1. Scope
This Addendum forms part of the agreement between Muster (as processor) and the Customer (as controller) for the use of the Muster service. Where the Customer is itself a processor for its own customers, Muster acts as a sub-processor; the same obligations apply, with the Customer's controller's instructions flowing through the Customer.
2. Subject matter and duration
Subject matter: processing of personal data contained in the Customer's tenant during the provision of the Muster service.
Duration: for the term of the underlying agreement, plus any post-termination period required for data export and deletion.
3. Nature and purpose of processing
Hosting, storing, retrieving, transmitting, and otherwise operating on personal data so that the Customer can monitor a shared mailbox, retrieve relevant SharePoint policy evidence, generate AI-assisted draft email answers using Muster's self-hosted language models, send those answers from the connected mailbox (autonomously or, where review mode is enabled, after reviewer approval), and maintain processing logs inside its tenant.
4. Categories of data subjects
- Employees of the Customer who use Muster.
- Employees or contractors who send questions to a connected shared mailbox.
- Reviewers, administrators, and third parties referenced in mailbox content or SharePoint policy documents.
5. Categories of personal data
- Identity data (name, email, phone, role, employer).
- Communication data (incoming employee emails, AI-generated drafts, approved or edited reviewer replies where review mode is enabled, and final outbound answers).
- Policy evidence data (SharePoint document references, retrieved chunks, citations, indexing metadata).
- Operational data (login times, IP, user agent, processing state, reviewer decisions, audit rows).
Special-category data is not collected by default. If the Customer chooses to upload it, the Customer is responsible for ensuring an appropriate lawful basis under Article 9 GDPR.
6. Customer's instructions
Muster will process Customer personal data only on documented instructions from the Customer, which are constituted by the agreement, this Addendum, and the configuration choices the Customer makes inside the product. Muster will inform the Customer if it considers an instruction to infringe applicable data-protection law.
7. Confidentiality
Personnel authorised to process Customer personal data are bound by appropriate confidentiality obligations.
8. Security
- Encryption in transit (TLS 1.2+) and at rest.
- Tenant isolation enforced at the database row level; every domain table carries a non-nullable tenant identifier.
- Least-privilege access for staff; production access is audited.
- Secrets stored in a managed vault; periodic rotation per internal policy.
- Standard SDLC controls: code review, automated tests, dependency scanning.
- Backups with documented retention; periodic restore testing.
A more detailed security overview is available under NDA on request.
9. Sub-processors
Muster engages sub-processors to provide hosting, database, payment, and observability capabilities. Language-model inference runs on self-hosted infrastructure inside Muster's environment, so no third-party AI vendor is engaged as a sub-processor. The current list is published at /subprocessors. Muster will give the Customer at least 30 days' notice of any intended addition or replacement of a sub-processor; the Customer may object on reasonable data-protection grounds, in which case the parties will work in good faith to agree a remediation, including the Customer's right to terminate the affected service.
10. Data subject rights
Muster will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to fulfil the Customer's obligation to respond to requests for exercising data subjects' rights under Articles 15 to 22 GDPR. Where requests are sent directly to Muster, Muster will refer the data subject to the Customer.
11. Personal data breach
Muster will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer personal data, and will provide information reasonably necessary for the Customer to comply with its own notification obligations.
12. Audits
Muster will make available to the Customer, on reasonable written request, the information necessary to demonstrate compliance with this Addendum, including independent audit reports where available. On-site audits may be agreed with reasonable notice and at the requesting party's cost, conducted in a manner that does not disrupt service to other customers.
13. International transfers
Where personal data is transferred outside the European Economic Area, Muster will ensure an adequate level of protection through Standard Contractual Clauses or another lawful transfer mechanism. The Subprocessors page indicates the location of each sub-processor.
14. Return and deletion
On termination of the underlying agreement Muster will, at the Customer's choice, delete or return all Customer personal data, and delete remaining copies, unless retention is required by applicable law. A 30-day post-termination export window is provided by default.
15. Liability
The liability provisions of the underlying agreement apply to this Addendum. To the extent of any conflict between the underlying agreement and this Addendum on data-protection matters, this Addendum prevails.
16. Contact
Data-protection enquiries: hello@muster.team.