This Data Processing Agreement (“DPA”) forms part of the Terms of Service between MemoryCrow and the customer (“Customer”) and applies where MemoryCrow processes personal data on the Customer’s behalf in providing the Service. If your organization requires a countersigned copy, contact team@memorycrow.com.
1. Roles of the parties
For personal data the Customer adds to, or generates within, the Service, the Customer is the controller and MemoryCrow is the processor. For billing, our merchant of record Kelviq acts as an independent controller of payment data.
2. Scope and instructions
MemoryCrow processes personal data only to provide the Service and on the Customer’s documented instructions, including as set out in the Terms, this DPA, and the Customer’s configuration of the Service. We will inform the Customer if, in our opinion, an instruction infringes applicable data-protection law.
3. Confidentiality
We ensure that personnel authorized to process personal data are bound by appropriate confidentiality obligations.
4. Security
We implement appropriate technical and organizational measures, including encryption in transit and at rest, tenant isolation, permission-scoped access enforced at retrieval, least-privilege controls, and audit logging of sensitive operations. Restricted knowledge is never widened through synthesis.
5. Sub-processing
The Customer authorizes MemoryCrow to engage sub-processors to process personal data. A current list is maintained at Sub-processors. We bind each sub-processor by written terms no less protective than this DPA, remain responsible for their performance, and give the Customer prior notice of new sub-processors with a reasonable opportunity to object.
6. International transfers
Where personal data is transferred across borders, we rely on appropriate safeguards, such as the EU Standard Contractual Clauses or an equivalent transfer mechanism.
7. Data subject requests
Taking into account the nature of the processing, we assist the Customer with appropriate technical and organizational measures to respond to data subject requests (access, correction, deletion, portability, restriction, and objection). The Service also provides self-serve forget and erase tools.
8. Personal data breach
We notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s data, with the information reasonably available to us.
9. Deletion and return
On termination, we delete or return Customer personal data within a commercially reasonable period, except where retention is required by law. Forget is reversible; erase is permanent and logged for compliance.
10. Audits
We make available the information necessary to demonstrate compliance, including third-party audit reports (such as SOC 2, when available), and allow audits subject to reasonable confidentiality and scheduling.
11. Liability
Liability under this DPA is subject to the limitations of liability set out in the Terms of Service.
Annex — Details of processing
- Subject matter: provision of the MemoryCrow memory layer.
- Duration: the term of the agreement between the parties.
- Nature and purpose: storing, organizing, synthesizing, and recalling Customer knowledge with permission controls and citations.
- Categories of data subjects: the Customer’s workspace members and any individuals referenced in the content the Customer adds.
- Categories of personal data: account and contact details, and the content and knowledge the Customer adds to memory, which may include personal data the Customer chooses to include.
- Special categories: not intended. The Customer should not add special-category data unless it is properly authorized to do so.