Data Governance Policy
Last Updated: January 2026
This policy describes how Mitochondria governs data at the architecture level, going beyond legal compliance alone. It reflects our commitment to client ownership, transparency, and responsible AI.
1. Governance Philosophy
Mitochondria designs agentic systems with:
Data minimisation
Client ownership by default
Explicit accountability at every layer
Auditability and traceability
Security by design
We believe governance is not a constraint on AI — it is what allows AI to operate in production.
2. Entities
This policy applies to services provided by:
Mitochondria Ventures B.V., Keizersgracht 391A, 1016 EJ Amsterdam, The Netherlands
Kutumbakam Ventures LLP, 1101, Nandan Probiz, Pune 411045, Maharashtra, India
The applicable contracting entity is specified in the relevant Order Form or Statement of Work.
3. Client Data Ownership
All client data remains the exclusive property of the client.
Mitochondria:
Does not aggregate client data across engagements
Does not reuse data across clients
Does not derive proprietary datasets from client inputs
Does not claim any rights to client data or outputs
Upon termination, client data remains in the client's systems. Mitochondria does not retain copies except where explicitly agreed in the Order Form or required by law.
4. Transient Processing Architecture
Data is processed in memory where feasible
No persistent storage by Mitochondria unless contractually required
No internal data mastering or replication
Client systems remain the source of truth
Security and operational logs may contain limited metadata for audit and compliance purposes
5. No Training on Client Data
Client data is never used to:
Train models
Fine-tune models
Improve shared intelligence across clients
Benchmark against other clients
ATP is model-agnostic and client-isolated. Each deployment operates independently.
6. Roles and Responsibilities
Client Role
Data Controller (EU GDPR, UK GDPR) / Data Fiduciary (DPDP Act)
Determines what data is processed and why
Responsible for consent collection, privacy notices, and lawful basis
Maintains compliance with applicable laws in their jurisdiction
Mitochondria Role
Data Processor (EU GDPR, UK GDPR, DPDP Act)
Processes data only according to client instructions
Implements technical and organisational security measures
Supports client compliance obligations
A Data Processing Addendum (DPA) is available upon request and forms part of the agreement for enterprise clients.
7. Intra-Group Processing
Mitochondria operates through two affiliated entities:
Mitochondria Ventures B.V. (Netherlands)
Kutumbakam Ventures LLP (India)
Where Mitochondria Ventures B.V. is the contracting entity, development, engineering, and operational support may be provided by Kutumbakam Ventures LLP.
In such cases:
Kutumbakam Ventures LLP acts as a sub-processor
Processing is governed by intra-group data protection agreements
EEA–India transfers are protected by EU Standard Contractual Clauses (SCCs)
UK–India transfers are protected by the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
Personnel are bound by equivalent confidentiality and security obligations
Access is granted on a need-to-know, role-based basis
Where Kutumbakam Ventures LLP is the contracting entity, all processing occurs within that entity unless otherwise specified in the Order Form.
8. Access Controls
Role-based access with least-privilege enforcement
Client-controlled credentials where applicable
Access reviewed periodically
Immediate revocation upon termination or personnel change
9. Encryption and Security
Encryption in transit (TLS 1.2 or higher)
Encryption at rest where storage is contractually required
Secure key management practices
No unencrypted transmission of client data
10. Auditability and Traceability
ATP supports:
Action logs for all automated decisions
Decision traceability (why the system acted)
Escalation records (when and why humans were invoked)
Timestamps and user attribution
Audit scope and retention are defined per engagement in the Order Form.
11. Human-in-the-Loop
Mitochondria systems are designed with explicit human oversight:
Defined thresholds for autonomous action
Escalation paths for uncertain or high-stakes decisions
Client control over which decisions require human approval
All escalations logged and reviewable
12. Termination and Kill Switches
Clients may request termination of processing at any time
Processing ceases immediately upon termination request
Access is revoked without delay
Mitochondria does not retain data except where explicitly agreed or required by law
Kill switches are built into all production deployments
13. Incident Response
In the event of a security incident affecting client data:
Clients are notified without undue delay after Mitochondria becomes aware of the incident
Where EU GDPR or UK GDPR applies, this supports the client's obligation as controller to notify the supervisory authority within 72 hours (Article 33); Mitochondria, as processor, notifies the client without undue delay and provides the information the client needs to make that notification
Containment and remediation procedures are initiated immediately
Full cooperation in investigation is provided
Detailed incident report is delivered
Regulatory notification obligations under EU GDPR, UK GDPR, and DPDP Act are supported
14. Third-Party Integrations
Where ATP integrates with client systems or third-party services:
Client maintains accounts and credentials with third parties
Mitochondria processes data through client-authorised integrations only
No data sharing with unauthorised third parties
Client is responsible for compliance with third-party terms
15. Standards Alignment
Mitochondria aligns its controls with:
EU General Data Protection Regulation (GDPR)
UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018
India Digital Personal Data Protection Act, 2023 (DPDP Act)
ISO/IEC 27001 principles
Formal certification may be pursued as part of enterprise readiness. Current status is available upon request.
16. Policy Updates
This policy is reviewed annually and updated as necessary. Material changes are communicated to active clients.
17. Contact
For data governance queries, please contact us.