Memraiq
Data Processing Addendum
1. Scope and applicability
This Data Processing Addendum ("DPA") applies when Memraiq, operated by Ri-Tech, processes personal data on behalf of a customer organisation in the course of providing the Memraiq platform services.
This DPA supplements the Terms of Service and applies where applicable data protection laws require a data processing agreement between the parties. Where there is a separately executed enterprise agreement, the terms of that agreement take precedence over this DPA in the event of conflict.
2. Roles
Data controller: The customer organisation that subscribes to Memraiq and determines the purposes and means of processing personal data uploaded to or generated within the platform.
Data processor: Ri-Tech, acting on the instructions of the customer to operate the platform and process data on the customer's behalf.
3. Processing activities
Ri-Tech processes the following categories of data on behalf of the customer:
Document content
Text extraction, chunking, embedding, and knowledge graph construction for retrieval
User account data
Authentication, access control, member management, and transactional emails
Conversation history
Storage and retrieval of chat history scoped to the customer workspace
API usage logs
Billing where applicable, abuse prevention, security, internal reliability monitoring, and support — not customer-facing cost or component health analytics
Duration: Processing continues for the duration of the customer's subscription and for up to 90 days after termination (to allow for backup purge cycles).
4. Customer instructions
Ri-Tech processes personal data only on the documented instructions of the customer, as expressed through:
- —Actions performed within the platform (uploading documents, inviting members, document ingestion and indexing)
- —Configuration settings (model selection, workspace settings)
- —These Terms of Service and this DPA
- —Any separately executed enterprise agreement
If Ri-Tech is required by applicable law to process personal data in a way that conflicts with customer instructions, we will notify the customer to the extent permitted by law before proceeding.
5. Security measures
Ri-Tech maintains the following technical and organisational security measures:
—Passwords hashed with bcrypt at rest
—API keys encrypted with Fernet symmetric encryption
—JWT authentication with 15-minute token expiry
—httpOnly refresh tokens with 30-day TTL
—All data in transit encrypted over HTTPS/TLS
—Role-based access control at organisation level
—No cross-tenant data access at any layer
—Workspace-scoped data isolation in all storage layers
—Access controls for platform admin functions
—Structured logging for security event audit
6. Sub-processors
Ri-Tech uses the following sub-processors to deliver the platform. Customer acknowledges and authorises use of these sub-processors by accepting this DPA:
| Sub-processor | Role | Location |
|---|---|---|
| Supabase | Application database and file storage | AWS (region configurable) |
| Qdrant Cloud | Vector storage for semantic search | Configurable |
| Neo4j Aura | Knowledge graph database | Configurable |
| Anthropic | LLM inference (Claude models) | United States |
| OpenAI | Embeddings and LLM inference | United States |
| Paystack | Payment and subscription billing | Nigeria / Global |
| Resend | Transactional email delivery | United States |
Ri-Tech will notify customers at least 14 days before adding a new sub-processor that processes personal data. Customers may object in writing to a new sub-processor. If the objection cannot be resolved, either party may terminate the subscription with 30 days' notice.
7. Data subject rights
Ri-Tech will assist the customer in responding to data subject requests where technically feasible:
- —Access requests: data subject data can be exported from workspace settings
- —Deletion requests: documents, conversations, and user accounts can be deleted by organisation admins
- —Correction requests: account information can be updated in profile settings
- —Portability: workspace document exports are available from the platform
For requests that require Ri-Tech's involvement beyond what the customer can self-serve, contact hello@memraiq.com. We will respond within 30 days.
8. Breach notification
In the event of a personal data breach, Ri-Tech will notify the affected customer without undue delay and in any case within 72 hours of becoming aware of the breach. The notification will include: the nature of the breach, categories of data involved, approximate number of individuals affected, likely consequences, and measures taken or proposed to address the breach.
9. Data location and deletion
Data is stored primarily on Supabase (AWS, region configurable) for application data and files, Qdrant Cloud for vectors, and Neo4j Aura for graph data. Enterprise customers may request specific regional configurations.
On termination of the subscription or receipt of a deletion request:
- —Customer data is deleted from production systems within 30 days
- —Backup copies are purged within 90 days
- —Ri-Tech will confirm deletion in writing on request
10. Audit rights
Enterprise customers may request the following to support their compliance obligations:
- —Security documentation and architecture overview
- —Written responses to security questionnaires
- —Sub-processor list with last-updated date
- —Confirmation of security measures applicable to their data
Audit requests should be submitted to hello@memraiq.com. On-site audits are not supported for Free or Pro plans; they may be arranged for Enterprise customers under a separate agreement.
11. Contact
For DPA-related enquiries, data subject assistance, or breach notification, contact hello@memraiq.com.