Legal
Data Processing Agreement
Effective date: 1 March 2025 · Last updated: 1 March 2025
Note: This Data Processing Agreement forms part of the Terms of Service between Arion Flow Ltd and the Customer. By using Mnemo, the Customer agrees to the terms of this DPA. Enterprise customers may request a countersigned DPA by contacting legal@arionflow.com.
1. Definitions
Customer / Controller
The organisation that has entered into the Terms of Service with Arion Flow and that determines the purposes and means of processing personal data.
Arion Flow / Processor
Arion Flow Ltd, which processes personal data on behalf of the Controller to deliver the Mnemo service.
Data Protection Legislation
UK GDPR (as defined in the UK Data Protection Act 2018) and, where applicable, EU GDPR (Regulation 2016/679).
Personal Data
Any information relating to an identified or identifiable natural person, as defined in applicable Data Protection Legislation.
Processing
Any operation performed on personal data, including collection, storage, retrieval, use, and deletion.
2. Subject matter and duration
Subject matter: The processing of personal data necessary to provide the Mnemo knowledge management platform and associated services.
Duration: For the term of the Customer's subscription to Mnemo, and thereafter as required to fulfil deletion obligations as specified in this DPA.
Nature of processing: Storage, indexing, retrieval, and display of document content and user activity data via the Mnemo platform.
3. Purpose of processing
Arion Flow processes personal data solely for the purpose of providing the Mnemo service to the Customer, including: user authentication and access management, document storage and indexing, AI-assisted retrieval and response generation, audit logging, and platform support. Arion Flow will not process personal data for any other purpose without the Customer's written instruction.
4. Types of personal data and data subjects
Types of personal data processed:
- User account data: name, email address, job title
- User activity data: login events, queries submitted, documents accessed, timestamps
- Document content: text contained in documents uploaded by the Customer, which may include references to individuals
Categories of data subjects: The Customer's employees, contractors, and clients whose data is contained in uploaded documents.
5. Obligations and rights of the Controller
The Customer (Controller) agrees to:
- Ensure that personal data provided to Arion Flow has been collected and may be processed in accordance with applicable Data Protection Legislation
- Provide Arion Flow with documented instructions for processing personal data
- Ensure that data subjects have been informed of the processing in accordance with their rights
- Respond to data subject rights requests in a timely manner
- Notify Arion Flow immediately of any security incident relating to the Mnemo platform
6. Obligations of the Processor (Arion Flow)
Arion Flow agrees to:
- Process personal data only on the documented instructions of the Customer
- Ensure that persons authorised to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (see Section 8)
- Assist the Customer in complying with data subject rights requests
- Delete or return personal data on termination of the agreement (see Section 11)
- Provide the Customer with all information necessary to demonstrate compliance with GDPR Article 28
- Not transfer personal data outside the UK or EU without appropriate safeguards
7. Sub-processors
Arion Flow uses the following approved sub-processors. The Customer gives general authorisation for Arion Flow to engage these sub-processors:
- Supabase Inc.: Database infrastructure and authentication
- Stripe Inc.: Payment processing (billing data only)
- Vercel Inc.: Application hosting
Arion Flow will notify the Customer at least 30 days in advance of any changes to this sub-processor list. The Customer may object to new sub-processors within 14 days of notification.
8. Security measures
Arion Flow implements the following technical and organisational measures:
- Encryption of personal data in transit using TLS 1.2 or higher
- Encryption of personal data at rest using AES-256
- Row-level data isolation between customers at the database layer
- SHA-256 integrity hashing for all stored document blobs
- Role-based access control (RBAC) for all platform functions
- Comprehensive audit logging of all data access events
- Regular security testing and vulnerability assessment
- Access to production systems restricted to authorised personnel with MFA
9. Personal data breach notification
In the event of a personal data breach affecting the Customer's data, Arion Flow will notify the Customer without undue delay and in any event within 24 hours of becoming aware of the breach. Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed. We will assist the Customer in making any required notifications to supervisory authorities or data subjects.
10. Audit rights
The Customer may audit Arion Flow's compliance with this DPA by submitting a written request. Arion Flow will provide relevant documentation and, where reasonable, facilitate inspections by the Customer or an appointed auditor, subject to reasonable prior notice and confidentiality obligations. Arion Flow may charge for the reasonable costs of facilitating audits.
11. Deletion and return of data on termination
On termination of the Customer's subscription:
- The Customer may export their data within 30 days of termination by contacting support@arionflow.com
- Arion Flow will securely delete all Customer personal data within 30 days of the end of the export period
- Audit logs may be retained for up to 12 months as required for legal compliance
- Arion Flow will provide written confirmation of deletion on request
12. Contact
For DPA-related enquiries, data subject rights requests, or to request a countersigned DPA:
legal@arionflow.com