Data Governance Policy

Last Updated: May 2026

This policy describes how Mitochondria architecturally governs data — beyond legal compliance. It reflects our commitment to client ownership, transparency, and responsible AI.

1. Governance Philosophy

Mitochondria designs agentic systems with:

  • Data minimisation

  • Client ownership by default

  • Explicit accountability at every layer

  • Auditability and traceability

  • Security by design

We believe governance is what allows AI to operate in production.

2. Entities

This policy applies to services provided by:

  • Mitochondria Ventures B.V.

  • Kutumbakam Ventures LLP

The applicable contracting entity is specified in the relevant Order Form or Statement of Work.

3. Client Data Ownership

All client data remains the exclusive property of the client.

Mitochondria:

  • Does not aggregate client data across engagements

  • Does not reuse data across clients

  • Does not derive proprietary datasets from client inputs

  • Does not claim any rights to client data or outputs

Upon termination, client data remains in the client's systems. Mitochondria does not retain copies except where explicitly agreed in the Order Form or required by law.

4. Transient Processing Architecture

  • Data is processed in memory where feasible

  • No persistent storage by Mitochondria unless contractually required

  • No internal data mastering or replication

  • Client systems remain the source of truth

  • Security and operational logs may contain limited metadata for audit and compliance purposes

5. No Training on Client Data

Client data is never used to:

  • Train models

  • Fine-tune models

  • Improve shared intelligence across clients

  • Benchmark against other clients

Mitochondria’s AI Systems are model-agnostic and client-isolated. Each deployment operates independently.

6. Roles and Responsibilities

Client Role

  • Data Controller (EU GDPR, UK GDPR) / Data Fiduciary (DPDP Act)

  • Determines what data is processed and why

  • Responsible for consent collection, privacy notices, and lawful basis

  • Maintains compliance with applicable laws in their jurisdiction

Mitochondria Role

  • Data Processor (EU GDPR, UK GDPR, DPDP Act)

  • Processes data only according to client instructions

  • Implements technical and organisational security measures

  • Supports client compliance obligations

A Data Processing Agreement is executed with all Clients processing personal data of regulated Data Subjects or Data Principals, and forms part of the agreement. The form of agreement corresponds to the regulatory regime applicable to the engagement.

7. Intra-Group Processing

Mitochondria operates through two affiliated entities:

  • Mitochondria Ventures B.V. (Netherlands)

  • Kutumbakam Ventures LLP (India)

Where Mitochondria Ventures B.V. is the contracting entity, development, engineering, and operational support may be provided by Kutumbakam Ventures LLP.

In such cases:

  • Kutumbakam LLP acts as a sub-processor

  • Processing is governed by intra-group data protection agreements

  • EEA–India transfers are protected by EU Standard Contractual Clauses (SCCs)

  • UK–India transfers are protected by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs

  • Transfers of Personal Data from India are made in accordance with Section 16 of the DPDP Act and any restrictions notified by the Central Government from time to time

  • Personnel are bound by equivalent confidentiality and security obligations

  • Access is granted on a need-to-know, role-based basis

Where Kutumbakam Ventures LLP is the contracting entity, all processing occurs within that entity unless otherwise specified in the Order Form.

8. Access Controls

  • Role-based access with least-privilege enforcement

  • Client-controlled credentials where applicable

  • Access reviewed periodically

  • Immediate revocation upon termination or personnel change

9. Encryption and Security

  • Encryption in transit (TLS 1.2 or higher)

  • Encryption at rest where storage is contractually required

  • Secure key management practices

  • No unencrypted transmission of client data

10. Auditability and Traceability

Mitochondria’s AI Systems support:

  • Action logs for all automated decisions

  • Decision traceability (why the system acted)

  • Escalation records (when and why humans were invoked)

  • Timestamps and user attribution

The audit scope and retention are defined for each engagement in the Order Form.

11. Human-in-the-Loop

Mitochondria systems are designed with explicit human oversight:

  • Defined thresholds for autonomous action

  • Escalation paths for uncertain or high-stakes decisions

  • Client control over which decisions require human approval

  • All escalations logged and reviewable

12. Termination and Kill Switches

  • Clients may request termination of processing at any time

  • Processing ceases immediately upon termination request

  • Access is revoked without delay

  • Mitochondria does not retain data except where explicitly agreed or required by law

  • Kill switches are built into all production deployments

13. Incident Response

In the event of a security incident affecting client data:

  • Clients are notified without undue delay

  • We support notification timelines required by applicable law, including the 72-hour requirement under EU GDPR and UK GDPR, and the timelines specified under the DPDP Act and the rules made thereunder for notification to the Data Protection Board of India and to affected Data Principals

  • Containment and remediation procedures are initiated immediately

  • Full cooperation in the investigation is provided, and a detailed incident report is delivered

14. Third-Party Integrations

Where Mitochondria’s AI Systems integrate with client systems or third-party services:

  • Client maintains accounts and credentials with third parties

  • Mitochondria processes data through client-authorised integrations only

  • No data sharing with unauthorised third parties

  • Client is responsible for compliance with third-party terms

15. Standards Alignment

Mitochondria aligns its controls with:

  • EU General Data Protection Regulation (GDPR)

  • UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018

  • India Digital Personal Data Protection Act, 2023 (DPDP Act)

  • ISO/IEC 27001:2022, to which Kutumbakam Ventures LLP is certified. Where Mitochondria Ventures B.V. is the contracting entity, the information security controls applicable to the engagement are inherited from this certification through intra-group data protection agreements

16. Policy Updates

This policy is reviewed annually and updated as necessary. Material changes are communicated to active clients.

17. Contact

For data governance queries, please contact us.