Legal
Data Processing Agreement
Last updated June 11, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Good Trouble Games, Inc., doing business as Good Trouble Labs (“Good Trouble,” “Processor”) and the customer (“Customer,” “Controller”) for the use of Mido (the “Services”). It governs the processing of personal data Customer submits to the Services.
1. Scope and roles
For data protection laws including the GDPR and UK GDPR, the Customer acts as the controller (or processor on behalf of its own customers) and Good Trouble acts as the processor (or sub-processor). Good Trouble processes personal data only on documented instructions from the Customer, including as set out in this DPA and the agreement.
2. Definitions
“Personal data,” “processing,” “controller,” “processor,” and “data subject” have the meanings given in applicable data protection law. “Customer Content” means the data, including personal data, that Customer submits to the Services.
3. Details of processing
- Subject matter — provision of the Services described in the agreement.
- Duration — the term of the agreement plus any retention period required to wind down or comply with law.
- Nature and purpose — hosting, processing, and analyzing Customer Content to deliver market, competitor, brand, and product insights.
- Types of personal data — account identifiers and any personal data contained in the materials Customer chooses to submit.
- Categories of data subjects — Customer's authorized users and individuals referenced in Customer Content.
4. Processor obligations
Good Trouble will:
- Process personal data only on the Customer's documented instructions;
- Ensure persons authorized to process personal data are bound by confidentiality;
- Implement the security measures described in Section 5;
- Assist the Customer, taking into account the nature of processing, in meeting its obligations regarding security, breach notification, and data protection impact assessments; and
- Not use Customer Content to train Good Trouble's AI models or for any purpose other than providing the Services.
5. Security measures
Good Trouble maintains technical and organizational measures appropriate to the risk, including encryption of data in transit and at rest, access controls on a least-privilege basis, network protection, logging and monitoring, and regular review of its security practices.
6. Sub-processors
The Customer authorizes Good Trouble to engage sub-processors (such as cloud infrastructure and operational vendors) to support the Services. We use established providers that maintain SOC 2 Type II and ISO 27001 certifications and engage each under data protection terms consistent with this DPA. Good Trouble remains responsible for its sub-processors' processing of Customer Content. We will give notice of changes to our sub-processors and an opportunity to object.
7. Data subject rights
Taking into account the nature of the processing, Good Trouble will assist the Customer with appropriate technical and organizational measures to respond to requests from data subjects to exercise their rights under applicable law.
8. Personal data breach
Good Trouble will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Content and will provide information reasonably necessary for the Customer to meet its breach-notification obligations.
9. International transfers
Where processing involves transferring personal data across borders, the parties will rely on an appropriate transfer mechanism, such as the European Commission's Standard Contractual Clauses, which are incorporated by reference where applicable.
10. Audits
Good Trouble will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable confidentiality and scheduling requirements.
11. Return and deletion
On termination of the Services, Good Trouble will, at the Customer's choice, delete or return Customer Content and delete existing copies, except where retention is required by law.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the agreement.
13. Governing law
This DPA is governed by the laws of the State of Delaware, United States, without regard to its conflict-of-laws rules. The courts located there will have exclusive jurisdiction, except where prohibited by applicable law.
14. Contact
For questions about this DPA or to exercise rights under it, email privacy@heymido.com.