Data Processing Addendum

Effective: 2026-05-01

Parties

This Data Processing Addendum ("DPA") forms part of the MemClaw Terms of Service or other written agreement (the "Agreement") between:

(1) Caura Innovations Ltd, a company incorporated under the laws of the State of Israel (company number to be inserted; registered office in Israel) ("Caura", "Processor"); and

(2) the Customer identified in the Agreement ("Customer", "Controller").

Each a "Party", together the "Parties".

1. Definitions

Terms used but not defined here have the meanings given in the Agreement or, where not defined there, in the GDPR (Regulation (EU) 2016/679) and the UK GDPR. In particular:

"Applicable Data Protection Laws" means (a) the GDPR and any EU member-state implementing laws; (b) the UK GDPR and the UK Data Protection Act 2018; (c) the Protection of Privacy Law 5741-1981 of the State of Israel and regulations thereunder ("PPL"); (d) the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"); and (e) any other data-protection laws applicable from time to time to the Processing of Customer Personal Data under this DPA.

"Customer Personal Data" means Personal Data that Caura Processes on behalf of Customer in the course of providing the Services under the Agreement.

"Personal Data", "Controller", "Processor", "Processing", "Data Subject", "Sub-processor", and "Personal Data Breach" have the meanings given in the GDPR.

"Services" means the MemClaw services described in the Agreement.

"DPF" means the EU-US Data Privacy Framework, together with the UK Extension and the Swiss-US Data Privacy Framework.

"SCCs" means the Standard Contractual Clauses approved by the European Commission in Decision 2021/914/EU (Module Two: Controller to Processor), together with the UK International Data Transfer Addendum issued by the UK Information Commissioner's Office under section 119A of the Data Protection Act 2018 (the "UK Addendum").

2. Roles and scope

2.1 In respect of Customer Personal Data, Customer is the Controller and Caura is the Processor. Where Customer is itself a Processor acting on behalf of a third-party controller, Caura acts as a Sub-processor; Customer represents that it has the necessary authority to engage Caura on the terms of this DPA.

2.2 This DPA applies whenever Caura Processes Customer Personal Data in connection with the Services.

2.3 The duration of Processing is the term of the Agreement plus any post-termination period strictly necessary to return or delete Customer Personal Data under Section 11.

2.4 The subject matter, nature, purpose, categories of data and categories of Data Subjects are set out in Annex I.

3. Processing instructions

3.1 Caura shall Process Customer Personal Data only on the documented instructions of Customer, including with regard to transfers to a third country or an international organisation, unless required to do so by a law to which Caura is subject; in such a case, Caura shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

3.2 The Agreement, this DPA, and Customer's ordinary and documented use of the Services' features constitute Customer's complete and final instructions to Caura.

3.3 Caura shall inform Customer if, in its opinion, an instruction from Customer infringes Applicable Data Protection Laws.

4. Confidentiality

Caura shall ensure that persons authorised to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Security

5.1 Caura shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further described in Annex II ("Security Measures"). These measures are designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, such data.

5.2 Customer acknowledges that the Security Measures are subject to technical progress and development. Caura may update or modify the Security Measures from time to time, provided that such updates do not materially diminish the overall level of security of the Services.

6. Sub-processors

6.1 Customer grants Caura a general authorisation to engage Sub-processors to Process Customer Personal Data, subject to this Section 6.

6.2 The current list of Caura's Sub-processors is maintained at memclaw.net/legal/subprocessors and is reproduced in Annex III.

6.3 Caura shall notify Customer of any intended addition or replacement of a Sub-processor with at least 30 days' prior notice (posted at the Sub-processors page and, on written request, by email). Customer may object in writing within that 30-day period on reasonable data-protection grounds. If Customer objects, the Parties will work together in good faith to agree a commercially reasonable alternative. Failing agreement, Customer may terminate the affected portion of the Services by written notice, and Caura will refund pro-rata any pre-paid fees for Services not yet rendered under the affected scope.

6.4 Caura shall impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable to Customer for any failure by a Sub-processor to perform its obligations to the same extent Caura would be liable if performing those obligations itself.

7. Data subject rights

Taking into account the nature of the Processing, Caura shall assist Customer by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of Customer's obligation to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Laws (including the rights of access, rectification, erasure, restriction of Processing, portability, objection, and the right not to be subject to a solely automated decision). If a Data Subject contacts Caura directly, Caura will refer the request to Customer without undue delay.

8. Assistance with compliance

Caura shall provide reasonable assistance to Customer in meeting Customer's own obligations under GDPR Articles 32 to 36 (security of processing, notification of breaches, data protection impact assessments, and prior consultation), taking into account the nature of the Processing and the information available to Caura.

9. Personal Data Breach

9.1 Caura shall notify Customer without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting Customer Personal Data.

9.2 The notification shall, to the extent known at the time, describe: the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects and of records concerned; the name and contact details of a point of contact where more information can be obtained; the likely consequences of the Personal Data Breach; and the measures taken or proposed to address the Personal Data Breach, including where appropriate measures to mitigate its possible adverse effects.

9.3 Caura will update Customer as additional information becomes reasonably available.

10. International transfers

10.1 Caura is established in Israel, a country that benefits from an adequacy decision of the European Commission (Commission Decision 2011/61/EU). Transfers of Customer Personal Data from the EU/EEA to Caura in Israel therefore do not require additional transfer safeguards.

10.2 Where Caura or a Sub-processor Processes Customer Personal Data outside a jurisdiction with an adequacy determination, the transfer is made under one or more of the following mechanisms, in order of precedence: (a) the transferee's certification under the DPF (and its UK and Swiss extensions as applicable); (b) the SCCs (Module Two, Controller to Processor), together with the UK Addendum where applicable, which are incorporated into this DPA by reference; (c) any other valid transfer mechanism under Applicable Data Protection Laws.

10.3 Where the SCCs apply between the Parties, the Parties agree that:

— Clause 7 (docking) applies.

— Clause 9 (use of Sub-processors): Option 2, general written authorisation, with a 30-day notice period for changes, as set out in Section 6.3.

— Clause 11(a) optional language (independent redress mechanism) does not apply.

— Clause 17 (governing law of the SCCs): the law of Ireland.

— Clause 18 (choice of forum): the courts of Ireland.

— Annex I of the SCCs is populated by Annex I of this DPA; Annex II of the SCCs is populated by Annex II of this DPA; Annex III (if used) is populated by Annex III of this DPA.

10.4 Where the UK Addendum applies, Tables 1 to 3 of Part 1 incorporate by reference the information in the Annexes to this DPA, and Table 4 is completed such that neither Party may end the Addendum under its clause 19.

11. Return or deletion of Customer Personal Data

On termination or expiry of the Agreement, Caura shall, at Customer's election, return or delete Customer Personal Data and delete existing copies, unless Union or Member State law requires storage. Deletion shall be completed within 30 days of the effective date of termination, save that routine backup copies are overwritten on rotation within 90 days and will not be restored except in the event of a disaster.

12. Audits

12.1 Caura shall make available to Customer all information reasonably necessary to demonstrate compliance with its obligations under this DPA and Applicable Data Protection Laws, and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer.

12.2 Customer's audit right under 12.1 is satisfied where Caura provides, upon written request, its then-current security documentation (such as a security whitepaper, SOC 2 Type II report when available, a summary of the most recent penetration test, and relevant Sub-processor audit reports).

12.3 Only where the documentation made available under 12.2 does not reasonably resolve a specific, substantiated concern may Customer request an on-site audit. On-site audits shall be conducted no more than once per 12 months, on at least 30 days' prior written notice, during business hours, in a manner that does not unreasonably interfere with Caura's operations, subject to appropriate confidentiality undertakings, at Customer's cost. Caura may require that audits be conducted by a mutually acceptable independent auditor.

13. CCPA-specific terms

13.1 To the extent Caura Processes Personal Information governed by the CCPA, Caura is a "service provider" as defined in the CCPA.

13.2 Caura shall not: (a) sell or share Personal Information; (b) retain, use, or disclose Personal Information for any purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CCPA; (c) retain, use, or disclose Personal Information outside the direct business relationship between the Parties; or (d) combine Personal Information received from Customer with personal information received from any other source, except as permitted by section 7050(b) of the CCPA regulations.

13.3 Caura certifies that it understands the restrictions in 13.2 and will comply with them.

14. Israeli PPL

Caura shall Process Personal Data in accordance with the PPL and the Privacy Protection (Data Security) Regulations 5777-2017. Caura's database(s) containing Customer Personal Data are classified under those Regulations at a security level commensurate with the volume and categories of data Processed; the current classification is available on request.

15. Liability

The Parties' liability under this DPA is subject to the exclusions and limitations of liability set out in the Agreement. Nothing in this DPA excludes or limits liability that cannot be excluded or limited under Applicable Data Protection Laws.

16. Order of precedence

In the event of a conflict, the order of precedence is: (1) the SCCs (where applicable and to the extent of the conflict); (2) this DPA; (3) the Agreement.

17. Governing law and jurisdiction

Except as provided in Section 10.3 with respect to the SCCs, this DPA is governed by the laws of the State of Israel, and the competent courts of Tel Aviv-Yafo have exclusive jurisdiction over any dispute arising out of or relating to this DPA.

Annex I — Description of the processing

A. List of Parties

Data Exporter: the Customer identified in the Agreement, acting as Controller.

Data Importer: Caura Innovations Ltd (Israel), acting as Processor of the Customer Personal Data described below.

B. Description of transfer

Subject matter: provision of the MemClaw memory-storage service.

Duration: the term of the Agreement plus up to 30 days for return or deletion of Customer Personal Data.

Nature and purpose of the Processing: storage of agent memory content; semantic search; entity extraction; inference against LLM and embedding providers; retrieval on request; account authentication; billing-related administration.

Categories of Data Subjects: Customer's authorised users of the Services; end users and other individuals whose personal data Customer elects, in its sole discretion, to submit to the Services.

Categories of Personal Data: any personal data Customer chooses to submit through the Services. Caura does not require particular categories of personal data in order to provide the Services. Customer shall not submit Special Category Data (GDPR Article 9) or government identifiers through the Services unless Customer has implemented commensurate additional safeguards.

Special categories of data: not systematically processed.

Frequency of the transfer: continuous, as initiated by Customer's use of the Services.

C. Competent supervisory authority

Where the SCCs are invoked and Customer is established in the EU/EEA, the competent supervisory authority is that of the EU/EEA Member State in which Customer is established. Where no such authority is designated by Customer, the competent supervisory authority under the SCCs is the Irish Data Protection Commission.

Annex II — Technical and Organisational Security Measures

Caura maintains the following measures. Specific implementations may evolve provided that any change does not materially diminish the overall level of security.

1. Infrastructure security. The Services run on Google Cloud Platform. Persistent storage is encrypted at rest using Google-managed encryption keys on Cloud SQL (PostgreSQL), Cloud Storage, and Memorystore (Redis). All external and inter-service traffic is encrypted in transit using TLS 1.2 or later.

2. Tenant isolation. PostgreSQL Row-Level Security (RLS) policies enforce per-tenant isolation on all tables containing Customer data, with the relevant session variable (app.tenant_id) set and validated by the application.

3. Credential protection. End-user passwords are hashed using bcrypt with a per-user salt. API keys are stored as salted hashes and never returned after creation.

4. Access control. Least-privilege IAM on Google Cloud Platform; production access restricted to named engineers with two-factor authentication; break-glass access is logged and reviewed.

5. Authentication. Email + password with bcrypt hashing and rate limiting; optional GitHub OAuth; session tokens rotated on sensitive actions.

6. Network security. Public endpoints are placed behind Google Cloud load balancers and Cloud Armor; rate limiting is applied at the API gateway.

7. Logging and monitoring. Structured application logs are retained centrally on Google Cloud Logging. Authentication-event IP logs are purged after 90 days.

8. Backups. Automated database backups are retained up to 90 days on a rolling basis; backup storage is encrypted at rest. Restore procedures are tested at least quarterly.

9. Change management. Version control; peer-reviewed pull requests; CI with automated tests; immutable deployments to Cloud Run.

10. Personnel. Background checks where legally permitted; contractual confidentiality obligations; security-awareness training; documented offboarding process that revokes access within one business day.

11. Incident response. Documented incident-response runbook; 24×7 on-call rotation; breach notification to Customer within 72 hours of becoming aware (Section 9).

12. Business continuity. Multi-zone deployment within the hosting region; target recovery point objective (RPO) of 24 hours; target recovery time objective (RTO) of 24 hours.

13. Vendor management. Sub-processors are reviewed and contracted under written agreements before onboarding; the public list is maintained at /legal/subprocessors.

14. Return and deletion. Customer-initiated account deletion triggers a purge workflow across production systems within 30 days; backups are overwritten within 90 days on rotation.
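The tenant-isolation pattern described in item 2 of this Annex (PostgreSQL Row-Level Security keyed on the app.tenant_id session variable), shown as an added illustration that is not part of this DPA and is not Caura's actual schema or policy definitions; the table, column and role names and the tenant id value are assumed:

```sql
-- Illustrative RLS setup (assumed schema; not Caura's own definitions).
-- Table holding per-tenant memory content.
CREATE TABLE memories (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    content    text NOT NULL
);

ALTER TABLE memories ENABLE ROW LEVEL SECURITY;
-- FORCE so that even the table owner is subject to the policy.
ALTER TABLE memories FORCE ROW LEVEL SECURITY;

-- A row is visible (USING) and writable (WITH CHECK) only when its
-- tenant_id equals the session variable app.tenant_id.
-- current_setting(..., true) returns NULL instead of raising when the
-- variable is unset, and NULLIF maps the empty string (the value after a
-- RESET on a pooled connection) to NULL as well. NULL never compares equal,
-- so a request that forgot to set the tenant sees and writes no rows.
CREATE POLICY tenant_isolation ON memories
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Application role that must go through the policy: the application
-- connects as this role, never as a superuser or the table owner.
CREATE ROLE memclaw_app NOLOGIN;  -- assumed role name
GRANT SELECT, INSERT, UPDATE, DELETE ON memories TO memclaw_app;

-- Per request: the application validates the tenant id derived from the
-- authenticated session, then sets it with SET LOCAL so the value is scoped
-- to this transaction and cannot leak into the next request on a pooled
-- connection.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed value
SELECT id, content FROM memories;   -- returns only this tenant's rows
COMMIT;
```

A useful control check is to run the same SELECT on a fresh connection without SET LOCAL and confirm it returns zero rows rather than every tenant's data.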

Annex III — List of Sub-processors

The current list of Sub-processors approved to Process Customer Personal Data under this DPA is maintained at memclaw.net/legal/subprocessors and is incorporated into this Annex by reference. Changes are notified in accordance with Section 6.3.

Last updated: 2026-05-01. We may revise this document from time to time; material changes are notified to account owners at least 30 days in advance where required.