Data Processing Agreement
Effective Date: [DRAFT — Date TBD]
This Data Processing Agreement ("DPA") supplements the Terms of Service between the Customer ("Data Controller") and EquityMultiple, Inc. ("Data Processor" or "Memosa") and governs the processing of personal data by Memosa on behalf of the Customer.
1. Scope
This DPA applies to all personal data processed by Memosa in connection with providing the Memosa platform services as described in the Terms of Service.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data, including collection, storage, analysis, and deletion
- Sub-Processor: A third party engaged by Memosa to process personal data on behalf of the Customer
- Data Subject: An individual whose personal data is processed
3. Processing Details
| Attribute | Description |
|---|---|
| Nature of processing | Document analysis, memo generation, collaboration features |
| Purpose | Providing the Memosa platform services |
| Categories of data subjects | Customer employees, deal counterparties mentioned in documents |
| Types of personal data | Names, email addresses, professional roles, contact information contained in uploaded documents |
| Duration | For the term of the service agreement plus data retention period |
4. Processor Obligations
Memosa shall:
- Process personal data only on documented instructions from the Customer
- Ensure that persons authorized to process personal data have committed to confidentiality
- Implement appropriate technical and organizational security measures
- Assist the Customer in ensuring compliance with data protection obligations
- Delete or return all personal data upon termination, at the Customer's choice
- Make available to the Customer all information necessary to demonstrate compliance
5. Sub-Processors
Memosa engages the following categories of sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Railway (AWS) | Application hosting and infrastructure | United States |
| Pinecone | Vector database for document search | United States (AWS us-west-2) |
| OpenAI | AI model inference for document analysis | United States |
| Anthropic | AI model inference for quality-critical analysis | United States |
| Resend | Transactional email delivery | United States |
Memosa will inform the Customer of any intended changes to sub-processors, providing the Customer an opportunity to object.
6. International Data Transfers
All processing currently occurs within the United States. If data transfers to other jurisdictions become necessary, Memosa will ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses).
7. Data Subject Rights
Memosa will assist the Customer in responding to data subject requests for access, rectification, erasure, restriction, portability, or objection within the timeframes required by applicable law.
8. Security Measures
Memosa implements the security measures described on our Security page, including encryption, access controls, data isolation, and monitoring. These measures are reviewed and updated regularly.
9. Data Breach Notification
In the event of a personal data breach, Memosa will:
- Notify the Customer without undue delay and in any event within 48 hours of becoming aware
- Provide details of the nature of the breach, categories and approximate number of affected records, and measures taken to address the breach
- Cooperate with the Customer in investigating and mitigating the breach
10. Term and Termination
This DPA is effective for the duration of the service agreement. Upon termination, Memosa will delete or return all personal data within 30 days, unless retention is required by applicable law.
11. Contact
For DPA inquiries or to request a countersigned copy:
- Email: legal@memosa.io
- EquityMultiple, Inc.
- [Address TBD]