Data Processing Addendum

Where a business customer determines the purpose and means of processing personal data through Memrov, that customer is the controller or business and Memrov acts as processor or service provider. Where Memrov operates direct consumer accounts, Memrov may act as controller for those account operations.

• Memrov processes personal data to provide the contracted services, follow product settings, comply with documented instructions, secure the service, and meet legal obligations.
• Business customers are responsible for having a lawful basis, notices, consents, and rights workflows for data they send to Memrov.

Memrov maintains administrative, technical, and organizational measures designed to protect personal data, including access controls, managed cloud infrastructure, encryption where available, audit logging, scoped credentials, and deletion workflows.

• Memrov may use subprocessors listed on the Subprocessor List to provide the service.
• Memrov remains responsible for subprocessor performance under the applicable agreement.
• Business customers may receive notice and objection rights as described in their signed agreement.

Memrov will provide reasonable assistance for data subject requests, security reviews, impact assessments, deletion, export, and incident response where required by the applicable agreement and law.

At termination or on valid request, Memrov will delete or return personal data according to the product deletion workflow, agreement, and legal retention requirements.

If transfer safeguards are required, the parties will use legally recognized transfer mechanisms, such as standard contractual clauses or other approved safeguards, as applicable.

Memrov will notify affected customers of a confirmed personal data breach without undue delay and provide information reasonably available to support investigation and required notices.