Effective Date: December 6, 2025 • Version 1.0
This Data Processing Agreement establishes that you are the Controller of your data and DON Systems is only a Processor that handles data solely to provide the Service. We process data only during compression and retrieval operations — we do not store, train on, or access your original content beyond what's necessary to deliver memory compression functionality.
This Data Processing Agreement ("DPA") forms part of the Terms of Service and/or the applicable order form or written agreement between Customer and DON Systems LLC ("DON Systems"). This DPA applies only to the extent DON Systems processes Personal Data on behalf of Customer in the course of providing the Service.
If there is any conflict between this DPA and the Terms of Service, this DPA controls with respect to the subject matter of processing.
Customer is the "Controller" (or "Business," as applicable) of Personal Data included in Customer Content submitted to the Service. DON Systems is the "Processor" (or "Service Provider/Processor," as applicable) that processes such Personal Data on Customer's behalf.
Each party will comply with applicable data protection laws to the extent they apply to that party's role.
Capitalized terms not defined in this DPA have the meanings given in the Terms of Service. "Personal Data," "Processing," "Controller," "Processor," and related terms have the meanings given in applicable data protection law, including the GDPR where relevant.
"Customer Content" includes embeddings, compressed or collapsed representations, metadata, and graph relationships submitted to or generated by the Service in the course of providing memory compression and retrieval.
DON Systems processes data ONLY to provide the Service: storing, compressing, retrieving, and maintaining memory representations. We do not access, analyze, or store your original content beyond what's required for these operations.
DON Systems will process Personal Data only to provide, maintain, secure, and support the Service, including:
DON Systems will process Personal Data only on Customer's documented instructions. Customer's documented instructions include Customer's use of the Service, configurations and settings selected by Customer, and written instructions communicated through support channels that are consistent with the Terms and this DPA.
If DON Systems believes that an instruction violates applicable law, DON Systems will inform Customer unless prohibited by law.
DON Systems will ensure that personnel authorized to process Personal Data are subject to confidentiality obligations and receive appropriate training regarding confidentiality and security.
DON Systems will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. Those measures include:
Customer acknowledges that security is a shared responsibility. Customer remains responsible for security of systems under its control, including embedding generation practices, metadata hygiene, credential management, access controls, and client-side key storage.
We will NEVER use your Customer Content (including any Personal Data) to train, fine-tune, or improve machine learning models without your explicit written consent. Your data stays yours.
DON Systems will not use Customer Content, including Personal Data contained within Customer Content, to train, fine-tune, or improve machine learning models or foundation models for general use without Customer's express consent. If DON Systems seeks to use Customer Content for any model training purpose, it will do so only pursuant to a separate written agreement or an explicit consent mechanism that clearly describes the scope, duration, and purpose of such use.
This section does not restrict DON Systems from using de-identified or aggregated operational telemetry to maintain and improve the Service's reliability, security, and performance, provided such telemetry is not used to reconstruct Customer Content.
Customer authorizes DON Systems to engage subprocessors to process Personal Data as necessary to provide the Service. DON Systems will impose data protection obligations on subprocessors consistent with this DPA and remains responsible for their performance with respect to processing under this DPA.
As of the effective date, DON Systems' subprocessors for the hosted Service are described in Annex 3.
If DON Systems adds or replaces a subprocessor, it will provide notice consistent with the Terms and/or Privacy Policy. If Customer reasonably objects to a new subprocessor on data protection grounds, the parties will work in good faith to resolve the objection. If the objection cannot be resolved, Customer may terminate the affected portion of the Service without penalty for the remaining prepaid term, if any, as Customer's sole and exclusive remedy for that objection (unless otherwise agreed in writing).
Taking into account the nature of processing, DON Systems will provide reasonable assistance to Customer to enable Customer to respond to data subject requests where Customer cannot fulfill such requests independently through the Service.
If DON Systems receives a request directly from a data subject relating to Customer's Personal Data, DON Systems will, where legally permitted, direct the request to Customer and will not respond except as required by law.
DON Systems will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. DON Systems will provide information reasonably necessary for Customer to meet breach notification obligations, to the extent such information is available.
Customer acknowledges that an incident affecting service availability is not necessarily a Personal Data Breach unless it results in unauthorized access, disclosure, or loss of confidentiality or integrity.
To the extent Personal Data is transferred from the EEA/UK/Switzerland to a country not recognized as providing adequate protection, the parties will implement an appropriate transfer mechanism, such as Standard Contractual Clauses and/or the UK Addendum, as applicable. If Customer requires execution of SCCs, Customer may request them through support@donsystems.com.
Upon reasonable written notice and not more than once per year (unless required by law or following a material security incident), Customer may request information reasonably necessary to confirm DON Systems' compliance with this DPA. DON Systems may satisfy such requests by providing security summaries, written responses, or relevant third-party assessments where available, rather than permitting on-site audits.
Any on-site audit must be mutually agreed, conducted during normal business hours, subject to confidentiality, and must not unreasonably interfere with DON Systems operations or compromise security or confidentiality of other customers.
Upon termination, we will return or delete your Personal Data at your request. We do not retain your data beyond what's needed for export/recovery and standard backup rotation.
Upon termination of the Service, DON Systems will, at Customer's option and subject to the Service's capabilities and applicable law, return or delete Personal Data processed under this DPA. Unless otherwise specified in a signed agreement, DON Systems will delete Customer Content from active systems within a commercially reasonable period following termination, typically after a short post-termination window that allows export and recovery. Residual copies may remain in backups until overwritten pursuant to backup retention schedules.
Liability under this DPA is subject to the limitations of liability set forth in the Terms of Service or applicable master agreement, unless prohibited by applicable law.
If there is a conflict between this DPA and the Terms of Service, this DPA controls with respect to processing of Personal Data. If there is a conflict between this DPA and an order form or signed master agreement that explicitly governs data processing, the signed agreement controls.
Privacy and data protection inquiries: support@donsystems.com
Subject: "DPA Request" or "Privacy Request"
DON Systems LLC
3955 Watsonia Glen Dr.
El Dorado Hills, CA 95763
Subject Matter: Customer Content submitted to DMP, including embeddings, compressed or collapsed representations, associated metadata (such as timestamps, tenant identifiers, and conversation identifiers), and graph relationships formed for retrieval. Processing also includes limited operational telemetry necessary to provide and secure the Service.
Duration: Processing continues for the duration of Customer's subscription or agreement, plus any post-termination retention period required for export/recovery and backup rotation, as described in the Privacy Policy or applicable agreement.
Nature and Purpose: To provide persistent memory services, including storage, compression, retrieval, navigation, tenant isolation, authentication, operational logging for reliability and security, and customer support.
Data Subjects: Customer's end users, employees, contractors, or other individuals whose data Customer chooses to encode or reference through embeddings or metadata.
Categories of Personal Data: Depends on Customer's use. May include identifiers if Customer encodes them, and may include information embedded or inferable through embeddings and metadata. The Service does not require Customer to submit original text.
Special Categories: Special categories of data are not intended to be processed under the default Service and are prohibited unless explicitly agreed in writing.
DON Systems maintains measures designed to protect confidentiality, integrity, and availability of Personal Data. These measures include:
DON Systems may update these measures over time to improve security and resiliency, provided changes do not materially reduce overall protection.
As of the effective date, DON Systems uses the following subprocessors in connection with the hosted Service:
DON Systems may update this list from time to time in accordance with notice provisions in the Terms and/or Privacy Policy.