Data Processing Agreement

Effective April 25, 2026

This Data Processing Agreement (“DPA”) is entered into between Get Engram LLC (“Processor”) and the entity agreeing to the Engram Terms of Service (“Controller”). This DPA supplements the Terms of Service and applies to the extent the Processor processes Personal Data on behalf of the Controller under GDPR, CCPA/CPRA, or equivalent data protection laws.

1. Definitions

  • Personal Data — any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
  • Processing — any operation performed on Personal Data, including collection, storage, retrieval, erasure, and destruction.
  • Sub-processor — a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Data Subject — the individual to whom Personal Data relates.

2. Scope and Purpose of Processing

The Processor processes Personal Data solely to provide the Engram service as described in the Terms of Service. The categories of data processed include:

  • Account data — email address, organization name.
  • Conversation data — message content stored via the Engram API, along with vector embeddings generated for semantic search.
  • Usage data — API call counts, timestamps, and tier-related usage metrics.

The Processor does not control the content of conversations stored by the Controller. The Controller is responsible for ensuring a lawful basis exists for any Personal Data included in stored conversations.

3. Obligations of the Processor

  1. Process Personal Data only on documented instructions from the Controller, including with respect to transfers outside the EEA.
  2. Ensure that persons authorized to process Personal Data have committed to confidentiality.
  3. Implement appropriate technical and organizational security measures, as described in Trust & Compliance.
  4. Not engage another processor without prior written authorization of the Controller (see Section 6).
  5. Assist the Controller in responding to Data Subject rights requests (access, rectification, erasure, portability, restriction, objection).
  6. Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities where required.
  7. Delete or return all Personal Data at the end of the service relationship, unless retention is required by applicable law.
  8. Make available all information necessary to demonstrate compliance and allow for audits.

4. Security Measures

The Processor maintains the following technical and organizational measures:

  • Encryption in transit — TLS 1.3 on all endpoints. The .app TLD enforces HSTS preload.
  • Encryption at rest — AES-256 via Cloudflare D1 and Vectorize.
  • Tenant isolation — all queries scoped by organization_id at the database and vector index level.
  • API key security — keys stored as SHA-256 hashes; plaintext shown once at creation.
  • PII redaction — automatic scrubbing of secrets, API keys, and common PII patterns before storage.
  • Access control — production infrastructure access limited to authorized personnel via Cloudflare's IAM.

5. Data Subject Rights

The Processor provides the following mechanisms to fulfill Data Subject rights:

  • Right to access / portability — GET /api/export returns a complete JSON export of all stored data.
  • Right to erasure — DELETE /api/account deletes the organization and all associated data including vector embeddings. Individual conversations can be deleted via delete_conversation.
  • Right to rectification — the Controller can delete and re-create conversations with corrected content.

6. Sub-processors

The Controller authorizes the Processor to engage the following sub-processors:

Vendor             Purpose                                        Location
Cloudflare, Inc.   Compute, database, vector index, embeddings    United States
Stripe, Inc.       Payment processing                             United States
Vercel, Inc.       Marketing site hosting (no customer data)      United States
Supabase, Inc.     Authentication (email, session tokens)         United States

The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor. The Controller may object to a new sub-processor by notifying the Processor in writing within 14 days of notification. If the objection cannot be resolved, the Controller may terminate the agreement.

7. Data Breach Notification

The Processor will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach. The notification will include:

  • The nature of the breach and categories of data affected.
  • The approximate number of Data Subjects affected.
  • The measures taken or proposed to address the breach.
  • Contact details for follow-up (security@getengram.app).

8. International Transfers

Personal Data may be transferred to and processed in the United States by the Processor and its sub-processors. These transfers are made pursuant to the EU-U.S. Data Privacy Framework, Standard Contractual Clauses (SCCs), or another lawful transfer mechanism as applicable.

9. Data Retention and Deletion

Personal Data is retained for the duration of the service agreement. Upon termination or at the Controller's request, the Processor will delete all Personal Data within 30 days unless retention is required by applicable law. The Controller can initiate immediate deletion via the DELETE /api/account endpoint.

10. Audit Rights

The Processor will make available all information reasonably necessary to demonstrate compliance with this DPA. The Controller may conduct an audit (or appoint an independent auditor) with reasonable prior notice and during normal business hours. The Processor may charge reasonable costs for audits that are excessive or duplicative.

11. Term and Termination

This DPA remains in effect for as long as the Processor processes Personal Data on behalf of the Controller. It terminates automatically when the Terms of Service expire or are terminated.

12. Governing Law

This DPA is governed by the laws of the State of Delaware, USA, without regard to conflict of law provisions. For Data Subjects in the EEA, the provisions of GDPR take precedence over any conflicting terms.

To execute this DPA or request a signed copy, contact legal@getengram.app. Enterprise customers receive a countersigned copy as part of onboarding.