Data Processing Agreement (DPA)

Standard Data Processing Agreement according to Art. 28 GDPR

Version: 2.2.0 | Date: July 15, 2025 | Effective: Immediately


🚀 Create Your DPA in 2 Minutes

Create your individual Data Processing Agreement online:

DPA Generator

Fill out a short form and download your customized DPA as PDF. Then send the signed document to [email protected].

Preamble

This Data Processing Agreement (DPA) governs the processing of personal data by Memoro GmbH as a processor on behalf of the customer (controller) in accordance with Art. 28 of the General Data Protection Regulation (GDPR).


1. Subject Matter and Scope

1.1 Subject Matter

This DPA regulates the rights and obligations of the contracting parties in connection with the processing of personal data by Memoro as a processor.

1.2 Scope of Application

This agreement applies to all activities where Memoro processes personal data on behalf of the customer. This includes in particular:

  • The provision and use of the Memoro App
  • The processing of voice recordings and their transcription
  • The creation of AI-generated summaries (Memories)
  • The storage and management of user data

2. Responsible Parties

2.1 Controller (Data Controller)

Customer/User of Memoro Services (Company name and contact details are individually recorded at contract conclusion)

2.2 Processor (Data Processor)

Memoro GmbH, Münzgasse 19, 78462 Konstanz, Germany
Phone: +49 176 444 343 85
Email: [email protected]
Managing Director: Till Schneider

3. Nature and Purpose of Processing

3.1 Type of Processing

Memoro processes the following types of personal data:

  • Voice Recordings: Audio files from meetings, notes, conversations
  • Transcriptions: Textual conversion of voice recordings
  • Metadata: Timestamps, device information, language
  • User Data: Email address, name, usage data
  • AI Analyses: Summaries, task lists, insights

3.2 Purpose of Processing

Processing is carried out exclusively for the following purposes:

  • Transcription of voice recordings
  • AI-assisted analysis and summarization
  • Provision of app functionalities
  • Storage and management of user data
  • Technical support and error analysis

3.3 Categories of Data Subjects

  • Users of the Memoro App (customers)
  • Persons mentioned or recorded in voice recordings
  • Members of team workspaces (Spaces)

4. Duration of Processing

Processing takes place for the duration of the customer’s use of Memoro services and for the legally required retention periods.

5. Obligations of the Processor

5.1 Processing According to Instructions

Memoro processes personal data exclusively on documented instructions from the customer. Instructions are given through:

  • Use of app functions by the customer
  • Settings and configurations in the app
  • Written instructions via email to [email protected]

5.2 Confidentiality

All Memoro employees with access to personal data are bound to confidentiality and have received appropriate training.

5.3 Technical and Organizational Measures (TOMs)

Memoro implements comprehensive technical and organizational measures according to Art. 32 GDPR:

Encryption:

  • TLS 1.3 for data transmission
  • AES-256 for data storage
  • End-to-end encryption for sensitive data

Access Control:

  • Role-based access management (RBAC)
  • Two-factor authentication (2FA)
  • Automatic session timeouts

Infrastructure:

  • EU servers (primarily Frankfurt, Germany)
  • ISO 27001 certified data centers
  • Regular security audits

Data Backup:

  • Daily automatic backups
  • Geo-redundant storage
  • Point-in-time recovery

Complete Documentation:

Detailed TOMs are available:

Download TOMs PDF (Version 2.4)

5.4 Support for the Customer

Memoro supports the customer with:

  • Compliance with GDPR obligations
  • Responding to data subject requests
  • Data protection impact assessments
  • Reporting data breaches

6. Sub-processors

6.1 Approved Sub-processors

The customer consents to the engagement of the following sub-processors:

| Company | Purpose | Location | Guarantees |
|---|---|---|---|
| Supabase Inc. | Database & Storage | EU (Frankfurt) | GDPR, Standard Contractual Clauses |
| Microsoft Azure | Speech Transcription | EU (Sweden) | GDPR, EU Data Boundary |
| Google Cloud | Audio Conversion | EU (Frankfurt) | GDPR, EU Servers |
| Google AI (Gemini) | AI Analysis | EU (Belgium) | GDPR, EU Servers |
| RevenueCat | Subscription Management | USA | Standard Contractual Clauses |
| Sentry.io | Error Monitoring | EU (Frankfurt) | GDPR, EU Servers |

6.2 Changes to Sub-processors

Memoro informs the customer at least 30 days before engaging new or replacing existing sub-processors via email. The customer may object within 14 days.

6.3 Equivalent Obligations

Memoro binds all sub-processors to the same data protection obligations as set out in this DPA.

7. Rights of Data Subjects

7.1 Support for Data Subject Requests

Memoro supports the customer in fulfilling data subject rights:

  • Right of Access (Art. 15 GDPR): Export of all user data
  • Right to Rectification (Art. 16 GDPR): Changes in app settings
  • Right to Erasure (Art. 17 GDPR): Complete data deletion within 30 days
  • Right to Restriction (Art. 18 GDPR): Temporary suspension of processing
  • Right to Data Portability (Art. 20 GDPR): Export in structured JSON format
  • Right to Object (Art. 21 GDPR): Cessation of processing

7.2 Response Time

Memoro responds to requests within 5 business days and supports the customer in complying with the 30-day deadline according to GDPR.

8. Data Security

8.1 Notification of Data Breaches

In the event of a data breach, Memoro informs the customer immediately, at the latest within 24 hours, and provides the following information:

  • Nature of the breach
  • Affected data categories and number of affected persons
  • Likely consequences
  • Measures taken
  • Contact person for further information

8.2 Documentation

Memoro documents all data breaches according to Art. 33 para. 5 GDPR.

9. Deletion and Return of Data

9.1 After Contract Termination

Upon termination of the contractual relationship, Memoro deletes or returns all personal data at the customer’s choice, unless there is a legal retention obligation.

9.2 Deletion Periods

  • Immediate Deletion: Upon cancellation by the customer
  • 30-Day Retention: For recovery purposes (upon request)
  • Backup Deletion: Within the next backup cycle (max. 90 days)

9.3 Confirmation

Memoro confirms complete deletion in writing.

10. Control and Audit Rights

10.1 Audits

The customer has the right to verify compliance with data protection provisions:

  • Provision of evidence upon request
  • Access to relevant documentation
  • Conducting audits (after prior notice)

10.2 Certifications

Memoro provides the customer with the following evidence:

  • ISO 27001 certifications of data centers
  • SOC 2 Type II reports of sub-processors
  • Data protection impact assessments upon request

11. Liability and Warranty

11.1 Liability

Liability is governed by the legal provisions of GDPR, in particular Art. 82 GDPR.

11.2 Damages

In case of violations of this DPA, Memoro is liable for proven damages up to the amount of the customer’s annual fee.

12. Contract Duration and Termination

12.1 Duration

This DPA enters into force at the start of use of Memoro services and applies for the duration of the business relationship.

12.2 Termination

  • Ordinary Termination: With termination of the main contract
  • Extraordinary Termination: In case of serious violations of the DPA
  • Objection: Upon rejection of a new sub-processor

13. Severability Clause

Should individual provisions of this contract be or become invalid, the validity of the remaining provisions shall remain unaffected.

14. Applicable Law and Jurisdiction

14.1 Applicable Law

This DPA is governed by the law of the Federal Republic of Germany.

14.2 Jurisdiction

The exclusive place of jurisdiction is Konstanz, Germany.


Contact for Data Protection Questions

Data Protection Officer:
Email: [email protected]
Phone: +49 176 444 343 85
Address: Memoro GmbH, Münzgasse 19, 78462 Konstanz, Germany


Individual DPA for Enterprise Customers

For enterprise customers with special requirements, we offer individually customized data processing agreements.

Contact for Individual DPA:
Email: [email protected]
Phone: +49 176 444 343 85

We are happy to create a customized DPA that takes your specific requirements into account:

  • ✓ Individual security measures
  • ✓ Extended SLAs
  • ✓ Special audit rights
  • ✓ On-premise options
  • ✓ Dedicated servers

Memoro GmbH, Münzgasse 19, 78462 Konstanz, Germany

Status: January 12, 2025 | Version 1.0.0