UltraMemory — Sub-processors
UltraMemory, operated by LogicLabsAI LLC, a Georgia, USA limited liability company ("UltraMemory", "we", "us", "our"), provides Ultra-Memory (styled "UltraMemory"), a standalone, multi-tenant, billable agent-memory service for Hermes Agent users and any MCP (Model Context Protocol) client. The Service stores, recalls, consolidates, and gates AI "memories" on behalf of customers and is exposed via a REST API (https://api.ultramemory.us) and an MCP Streamable-HTTP endpoint (the /mcp path, HTTPS only). This page lists the third parties we engage to help us deliver the Service.
1. What a sub-processor is
A sub-processor is a third-party service provider that UltraMemory engages to process personal data on our behalf in connection with the Service. For the data customers store and recall through the Service ("Memory Content"), the customer is the controller and UltraMemory acts as a processor; a party we engage further down that chain is therefore a "sub-processor" under data-protection law. For our own account, billing, and security/audit data, UltraMemory acts as an independent controller, and the same vendors may support those activities.
We remain responsible to our customers for the performance of the sub-processors we engage. Where we engage a sub-processor, we put in place a written agreement imposing data-protection obligations that are no less protective than those we owe our customers, and we remain liable for the sub-processor's processing to the extent required by applicable law.
This page lists all current sub-processors and operational vendors for the Service. We maintain a single production environment hosted on Amazon Web Services in region us-east-1 (United States).
2. Notice of changes, how to subscribe, and your right to object
We are committed to transparency about the parties that support the Service. Our commitments are:
- Advance notice. We will provide at least 30 days' prior notice before adding or replacing a sub-processor that processes Memory Content or other customer personal data.
- How to subscribe to updates. To receive notice of changes to this list, subscribe via ****. You may also check this page, which shows a "last updated" date at the bottom.
- Right to object. If you have a current subscription to the Service, you may object to a new or replacement sub-processor on reasonable data-protection grounds by contacting us at privacy@ultramemory.us within the notice period. We will work with you in good faith to address the objection — for example, by making reasonable efforts to offer an alternative. If we cannot resolve the objection, you may, as your remedy, terminate the affected portion of the Service in accordance with your agreement and the applicable Data Processing Addendum (DPA).
This page supplements, and does not replace, the notice and objection terms in your agreement and DPA. Where this page and your signed DPA differ, the DPA controls.
3. Roles in brief
- Memory Content (the data you store/recall via the Service): you are the controller; UltraMemory is the processor; the parties below process it (or do not) as indicated. Only AWS (at rest) and Voyage AI (for embedding generation) ever receive Memory Content.
- Account, billing, and security/audit data: UltraMemory is an independent controller and engages the parties below to support those functions.
4. Core data commitments
These commitments apply across all of the parties listed below:
- No training on Memory Content. We do not use Memory Content to train, retrain, or improve any machine-learning or AI model, and we do not permit our sub-processors to use Memory Content to train, retrain, or improve their models. Voyage AI receives Memory Content text solely to compute the vector embeddings returned to the Service and does not use it to train its models.
- No sale or sharing of personal data. We do not sell personal data and do not "share" personal data for cross-context behavioural advertising, as those terms are defined under the California Consumer Privacy Act, as amended by the CPRA. We do not disclose Memory Content or other customer personal data for any advertising purpose. Sub-processors are engaged as service providers / processors and are contractually restricted to processing personal data only on our documented instructions and for the limited purposes described below.
- Limited recipients of Memory Content. Of all parties listed, only AWS (which hosts all data at rest) and Voyage AI (which receives Memory Content text to compute embeddings) ever process Memory Content. No other listed party receives Memory Content.
5. Current sub-processors
| Sub-processor | Purpose | Data processed | Location | Status |
|---|---|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure that hosts the entire Service. AWS sub-services used: compute (EC2); primary database (RDS PostgreSQL + pgvector); cache (ElastiCache / Valkey); object storage (S3); load balancing and web application firewall (ALB / WAFv2); key management (KMS); secrets management (Secrets Manager); audit logging (CloudTrail); monitoring (CloudWatch); notifications (SNS); content delivery (CloudFront); TLS certificates (ACM); networking (VPC). | Hosts all customer data at rest, including Memory Content, vector embeddings, playbook/calibration data, account and authentication identity, tenant/subscription metadata, billing events, and audit logs. | United States (us-east-1) | LIVE |
| Voyage AI | Text embedding generation. Memory Content text is transmitted to Voyage to compute the vector embeddings (voyage-3.5, 1024-dimensional) used for semantic recall. This is the only sub-processor besides AWS that receives Memory Content. Voyage does not use Memory Content to train its models. | Memory Content text (sent to compute embeddings). | United States | LIVE |
| Supabase, Inc. | Authentication and identity management (brokers Google sign-in for customers and operators). Does NOT receive Memory Content. | Account and authentication identity: email address and external identity subject. | United States | LIVE |
| Google LLC | OAuth 2.0 sign-in identity provider (email / basic profile), brokered via Supabase. Does NOT receive Memory Content. | Sign-in identity (email and basic profile). | United States | LIVE |
| Stripe, Inc. | Payment processing and subscription billing. Stripe never receives Memory Content — only billing data. Card / payment data is handled solely by Stripe and is never stored by UltraMemory. | Billing contact and subscription status. (Card/payment data is collected and handled solely by Stripe; UltraMemory never receives or stores it.) | United States / EU | ACTIVATING (currently a no-op billing seam being switched to live Stripe) |
| Sentry (Functional Software, Inc.) | Application error monitoring. Configured to send no request bodies, no Memory Content, and no PII (authorization headers and cookies are scrubbed). | Application error/diagnostic data only (no Memory Content, no PII). | United States | OPTIONAL — enabled only when configured |
| Cloudflare, Inc. | Authoritative DNS for ultramemory.us (DNS only). Operational vendor — not in the customer-data path. | DNS resolution data only; no Memory Content or customer personal data. | Global anycast | LIVE |
| GitHub, Inc. (a Microsoft company) | Source-code hosting and CI/CD automation. Operational vendor — not a processor of customer personal data. | Does NOT process customer personal data or Memory Content. | United States | LIVE |
6. Notes on data handling
- Memory Content path. Of the parties above, only AWS (which hosts all data at rest) and Voyage AI (which receives Memory Content text to compute embeddings) ever process Memory Content. No other listed party receives Memory Content. Neither AWS nor Voyage uses Memory Content to train its models.
- Stripe. Stripe processes billing data only (billing contact and subscription status). Card and payment data is handled solely by Stripe and is never stored by UltraMemory. Stripe never receives Memory Content.
- GitHub and Cloudflare are operational vendors that support how we build and route to the Service. They are not in the customer-data path: Cloudflare provides DNS only, and GitHub hosts source code and runs CI/CD without processing customer personal data or Memory Content. We list them here for transparency.
- No sale or sharing. We do not sell or "share" (for cross-context behavioural advertising) personal data, and none of the parties above is engaged for any advertising purpose. See Section 4 for the full commitment.
- International transfers. Primary processing is in the United States (AWS us-east-1). Where personal data is transferred from the EEA, the UK, or Switzerland, transfers are safeguarded under the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the UK IDTA / Addendum, incorporated by reference where applicable.
7. Questions
Questions about this list, or requests to subscribe to change notices, can be sent to privacy@ultramemory.us. Data-protection and contractual matters may also be directed to legal@ultramemory.us or dpo@ultramemory.us. Postal address: 5229 Leecroft Drive, Sugar Hill, GA 30518.
Last updated: June 22, 2026