Data processing addendum DPA

Last modified: Aug 16, 2025

Parties: Team Memory LLC (“Processor”) and the customer identified in an order form or service agreement (“Controller”).

1) Scope & Instructions

Processor processes personal data only on documented instructions from Controller to provide the Service (including ingesting authorized Slack/Teams data and generating Q&A artifacts) and as required by law.

2) Security

Processor implements appropriate technical and organizational measures (encryption in transit, access controls, backups, monitoring). Processor will ensure personnel with access to personal data are bound by confidentiality obligations.

3) Subprocessors

Controller authorizes Processor to use subprocessors. Current subprocessors include:

  • DigitalOcean/Laravel Forge (hosting/ops)
  • Stripe (payments), SendGrid (email),
  • Google Analytics &
  • Mixpanel (analytics),
  • Sentry (error logging),
  • OpenAI & Hugging Face (AI processing),
  • and other vendors reasonably necessary to provide the Service.

Processor will flow down equivalent protections and will notify Controller of material changes via the Service or email.

4) Assistance

Processor will assist Controller with reasonable requests to fulfill data subject rights and with security and compliance obligations, taking into account the nature of processing.

5) Breach Notification

Processor will notify Controller without undue delay after becoming aware of a personal data breach affecting Controller data.

6) International Transfers

Where applicable, Processor enters SCCs with non‑EEA subprocessors and implements additional safeguards as needed.

7) Return/Deletion

Upon termination, Processor will delete or return personal data in its possession, subject to legal retention obligations and standard backup cycles.

8) Audits

Upon reasonable advance notice, Processor will make available information necessary to demonstrate compliance and, where required, allow for audits under confidentiality.

9) Liability

Each party’s liability under this DPA is limited as set forth in the Terms, subject to mandatory law.