Mnemos AI

Data processing addendum

Effective May 1, 2026

This Data Processing Addendum (DPA) forms part of the agreement between Mnemos AI, Inc. (Mnemos) and the customer organization (Customer) under which Mnemos processes personal data on Customer's behalf. It reflects the parties' obligations under GDPR, UK GDPR, the California Consumer Privacy Act, and similar data protection laws.

1. Roles and scope

Customer is the controller (or processor) of personal data submitted to the Mnemos service. Mnemos is the processor (or sub-processor) and processes personal data only on the documented instructions of Customer, including instructions reflected in the parties' agreement and any configured product settings.

This DPA applies to personal data Mnemos processes on behalf of Customer as part of providing the service. It does not apply to information Mnemos processes as a controller (for example, marketing communications with Customer's personnel); that processing is described in our privacy policy at /legal/privacy.

2. Subject matter and duration

Subject matter: provision of the Mnemos service, including AI interview capture, knowledge graph storage and retrieval, AI search, and SOP generation. Duration: for the term of Customer's subscription plus any post-term period required to delete or return personal data as set out below.

Nature and purpose: hosting, storing, retrieving, analyzing, transmitting, and otherwise processing personal data to provide the service.

3. Categories of data subjects and personal data

Data subjects: Customer's employees, contractors, partners, and any other individuals whose personal data Customer chooses to include in Customer Data.

Categories of personal data: identifiers, contact information, employment information, voice recordings and transcripts, system and integration metadata, and any additional categories Customer chooses to include. Customer is responsible for the choice of categories.

4. Processor obligations

Mnemos will: process personal data only on Customer's documented instructions; ensure persons authorized to process personal data are under a duty of confidentiality; implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk; and assist Customer in responding to data subject requests and in meeting GDPR security, impact assessment, and breach obligations.

Mnemos will notify Customer of a personal data breach affecting Customer Data without undue delay and in any event within 72 hours of becoming aware of the breach, providing the information required for Customer to meet its notification obligations.

5. Sub-processors

Customer authorizes Mnemos to engage sub-processors to provide the service. The current list of sub-processors is maintained at /trust. Mnemos will provide Customer with notice of any new sub-processor or material change at least 30 days before that change takes effect.

Customer may object to a new sub-processor on reasonable data protection grounds during that 30-day notice period. If the objection cannot be resolved, Customer may terminate the affected service for the impacted workspace as Customer's sole remedy.

Mnemos remains liable for the acts and omissions of its sub-processors as if performed by Mnemos.

6. International transfers

Where Mnemos transfers personal data outside the European Economic Area, the United Kingdom, or Switzerland to a country not recognized as providing an adequate level of protection, Mnemos will rely on the Standard Contractual Clauses adopted by the European Commission (and the UK addendum where applicable), incorporated by reference into this DPA, and will implement supplementary measures appropriate to the transfer.

Enterprise Customers may elect region pinning (US-East, US-West, or EU-West). Where elected, Mnemos will not store Customer Data outside the elected region except as strictly necessary to deliver the service and only with Customer's prior written authorization.

7. Security measures

Mnemos implements and maintains the security measures described at /security and in our SOC 2 Type II report, including: encryption in transit and at rest, tenant isolation via row-level security, ACL inheritance from source systems, customer-managed keys (on Enterprise), permission-aware AI retrieval, comprehensive audit logging, and regular independent penetration testing.

Mnemos will not materially decrease the overall security of the service during the term of Customer's subscription.

8. Data subject rights

Mnemos will, taking into account the nature of the processing, provide reasonable assistance to enable Customer to respond to requests from data subjects to exercise their rights under applicable data protection law. Mnemos provides admin tooling to support these requests where the requested data is within the service.

Mnemos will promptly notify Customer of any data subject request received directly by Mnemos and not respond to the data subject except as required by law or as instructed by Customer.

9. Audits

Customer may audit Mnemos's compliance with this DPA on reasonable prior notice, no more than once per year except in cases of legitimate cause. To minimize disruption, Mnemos will first make available its SOC 2 Type II report, penetration test letters of attestation, and standardized questionnaire responses, which will satisfy the audit obligation for most Customers.

10. Return or deletion of personal data

At Customer's choice, on termination of the subscription, Mnemos will return or delete Customer Data within 30 days, except where retention is required by applicable law. Customer can export Customer Data using the admin export at any time during the term.

11. Liability

Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the underlying agreement. Nothing in this DPA limits a data subject's rights or remedies under applicable law.

12. California Consumer Privacy Act

Where the CCPA applies, the parties acknowledge that Mnemos is a service provider with respect to Customer Data and will not: sell or share personal information; retain, use, or disclose personal information for any purpose other than the specific purpose of performing the service; or combine personal information received from Customer with personal information from other sources except as expressly permitted by the CCPA.

13. Conflict

In the event of a conflict between this DPA and the underlying agreement, this DPA prevails to the extent of the conflict on matters of data protection.