← HippocortexLegal

Data Processing Agreement

Last updated: 14 March 2026

1. Parties and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between:

  • Data Controller ("Controller"): The customer who uses the Hippocortex Services and determines the purposes and means of processing personal data through the Services.
  • Data Processor ("Processor"): OPENGATE TECHNOLOGY LTD., a private limited company registered in England and Wales (company number 17056279), with its registered office at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ.

This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the Hippocortex Services, in compliance with Article 28 of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018.

This DPA applies automatically to all customers who use the Services to process personal data. Enterprise customers may request a separately executed version of this DPA.

2. Definitions

In this DPA, the following terms have the meanings given below. Terms not defined here have the meanings given in the GDPR or the Terms of Service:

"Personal Data"has the meaning given in Article 4(1) of the GDPR: any information relating to an identified or identifiable natural person.
"Processing"has the meaning given in Article 4(2) of the GDPR: any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, and erasure.
"Data Subject"an identified or identifiable natural person whose personal data is processed.
"Sub-processor"a third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.
"Customer Data"all data submitted by the Controller to the Services, including events, memories, artifacts, and any metadata, which may include Personal Data.
"Data Breach"a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

3. Processing Details

The details of the processing carried out under this DPA are as follows:

Subject matter:Provision of memory infrastructure services for AI agents, including event capture, knowledge compilation, and context synthesis.
Duration:For the term of the Service agreement plus 30 days for data export, plus up to 90 days for complete deletion from backups.
Nature and purpose:Receiving, validating, queuing (via Redis), persisting (to PostgreSQL), indexing, compiling into knowledge artifacts, and retrieving agent event data to provide memory and context synthesis capabilities.
Types of Personal Data:As determined by the Controller's use of the Services. May include: names, contact information, identifiers, or any other personal data included in agent event payloads by the Controller.
Categories of Data Subjects:As determined by the Controller's use of the Services. May include: end users interacting with the Controller's AI agents, employees, contractors, or other individuals whose data is processed through agent interactions.

4. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. The Terms of Service and the Controller's use of the API constitute the Controller's instructions for processing.
  • Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organisational security measures as described in Section 7 of this DPA and our Security Policy.
  • Not engage another processor (sub-processor) without prior specific or general written authorisation of the Controller. In the case of general authorisation, the Processor shall inform the Controller of any intended changes and provide the opportunity to object.
  • Assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR (access, rectification, erasure, restriction, portability, objection).
  • Assist the Controller in ensuring compliance with the obligations relating to security of processing, notification of data breaches, data protection impact assessments, and prior consultation with supervisory authorities (Articles 32 to 36 of the GDPR).
  • At the choice of the Controller, delete or return all Personal Data upon termination of the Services, and delete existing copies unless retention is required by applicable law.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.

5. Controller Obligations

The Controller shall:

  • Ensure that there is a lawful basis for each category of Personal Data submitted to the Services.
  • Provide all necessary notices to Data Subjects regarding the processing of their data through the Services.
  • Be responsible for the accuracy, quality, and legality of all Customer Data submitted to the Services.
  • Comply with all applicable data protection laws in relation to the processing of Personal Data and the use of the Services.

6. Sub-processors

The Controller provides general authorisation for the Processor to engage sub-processors, subject to the following conditions:

The Processor currently uses the following sub-processors:

Neon Inc.USAPostgreSQL database hosting (events, memories, artifacts, account data)
Upstash Inc.USA / EURedis hosting (job queues, rate limiting, ephemeral caching)
Vercel Inc.USA / GlobalWebsite and dashboard hosting, CDN
Stripe Inc.USAPayment processing and subscription management
Clerk Inc.USAAuthentication services for website and dashboard

The Processor shall notify the Controller of any intended changes to the sub-processor list at least 30 days before engagement. The Controller may object to a new sub-processor within 14 days of notification. If the Controller objects and the parties cannot reach agreement, the Controller may terminate the affected Services.

Sub-processors are bound by written agreements that impose data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of the sub-processor's obligations.

7. Technical and Organisational Measures

The Processor implements and maintains the following technical and organisational measures to ensure a level of security appropriate to the risk:

  • Encryption in transit: TLS 1.3 for all client-to-server and service-to-service communication.
  • Encryption at rest: AES-256 encryption for all stored data, including databases and backups.
  • Tenant isolation: Logical isolation at database, cache, queue, and application layers. Cross-tenant data access is prevented architecturally through tenant-scoped queries.
  • Access control: API key authentication with scoped permissions (read, write, admin). Keys hashed with SHA-256. Dashboard access secured with JWT and Argon2id password hashing.
  • Rate limiting: Per-key and per-tenant rate limits to prevent abuse and ensure availability.
  • Input validation: Strict schema validation on all API inputs. Parameterised database queries to prevent injection attacks.
  • Monitoring: Continuous health monitoring of all subsystems (PostgreSQL, Redis, workers). Prometheus metrics collection. Configurable alerting for anomalies and degradation.
  • Incident response: Documented incident response procedures with detection, triage, containment, notification, and post-mortem phases.

Full details are available in our Security Policy.

8. Data Breach Notification

In the event of a Data Breach involving Customer Data, the Processor shall:

  • Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, providing:

(a) A description of the nature of the breach, including categories and approximate numbers of Data Subjects and records affected

(b) The name and contact details of the Processor's contact point for further information

(c) A description of the likely consequences of the breach

(d) A description of the measures taken or proposed to address the breach, including measures to mitigate its adverse effects

  • Cooperate with the Controller in investigating and remediating the breach
  • Take immediate steps to contain the breach and minimise ongoing risk
  • Not notify Data Subjects directly without the Controller's prior written approval, unless required by applicable law

9. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR and allow for and contribute to audits and inspections.

Audits are subject to the following conditions:

  • The Controller must provide at least 30 days' written notice before an audit
  • Audits shall be conducted during normal business hours (Monday to Friday, 9:00 to 17:00 GMT)
  • The Controller may conduct no more than one audit per 12-month period, unless a Data Breach has occurred or a supervisory authority requires an audit
  • The auditor must sign a confidentiality agreement before gaining access to any information
  • The Processor may satisfy audit requests by providing relevant third-party audit reports (e.g., SOC 2 reports) or certifications where available

10. Cross-Border Transfers

The Processor is based in England. Some sub-processors operate in the United States. Where Personal Data is transferred outside the United Kingdom or the European Economic Area, the Processor ensures appropriate safeguards are in place:

  • UK and EU adequacy decisions for the recipient country
  • Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision 2021/914) and the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, as applicable
  • The EU-US Data Privacy Framework and UK Extension, where the sub-processor is certified

The Processor conducts transfer impact assessments for each sub-processor located outside the UK/EEA to verify that the safeguards provide an essentially equivalent level of protection. Copies of the relevant transfer safeguards are available upon request.

11. Return and Deletion of Data

Upon termination of the Services or upon the Controller's written request:

  • The Processor shall make Customer Data available for export through the API for a period of 30 days following termination.
  • After the 30-day export period, the Processor shall delete all Customer Data from active systems within 30 days.
  • Deletion is propagated to all backup and disaster recovery systems within 90 days.
  • The Processor shall provide written confirmation of deletion upon the Controller's request.
  • Data may be retained beyond these periods only where required by applicable law (e.g., tax records, legal holds). The Controller will be informed of such retention and its legal basis.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. The Processor is liable to the Controller for damages caused by processing that does not comply with the GDPR or this DPA. The Processor is exempt from liability if it proves it is not in any way responsible for the event giving rise to the damage.

13. Term and Termination

This DPA takes effect when the Controller begins using the Services and remains in effect for the duration of the Controller's use of the Services. The obligations of the Processor regarding data deletion and return survive termination as described in Section 11.

14. Governing Law

This DPA is governed by the laws of England and Wales, consistent with the governing law provisions of the Terms of Service.

15. Contact

For DPA-related inquiries, sub-processor list requests, or to request a separately executed copy of this DPA:

OPENGATE TECHNOLOGY LTD.

71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

DPA inquiries: dpa@hippocortex.dev

Legal: legal@hippocortex.dev

Data Protection Contact: dpo@hippocortex.dev