Data Processing Agreement (template)

Art. 28 GDPR · Version 1.0 · June 2026

This template covers LongMem acting as a processor for your (the customer's/controller's) personal data. To execute it, contact [email protected]. It summarizes the standard terms; the executed agreement prevails.

1. Parties and roles

Controller: the customer. Processor: 11data ("LongMem"), [email protected]. The processor processes personal data only on the controller's documented instructions (Art. 28(3)(a)) — in LongMem's case, instructions are expressed through API calls and configuration.

2. Subject matter, nature and purpose

Provision of a memory/context API for AI applications: storage, indexing (embeddings + knowledge-graph extraction), retrieval, and lifecycle management of content the controller submits.

3. Duration

For the life of the customer account. On termination, data is deleted (or exported on request first) — see §8.

4. Types of data and data subjects

Data types: whatever content the controller submits (text, files, metadata) — potentially any category, determined by the controller; account email; usage records.
Data subjects: the controller's users and other persons referenced in submitted content, as determined by the controller.

5. Technical and organisational measures (TOMs)

Measure	Implementation
Tenant isolation	Postgres row-level security in FORCE mode on all tenant tables; non-privileged application database role
Credential protection	API keys stored as SHA-256 hashes only; customer-supplied credentials (BYO storage/DB/LLM) encrypted at rest (Fernet)
Transport	TLS for all external traffic
Hosting	EU (Germany, Hetzner); EU-resident object storage
Data minimisation	cookieless analytics (path/referrer only), no content in logs
Residency options	BYO storage, database, and LLM let the controller keep bytes and AI processing on their own infrastructure
Monitoring	uptime checks, per-route metrics, structured error logs (content-free)

6. Sub-processors (Art. 28(2),(4))

The current list is maintained in the privacy policy (Hetzner DE; OpenAI US — avoidable via BYO; Stripe; Resend; Cloudflare). The processor notifies the controller of intended changes and the controller may object on reasonable grounds.

7. Assistance (Arts. 32–36)

The processor assists the controller with data-subject requests (export and erasure are self-service via the API), with security of processing, and with breach notification — undue-delay notice to the controller upon becoming aware of a personal data breach.

8. Deletion and return (Art. 28(3)(g))

Self-service at any time: GET /v1/memory/admin/export (full JSON) and POST /v1/memory/admin/delete-account (irreversible erasure incl. stored files). Backups expire within 30 days.

9. Audit (Art. 28(3)(h))

The processor makes available the information reasonably necessary to demonstrate compliance and allows audits by the controller or a mandated auditor, with reasonable notice and at most annually unless an incident warrants otherwise.

10. Confidentiality

Persons authorised to process the data are bound to confidentiality (Art. 28(3)(b)).