Data Processing Addendum (DPA) — UltraMemory

Service: UltraMemory, operated by LogicLabsAI LLC, a Georgia, USA limited liability company ("UltraMemory", "we", "us", "our")

Effective Date: June 22, 2026

This Data Processing Addendum ("DPA") forms part of, and is subject to, the agreement for the provision of the UltraMemory service between UltraMemory and the customer identified in the applicable order, subscription, or master agreement (the "Customer" and, together with UltraMemory, the "Parties"). The agreement governing the Customer's use of the Service is referred to as the "Main Agreement." This DPA records the Parties' agreement on the processing of Personal Data in connection with the Service.

1. Definitions

1.1. Capitalised terms not defined in this DPA have the meaning given to them in the Main Agreement.

1.2. In this DPA:

(a) "Service" means UltraMemory, a standalone, multi-tenant, billable agent-memory service for Hermes Agent users and any MCP (Model Context Protocol) client, which stores, recalls, consolidates, and gates AI "memories" on behalf of customers, exposed via a REST API at https://api.ultramemory.us and an MCP Streamable-HTTP endpoint at the path /mcp (HTTPS only).

(b) "Memory Content" means the data that the Customer (and its Authorized Users) stores, recalls, or otherwise processes through the Service, together with data derived from it by the Service (including vector embeddings, consolidated memories, playbook entries, and calibration/metamemory records). Memory Content is the most sensitive category of data processed under this DPA and may contain Personal Data about the Customer's own data subjects, as the Customer decides what to store.

(c) "Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under this DPA, including, as applicable: (i) Regulation (EU) 2016/679 ("EU GDPR"); (ii) the EU GDPR as it forms part of the law of the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 ("UK GDPR") and the UK Data Protection Act 2018; (iii) the Swiss Federal Act on Data Protection ("FADP"); and (iv) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act, and its implementing regulations ("CCPA/CPRA"), and other applicable U.S. state privacy laws (together, "US Privacy Laws").

(d) "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Supervisory Authority", and "Special Categories of Personal Data" have the meanings given in the EU GDPR / UK GDPR. Where US Privacy Laws apply, the equivalent terms "Business", "Service Provider", "Contractor", "Consumer", "Personal Information", "Sell", "Share", and "Process" have the meanings given in the CCPA/CPRA, and: "Controller" includes "Business"; "Processor" includes "Service Provider" and "Contractor"; "Personal Data" includes "Personal Information"; and "Data Subject" includes "Consumer."

(e) "Customer Personal Data" means Personal Data contained within Memory Content that UltraMemory processes on the Customer's behalf as a Processor under this DPA.

(f) "Sub-processor" means any third party engaged by UltraMemory to process Customer Personal Data on UltraMemory's behalf.

(g) "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

(h) "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner (version B.1.0, in force from 21 March 2022) under section 119A of the UK Data Protection Act 2018.

2. Roles and Scope of the Parties

2.1. Roles for Memory Content. With respect to Customer Personal Data contained in Memory Content, the Customer is the Controller (or, where the Customer is itself acting as a processor for a third-party controller, a Processor) and UltraMemory is the Processor (or Sub-processor, as applicable). UltraMemory processes Customer Personal Data solely on behalf of, and in accordance with the documented instructions of, the Customer.

2.2. UltraMemory as an independent Controller. With respect to account, billing, security, and audit data that UltraMemory collects and processes to provide, secure, bill for, and operate the Service (for example: account and authentication identity, tenant and subscription metadata, billing events, audit logs, and request correlation metadata), UltraMemory acts as an independent Controller. UltraMemory's controller-side processing is governed by UltraMemory's Privacy Policy and not by this DPA. This DPA governs only UltraMemory's processing of Customer Personal Data as a Processor.

2.3. Scope. This DPA applies to the processing of Customer Personal Data by UltraMemory in the course of providing the Service under the Main Agreement, for the duration set out in Annex I.

2.4. Customer responsibilities. The Customer is responsible for the accuracy, quality, and legality of Customer Personal Data, for the means by which the Customer acquired it, and for ensuring that it has a lawful basis to provide it to UltraMemory and to instruct the processing described in this DPA, including any required notices to and consents from Data Subjects.

3. Processing of Customer Personal Data

3.1. Documented instructions only (GDPR Art. 28(3)(a)). UltraMemory shall process Customer Personal Data only on the Customer's documented instructions, including with regard to transfers of Customer Personal Data to a third country or an international organisation, unless required to do so by Union, Member-State, or other applicable law to which UltraMemory is subject. Where such a legal requirement applies, UltraMemory shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3.2. Scope of instructions. The Customer's documented instructions are set out in this DPA, the Main Agreement, the description of processing in Annex I, and the Customer's lawful use and configuration of the Service through its features and documentation. The Customer may issue additional written instructions consistent with this DPA and the Main Agreement; UltraMemory may charge a reasonable fee for instructions that fall outside the standard functionality of the Service, and may decline instructions that would breach Data Protection Laws.

3.3. Unlawful instructions. UltraMemory shall inform the Customer if, in its opinion, an instruction infringes Data Protection Laws. UltraMemory is not responsible for determining whether the Customer's instructions are otherwise compliant with laws applicable to the Customer.

3.4. No model training on Customer data. UltraMemory will not use Customer Personal Data, Memory Content, or any data derived from it (including vector embeddings, consolidated memories, playbook entries, and calibration/metamemory records) to train, retrain, fine-tune, or improve any artificial-intelligence or machine-learning model, whether UltraMemory's own or any third party's. This commitment is unqualified: it is not subject to any de-identified, anonymised, or aggregated-data carve-out for model training. UltraMemory processes Memory Content only to operate, secure, and support the Service for the Customer.

4. Personnel Confidentiality (GDPR Art. 28(3)(b))

4.1. UltraMemory shall ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.2. UltraMemory shall ensure that access to Customer Personal Data is limited to personnel who need access to perform UltraMemory's obligations under the Main Agreement and this DPA, on a least-privilege basis, consistent with the access controls described in Annex II.

5. Security of Processing (GDPR Art. 28(3)(c) and Art. 32)

5.1. UltraMemory shall implement and maintain appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk presented by the processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. UltraMemory's current technical and organisational measures are set out in Annex II (Technical and Organisational Measures).

5.2. The Customer acknowledges that the measures in Annex II are subject to technical progress and development, and that UltraMemory may update them from time to time, provided that such updates do not materially reduce the overall level of security of the Service.

5.3. Current state of certifications and posture. As of the Effective Date, UltraMemory does not hold a SOC 2, ISO 27001, PCI-DSS, HIPAA, or any other third-party certification or attestation, and nothing in this DPA shall be read to imply that it does. The Service operates in a single Availability Zone (without multi-AZ failover), relying on automated recovery and point-in-time recovery as described in Annex II; UltraMemory makes no availability or uptime commitment in this DPA, and any such commitment exists only if expressly stated in the Main Agreement. The MCP endpoint currently authenticates using bearer tokens (OAuth 2.1 / PKCE is planned but not yet live). These statements are made to ensure the Customer's accurate understanding of the Service's current security posture.

6. Sub-processors (GDPR Art. 28(2), 28(3)(d), and 28(4))

6.1. General authorisation. The Customer grants UltraMemory a general written authorisation to engage Sub-processors to process Customer Personal Data in connection with the Service. UltraMemory's current Sub-processors are listed in Annex III.

6.2. Change notice and right to object. UltraMemory shall give the Customer at least thirty (30) days' prior notice of any intended addition or replacement of a Sub-processor that will process Customer Personal Data, by updating Annex III (or a publicly maintained sub-processor list) and/or by notifying the Customer through the contact mechanism it makes available. The Customer may object to the change on reasonable data-protection grounds by giving written notice within the 30-day notice period.

6.3. Resolution of objections. If the Customer reasonably objects under Section 6.2, the Parties shall work together in good faith to find a commercially reasonable resolution. If no resolution can be reached, the Customer may, as its sole and exclusive remedy, terminate the affected part of the Service that cannot be provided without the objected-to Sub-processor, in accordance with the termination provisions of the Main Agreement. Where the EU SCCs apply, this Section 6.2–6.3 operates in addition to, and does not limit, the Customer's right under Clause 9 of the SCCs to object to a new Sub-processor (in which case UltraMemory may not engage that Sub-processor for the processing of Customer Personal Data subject to the SCCs).

6.4. Flow-down of obligations. UltraMemory shall impose on each Sub-processor, by a written contract or other legal act, data-protection obligations that are no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of Data Protection Laws.

6.5. Continued liability. UltraMemory remains fully liable to the Customer for the performance of each Sub-processor's data-protection obligations where the Sub-processor fails to fulfil them.

6.6. Recipients of Memory Content. The Customer acknowledges that, of the Sub-processors listed in Annex III, only Amazon Web Services, Inc. (which hosts all Customer data at rest) and Voyage AI (to which Memory Content text is transmitted to compute vector embeddings for semantic recall) receive Memory Content. The other listed Sub-processors do not receive Memory Content, as further described in Annex III.

7. Assistance with Data-Subject Rights (GDPR Art. 28(3)(e))

7.1. Taking into account the nature of the processing, UltraMemory shall assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction of processing, data portability, and objection) and the equivalent rights of Consumers under US Privacy Laws.

7.2. If UltraMemory receives a request directly from a Data Subject or Consumer relating to Customer Personal Data, UltraMemory shall, unless legally prohibited, promptly inform the Customer and shall not respond to the request itself other than to direct the individual to the relevant Customer-Controller, except on the Customer's documented instructions.

7.3. The Customer acknowledges that, because UltraMemory does not log or store client IP addresses or User-Agent strings (see Annex II), and because UltraMemory processes Memory Content on behalf of the Customer, the Customer is the appropriate point of contact for Data-Subject requests concerning Memory Content. The Customer can access, correct, and request deletion of Memory Content through the functionality of the Service and through requests made to UltraMemory as described in Section 9. UltraMemory may charge a reasonable fee for assistance that exceeds the standard functionality of the Service.

8. Assistance with Security, Breach Notification, DPIAs, and Prior Consultation (GDPR Art. 28(3)(f) and Art. 32–36)

8.1. General assistance. Taking into account the nature of processing and the information available to UltraMemory, UltraMemory shall assist the Customer in ensuring compliance with the Customer's obligations under Articles 32 to 36 of the GDPR, namely security of processing, notification of Personal Data Breaches, communication of Personal Data Breaches to Data Subjects, data protection impact assessments, and prior consultation with a Supervisory Authority.

8.2. Breach notification. UltraMemory shall notify the Customer without undue delay, and in any event within seventy-two (72) hours, after UltraMemory becomes aware of a Personal Data Breach affecting Customer Personal Data.

8.3. Content of breach notice. UltraMemory's notification shall, to the extent then known and where feasible in phased detail, describe: (a) the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences of the breach; and (c) the measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects. UltraMemory shall provide further information in phases as it becomes available. A notification under this Section is not, and shall not be construed as, an acknowledgement by UltraMemory of any fault or liability.

8.4. No risk assessment by UltraMemory. UltraMemory shall report Personal Data Breaches to the Customer and shall not undertake the assessment of risk to Data Subjects required of the Customer as Controller; that assessment, and any notification to a Supervisory Authority or to Data Subjects, remains the Customer's responsibility.

9. Deletion or Return of Customer Personal Data (GDPR Art. 28(3)(g))

9.1. Export. During the term of the Main Agreement, and during the post-termination retrieval window described below, the Customer may export Memory Content using the functionality of the Service.

9.2. Deletion on termination. Upon termination or expiry of the Main Agreement, and at the Customer's choice to delete or return Customer Personal Data, UltraMemory shall delete Customer Personal Data (including Memory Content and data derived from it, such as vector embeddings and consolidated memories) within thirty (30) days of termination, except for copies that UltraMemory is required to retain by applicable law or that are retained in tamper-evident audit logs or in routine backups that cycle out on their normal schedule (AWS RDS point-in-time recovery, approximately seven (7) days).

9.3. Derived data. For the avoidance of doubt, vector embeddings, consolidated memories, playbook entries, and calibration/metamemory records derived from Customer Personal Data are themselves treated as Customer Personal Data and are deleted on the same basis and within the same period as the source Memory Content from which they are derived.

9.4. Deletion process. The Customer acknowledges that deletion is fulfilled as an operator-executed process within the SLA stated in this Section; the Service does not currently provide fully self-service programmatic per-record erasure tooling.

9.5. Retained copies. Any Customer Personal Data retained under an exception in Section 9.2 remains subject to the confidentiality and security obligations of this DPA for so long as it is retained, and UltraMemory shall not actively process such data for any purpose other than the legal-retention or backup purpose for which it is retained.

9.6. Certification of deletion. Upon the Customer's written request, UltraMemory shall provide written confirmation that deletion has been completed in accordance with this Section, save for any copies retained under an exception in Section 9.2.

10. Audit and Information Rights (GDPR Art. 28(3)(h))

10.1. UltraMemory shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.

10.2. Conduct of audits. Any audit shall be conducted: (a) on reasonable prior written notice (and no more than once in any twelve-month period, except where required by a Supervisory Authority, where the Customer reasonably believes a Personal Data Breach has occurred, or following a Personal Data Breach affecting Customer Personal Data); (b) during normal business hours; (c) subject to reasonable confidentiality obligations; and (d) in a manner that does not unreasonably disrupt UltraMemory's business or compromise the security or confidentiality of any other customer's data in the multi-tenant environment. The Customer's right to monitor UltraMemory's compliance under the CCPA/CPRA (Section 11.12) is preserved and is not limited by the frequency cap in this Section.

10.3. Information first. UltraMemory may satisfy the Customer's audit and information requests, in whole or in part, by providing documentation describing its technical and organisational measures (including Annex II), responses to reasonable security questionnaires, and, where and when available, third-party reports or certifications.

11. CCPA / CPRA Service-Provider and Contractor Terms

11.1. Application. This Section applies to the extent UltraMemory processes Personal Information subject to US Privacy Laws on the Customer's behalf. With respect to such Personal Information, UltraMemory acts as a "Service Provider" and "Contractor" and the Customer acts as a "Business," each as defined in the CCPA/CPRA.

11.2. Specified business purpose (Cal. Code Regs. tit. 11 § 7051(a)(1)–(2)). The Customer discloses Personal Information to UltraMemory only for the following limited and specified business purpose(s), which are not described in generic terms: to store, index, compute vector embeddings of, recall, consolidate, and confidence-gate Memory Content on the Customer's behalf, and to secure, maintain, and provide technical support for the Service in connection with that processing, in each case as further described in Annex I. UltraMemory shall process the Customer's Personal Information only for these specified business purpose(s).

11.3. No sale or sharing (§ 7051(a)(3)–(4)). UltraMemory shall not sell or share (each as defined in the CCPA/CPRA) the Customer's Personal Information, and shall not retain, use, or disclose it for any purpose (including any commercial purpose) other than the specified business purpose(s) in Section 11.2, or as otherwise permitted by the CCPA/CPRA and its regulations. UltraMemory receives no monetary or other valuable consideration for the Customer's Personal Information other than the fees for the Service. UltraMemory shall not, and contractually cannot, provide cross-context behavioural advertising using the Customer's Personal Information.

11.4. No retention or use outside the relationship; no combining (§ 7051(a)(5) and § 1798.140(ag)(1)(D)). UltraMemory shall not retain, use, or disclose the Customer's Personal Information outside the direct business relationship between the Parties, and shall not combine the Customer's Personal Information with Personal Information that UltraMemory receives from, or on behalf of, any other person, or that it collects from its own interaction with any Consumer, except as expressly permitted by the CCPA/CPRA and its regulations. UltraMemory enforces tenant isolation as described in Annex II.

11.5. No model training. Consistent with Section 3.4, UltraMemory does not use the Customer's Personal Information (or Memory Content, or any data derived from it) to train, retrain, fine-tune, or improve any artificial-intelligence or machine-learning model.

11.6. Same level of protection; compliance (§ 7051(a)(6)). UltraMemory shall comply with all applicable obligations of the CCPA/CPRA and its regulations, shall provide the same level of privacy protection as is required of a Business under the CCPA/CPRA, and shall implement reasonable security procedures and practices appropriate to the nature of the Personal Information, consistent with Annex II and California Civil Code § 1798.81.5.

11.7. Assistance with Consumer requests. UltraMemory shall enable and assist the Customer in responding to verifiable Consumer requests to know, access, delete, correct, and opt out, by appropriate technical and organisational measures, taking into account the nature of the processing. If UltraMemory receives a Consumer request directly, it shall, in accordance with the Customer's instructions, either act on the Customer's behalf or inform the Consumer that the request cannot be acted upon because it was sent to a Service Provider/Contractor.

11.8. Notification of inability to comply (§ 7051(a)(7)). UltraMemory shall notify the Customer if it determines that it can no longer meet its obligations under the CCPA/CPRA.

11.9. Right to remediate. The Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorised use of Personal Information, including, where applicable, requiring UltraMemory to provide documentation verifying deletion.

11.10. Sub-processor flow-down. Where UltraMemory engages another person to assist it in processing the Customer's Personal Information for a business purpose, UltraMemory shall notify the Customer and shall bind that person, by written contract, to the same CCPA/CPRA obligations as a Service Provider or Contractor, consistent with Section 6.4.

11.11. Certification. UltraMemory certifies that it understands the restrictions set out in this Section 11 and Section 3.4 and the CCPA/CPRA, and that it will comply with them.

11.12. Right to monitor (§ 1798.140(ag)(1)). The Customer may take reasonable and appropriate steps to monitor UltraMemory's compliance with this Section 11 through measures including ongoing manual reviews, automated scans, and regular assessments, audits, or other technical and operational testing at least once every twelve (12) months, coordinated in accordance with Section 10.2.

12. International Transfers

12.1. Primary processing location. The primary processing of Customer Personal Data takes place in the United States, on Amazon Web Services in the region us-east-1.

12.2. EU SCCs. To the extent the processing of Customer Personal Data involves a transfer that is subject to the EU GDPR to a country that does not benefit from an adequacy decision, the EU SCCs (Module Two: Controller to Processor) are incorporated into this DPA by reference and form part of it, with the following selections: (a) Clause 7 (the optional docking clause) applies; (b) under Clause 9, Option 2 (general written authorisation) applies, with the change-notice period set out in Section 6.2; (c) in Clause 11, the optional language permitting Data Subjects to lodge a complaint with an independent dispute-resolution body does not apply; (d) under Clause 17, the SCCs are governed by the law of the Republic of Ireland (Clause 17 requires the law of an EU/EEA Member State, so the governing-law selection in the Main Agreement does not apply to the SCCs); (e) under Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland; and (f) Annexes I.A, I.B, and II of this DPA populate Annexes I and II to the SCCs, and the list of Sub-processors in Annex III of this DPA serves as the Annex III to the SCCs (general authorisation under Clause 9, Option 2). Where the Customer acts as a processor for a third-party controller, Module Three (Processor to Processor) applies in place of Module Two.

12.3. UK transfers. To the extent the processing involves a transfer that is subject to the UK GDPR, the UK Addendum is incorporated into this DPA by reference, with the EU SCCs as the "Approved EU SCCs" forming part of it, and Tables 1 to 3 of the UK Addendum populated by the Annexes of this DPA. As to Table 4 of the UK Addendum, neither Party may end the UK Addendum when the ICO issues a revised Approved Addendum, except that the importer (UltraMemory) may do so in accordance with the UK Addendum.

12.4. Swiss transfers. To the extent the processing involves a transfer subject to the FADP, the EU SCCs apply with the adaptations necessary under the FADP (including references to the GDPR being read as references to the FADP, the term "Member State" being read so as not to deprive Swiss-resident Data Subjects of the right to sue in their place of habitual residence, and the competent authority being the Swiss Federal Data Protection and Information Commissioner).

12.5. Conflict. In the event of any conflict between the SCCs (or UK Addendum) and any other term of this DPA or the Main Agreement, the SCCs (or UK Addendum) prevail with respect to the relevant restricted transfer.

13. Liability and Indemnity

13.1. Each Party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the exclusions and limitations of liability set out in the Main Agreement, and any reference in the Main Agreement to the liability of a Party means the aggregate liability of that Party under the Main Agreement and this DPA together.

13.2. Nothing in this DPA limits or excludes any liability that cannot be limited or excluded under applicable Data Protection Laws, including, where applicable, the liability of the Parties to Data Subjects under the third-party-beneficiary provisions of the SCCs.

13.3. The indemnification provisions (if any) of the Main Agreement apply to this DPA. This DPA does not create any new or additional indemnification obligation beyond those in the Main Agreement, except as expressly required by the SCCs.

14. Order of Precedence

14.1. This DPA supplements the Main Agreement. In the event of a conflict between this DPA and the Main Agreement with respect to the processing of Customer Personal Data, this DPA prevails. In the event of a conflict between this DPA and the SCCs (or UK Addendum) with respect to a restricted transfer, the SCCs (or UK Addendum) prevail. The Annexes form an integral part of this DPA.

15. Term and Termination

15.1. This DPA takes effect on the Effective Date and remains in force for as long as UltraMemory processes Customer Personal Data on the Customer's behalf under the Main Agreement.

15.2. The provisions of this DPA that by their nature should survive termination — including those relating to deletion or return of data (Section 9), confidentiality (Section 4), liability (Section 13), and the obligations applicable to any retained copies (Section 9.5) — survive termination or expiry of the Main Agreement and this DPA.

16. Miscellaneous

16.1. Governing law. This DPA is governed by the laws of the State of Georgia, USA, except where Data Protection Laws or the SCCs require otherwise. For the avoidance of doubt, the governing law of the EU SCCs (and the UK Addendum) is determined under Section 12, not by this Section.

16.2. Contacts. Data-protection matters under this DPA may be addressed to UltraMemory at: privacy@ultramemory.us; legal matters to legal@ultramemory.us; security and breach matters to security@ultramemory.us; and matters for the data protection officer (if appointed) to dpo@ultramemory.us. UltraMemory's postal address is 5229 Leecroft Drive, Sugar Hill, GA 30518.

16.3. Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect.

Annex I — Description of Processing

A. List of the Parties

Data exporter (Controller): The Customer identified in the Main Agreement.

• Name, address, and contact: as set out in the Main Agreement or the applicable order.
• Activities relevant to the data transferred: the Customer's use of the Service to store, recall, consolidate, and gate AI memories on behalf of its own data subjects.
• Role: Controller (or Processor, where the Customer is acting for a third-party controller).
• Signature and date: as recorded in the Main Agreement / applicable order.
• Where the data exporter is established outside the EU/EEA but subject to the GDPR under Article 3(2): EU Article 27 representative —.

Data importer (Processor): UltraMemory, operated by LogicLabsAI LLC, a Georgia, USA limited liability company.

• Address: 5229 Leecroft Drive, Sugar Hill, GA 30518.
• Contact: privacy@ultramemory.us.
• Activities relevant to the data transferred: provision of the UltraMemory agent-memory service (storage, recall, consolidation, and gating of AI memories) via a REST API and an MCP Streamable-HTTP endpoint, hosted on AWS in us-east-1 (United States).
• Role: Processor.
• Signature and date: as recorded in the Main Agreement / applicable order.

B. Description of the Processing

Subject matter. Provision of the UltraMemory agent-memory service, comprising the storage, recall, consolidation, semantic search, and confidence-gating of Memory Content on the Customer's behalf.

Nature and purpose of processing. Receiving, storing, indexing, computing vector embeddings of, recalling, consolidating, and gating Memory Content; generating and storing derived records (embeddings, consolidated memories, playbook entries, calibration/metamemory parameters); and transmitting Memory Content text to the embedding Sub-processor (Voyage AI) to compute vectors for semantic recall — in each case solely to operate, secure, and support the Service for the Customer.

Duration of processing. For the duration of the Main Agreement, plus the post-termination deletion period described in Section 9 (deletion within thirty (30) days of termination, subject to legal-retention and routine-backup exceptions).

Frequency of processing. Continuous, on an as-used basis, for so long as the Customer uses the Service.

Categories of Data Subjects. The Data Subjects whose Personal Data the Customer chooses to include in Memory Content. The Customer determines and controls these categories; they may include, for example, the Customer's end users, customers, contacts, or other individuals referenced in the facts and observations the Customer stores. The Customer is responsible for determining the categories of Data Subjects.

Categories of Personal Data. The categories of Personal Data are determined by the Customer through its use of the Service and may include:

• Memory Content — customer-supplied facts and observations, structured into fields including entity, attribute, value, rationale, source, confidence, scope, and bitemporal validity timestamps. Memory Content may contain Personal Data about the Customer's own Data Subjects; the Customer decides what to store. This is the most sensitive category processed under this DPA.
• Vector embeddings — numeric vectors derived from Memory Content (Voyage voyage-3.5, 1024-dimension) for semantic search, stored in the primary database.
• Playbook entries and calibration/metamemory records — learned trigger/strategy records and confidence-gate parameters and feedback events; tenant-scoped operational data derived from use of the Service.

For completeness, the following data are processed by UltraMemory as an independent Controller (not under this DPA) and are listed here only for transparency: account and authentication identity (email address, external identity subject id, auth provider, admin flag, login timestamps); API keys (stored only as keyed HMAC-SHA256 hashes; the raw key is never stored); tenant and subscription metadata (including Stripe customer/subscription ids, plan tier, status, and period end); billing events (external event ids only; no card data); audit logs (actor, action, object IDs, counts, and gate decisions only — never Memory Content values); and a per-request correlation id. UltraMemory does not log or store client IP addresses or User-Agent strings, and does not collect precise geolocation, device fingerprints, advertising identifiers, biometric data, or payment card numbers, and does not sell or share Personal Data for cross-context behavioural advertising.

Special Categories of Personal Data. The Service is not designed to receive Special Categories of Personal Data (GDPR Art. 9) or other sensitive data. The Customer agrees not to include Special Categories of Personal Data in Memory Content unless the Parties have expressly agreed otherwise in writing and the Customer has implemented any safeguards required for such data.

C. Competent Supervisory Authority

Where the EU SCCs (Module Two or Three) apply, the competent Supervisory Authority is the Supervisory Authority of the EU/EEA Member State determined in accordance with Clause 13 of the SCCs (generally, the Supervisory Authority of the Member State in which the Customer's EU representative is established, or, failing that, the Member State in which the relevant Data Subjects are located). the supervisory authority of the EEA Member State in which the data exporter is established or its EU representative is located (and, for United Kingdom transfers, the UK Information Commissioner's Office). Where the UK GDPR applies, the competent Supervisory Authority is the UK Information Commissioner's Office (ICO). Where the FADP applies, it is the Swiss Federal Data Protection and Information Commissioner (FDPIC).

Annex II — Technical and Organisational Measures

UltraMemory implements and maintains the following technical and organisational measures (TOMs) to protect Customer Personal Data, in line with GDPR Article 32. These measures reflect the current state of the Service and may be updated provided the overall level of security is not materially reduced.

1. Encryption in Transit

• TLS 1.2 or higher is required everywhere.
• Database connections require TLS (sslmode=require).
• Cache transit encryption is enabled.

2. Encryption at Rest

• Data at rest is encrypted using AWS Key Management Service (KMS) customer-managed keys with automatic key rotation.
• A separate, dedicated customer-managed key encrypts the audit-log trail, enforcing separation of duties between data access and audit-record integrity.

3. Tenant Isolation

• A single API-key → tenant resolution chokepoint governs all access.
• PostgreSQL Row-Level Security (FORCE RLS) is enforced on every tenant-scoped table.
• The application connects to the database via a least-privilege, non-owner role.

4. Access Control

• No SSH access; all administration is performed via AWS SSM Session Manager only.
• No public IP addresses on the compute or data tier; resources run in private subnets with least-privilege security groups.
• Human access uses single sign-on with temporary credentials.
• Workload access uses IAM roles; there are zero static, long-lived cloud keys.
• CI/CD authenticates via keyless OIDC.

5. Secrets Management

• All secrets are fetched from AWS Secrets Manager at runtime; no secrets are stored in source code, container images, or .env files.
• The database master password is on automatic rotation.
• API keys are stored only as keyed HMAC-SHA256 hashes; raw keys are never stored.

6. Auditing and Detection

• Multi-region AWS CloudTrail with log-file validation (tamper-evident) writes to a versioned, access-restricted, encrypted bucket.
• Seven CIS-aligned detective alarms raise real-time alerts on: root-account use; unauthorized API calls; console sign-in without MFA; console authentication failures; trail tampering (stop-logging / delete-trail); IAM policy changes; and KMS key disable/delete.
• The application audit log is append-only and immutable at the database layer, and records actor, action, object IDs, counts, and gate decisions only — never Memory Content values — with a per-request correlation id.

7. Application Hardening

• Strict schema validation on every endpoint.
• Per-API-key rate limiting.
• Idempotent writes with content-hash deduplication.
• Append-only database migrations.
• The MCP endpoint is served over Streamable HTTP with Origin validation (anti DNS-rebinding) and HTTPS only.

8. Data Minimisation in Logs

• Memory Content is never written to logs.
• Error monitoring scrubs authentication headers and cookies and transmits no request bodies and no Personal Data.
• Client IP addresses and User-Agent strings are not logged or stored by the application.

9. Availability and Resilience

• Backups via AWS RDS point-in-time recovery (approximately seven (7) days).
• Automated instance recovery.
• The Service currently operates in a single Availability Zone (no multi-AZ failover); resilience relies on the point-in-time recovery and automated recovery described above. UltraMemory makes no high-availability or uptime guarantee in this DPA.

10. Current Limitations (Stated for Accuracy)

• UltraMemory holds no SOC 2, ISO 27001, PCI-DSS, HIPAA, or other certification or attestation.
• AWS GuardDuty, AWS Config, and AWS Security Hub are not currently enabled.
• The MCP endpoint currently uses bearer-token authentication; OAuth 2.1 / PKCE is planned but not yet live.
• Deletion is an operator-executed process; there is no fully self-service programmatic per-record erasure tooling yet.

Annex III — Sub-processors

The Customer grants a general authorisation to the engagement of the following Sub-processors. UltraMemory will provide notice of additions or replacements in accordance with Section 6.

Note on recipients of Memory Content: Of the above, only Amazon Web Services (hosts Customer data at rest) and Voyage AI (receives Memory Content text to compute embeddings) receive Memory Content. The remaining Sub-processors do not receive Memory Content.

End of Data Processing Addendum (DRAFT).