxMind engages a limited set of vetted subprocessors to deliver the Services (e.g., cloud infrastructure, bank connectivity providers, transactional email). A current list is published and Customers receive notice of material changes with the right to object.

05

International transfers

Customer data is primarily processed within the European Economic Area. Where transfers outside the EEA occur, they rely on Standard Contractual Clauses or other approved transfer mechanisms with supplementary safeguards.

06

Customer rights and assistance

TaxMind assists the Customer in fulfilling data subject requests, conducting impact assessments, and responding to regulator inquiries, taking into account the nature of processing and information available.

07

Breach notification

TaxMind notifies affected Customers without undue delay after becoming aware of a personal data breach, providing all information reasonably required to meet their own notification obligations.

08

Deletion and return

Upon termination, TaxMind deletes or returns Customer personal data within 30 days, except where retention is required by applicable law.