Data Protection Agreement

Effective date: May 21, 2026

This Data Protection Agreement ("DPA") forms part of the Terms of Service between Memo Labs, Inc. ("Memo," "Processor," "we," "us," or "our") and the customer ("Controller," "you," or "your") who has subscribed to Memo's services. This DPA governs the processing of Personal Data that you provide to us or that we collect on your behalf through the Memo platform.

By using the Memo platform, you enter into this DPA on behalf of yourself and, to the extent required under applicable data protection laws, in the name and on behalf of your authorized affiliates. This DPA is effective as of the date you first connect a data source or begin using the Memo services.

1. Definitions

Capitalized terms not defined in this DPA have the meanings given in the Terms of Service. For purposes of this DPA:

"Controller" means the entity that determines the purposes and means of the processing of Personal Data; in this context, you, the Memo customer.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Memo on behalf of the Controller under the Terms of Service and this DPA.

"Processing" means any operation performed on Personal Data, whether or not by automated means, including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

"Processor" means the entity that processes Personal Data on behalf of the Controller; in this context, Memo Labs, Inc.

"Sub-processor" means any third party engaged by Memo to process Personal Data on behalf of the Controller.

"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including but not limited to the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and any other applicable data protection or privacy legislation.

2. Scope and Purpose of Processing

Memo processes Personal Data solely for the purpose of providing, maintaining, and improving the Memo platform and related services as described in the Terms of Service ("the Services"). The processing activities include:

  • Analyzing e-commerce store performance, traffic, and customer behavior data to generate insights, recommendations, and automated optimizations
  • Processing advertising platform metrics (Meta Ads, Google Ads) to manage and optimize paid media campaigns
  • Processing customer interaction data to optimize conversion rates, SEO performance, and retention strategies
  • Storing and retrieving configuration data, brand preferences, and integration credentials as directed by the Controller
  • Providing customer support, troubleshooting, and platform maintenance

Memo shall not process Personal Data for any other purpose without the Controller's documented instructions, unless required by applicable law.

3. Nature and Categories of Personal Data

The categories of Personal Data processed by Memo depend on the third-party platforms and data sources the Controller chooses to connect. They may include:

Category | Examples
Account and contact data | Name, email address, company name, and billing information of Controller's authorized users
E-commerce store data | Order information, product catalog data, inventory levels, revenue figures, and transaction metadata from connected Shopify stores
Advertising performance data | Campaign metrics, ad spend, impressions, clicks, conversions, and audience data from connected Meta Ads and Google Ads accounts
Website analytics data | Traffic data, session recordings, conversion events, user behavior patterns, and aggregated visitor statistics from connected analytics platforms
Customer interaction data | Email engagement metrics, support ticket information, and CRM data from connected marketing and support platforms
Technical data | IP addresses, browser type, device information, access logs, and API request metadata generated through use of the Services

Memo does not intentionally collect or process sensitive or special categories of Personal Data (as defined under GDPR Article 9) on behalf of the Controller. The Controller agrees not to submit any such data to the Memo platform.

4. Categories of Data Subjects

The Data Subjects whose Personal Data may be processed under this DPA include:

  • Controller's end customers who visit the Controller's e-commerce store
  • Controller's employees, contractors, and authorized users of the Memo platform
  • Visitors to the Controller's website and online properties
  • Recipients of the Controller's marketing communications

5. Duration of Processing

Memo processes Personal Data for the duration of the Controller's subscription to the Services. Upon termination or expiration of the subscription, Memo will delete or return all Personal Data in accordance with Section 11 (Data Deletion and Return) of this DPA, unless retention is required by applicable law.

6. Processor Obligations

Memo shall:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law. In such case, Memo shall inform the Controller of that legal requirement before processing, unless prohibited by law on important grounds of public interest.
  • Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 9 of this DPA.
  • Respect the conditions for engaging Sub-processors as set out in Section 7 of this DPA.
  • Assist the Controller, insofar as possible and taking into account the nature of the processing, by appropriate technical and organizational measures, for the fulfillment of the Controller's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law.
  • Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Memo.
  • Notify the Controller without undue delay after becoming aware of a Personal Data breach affecting Controller's data, as described in Section 10.

7. Sub-processors

The Controller provides general written authorization for Memo to engage Sub-processors to support the delivery of the Services. Memo maintains a current list of its Sub-processors, which is available upon request at [email protected]. Current Sub-processors include:

Sub-processor | Purpose | Location
PocketHost (PocketBase) | Database hosting and authentication | United States
Hetzner | Cloud infrastructure hosting (VPS) | Germany / Finland
Cloudflare | Content delivery, DNS, and DDoS protection | Global (including United States and EU)
Google Analytics | Website analytics (marketing site only) | United States
GitHub (Microsoft) | Source code hosting and CI/CD | United States

Memo will inform the Controller of any intended changes concerning the addition or replacement of Sub-processors by updating this DPA and providing email notice to the Controller's registered contact address. The Controller may object to a new Sub-processor within fourteen (14) calendar days of such notice on reasonable data protection grounds. If the objection cannot be resolved, either party may terminate the affected Services without penalty.

Where Memo engages a Sub-processor, Memo shall enter into a written contract with the Sub-processor imposing data protection obligations that are no less protective than those set out in this DPA. Memo remains fully liable to the Controller for the performance of its Sub-processors' obligations.

8. International Data Transfers

Memo processes and stores Personal Data primarily in the United States and the European Union (Germany and Finland, via Hetzner infrastructure). Where Personal Data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to a country not recognized as providing an adequate level of data protection, Memo shall ensure that appropriate safeguards are in place in accordance with Applicable Data Protection Law, including:

  • EU Standard Contractual Clauses (SCCs) as adopted by the European Commission
  • The UK International Data Transfer Agreement or UK Addendum to the EU SCCs, as applicable
  • Any other transfer mechanism recognized under Applicable Data Protection Law

Upon request, Memo will provide the Controller with a copy of the relevant transfer mechanism or safeguards.

9. Technical and Organizational Measures

Memo implements and maintains the following technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access:

9.1 Access Control

  • Role-based access control (RBAC) with principle of least privilege
  • Multi-factor authentication for administrative access to production systems
  • Unique user accounts with strong password policies; no shared accounts
  • Regular access reviews and prompt revocation upon role change or departure

9.2 Encryption

  • Encryption in transit: TLS 1.2+ for all data transmitted over public networks
  • Encryption at rest: AES-256 encryption for stored data where technically supported by infrastructure providers
  • API keys, tokens, and credentials encrypted at rest and never logged or exposed in plaintext

9.3 Network Security

  • Firewall rules restricting access to production servers to necessary ports and services only
  • DDoS protection via Cloudflare
  • Regular security patch management for all operating systems and dependencies
  • Network segmentation between production and development environments

9.4 Data Minimization and Segregation

  • Per-tenant data isolation at the application layer
  • Data minimization: only data necessary for the Services is collected and processed
  • Automated data deletion upon account termination in accordance with retention policies

9.5 Organizational Measures

  • Employee confidentiality agreements covering data protection obligations
  • Regular security awareness training for personnel with access to production systems
  • Incident response plan with defined escalation procedures
  • Vendor security assessments before engaging Sub-processors

10. Data Breach Notification

Memo shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Controller's Personal Data. The notification shall:

  • Describe the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records concerned
  • Communicate the name and contact details of Memo's point of contact for further information
  • Describe the likely consequences of the breach
  • Describe the measures taken or proposed to be taken by Memo to address the breach, including measures to mitigate its possible adverse effects

Where it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay.

11. Data Deletion and Return

Upon termination or expiration of the Services, and at the Controller's choice (expressed in writing within 30 days of termination), Memo shall either delete or return all Personal Data processed on behalf of the Controller. Memo shall also delete existing copies unless retention is required by applicable law. Deletion shall occur within 90 days of termination.

The Controller acknowledges that certain data may persist in encrypted backups for a limited period (not exceeding 90 days) in accordance with Memo's backup rotation policy, after which it is permanently destroyed.

12. Audit Rights

Upon the Controller's written request and no more than once per calendar year, Memo shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Law. This may be satisfied by providing:

  • A summary of Memo's security controls and certifications
  • Copies of relevant third-party audit reports (where applicable)
  • Written responses to a reasonable security questionnaire

Where the information provided is insufficient to demonstrate compliance, the Controller may request an on-site audit at its own expense, conducted by a mutually agreed-upon independent auditor, subject to reasonable notice (minimum 30 days) and during normal business hours. Audits shall not unreasonably disrupt Memo's operations.

13. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability set forth in the Terms of Service. Notwithstanding the foregoing, nothing in this DPA limits either party's liability for data breaches resulting from that party's gross negligence or willful misconduct, or to the extent such limitation is prohibited by Applicable Data Protection Law.

14. Relationship with Terms of Service

This DPA supplements and forms an integral part of the Terms of Service. In the event of any conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA shall prevail. Except as expressly modified by this DPA, the Terms of Service remain in full force and effect.

15. Governing Law

This DPA shall be governed by the laws of the State of Delaware, United States, without regard to its conflict of law provisions. Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms of Service.

16. Contact

For questions about this DPA or to exercise any rights under it, please contact Memo at [email protected].