Legal

Data Processing Agreement

Effective: April 2026  ·  Incorporated into the Terms of Service

1 Overview

This Data Processing Agreement ("DPA") governs the processing of personal data by Mnemexa ("Processor") on behalf of the customer ("Controller") in connection with the Mnemexa API platform and services.

Mnemexa acts as a data processor when processing personal data that you, as the data controller, submit via the API. We process this data solely on your instructions and in accordance with applicable data protection law, including the GDPR and, where applicable, UK GDPR and other regional laws.

This DPA is incorporated into and forms part of the Mnemexa Terms of Service. By using Mnemexa, you agree to this DPA. For enterprise DPA execution, contact privacy@mnemexa.com.

2 Definitions

In this DPA, the following terms have the meaning given to them under applicable data protection law:

  • Personal Data — any information relating to an identified or identifiable natural person.
  • Processing — any operation performed on personal data, including storage, retrieval, and deletion.
  • Controller — the customer who determines the purposes and means of processing personal data.
  • Processor — Mnemexa, which processes personal data on behalf of the Controller.
  • Sub-processor — a third party engaged by Mnemexa to process personal data.
  • Data Subject — the individual to whom personal data relates.
  • Standard Contractual Clauses (SCCs) — the standard data protection clauses adopted by the European Commission.

3 Roles and Responsibilities

3.1 Customer as Controller

You are the data controller for all personal data you submit to the Mnemexa API. You are responsible for ensuring you have a lawful basis for processing, providing required notices to data subjects, and complying with your own data protection obligations under applicable law.

3.2 Mnemexa as Processor

Mnemexa processes personal data only on your documented instructions, as set out in this DPA and the Terms of Service. We will not process personal data for any purpose other than providing the services, unless required by applicable law.

4 Details of Processing

| Item | Details |
|---|---|
| Subject matter | Provision of the Mnemexa memory API platform |
| Duration | For the term of the customer's subscription |
| Nature of processing | Storage, retrieval, deduplication, importance scoring, and categorisation of memory entries |
| Purpose | Enabling AI agents to store and retrieve contextual memory on behalf of the Controller |
| Types of personal data | Any personal data contained in API payloads submitted by the Controller |
| Categories of data subjects | Customers, users, employees, or any individuals whose data the Controller submits via the API |

5 Processor Obligations

Mnemexa undertakes to:

  • Process personal data only on the Controller's documented instructions.
  • Ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations.
  • Implement and maintain appropriate technical and organisational security measures as described in Section 8.
  • Not engage sub-processors without prior authorisation (general authorisation granted per Section 6).
  • Assist the Controller in responding to data subject rights requests to the extent technically feasible.
  • Assist with security, breach notification, data protection impact assessments, and prior consultation obligations.
  • Delete or return all personal data upon termination of the services, as described in Section 10.
  • Provide all information necessary to demonstrate compliance with this DPA.

6 Sub-processors

The Controller provides general authorisation for Mnemexa to engage sub-processors. Mnemexa will inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. Current sub-processors include:

| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud infrastructure provider | Hosting, compute, and database services | EU / US |
| OpenAI | LLM processing for importance scoring, deduplication, and reasoning features | US |
| Paddle | Payment processing and billing | UK / US |

All sub-processors are bound by data processing terms offering an equivalent level of protection to this DPA.

7 International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA) or UK, Mnemexa will ensure the transfer is subject to appropriate safeguards, including Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by the European Commission, or equivalent mechanisms recognised under applicable law.

For enterprise customers requiring executed SCCs, contact privacy@mnemexa.com.

8 Security Measures

Mnemexa implements the following technical and organisational measures:

  • Encryption in transit: TLS 1.3 for all API communications.
  • Encryption at rest: AES-256 for all stored data.
  • Access controls: API key authentication, role-based access, least-privilege principles.
  • PII detection: Automated filters blocking passwords, API keys, credit card numbers, and SSNs before storage.
  • Infrastructure security: Regular vulnerability assessments, security monitoring, and patch management.
  • Personnel: Confidentiality obligations and security training for all staff with data access.
  • Incident response: Documented procedures for detecting, reporting, and responding to security incidents.

Full technical details are available at mnemexa.com/security.

9 Breach Notification

In the event of a personal data breach affecting your data, Mnemexa will notify you without undue delay and in any event within 72 hours of becoming aware of the breach, to the extent this is feasible. Notification will include:

  • A description of the nature of the breach, including categories and approximate number of data subjects and records concerned.
  • The contact details of our data protection contact.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach.

To report a potential security incident: security@mnemexa.com

10 Deletion and Return of Data

Upon termination or expiry of the services, Mnemexa will, at the Controller's election:

  • Delete all personal data within 30 days of termination; or
  • Return personal data in a machine-readable format (JSON) upon request made within 30 days of termination.

Billing records are retained for up to 7 years for legal and tax compliance. Anonymised usage metrics may be retained indefinitely.

11 Audit Rights

Mnemexa will provide all information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or a mandated auditor, subject to reasonable notice (minimum 30 days) and agreement on scope and confidentiality. Mnemexa may satisfy audit obligations by providing up-to-date third-party audit reports or certifications where available.

12 Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Mnemexa Terms of Service. Nothing in this DPA limits either party's liability for death or personal injury caused by negligence, or for fraud or fraudulent misrepresentation.

13 Contact

For all data protection enquiries, DPA execution requests, and data subject rights requests:

  • Privacy & DPA: privacy@mnemexa.com
  • Security Incidents: security@mnemexa.com