
Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between REM Labs ("Processor") and the entity agreeing to these terms ("Controller").

Version: 1.0
Effective: April 14, 2026
Applies to: All tiers with personal data processing

Section 1

Definitions

For the purposes of this DPA, the following terms have the meanings set forth below:

  • "Data Controller" means the entity that determines the purposes and means of processing Personal Data. In the context of this agreement, the Controller is the customer using REM Labs services.
  • "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller. REM Labs acts as the Data Processor.
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined under the EU General Data Protection Regulation (GDPR) and applicable data protection laws.
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and erasure.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Supervisory Authority" means the independent public authority responsible for monitoring the application of data protection laws.

Section 2

Scope of Processing

The Processor shall process Personal Data only to the extent necessary to provide the REM Labs memory infrastructure services as described in the applicable service agreement. The scope of processing includes:

  • Nature of processing: Storage, retrieval, indexing, and consolidation of memory data submitted via the REM Labs API.
  • Purpose of processing: To provide persistent memory infrastructure services, including memory storage, recall, search, and the Dream Engine memory consolidation pipeline.
  • Types of Personal Data: Any Personal Data contained within memory objects submitted by the Controller through the API, which may include names, identifiers, preferences, conversation context, and other data as determined by the Controller.
  • Categories of Data Subjects: End users of the Controller's applications and services, employees, contractors, or other individuals whose data the Controller submits to the service.
  • Duration of processing: For the term of the service agreement, plus any retention period required by law or as configured by the Controller.

The Processor shall not process Personal Data for any purpose other than those specified in this DPA and the service agreement, unless required by applicable law.

Section 3

Data Processor Obligations

The Processor agrees to the following obligations with respect to the processing of Personal Data:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization.
  • Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing.
  • Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller.
  • Assist the Controller in ensuring compliance with obligations related to the security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation.
  • At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires storage.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits.
  • Immediately inform the Controller if, in the Processor's opinion, an instruction infringes applicable data protection law.

Section 4

Security Measures

The Processor implements and maintains the following technical and organizational security measures:

  • Encryption at rest: All stored data is encrypted using AES-256. Customer-managed encryption keys are available on the Enterprise tier.
  • Encryption in transit: All data transmitted between the Controller and the Processor is encrypted using TLS 1.3.
  • Access control: Role-based access control (RBAC) with four levels: Owner, Admin, Editor, and Viewer. API keys are hashed with SHA-256 and never stored in plaintext.
  • Audit logging: Every API operation is logged with timestamp, authenticated user, action performed, and resource affected. Logs are immutable and exportable.
  • Network security: SSRF protection, DNS rebinding protection, rate limiting, HSTS, Content Security Policy, and Cross-Origin Resource Policy headers.
  • Data isolation: Full namespace isolation ensures that data from different Controller accounts or projects cannot be accessed across boundaries.
  • Backup and recovery: Automated backups every 6 hours using SQLite WAL mode with S3-compatible storage. Cross-region replication available on Enterprise tier.
  • Vulnerability management: Regular dependency scanning, penetration testing (scheduled Q3 2026), and security patch management.

A detailed description of security measures is available in the Security Whitepaper.

Section 5

Sub-processors

The Processor uses the following sub-processors for the provision of services. A live, more detailed list is published at /subprocessors:

  • Vercel, Inc. -- Static site hosting and global edge CDN. Location: Global edge / United States.
  • Supabase, Inc. -- Primary memory database (Postgres + pgvector). Location: United States (us-east-1).
  • Railway Corp. -- Application compute and background workers. Location: United States.
  • Cloudflare, Inc. -- DDoS protection and DNS. Location: Global anycast.
  • OpenAI, L.L.C. -- Embeddings and Dream Engine synthesis. API inputs not used for training or retained beyond the immediate request. Location: United States.
  • Anthropic, PBC -- Optional synthesis model. API inputs not used for training. Location: United States.
  • Google LLC -- OAuth 2.0 for console login. Location: Global.
  • Stripe, Inc. -- Billing and subscription management. Never receives memory content. Location: United States.

The Processor shall notify the Controller at least 14 days before the addition or replacement of any sub-processor that processes Personal Data, giving the Controller the opportunity to object to such changes on reasonable data-protection grounds. The current sub-processor list is published at /subprocessors and also available upon request at legal@remlabs.ai.

When engaging sub-processors, the Processor shall impose the same data protection obligations as set out in this DPA by way of a contract or other legal act, providing sufficient guarantees that appropriate technical and organizational measures are implemented.

Section 6

Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under applicable data protection law, including:

  • Right of access: Data Subjects may request access to their Personal Data. The Controller can retrieve all data associated with a Data Subject via the API using namespace and tag queries.
  • Right to rectification: Personal Data can be updated via the standard API update endpoints.
  • Right to erasure: The Controller can delete specific memories or all data associated with a Data Subject via the API delete endpoints. Deletion is permanent and propagates to backups within 6 hours.
  • Right to restrict processing: The Controller can use namespace isolation and memory locking to restrict processing of specific data.
  • Right to data portability: Full data export is available at any time via the API in JSON, CSV, or raw SQLite format.
  • Right to object: The Controller can cease processing at any time by removing data or suspending API access.

The Processor shall respond to Controller requests regarding Data Subject rights without undue delay and in any event within 30 days of receipt.

Section 7

Data Breach Notification

In the event of a Personal Data breach, the Processor shall:

  • Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach.
  • Provide the Controller with sufficient information to meet the Controller's obligations to report the breach to the relevant Supervisory Authority and affected Data Subjects.
  • Include in the notification: the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences of the breach, and the measures taken or proposed to address the breach.
  • Cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.
  • Document all Personal Data breaches, including the facts relating to the breach, its effects, and the remedial action taken.

The notification obligation does not apply where the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Section 8

Data Return and Deletion

Upon termination or expiration of the service agreement, or upon the Controller's written request:

  • The Processor shall, at the Controller's election, return all Personal Data to the Controller in a machine-readable format (JSON, CSV, or SQLite) or delete all Personal Data.
  • Deletion shall be completed within 30 days of the request or termination, including all copies in backup systems.
  • The Processor shall certify in writing that all Personal Data has been deleted or returned, as applicable.
  • The Processor may retain Personal Data to the extent required by applicable law, in which case the Processor shall inform the Controller of any such requirement and limit the processing to only what is required by law.

During the service period, the Controller may export all data at any time using the API export functionality or the admin dashboard, ensuring full data portability.

Section 9

International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), the Processor shall ensure that:

  • The transfer is to a country that has been deemed to provide an adequate level of data protection by the European Commission, or
  • Appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) as approved by the European Commission, or
  • The Controller has opted for EU data residency or self-hosted deployment, in which case Personal Data remains within the EEA.

Enterprise tier customers may select EU data residency to ensure all data processing occurs within the European Economic Area. Self-hosted deployments provide full control over data location.

Section 10

Term and Termination

This DPA shall remain in effect for the duration of the service agreement between the Processor and the Controller. The obligations of the Processor with respect to the protection of Personal Data shall survive the termination of this DPA for as long as the Processor retains any Personal Data.

Either party may terminate this DPA by providing written notice if the other party materially breaches any provision of this DPA and fails to cure such breach within 30 days of receiving written notice.

Upon termination, the provisions of Section 8 (Data Return and Deletion) shall apply.

Section 11

Audit Rights

The Controller shall have the right to audit the Processor's compliance with this DPA. The Processor shall:

  • Make available all information necessary to demonstrate compliance with the obligations set forth in this DPA.
  • Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
  • Provide audit reports, certifications, or summaries of independent third-party audits (such as SOC 2 Type II reports, when available) upon request.

Audits shall be conducted with reasonable prior notice and shall not unreasonably interfere with the Processor's business operations.

To execute this DPA or request modifications, contact our team.

legal@remlabs.ai