Data Processing Agreement

Last reviewed: September 2025  ·  memosight AdAgent is a product by Decision Foundry

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Memosight, operated by Decision Foundry™ ("Processor" or "Memosight"), and governs the processing of personal data by Memosight on your behalf in connection with the Memosight AdAgent Service.

This DPA applies where and to the extent that Memosight processes personal data that is subject to applicable data protection law, including the EU General Data Protection Regulation (EU GDPR) 2016/679.

1. Definitions

  • Data Transfer: Any movement of personal data between the Controller and Processor, or to a Sub-processor, including across national boundaries.
  • EU GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council, governing the protection of natural persons with regard to the processing of personal data.
  • Controller: The entity that determines the purposes and means of processing personal data (i.e., you, the customer).
  • Processor: The entity that processes personal data on behalf of the Controller (i.e., Memosight / Decision Foundry™).
  • Sub-processor: Any third party engaged by the Processor to assist in processing personal data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person processed under this DPA.

2. Scope and Nature of Processing

Memosight processes personal data strictly as instructed by the Controller in order to provide the Memosight AdAgent Service. The types of personal data processed may include:

  • User account data (names, email addresses)
  • Google Ads campaign performance data associated with user accounts
  • Uploaded documents (media plans) that may contain personal or business data
  • Usage and audit logs

Processing activities include: storage, retrieval, analysis, aggregation, and AI-assisted interpretation of campaign data to generate insights and recommendations for the Controller.

3. Controller Obligations

The Controller warrants and represents that:

  • It has a lawful basis for sharing personal data with Memosight
  • It has obtained all necessary consents or other legal bases required for the processing described in this DPA
  • It will promptly notify Memosight of any data subject requests, regulatory enquiries, or complaints relating to the processing of personal data under this DPA
  • It will ensure its instructions to Memosight comply with applicable data protection law

4. Processor Obligations

Memosight agrees to:

  • Process personal data only on documented instructions from the Controller, except where required by law
  • Ensure that personnel authorised to process personal data are subject to appropriate confidentiality obligations
  • Implement and maintain appropriate technical and organisational security measures as described in Section 6
  • Assist the Controller in fulfilling its obligations regarding data subject rights requests, data breach notifications, and data protection impact assessments
  • Delete or return all personal data to the Controller upon termination of the Service, as directed, within 30 days
  • Provide all information necessary to demonstrate compliance with this DPA and cooperate with audits conducted by the Controller or an authorised auditor

5. Sub-processors

The Controller provides general authorisation for Memosight to engage sub-processors. Current approved sub-processors are:

  • Amazon Web Services (AWS): Cloud hosting, database, storage, and email delivery infrastructure
  • Microsoft Azure / Microsoft 365: Authentication services (Azure AD / OIDC)

Memosight will provide the Controller with at least 30 days' written notice before engaging a new sub-processor or replacing an existing one, giving the Controller the opportunity to object. Sub-processors are bound by data processing obligations substantially equivalent to those in this DPA.

6. Technical and Organisational Security Measures

Memosight implements the following security measures:

  • Alignment with ISO/IEC 27001:2022 information security management principles
  • Annual risk assessments and security reviews
  • Multi-factor authentication for all administrative access
  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest
  • Row-level security (RLS) for multi-tenant data isolation
  • Documented incident response procedures
  • Role-based access controls (RBAC) limiting data access to authorised personnel only

7. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, Memosight will notify the Controller without undue delay after becoming aware of the breach, and in any event within 72 hours where feasible. The notification will include:

  • A description of the nature of the breach
  • The categories and approximate number of data subjects and records concerned
  • Contact details for the data protection point of contact
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

8. Data Subject Rights

Where Memosight receives a request directly from a data subject relating to personal data processed under this DPA, it will promptly forward the request to the Controller. Memosight will provide reasonable assistance to the Controller in responding to such requests, including access, correction, deletion, restriction, and portability requests.

9. Audit Rights

The Controller may audit Memosight's compliance with this DPA upon 30 days' written notice, no more than once per calendar year, at the Controller's cost. Audits must be conducted during business hours, in a manner that minimises disruption to Memosight's operations, and subject to appropriate confidentiality obligations.

10. International Transfers

Where personal data is transferred outside the European Economic Area, Memosight will ensure appropriate safeguards are in place, including, where applicable, use of Standard Contractual Clauses as approved by the European Commission.

11. Term and Termination

This DPA remains in effect for as long as Memosight processes personal data on behalf of the Controller. Upon termination of the Service agreement, Memosight will, at the Controller's election, return or securely delete all personal data within 30 days, unless retention is required by applicable law.

12. Governing Law

This DPA is governed by the laws of the State of New York, United States, consistent with the Terms of Service.

13. Contact

For data protection enquiries relating to this DPA:

Memosight (a product of Decision Foundry™)
New York, NY
Email: privacy@memosight.com
Phone: +1 646 396 0346