1. Scope and Purpose

This Data Transfer Impact Assessment ("DTIA") describes how 1mind AI, Inc. ("1mind") protects personal data when it is transferred from jurisdictions outside the United States to 1mind's systems in the United States. This document is designed to help customers and prospective customers evaluate whether engaging 1mind's services meets their obligations under the EU General Data Protection Regulation (GDPR), the UK GDPR, the Australian Privacy Act 1988, Argentina's Personal Data Protection Law (Ley 25.326), Brazil's Lei Geral de Proteção de Dados (LGPD), Singapore's Personal Data Protection Act 2012 (PDPA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the Swiss Federal Act on Data Protection (FADP), and other applicable data protection laws.

1mind provides an AI-powered platform that enables businesses to deploy intelligent digital employees for sales, customer success, and support functions. When 1mind processes personal data on behalf of its customers, it acts as a data processor (or "service provider"). The customer remains the data controller.

1mind's services primarily process business-to-business (B2B) commercial data — not sensitive personal information. The types of data typically processed include:

1.1 Data Subjects and Categories

1mind does not process special categories of any sensitive or financial personal data (e.g., health data, biometric data, data revealing racial or ethnic origin, credit card information, social security numbers, etc.). Any sensitive or financial data which may be input by a user is filtered out and redacted by 1mind. If a customer's use case involves sensitive data, additional safeguards should be discussed with 1mind's privacy team.

2. Transfer Mechanisms

1mind relies on the following legal mechanisms to lawfully transfer personal data from customer jurisdictions to the United States:

2.1 EU–U.S. Data Privacy Framework (DPF)

1mind is certified under the EU–U.S. Data Privacy Framework, as administered by the U.S. Department of Commerce and recognized by the European Commission's adequacy decision of July 10, 2023. Under the DPF, transfers of personal data from the EU/EEA to 1mind in the United States are considered adequate and do not require supplementary measures or a separate DTIA from customers.

1mind's DPF certification can be verified at: dataprivacyframework.gov.

2.2 UK Extension to the EU–U.S. DPF (UK–U.S. Data Bridge)

1mind has opted into the UK Extension to the DPF. The UK–U.S. Data Bridge, effective October 12, 2023, allows personal data to flow from the United Kingdom to DPF-certified organizations in the United States with adequate protection.

2.3 Standard Contractual Clauses (SCCs)

As a supplementary safeguard, 1mind also incorporates the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) into its Data Processing Agreement (DPA). These SCCs serve as a backup transfer mechanism in the event that the DPF is invalidated or suspended.

The SCCs incorporated by 1mind include the June 2021 version (Commission Implementing Decision (EU) 2021/914), with appropriate annexes completed for 1mind's processing activities.

2.4 Canadian Transfers

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) does not prohibit cross-border data transfers outright. Instead, PIPEDA requires that organizations using third-party processors outside Canada ensure a comparable level of protection through contractual means. 1mind's DPA, which includes data protection obligations, sub-processor controls, and security commitments, satisfies this requirement.

Canada has been recognized by the European Commission as providing adequate data protection for commercial organizations subject to PIPEDA, facilitating EU to Canada to U.S. data flows.

2.5 Swiss Transfers

1mind is certified under the Swiss–U.S. Data Privacy Framework. Switzerland's Federal Data Protection and Information Commissioner (FDPIC) has recognized the Swiss to U.S. DPF as providing adequate data protection. EU SCCs (adapted for Swiss law) are maintained as a backup mechanism.

2.6 Australian Transfers

Australia's Privacy Act 1988 and Australian Privacy Principle 8 (APP 8) govern cross-border disclosures of personal information. Under APP 8, an organization that discloses personal information to an overseas recipient must take "reasonable steps" to ensure the recipient handles the information in accordance with the APPs. Importantly, the disclosing Australian entity remains accountable for any acts or practices of the overseas recipient that would breach the APPs.

1mind supports Australian customers' compliance with APP 8 through the following measures:

• Contractual safeguards: 1mind's DPA requires 1mind to process personal data only in accordance with documented instructions, implement appropriate technical and organizational security measures, and comply with data protection standards that are at least substantially similar to the APPs.
• Technical protections: Encryption in transit and at rest, role-based access controls, and data minimization practices ensure personal information of Australian data subjects is protected.
• Sub-processor oversight: 1mind maintains a publicly available sub-processor list and imposes equivalent data protection obligations on all sub-processors. This list can be found here: https://www.1mind.com/sub-processors

Additionally, effective December 10, 2026, APP entities must disclose in their privacy policies the use of automated decision-making that could significantly affect individuals' rights or interests. 1mind will support customers in meeting this transparency obligation to the extent applicable.

2.7 Argentine Transfers

Argentina's Personal Data Protection Law (Ley No. 25.326, the "PDPL") requires that international transfers of personal data only occur when the recipient country provides an adequate level of protection. Argentina maintains an adequacy whitelist of approved jurisdictions (Rule 60-E/2016), which includes EU/EEA member states, the UK, Canada (private sector), Switzerland, and several other countries.

The United States has not historically been on Argentina's adequacy whitelist. However, a significant development occurred in November 2025 when the United States and Argentina announced the Reciprocal Trade and Investment Agreement, under which Argentina committed to recognizing the United States as an adequate jurisdiction for cross-border data transfers, including personal data. Pending formal implementation of this recognition in Argentina's regulatory framework, 1mind relies on the following mechanisms for Argentine data transfers:

• AAIP-Approved Model Contractual Clauses (MCCs): 1mind incorporates model contractual clauses aligned with Resolution 198/2023, issued by Argentina's Agency of Access to Public Information (AAIP), into its data transfer arrangements with Argentine customers. These MCCs are modeled on the EU standard contractual clauses and provide controller-to-processor safeguards.
• Data subject consent: Where applicable, 1mind's customers obtain informed, express consent from Argentine data subjects for the international transfer of their personal data, as required under the PDPL.
• Emerging U.S. adequacy recognition: Once the November 2025 Reciprocal Trade and Investment Agreement is formally implemented, transfers from Argentina to the United States may be permitted on the basis of adequacy, significantly simplifying compliance.

2.8 Brazilian Transfers

Brazil's Lei Geral de Proteção de Dados (LGPD, Law No. 13.709/2018) restricts international transfers of personal data to countries or organizations that provide an adequate degree of data protection, or where specific transfer mechanisms are in place. Brazil's national data protection authority (ANPD) has issued Resolution CD/ANPD No. 19/2024, which establishes the definitive framework for international data transfers under the LGPD.

As of March 2026, the ANPD has not recognized the United States as providing adequate data protection. Accordingly, 1mind relies on the following mechanisms:

• ANPD Standard Contractual Clauses: 1mind incorporates the ANPD-mandated Standard Contractual Clauses (SCCs) into its agreements with Brazilian customers. These Brazilian SCCs were prescribed by Resolution CD/ANPD No. 19/2024 and have been mandatory since August 23, 2025. Importantly, the ANPD requires the use of its own prescribed SCC form — EU SCCs are not recognized as equivalent.
• Language requirements: The ANPD SCCs must be executed in Portuguese (a bilingual English/Portuguese version is acceptable).
• Compliance documentation: 1mind maintains records demonstrating compliance with the ANPD's transfer requirements, including data protection impact assessments where applicable.

2.9 Singaporean Transfers

Singapore's Personal Data Protection Act 2012 (PDPA) governs cross-border transfers of personal data through a "Transfer Limitation Obligation" set out in Section 26. Under this obligation, an organization must not transfer personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the Act, to ensure that the recipient provides a standard of protection that is comparable to the protection under the PDPA.

Critically, Singapore does not maintain an adequacy whitelist of approved countries as the EU does. Instead, the PDPA takes an accountability-based approach: the transferring organization must ensure, through legally enforceable obligations, that the overseas recipient provides comparable protection. Singapore also does not require government notifications or approvals for international data transfers, and there are no data localization requirements under the PDPA.

1mind is designed to support Singaporean customers' compliance with the Transfer Limitation Obligation through the following mechanisms:

• Contractual safeguards (Primary mechanism): 1mind's DPA is intended to impose legally enforceable obligations on 1mind to provide a standard of protection that is at least comparable to the PDPA. The DPA includes specific provisions addressing data processing restrictions, security measures, sub-processor oversight, breach notification, and data subject rights designed to align with the PDPA's requirements under the Personal Data Protection Regulations 2021 (Regulation 10).
• ASEAN Model Contractual Clauses (MCCs): The PDPC recognizes and encourages the use of the ASEAN Model Contractual Clauses as a practical contractual mechanism for cross-border transfers. The PDPC, in collaboration with ASEAN and the EU, published a Joint Guide to ASEAN MCCs and EU SCCs (updated January 31, 2024). 1mind uses the EU SCCs.
• APEC Cross-Border Privacy Rules (CBPR): Singapore participates in the APEC CBPR System and the Privacy Recognition for Processors (PRP) System. Under the PDP Regulations, certification under the APEC CBPR or PRP is recognized as providing legally enforceable obligations that meet the PDPA's comparable protection standard. 1mind evaluates CBPR/PRP certification as an additional compliance pathway.
• Consent: Where applicable, 1mind's customers may obtain consent from Singaporean data subjects for cross-border transfers, provided the individual is informed that the overseas recipient may not be subject to data protection standards comparable to the PDPA.

The PDPC considers several factors when assessing whether comparable protection exists, including: the existence of data protection legislation in the recipient country, regulatory oversight and enforcement mechanisms, the nature and sensitivity of the data, and the contractual safeguards in place.

3. Assessment of the U.S. Legal Regime

A central concern in any data transfer impact assessment is whether the laws of the recipient country could permit government authorities to access personal data in a manner incompatible with the data protection standards of the sending jurisdiction. This section examines the primary U.S. legal authorities relevant to government access to data held by service providers such as 1mind.

3.1 Foreign Intelligence Surveillance Act (FISA) Section 702

FISA Section 702 permits the U.S. government to compel electronic communication service providers to assist in the targeted collection of foreign intelligence information concerning non-U.S. persons located outside the United States. This authority is subject to oversight by the Foreign Intelligence Surveillance Court (FISC) and requires annual certification.

1mind's position:

• 1mind is not an electronic communication service provider (ECSP) as defined under FISA.
• 1mind does not provide email, telephony, or messaging services to the general public.
• 1mind's core service is an AI platform for B2B sales and customer success — not communications infrastructure.
• Based on publicly available transparency reports and the narrow scope of FISA 702, the risk of 1mind receiving a Section 702 directive is assessed as very low.

3.2 Executive Order 12333

Executive Order 12333 authorizes U.S. intelligence agencies to collect foreign intelligence information through various means, including signals intelligence (SIGINT). Unlike FISA 702, EO 12333 does not compel private companies to produce data. Instead, it authorizes intelligence agencies to intercept data in transit (e.g., on undersea cables).

1mind's position:

• EO 12333 does not provide any legal authority to compel 1mind to disclose data.
• 1mind mitigates the risk of in-transit interception through TLS 1.2+ encryption for all data transfers and AES-256 encryption at rest.
• The B2B commercial data processed by 1mind (business contacts, sales conversations) is not a target for foreign intelligence collection.

3.3 CLOUD Act

The Clarifying Lawful Overseas Use of Data (CLOUD) Act allows U.S. law enforcement to compel U.S.-based service providers to produce data stored anywhere in the world, provided that a valid legal process is obtained. This requires a warrant supported by probable cause, a subpoena, or a court order — and the service provider may challenge or move to quash such requests.

1mind's position:

As a processor of primarily B2B commercial data (not content targeted by criminal investigations), 1mind is unlikely to receive CLOUD Act requests. Should 1mind receive such a request, its policy is to: (i) evaluate the legal validity of the request; (ii) challenge overbroad or conflicting requests; (iii) notify the affected customer to the extent legally permissible; and (iv) provide only the minimum data legally required.

3.4 Executive Order 14086 and the DPF Redress Mechanism

Executive Order 14086, signed on October 7, 2022, directly addresses the concerns raised by the CJEU in Schrems II. EO 14086 introduces binding safeguards that require U.S. signals intelligence activities to be:

• Necessary to advance a validated intelligence priority;
• Proportionate, balancing the intelligence need against the privacy impact on all persons, regardless of nationality;
• Subject to oversight by the Privacy and Civil Liberties Oversight Board (PCLOB), Inspectors General, and the Foreign Intelligence Surveillance Court.

EO 14086 also establishes a two-tier redress mechanism: individuals from qualifying countries (including all EU/EEA member states, the UK, and other designated countries) may submit complaints to the Civil Liberties Protection Officer (CLPO) at the Office of the Director of National Intelligence, with appeal rights to the Data Protection Review Court (DPRC), an independent body with binding decision-making authority.

This redress mechanism is a key pillar of the EU–U.S. DPF adequacy decision, the UK–U.S. Data Bridge, and the Swiss–U.S. DPF. It provides an avenue for individuals from these jurisdictions to challenge U.S. government surveillance access to their data.

For customers in Australia, Argentina, Brazil, and Singapore: While EO 14086 currently designates qualifying states for its redress mechanism through an Executive designation process, the safeguards on U.S. intelligence collection (necessity, proportionality) apply universally to all persons regardless of nationality. 1mind's technical and organizational safeguards described in Section 4 provide additional layers of protection for customers in all jurisdictions.

4. Safeguards for Data Transfers

1mind implements comprehensive technical, organizational, and contractual safeguards to protect personal data throughout the data transfer lifecycle:

4.1 Technical Measures

• Encryption in Transit: All data transmitted to and from 1mind's systems is encrypted using TLS 1.2 or higher.
• Encryption at Rest: All stored data is encrypted using AES-256 encryption.
• Access Controls: Role-based access controls (RBAC) and least privilege principles limit data access to authorized personnel on a need-to-know basis.
• Data Minimization: 1mind processes only the personal data necessary to perform its contractual obligations.
• Data Segregation: Customer data is logically segregated by design, preventing unauthorized cross-customer access.
• Logging and Monitoring: Access to personal data is logged and monitored for anomalous activity.
• Transit-Only Processing: AI/voice processing sub-processors (e.g., OpenAI, Cartesia, Eleven Labs, Tavus) operate in a transit-only model — data passes through for real-time processing and is not persisted by the sub-processor.

4.2 Organizational Measures

• ISO 27001 Certification: 1mind maintains ISO 27001 certification for its information security management system.
• ISO 42001 Certification: 1mind maintains ISO 42001 certification for its AI management system, demonstrating responsible AI governance.
• SOC 2 Type II: 1mind undergoes annual SOC 2 Type II audits covering security, availability, and confidentiality.
• Employee Training: All personnel receive regular data privacy and security training.
• Incident Response: 1mind maintains a documented incident response plan with notification timelines aligned with GDPR Article 33, UK GDPR, LGPD, Singapore's PDPA breach notification requirements, and the Australian Notifiable Data Breaches scheme.
• Privacy Program: 1mind's privacy program is overseen by designated personnel responsible for data protection compliance.

4.3 Contractual Measures

• Data Processing Agreement (DPA): 1mind's DPA, embedded within its Terms of Service, includes all GDPR Article 28 requirements and incorporates the EU SCCs (Module 2: Controller-to-Processor).
• Brazilian SCCs: For Brazilian customers, 1mind supports the incorporation of the ANPD-mandated Standard Contractual Clauses as required by Resolution CD/ANPD No. 19/2024.
• Argentine MCCs: For Argentine customers, 1mind supports the incorporation of AAIP-approved Model Contractual Clauses.
• Singapore Transfer Provisions: For Singaporean customers, 1mind's DPA includes contractual obligations meeting the PDPA's "comparable protection" standard under the Transfer Limitation Obligation, aligned with the PDPC's guidance and the ASEAN MCC framework.
• Sub-Processor Agreements: All sub-processors are bound by data protection obligations at least as protective as those in 1mind's DPA.

4.4 Transparency Measures

• Transparency / Warrant Canary: 1mind maintains a transparency page and warrant canary. As of March 2026, 1mind has not received any national security orders, FISA directives, or national security letters. A publicly maintained page is available here: https://www.1mind.com/transparency
• Customer Notification: 1mind's policy is to notify customers of government data access requests to the extent legally permissible.
• Sub-Processor Updates: 1mind publishes its sub-processor list publicly and notifies customers of changes in advance.

5. Sub-Processor Overview

1mind engages sub-processors to deliver its services. Each sub-processor is bound by contractual obligations requiring a level of data protection at least as stringent as 1mind's DPA.

A current list of sub-processors is always available at: 1mind.com/sub-processors.

6. Risk Assessment Summary

6.1 Risk of U.S. Government Access via FISA Section 702

6.2 Risk of U.S. Government Access via EO 12333

6.3 Risk of U.S. Government Access via CLOUD Act

7. Jurisdiction-Specific Summary

The following table summarizes the transfer mechanism, adequacy status, and recommended actions for each of 1mind's customer jurisdictions:

8. Conclusion and Overall Assessment

Based on the analysis in this DTIA, 1mind concludes that transfers of personal data to the United States in connection with 1mind's services can proceed with appropriate safeguards in place.

Key findings:

• DPF Adequacy (EU/EEA, UK, Switzerland): Transfers from the EU/EEA, United Kingdom, and Switzerland benefit from the EU–U.S. Data Privacy Framework, the UK–U.S. Data Bridge, and the Swiss–U.S. DPF, respectively. These adequacy mechanisms mean that customers in these jurisdictions do not need to conduct their own transfer impact assessments for data transferred to 1mind.
• Canada (PIPEDA): Canadian transfers are supported by contractual safeguards consistent with PIPEDA's comparable-protection requirement.
• Australia (Privacy Act 1988 / APP 8): Transfers are supported by 1mind's comprehensive contractual and technical safeguards, enabling Australian customers to satisfy the "reasonable steps" requirement under APP 8. 1mind monitors the development of Australia's whitelist regime.
• Argentina (Ley 25.326): Transfers are supported by AAIP-approved Model Contractual Clauses. The November 2025 U.S.–Argentina Trade Agreement's recognition of U.S. adequacy, once formally implemented, will further simplify compliance.
• Brazil (LGPD): Transfers are supported by the ANPD-mandated Brazilian Standard Contractual Clauses as required under Resolution CD/ANPD No. 19/2024, which have been mandatory since August 23, 2025.
• Singapore (PDPA): Transfers are supported by 1mind's contractual safeguards designed to provide "comparable protection" under the Transfer Limitation Obligation, aligned with the ASEAN MCC framework and the PDPC's guidance. Singapore's accountability-based approach and absence of data localization requirements facilitate compliant transfers where appropriate contractual and technical measures are in place.
• U.S. Legal Regime: The risk of problematic U.S. government access to 1mind's customer data is very low, given that: (a) 1mind is not an electronic communication service provider subject to FISA 702; (b) the B2B commercial data processed by 1mind is not a target for intelligence collection; (c) Executive Order 14086 imposes necessity and proportionality constraints on all SIGINT collection; and (d) 1mind's technical safeguards (encryption, access controls, transit-only processing) further mitigate risk.

1mind's overall risk assessment: Transfers Can Proceed.

This assessment will be reviewed and updated at least annually, or sooner if there are material changes in applicable laws, 1mind's processing operations, or sub-processor arrangements.

9. Additional Resources

For further information about 1mind's data protection practices, please visit:

For questions about this DTIA or 1mind's data protection practices, please contact privacy@1mind.com.