MemNexus Data Processing Agreement
Document ID: LEGAL-002 | Last updated: 2026-04-08 | Status: DRAFT -- Pending legal review
STATUS: DRAFT -- Pending legal review. This template is not yet finalized for customer execution. Contact [email protected] for enterprise agreements.
This Data Processing Agreement ("DPA") is entered into between:
- Controller: [CUSTOMER NAME] ("Customer"), the entity identified in the Master Service Agreement; and
- Processor: MemNexus ("Processor"), providing the MemNexus AI memory management platform.
This DPA is incorporated by reference into the Master Service Agreement (see master-service-agreement-template.md, LEGAL-001) between Customer and MemNexus (the "Agreement") and supplements the Agreement with respect to the processing of Personal Data.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Service.
"Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, and destruction.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Data Protection Laws" means all applicable data protection and privacy laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and any applicable national implementing legislation.
"Standard Contractual Clauses" ("SCCs") means the standard contractual clauses for the transfer of personal data approved by the European Commission, as applicable.
"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Subject Matter and Scope of Processing
2.1 Subject Matter
This DPA governs the Processor's processing of Personal Data in connection with the MemNexus Service, as described in the Agreement.
2.2 Duration
Processing will continue for the duration of the Agreement plus the data export period following termination (see Section 10).
2.3 Nature and Purpose of Processing
The Processor processes Personal Data for the following purposes:
- Providing the MemNexus AI memory management platform, including storage, retrieval, and search of Customer Data
- Generating AI-based knowledge extractions (entities, facts, patterns, topics) from Customer-submitted content
- Generating vector embeddings for semantic search functionality
- User authentication and session management
- Billing and subscription management
- Audit logging for security and compliance
2.4 Type of Personal Data
Personal Data processed may include:
| Category | Examples |
|---|---|
| User identity data | Name, email address, profile picture URL |
| Authentication data | SSO tokens, session identifiers (managed by WorkOS; passwords are never stored by MemNexus) |
| User-generated content | Memory content, which may contain Personal Data at the user's discretion |
| AI-extracted data | Entity names, facts, patterns, and topics extracted from user-generated content |
| Usage metadata | IP addresses, API request logs, timestamps |
| Billing data | Email address, subscription status (payment details managed by Stripe) |
2.5 Categories of Data Subjects
- Authorized Users of the Customer's MemNexus organization
- Individuals whose Personal Data may be included in memory content submitted by Authorized Users
3. Obligations of the Processor
3.1 Processing on Instructions
The Processor will process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. The Agreement and this DPA constitute the Controller's initial instructions. Additional instructions must be agreed in writing.
If the Processor believes an instruction from the Controller infringes Data Protection Laws, the Processor will promptly inform the Controller.
3.2 Confidentiality
The Processor will ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.
3.3 Security Measures
The Processor will implement and maintain appropriate technical and organizational measures to protect Personal Data, as described in Annex B and in the MemNexus Security Practices document (see security-practices.md).
Current security measures include:
- Field-level AES-256-GCM-SIV encryption at rest (13 of 14 sensitive field types)
- Per-user Data Encryption Keys (DEKs) with envelope encryption
- Azure Key Vault for key management in production
- TLS 1.2+ for all data in transit (TLS 1.3 for third-party API calls)
- RBAC with organization-level roles (Owner, Admin, Member)
- API key authentication with HMAC-SHA256 hashing
- SSO support (SAML 2.0, OIDC) via WorkOS
- Append-only audit logging
- Input validation (Zod schema validation) on all API endpoints
- Cross-tenant data isolation at the repository layer
3.4 Sub-processor Management
The Processor will not engage a new Sub-processor without providing the Controller at least 30 days' prior written notice, including the identity of the Sub-processor, its processing purpose, and its location.
The current list of Sub-processors is published at subprocessors.md.
The Controller may object to a new Sub-processor within [30] days of receiving notice. If the Controller objects and the parties cannot resolve the objection, the Controller may terminate the affected Service by providing written notice.
The Processor will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA. The Processor remains liable for its Sub-processors' compliance.
3.5 Assistance with Data Subject Rights
The Processor will provide reasonable assistance to the Controller in responding to Data Subject requests to exercise their rights under Data Protection Laws. The following table describes the current capabilities available:
| Right | MemNexus Capability |
|---|---|
| Right of Access (Art. 15) | Self-service data export via GET /api/users/me/export and customer portal |
| Right to Rectification (Art. 16) | Users can edit their memories and profile data via the API and portal |
| Right to Erasure (Art. 17) | Self-service account deletion with complete data erasure (see data-retention-policy.md) |
| Right to Data Portability (Art. 20) | JSON data export via API and portal |
| Right to Restriction of Processing (Art. 18) | Currently handled via manual support process (contact [email protected]). Automated capability planned. |
| Right to Object (Art. 21) | Currently handled via manual support process (contact [email protected]). Automated capability planned. |
3.6 Assistance with Compliance
The Processor will assist the Controller, at the Controller's cost, in ensuring compliance with the Controller's obligations under Articles 32 to 36 of the GDPR, including:
- Security of processing (Article 32)
- Notification of Security Incidents to the supervisory authority (Article 33)
- Communication of Security Incidents to Data Subjects (Article 34)
- Data protection impact assessments (Article 35)
- Prior consultation with supervisory authorities (Article 36)
4. Security Incident Notification
4.1 Notification Timeline
The Processor will notify the Controller of any Security Incident without undue delay and in any event within 72 hours of becoming aware of the incident, in accordance with GDPR Article 33 and the MemNexus Incident Response Plan (see incident-response-plan.md, OPS-003).
4.2 Notification Content
The notification will include, to the extent available:
- Description of the nature of the Security Incident, including categories and approximate number of Data Subjects affected
- Name and contact details of the Processor's point of contact
- Description of the likely consequences of the Security Incident
- Description of measures taken or proposed to address the Security Incident and mitigate its effects
4.3 Cooperation
The Processor will cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident.
4.4 Record Keeping
The Processor will maintain a record of all Security Incidents, including their effects and remedial actions taken.
5. Data Transfers
5.1 Processing Location
Personal Data is processed in the United States (Azure US East 2 region). All current Sub-processors are located in the United States (see subprocessors.md).
5.2 Transfer Mechanisms
For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, the parties rely on [APPLICABLE TRANSFER MECHANISM TO BE DETERMINED]:
- [ ] Standard Contractual Clauses (SCCs) -- Module Two (Controller to Processor), as approved by the European Commission
- [ ] EU-U.S. Data Privacy Framework certification
- [ ] [OTHER MECHANISM]
5.3 Standard Contractual Clauses
If SCCs are the applicable transfer mechanism, the SCCs are incorporated by reference into this DPA as Annex C. The following applies:
- Module Two (Controller to Processor) applies to the transfer of Personal Data from the Controller to the Processor.
- The governing law of the SCCs is [GOVERNING LAW OF EU MEMBER STATE].
- Disputes will be resolved before the courts of [JURISDICTION].
5.4 Transfer Impact Assessment
The Processor has assessed the laws and practices of the United States regarding government access to Personal Data and has implemented supplementary measures (encryption at rest and in transit, access controls, audit logging) to ensure an essentially equivalent level of protection.
6. Audits
6.1 Information for Audits
The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and the obligations under Article 28 of the GDPR.
6.2 Audit Rights
The Controller (or a qualified third-party auditor appointed by the Controller) may conduct audits of the Processor's processing activities, subject to the following:
- Audits will be conducted no more than [ONCE PER YEAR] unless a Security Incident or regulatory requirement necessitates an additional audit.
- The Controller will provide at least [30] days' written notice before an audit.
- Audits will be conducted during normal business hours and will not unreasonably disrupt the Processor's operations.
- The Controller will bear the costs of the audit.
- The auditor will be bound by confidentiality obligations.
6.3 Compliance Reports
As an alternative to an on-site audit, the Processor may provide the Controller with relevant compliance reports, certifications, or third-party audit results (e.g., SOC 2 report, when available) that demonstrate compliance with this DPA.
7. Data Protection Impact Assessment
The Processor will provide reasonable assistance to the Controller in conducting data protection impact assessments (DPIAs) related to the Controller's use of the Service, to the extent required under Article 35 of the GDPR.
8. Data Protection Officer
[PROCESSOR DPO DETAILS TO BE DETERMINED WHEN APPOINTED]
The Controller may contact the Processor regarding data protection matters at: [email protected]
9. Liability
Liability under this DPA is subject to the limitations set forth in the Agreement (see master-service-agreement-template.md, LEGAL-001, Section 9).
10. Deletion or Return of Data on Termination
10.1 Export Period
Upon termination or expiration of the Agreement, the Controller may export all Personal Data for [30] days using the self-service data export functionality (see data-retention-policy.md, Section 5).
10.2 Deletion
After the export period, the Processor will delete all Personal Data in accordance with the Data Retention and Deletion Policy (see data-retention-policy.md):
- All user data is permanently deleted (memories, entities, facts, topics, patterns, conversations, API keys, user profile)
- External service data is deleted (WorkOS authentication, Stripe billing)
- Per-user Data Encryption Keys (DEKs) are deleted, rendering any residual ciphertext in backups unrecoverable
- A pseudonymized audit record with SHA-256 hashed identifiers (non-reversible) is retained for compliance purposes
10.3 Certification
Upon request, the Processor will provide written certification that Personal Data has been deleted in accordance with this Section.
11. Term
This DPA is effective as of the Effective Date of the Agreement and remains in effect for as long as the Processor processes Personal Data on behalf of the Controller.
Annex A -- Details of Processing
| Item | Description |
|---|---|
| Subject matter | Processing of Personal Data in connection with the MemNexus AI memory management platform |
| Duration | Duration of the Agreement plus data export period |
| Nature of processing | Storage, retrieval, search, AI-based extraction, embedding generation, authentication, billing |
| Purpose of processing | Provision of the MemNexus Service as described in the Agreement |
| Categories of Data Subjects | Customer's Authorized Users; individuals referenced in memory content |
| Types of Personal Data | User identity data, authentication metadata, user-generated content, AI-extracted data, usage metadata, billing data |
| Sensitive data | None by default. Customer may submit sensitive data in memory content at their own discretion and risk. |
Annex B -- Technical and Organizational Measures
The Processor implements the following measures, as described in detail in security-practices.md:
| Category | Measures |
|---|---|
| Encryption at rest | AES-256-GCM-SIV field-level encryption (13 of 14 sensitive field types). Per-user DEKs with envelope encryption. Azure Key Vault for KEK management. |
| Encryption in transit | TLS 1.2+ on all external connections. TLS 1.3 for third-party API calls. HSTS enabled. |
| Access control | RBAC with 3 roles (Owner, Admin, Member). API key authentication with HMAC-SHA256 hashing. SSO (SAML 2.0, OIDC) via WorkOS. |
| Data isolation | All queries scoped by userId/organizationId at the repository layer. Cross-tenant access prevented at the application level. |
| Audit logging | Append-only, immutable audit trail for authentication events, API key management, and account lifecycle events. |
| Input validation | Zod schema validation on all API inputs. |
| Development practices | PR-based code review, automated CI/CD, automated testing. |
| Infrastructure | Azure Kubernetes Service (AKS) in US East 2. Private container registry. Azure managed disk encryption (SSE-256). |
| Monitoring | Application and infrastructure monitoring with configurable alerting. |
| Incident response | Documented incident response plan (OPS-003) with severity classification, response procedures, and post-incident review. |
Annex C -- Standard Contractual Clauses
[IF APPLICABLE: The Standard Contractual Clauses (Module Two -- Controller to Processor) as approved by European Commission Implementing Decision (EU) 2021/914 are incorporated by reference. The completed Annexes to the SCCs correspond to the information in Annex A and Annex B of this DPA.]
[APPLICABLE SCCs TO BE ATTACHED UPON LEGAL REVIEW]
Signatures
| | Controller (Customer) | Processor (MemNexus) |
|---|---|---|
| Name | [NAME] | [NAME] |
| Title | [TITLE] | [TITLE] |
| Date | [DATE] | [DATE] |
| Signature | _________________________ | _________________________ |
Contact: [email protected] | [email protected]