Effective: 2026-05-01
Caura Innovations Ltd ("Caura") engages the sub-processors listed below to help provide the MemClaw Service. Each sub-processor is bound by a written agreement that imposes data-protection obligations no less protective than those in our Data Processing Addendum.
Change notifications. We provide at least 30 days' prior notice before adding or replacing a sub-processor that Processes Customer Personal Data. To subscribe to updates, email privacy@caura.ai with the subject line "Subprocessor Updates".
| Sub-processor | Legal entity & country | Purpose | Data categories | Transfer mechanism |
|---|---|---|---|---|
| Google Cloud Platform | Google Ireland Ltd (IE) / Google LLC (US) | Primary hosting: Cloud Run (compute), Cloud SQL (PostgreSQL), Memorystore (Redis), Secret Manager, Cloud Logging. Production data resides in us-central1, United States. | All Customer Data, account data, server logs | EU-US Data Privacy Framework + SCCs (Google DPA) |
| OpenAI | OpenAI, L.L.C. (US) | Embeddings and entity-extraction inference on Customer-submitted memory content. | Memory content payloads at inference time | EU-US DPF + SCCs (OpenAI DPA); zero retention on the OpenAI API per OpenAI API data-usage terms |
| Google Vertex AI | Google LLC (US) | LLM inference and embeddings on Customer-submitted memory content — available as an alternate provider to OpenAI and used in the MemClaw Enterprise edition. | Memory content payloads at inference time | Covered by Google DPA (DPF + SCCs) as a Google Cloud service |
| Paddle | Paddle.com Market Ltd (UK) / Paddle Inc (US) | Merchant-of-Record billing: checkout, subscription management, tax collection, chargeback handling. | Buyer name, email, billing address, card metadata (Caura does not receive PAN) | Paddle is the Controller of record for payment data; Caura receives limited billing metadata under Paddle's DPA |
| SendGrid | Twilio Inc (US) | Transactional email delivery — verification, password reset, billing notices. | Recipient email address, subject line, message metadata | EU-US DPF + SCCs (Twilio DPA) |
| GitHub | GitHub, Inc. (US) | Optional federated OAuth sign-in for the MemClaw dashboard. | GitHub username, email, user ID, avatar URL | EU-US DPF + SCCs |
Caura may engage affiliates (entities under common control with Caura) as sub-processors. Any such engagement is subject to the same contractual data-protection obligations and is included in change notifications under Section 6 of the DPA.
Customer Data at rest resides in Google Cloud Platform's us-central1 region (United States). Caura itself is established in Israel, a jurisdiction covered by European Commission adequacy decision 2011/61/EU.