Annex Package
Annex 1: Description of Processing
| Processing Activity 1: Visitor Analytics (Processor) | |
|---|---|
| Field | Description |
| Parties | Customer (Controller) → MUSAY (Processor) |
| Subject Matter | Collection and processing of visitor responses through MUSAY's interactive features (including MyStory) to generate aggregated, de-identified analytics |
| Duration | Duration of the Agreement |
| Nature of Processing | Collection, storage, structuring, analysis, de-identification, aggregation, reporting |
| Purpose | To provide Customer with aggregated, de-identified analytics about visitor engagement, demographics, and sentiment |
| Categories of Data Subjects | Visitors to Customer's institution who engage with MUSAY's interactive features via the MUSAY app or Customer-provided links |
| Categories of Personal Data | User Response Data (demographic info, free-text feedback, ratings); device identifiers; IP addresses; location data (if enabled) |
| Special Categories | None intentionally collected. Free-text responses may incidentally contain sensitive data. MUSAY will delete any special category data inadvertently collected. |
| Retention | Raw User Response Data: life of account (account users) or 36 months (non-account visitors). Processed Values: indefinite (de-identified). Aggregated Data: indefinite. |
| Processing Activity 2: Consented Quote and Contact Data Sharing (Controller to Controller) | |
|---|---|
| Field | Description |
| Parties | MUSAY (Controller — consent collection and transmission) → Customer (independent Controller upon receipt) |
| Subject Matter | Transmission of user-consented free-text quotes (and, where separately consented, contact information) from User Response Data to Customer |
| Duration | As long as Data Subject's consent remains active |
| Nature of Processing | Collection of consent, AI-assisted excerpt selection from free-text responses (for quote sharing), storage, transmission to Customer via secure access mechanism (currently: secure web dashboard; MUSAY may add additional delivery methods subject to equivalent security controls) |
| Purpose | To share individual visitor quotes with the named Customer, at the visitor's request; and/or to enable institution follow-up where the visitor has consented to share contact information |
| Lawful Basis | Data Subject's consent; user-directed disclosure under applicable state privacy laws |
| Categories of Data Subjects | MUSAY users who engage with MUSAY's interactive features for Customer's institution and affirmatively opt in to share quotes and/or contact information |
| Categories of Personal Data | Consented Quote Data: AI-selected free-text excerpts from User Response Data, shared without the Data Subject's name or contact information attached. Consented Contact Data: Data Subject's name and contact information (e.g., email address) for institution follow-up. Either category may be shared independently or together, depending on the Data Subject's consent choices. |
| Special Categories | None intentionally collected. |
| Retention | MUSAY: retained while consent is active; deleted on consent withdrawal + 30 days. Customer: subject to Customer's own retention policies; must delete within 30 days of consent withdrawal notification. Quote-sharing consent and contact-sharing consent may be withdrawn independently. |
| Processing Activity 3: Independent Controller Processing (MUSAY) | |
|---|---|
| Field | Description |
| Parties | MUSAY (independent Controller) |
| Subject Matter | User account management, algorithm improvement, market trend analysis |
| Duration | Life of user account + 90 days; indefinite for De-identified/Aggregated Data |
| Nature of Processing | Storage, analysis, algorithm training, de-identification, aggregation |
| Purpose | Manage user accounts; develop and improve analytics algorithms; conduct market and user trend analysis across institutions |
| Lawful Basis | Legitimate interests (GDPR Article 6(1)(f)); contract performance (Article 6(1)(b)) for account management |
| Categories of Data Subjects | MUSAY app users |
| Categories of Personal Data | Account information (name, email, username); User Response Data; usage data |
| Retention | Account data: life of account + 90 days. Raw User Response Data for algorithm improvement: 36 months. De-identified/Aggregated Data: indefinite. |
Annex 2: Technical and Organizational Measures
| Technical and Organizational Measures (TOMs) | |
|---|---|
| Category | Measure |
| Encryption | TLS 1.2+ for data in transit; AES-256 encryption at rest for all databases and backups containing Personal Data |
| Access Control | Role-based access control (RBAC); principle of least privilege; multi-factor authentication (MFA) for all administrative access; unique user IDs |
| Network Security | Firewalls; intrusion detection/prevention systems; network segmentation between production and development environments |
| Vulnerability Management | Regular vulnerability scanning (at least quarterly); annual penetration testing by qualified third party; timely patching of critical vulnerabilities |
| Logging and Monitoring | Audit logging of access to Personal Data; centralized log management; real-time alerting for anomalous activity; logs retained for 12 months |
| Physical Security | Cloud infrastructure provider data centers with SOC 2 Type II certification (or equivalent); physical access controls; environmental controls |
| Business Continuity | Regular data backups; documented disaster recovery plan; recovery time objective (RTO) of 24 hours; recovery point objective (RPO) of 24 hours |
| Employee Security | Background checks for personnel with access to Personal Data; annual security awareness training; confidentiality agreements |
| Incident Response | Documented incident response plan; designated incident response team; tabletop exercises at least annually |
| Data Minimization | Collection limited to data necessary for stated purposes; automated de-identification pipeline severing identity links from Processed Values |
| Consent Record Integrity | Tamper-evident storage of consent records (user ID, Customer ID, session ID, timestamp, consent status, withdrawal status); audit trail for consent lifecycle events |
Annex 3: Sub-Processor List
| List of Sub-Processors Active at Execution | |||
|---|---|---|---|
| Sub-Processor | Processing Activity | Location | Date Added |
| Google LLC | Cloud hosting and data storage, Usage analytics | United States | May 2023 |
| Anthropic PBC | AI/NLP processing for MyStory conversations and excerpt selection | United States | December 2025 |
| PostHog, Inc. | Application analytics | United States | April 2024 |
| Customer.io, Inc. | Transactional email delivery (keepsake emails) | United States | January 2026 |
| Algolia | Friend search, content search (processes user queries) | United States (primary cluster); additional locations for operational processing | July 2023 |
Current list maintained at:
MUSAY's trust center
Annex 4: International Data Transfer Mechanisms (Dormant)
Status: This Annex is dormant and imposes no obligations unless activated per DPA Section 10.2.
This Annex becomes effective if and when MUSAY offers Services directed at Data Subjects located in the European Economic Area, United Kingdom, or Switzerland, or otherwise becomes subject to the GDPR, UK GDPR, or Swiss FADP. A Sub-Processor's incidental processing of operational data outside the United States does not, by itself, activate this Annex. The provisions below are pre-drafted so that activation requires no renegotiation of the DPA.
4.1 EU SCCs
The Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021) are incorporated by reference.
- Module 2 (Controller to Processor): Applies to transfers of Personal Data where Customer (Controller) instructs MUSAY (Processor) to process User Response Data.
- Module 1 (Controller to Controller): Applies to transfers of Consented Quote Data where MUSAY (Controller — consent and transmission) transfers to Customer (independent Controller upon receipt).
4.2 Clause Selections
- Clause 7 (Docking Clause): Included
- Clause 9(a) (Sub-Processors): Option 2 — General written authorization
- Clause 11 (Redress): Optional clause included
- Clause 13 (Supervision): The supervisory authority of the EU Member State in which the data exporter is established, or where the data exporter is not established in the EU, the supervisory authority of the EU Member State in which the data importer's EU representative is established
- Clause 17 (Governing Law): Option 1 — the law of [EU Member State — to be selected upon activation]
- Clause 18(b) (Forum): Courts of [EU Member State — to be selected upon activation]
4.3 EU-US Data Privacy Framework
Upon activation, MUSAY shall evaluate whether DPF self-certification is appropriate as a primary transfer mechanism and notify Customer of its determination.
4.4 UK International Data Transfer Addendum
The UK Addendum (as issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018) is incorporated by reference and supplements the EU SCCs for transfers from the United Kingdom.
4.5 Swiss Addendum
To the extent required for transfers from Switzerland, the applicable modifications to the EU SCCs as required by the Swiss Federal Data Protection Act (nFADP) shall apply.
