Mountainise Inc.  Data Processing Policy

Last Updated: 01/01/2026

At Mountainise Inc., we prioritize the privacy and security of the data we process on behalf of our clients. This Data Processing Policy (the “Policy”) outlines how we collect, use, store, process, and protect personal data in compliance with applicable data protection laws, including SOC2 and General Data Protection Regulation (GDPR).

By engaging with our services, you consent to the data processing practices outlined in this Policy.

1. Introduction

Mountainise provides business and technology consulting services, which may include data analysis, segmentation, reporting, and integration with various platforms such as HubSpot, Salesforce, Pipedrive, and others. As part of our service delivery, we may process personal data on behalf of our clients (the Data Controller), acting as a Data Processor.

This Policy details how we protect and manage personal data in accordance with the highest standards of security and privacy.

2. Scope of Data Processing

Mountainise processes personal data solely for the purposes defined by our client agreements. These purposes may include:

• Data analysis for CRM, marketing automation, and reporting.
• Customer segmentation and targeting to improve marketing strategies.
• Integration of client data with third-party platforms such as Salesforce, HubSpot, and others.
• Data exporting and report generation as requested by the client.

We will not process personal data for any purposes outside of what is outlined in the agreement with our client unless expressly authorized.

3. Data Collection and Types of Data Processed

We collect and process personal data strictly in accordance with the client’s instructions. The types of personal data that may be processed include, but are not limited to:

• Contact Information (name, email address, phone number, etc.).
• Demographic Information (age, gender, location, etc.).
• Business Information (company name, job title, etc.).
• Marketing and transactional data (e.g., purchase history, email interactions).

4. Data Security and Compliance

We are committed to ensuring the confidentiality, integrity, and availability of the personal data we process. To achieve this, we implement appropriate technical and organizational measures to secure the data, which include:

• Encryption: Data is encrypted in transit and at rest.
• Access Controls: We limit access to personal data to only those personnel who require it for processing activities.
• Regular Security Audits: We conduct routine audits and penetration testing to identify and mitigate vulnerabilities.
• SOC2 Compliance: We follow SOC2 compliance standards to ensure best practices in data protection and privacy. Our journey to SOC2 certification is on its way.

5. Data Retention

Personal data will be retained only for as long as is necessary to fulfill the purposes for which it was collected or as required by law. We retain personal data for the duration of the engagement or as otherwise agreed with our clients. Once the retention period expires, personal data will be deleted or anonymized, as per the client’s instructions.

6. Data Subject Rights

In compliance with applicable data protection laws, the following data subject rights apply:

• Right to Access: Individuals have the right to access their personal data processed by Mountainise.
• Right to Rectification: Individuals may request corrections to inaccurate or incomplete personal data.
• Right to Erasure: Individuals may request the deletion of their personal data under certain conditions.
• Right to Portability: Individuals have the right to receive their personal data in a commonly used and machine-readable format.
• Right to Object: Individuals may object to the processing of their personal data for direct marketing purposes or on grounds relating to their particular situation.

Clients and data subjects may exercise these rights by contacting Mountainise at the contact details provided in this Policy.

7. Data Transfers

Mountainise does not transfer personal data to third parties or external systems without the client’s express permission. If such transfers are required (for example, transferring data to a cloud service provider), we will ensure that appropriate safeguards are in place, such as:

• Standard Contractual Clauses (SCCs) for international data transfers (as required under GDPR).
• Subprocessor Agreements: We will engage subprocessors only with prior client approval and ensure they adhere to the same data protection obligations as Mountainise.

8. Subprocessors

Mountainise may use subprocessors to assist in fulfilling data processing activities. These subprocessors include cloud service providers, data analytics platforms, and marketing tool integrations. Before engaging any subprocessor, we will ensure that they meet the same data protection standards and are bound by appropriate contractual agreements.

A list of subprocessors will be available to clients upon request.

9. Incident Management and Data Breach Notification

In the unlikely event of a data breach, Mountainise will notify the Client without undue delay. We will provide the Client with relevant details to assist in meeting any legal obligations, including breach notifications to data subjects if required. Our incident management process ensures that all data breaches are investigated, mitigated, and reported according to applicable laws.

10. Data Protection Impact Assessments (DPIAs)

When initiating new processing activities that may impact the privacy rights of data subjects, Mountainise will assist the Client in conducting Data Protection Impact Assessments (DPIAs) to evaluate the risks and implement mitigation measures, where necessary.

11. Audits and Monitoring

Mountainise is committed to transparency and compliance with this Policy. The Client has the right to audit Mountainise’s data processing activities to ensure compliance with this Policy. Any audit will be conducted during regular business hours, with reasonable notice, and in a manner that does not unduly disrupt Mountainise’s operations.

12. Termination of Services

Upon termination of services or the business relationship, Mountainise will:

• Return or delete personal data as per the Client’s instructions, unless retention is required by law.
• Ensure that all data processing activities cease.