Data Processing Addendum
Last updated: January 27, 2026
This Data Processing Addendum ("DPA") supplements the Momental Terms of Service or Master Service Agreement (the "Agreement") between Avery Intelligence, Inc. d/b/a Momental ("Processor") and the Customer organization ("Controller").
1. Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person (GDPR Article 4(1)) |
| Processing | Any operation performed on Personal Data (GDPR Article 4(2)) |
| Data Subject | The identified or identifiable person to whom Personal Data relates |
| Sub-processor | A third party engaged by Momental to process Personal Data on behalf of Customer |
| Data Breach | A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data |
2. Scope
Subject Matter. Processing of Personal Data for the duration of the Agreement to provide AI-powered strategic alignment services.
Purposes
| Purpose | Description |
|---|---|
| Account management | Authentication, team management, role-based access |
| Knowledge processing | Ingestion, embedding, and storage of organizational knowledge |
| AI analysis | Conflict detection, retrieval-augmented generation, document processing |
| Communication | Chat interactions, voice features, notifications |
| Audit and compliance | Activity logging, security monitoring |
Categories of Personal Data
| Category | Examples |
|---|---|
| Identifiers | Name, email address, user ID |
| Professional information | Job title, department, team membership |
| Communication content | Messages, documents, meeting notes uploaded by users |
| Usage data | Platform interactions, feature usage, timestamps |
| Derived data | Knowledge atoms, AI-generated summaries, conflict analysis |
Data Subjects: Customer employees, contractors, stakeholders referenced in uploaded content, and third parties referenced in organizational knowledge.
3. Processor Obligations
Lawful Processing. Momental will:
- Process Personal Data only on documented instructions from Customer
- Not process Personal Data for any purpose other than providing the Services
- Inform Customer if an instruction infringes applicable data protection law
Confidentiality. All persons authorized to process Personal Data are bound by confidentiality obligations.
Security Measures
| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256 |
| Encryption in transit | TLS 1.2+ (TLS 1.3 enabled) |
| Tenant isolation | Database-level and application-level controls ensure one team cannot access another team's data |
| Access control | Role-based access control (owner / admin / member / viewer / guest) |
| AI data handling | Anthropic automatically deletes API inputs and outputs within 30 days. No customer data is used for model training. |
| Audit logging | Comprehensive event logging with immutable backup |
| Rate limiting | Distributed rate limiting (team / user / IP) |
| Token security | Secure token validation |
| Output validation | AI response scanning for prompt injection, data exfiltration, unsafe content |
| Infrastructure | SOC 2 and ISO 27001 certified cloud infrastructure, United States |
4. Sub-processors
Momental uses the sub-processors listed at momentalos.com/security. Momental will:
- Not engage a new sub-processor without providing 30 days' prior written notice to Customer
- Impose equivalent data protection obligations on all sub-processors
- Remain liable for sub-processor performance
If Customer objects to a new sub-processor within 30 days of notification, Momental will work with Customer to find an alternative. If no resolution is possible, Customer may terminate the affected services.
5. Data Subject Rights
Momental will assist Customer in responding to Data Subject requests:
- Access (Article 15) — Data export via platform or API
- Rectification (Article 16) — Users can edit data in-platform
- Erasure (Article 17) — Hard-delete endpoint removes all user data
- Portability (Article 20) — JSON export of all user data
- Restriction (Article 18) — Processing restriction upon verified request
- Objection (Article 21) — Cease processing upon verified objection
Momental will provide reasonable assistance to Customer with data protection impact assessments (Article 35) and prior consultations with supervisory authorities (Article 36) where required.
6. Data Breach Notification
Momental will:
- Notify Customer without undue delay (within 72 hours) upon becoming aware of a Data Breach
- Provide: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach
- Cooperate with Customer and take reasonable steps to mitigate
7. International Transfers
Personal Data is processed in the United States. For transfers from the EEA/UK, Momental relies on:
- EU Standard Contractual Clauses (Module 2: Controller to Processor)
- UK International Data Transfer Agreement (IDTA)
- Supplementary measures as documented in our Transfer Impact Assessment
In the event of a government request for Customer Personal Data, Momental will notify Customer (unless legally prohibited), challenge overbroad requests, and provide only the minimum data legally required.
8. Audits
Customer may audit compliance with this DPA by:
- Reviewing security documentation and certifications
- Requesting completion of a security questionnaire
- Conducting or commissioning an audit (30 days' notice, during business hours, no more than once per year)
9. Retention and Deletion
| Data Type | Retention |
|---|---|
| Active workspace data | Duration of Agreement |
| Audit logs | 7 years (regulatory compliance requirements) |
| Session tokens | 30 days |
| Deleted user data | Hard-deleted upon request |
Upon termination, Momental will:
- Return or delete all Customer Personal Data within 30 days, at Customer's election
- Provide a final data export upon request (before deletion)
- Certify deletion in writing upon request
Audit logs may be retained for up to 7 years for compliance purposes.
10. Liability
Liability under this DPA is subject to the limitations set out in the Agreement.
11. Governing Law
This DPA is governed by the laws governing the Agreement, unless required otherwise by applicable data protection law.
12. Execution
This DPA is effective upon Customer's acceptance of the Terms of Service. No separate signature is required. Customer may request a countersigned copy by contacting [email protected].
Contact
Avery Intelligence, Inc.
1300 El Camino Real, Suite 100 #66
Menlo Park, CA 94025
Data Protection: [email protected]
DPA Execution: [email protected]
Security: [email protected]