Data Processing Agreement
GDPR Article 28 Compliant · Effective Date: 5 April 2026 · Governing Law: New Zealand
For B2B Customers
This DPA applies when you use Parametric Memory to process personal data on behalf of your own end users. It is incorporated by reference into your subscription agreement. To execute a signed DPA for your records, contact legal@parametric-memory.dev.
1. Definitions
- Controller: The entity (you, the Customer) that determines the purposes and means of processing Personal Data.
- Processor: Parametric Memory Limited, which processes Personal Data on the Controller's behalf.
- Data Subject: Any identified or identifiable natural person whose Personal Data is processed.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on Personal Data (collection, storage, use, disclosure, erasure, etc.).
- Breach of Security: Accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
- Sub-processor: Any party engaged by Parametric Memory to process Personal Data on its behalf.
2. Scope & Role Definition
Customer (as Controller) appoints Parametric Memory (as Processor) to process Personal Data solely in accordance with the subscription agreement and this DPA, and only on documented instructions from Customer. Parametric Memory does not determine the purposes or means of processing — that responsibility rests solely with Customer.
3. Customer's Obligations as Controller
Customer is responsible for establishing a lawful basis for processing each category of Personal Data, providing privacy notices to Data Subjects that include information about processing by Parametric Memory, ensuring Personal Data is accurate and subject to lawful retention schedules, and complying with all applicable data protection law in its jurisdiction.
Customer must not intentionally process special categories of Personal Data (health, biometric, racial/ethnic origin, etc.) without documented lawful basis and prior written agreement with Parametric Memory.
4. Parametric Memory's Obligations as Processor
4.1 Processing on Instructions Only
We process Personal Data only on documented written instructions from Customer and for no other purpose. If we receive an instruction that we believe violates applicable law, we will notify Customer and may refuse to execute the instruction pending clarification.
4.2 Personnel Confidentiality
All personnel with access to Personal Data are bound by legally binding confidentiality obligations that survive termination of employment, and are trained on data protection obligations.
4.3 Security Measures
Parametric Memory implements and maintains:
- Encryption in transit: TLS 1.2 or higher for all data transfer
- Encryption at rest: AES-256 on all DigitalOcean infrastructure
- Access controls: Role-based access control (RBAC); MFA required for system access; access logs retained for 12 months
- Merkle proof integrity: Cryptographic verification of memory atom integrity; tampering is detectable and triggers immediate alerts
- Substrate isolation: Each customer's substrate is logically isolated; cross-tenant data access is architecturally prevented
- Incident response: Security incidents involving Personal Data are escalated and investigated within 24 hours of discovery
- Regular testing: Quarterly penetration testing and vulnerability scans by independent third parties; results available to Customer on request
4.4 Sub-processor Management
Current approved sub-processors (Customer is deemed to have consented):
| Sub-processor | Location | Purpose |
|---|---|---|
| DigitalOcean, Inc. | USA (Virginia) | Cloud infrastructure, compute, storage, backups |
| Stripe, Inc. | USA | Payment processing, billing, fraud prevention |
| Resend, Inc. | USA | Transactional email delivery |
We will provide at least 30 days’ written notice before adding or replacing a sub-processor. Customer may object on reasonable grounds within that period; if unresolved, Customer may terminate the affected service. We remain fully liable for sub-processor compliance.
4.5 Data Subject Rights Assistance
Upon Customer's documented request, we will assist in responding to Data Subject requests within the following timeframes:
- Access (GDPR Art. 15 / CCPA): Provide relevant Personal Data within 10 business days
- Rectification (GDPR Art. 16): Modify or correct inaccurate data on instruction
- Erasure (GDPR Art. 17 / CCPA): Delete or anonymize Personal Data; purge backups within 30 days; provide written confirmation
- Restriction (GDPR Art. 18): Cease active processing while retaining data pending resolution
- Portability (GDPR Art. 20): Provide Personal Data in structured JSON format within 20 business days
- Objection (GDPR Art. 21): Notify Customer immediately; cease processing pending instructions
Parametric Memory does not use Personal Data for solely automated decision-making that produces legal or similarly significant effects.
4.6 Breach Notification
Upon discovery of a Breach of Security, we will notify Customer in writing within 72 hours with: description of the breach, categories and approximate number of Data Subjects affected, likely consequences, measures taken to remediate, and contact details for follow-up. We will provide daily updates until resolved.
Customer is responsible for notifying the Competent Authority (data protection regulator) and affected Data Subjects where required by law.
4.7 DPIA Assistance
Upon request, we will provide information about our processing activities, security measures, and retention periods to support Customer's Data Protection Impact Assessment.
4.8 Deletion & Return of Data on Termination
Upon termination, we will at Customer's election: (a) securely delete all Personal Data and memory atoms (including backups) within 30 days, with written certification; or (b) return all Personal Data in structured JSON format within 20 business days. We may retain data as required by law (legal hold, regulatory investigations), and will notify Customer unless prohibited.
4.9 Audit Rights
Customer may conduct one audit per year (or more following an incident), with 10 business days’ written notice. Audits cover security measures, processing records, and access logs. Customer bears the cost of additional audits beyond the annual right. We will address critical findings within 30 days.
5. International Data Transfers
5.1 EU to New Zealand
New Zealand holds an adequacy decision from the European Commission (reaffirmed 2024). Personal Data can transfer from EU Member States to Parametric Memory in New Zealand without additional safeguards under GDPR Article 45.
5.2 Beyond New Zealand (to US Sub-processors)
Transfers to US-based sub-processors are governed by their respective Data Processing Agreements and Standard Contractual Clauses (EU Commission Decision 2021/914), incorporated by reference. SCCs are available in signed form on request.
5.3 UK Transfers
Transfers to New Zealand are permitted under the UK Data Protection Act 2018. Downstream transfers to US sub-processors are governed by UK International Data Transfer Agreement templates.
6. Regulatory Compliance
6.1 GDPR
This DPA complies with GDPR Chapter II, Section 5, including Article 28 (Processor Obligations). Both parties acknowledge that GDPR applies to processing of EU resident Personal Data.
6.2 Australian Privacy Act
Parametric Memory commits to: implementing security consistent with APP 11, assisting with access requests under APP 12, and notifying Customer of Breaches of Security under the Notifiable Data Breaches scheme.
6.3 CCPA/CPRA Service Provider Obligations
Parametric Memory is a “Service Provider” under CCPA/CPRA. We process Personal Information solely on Customer's documented instructions, do not sell or share Personal Information, do not retain or use Personal Information outside the direct business relationship, and do not combine Personal Information with information from other sources except as required to provide the service. See Exhibit A below for the full CCPA Service Provider Addendum.
7. Liability
Parametric Memory is fully liable to Customer for: breaches of confidentiality by our personnel, unauthorized access or disclosure of Personal Data, failure to implement required security measures, failure to honor Data Subject rights, failure to notify of Breaches of Security, and unauthorized sub-processor engagement. Liability for data protection breaches is not capped and is assessed in accordance with applicable law.
8. Term & Termination
This DPA commences on the subscription effective date and continues for the duration of the subscription agreement. Upon termination, we cease processing Personal Data (except as required by law) and delete or return data per Section 4.8.
9. Governing Law
This DPA is governed by New Zealand law. Disputes are subject to NZ courts. Either party may file a complaint with a Competent Authority (data protection regulator) at any time; we commit to cooperating fully with regulatory investigations.
10. Order of Precedence
In the event of conflict: this DPA takes precedence over the Terms of Service, which takes precedence over any other ancillary agreements. This DPA prevails over the Terms of Service with respect to data protection obligations.
Exhibit A — CCPA/CPRA Service Provider Addendum
Parametric Memory certifies that it is a “Service Provider” under Cal. Civ. Code § 1798.140(ag) and CPRA. We:
- Process Personal Information only on documented instructions from Customer
- Do not sell or share Personal Information (Cal. Civ. Code § 1798.140(t) and § 1798.140(ai))
- Do not retain, use, or disclose Personal Information outside the direct business relationship
- Do not combine Personal Information with data received from other customers or sources except as required to provide services
- Ensure sub-contractors agree to the same restrictions
- Certify compliance annually and permit audit on 10 business days’ notice
To execute a signed copy of this DPA and Addendum, contact legal@parametric-memory.dev.
Parametric Memory Limited · New Zealand · legal@parametric-memory.dev