Data Processing Addendum
Last updated: May 14, 2026
This Data Processing Addendum ("DPA") supplements the Momental Terms of Service or Master Service Agreement (the "Agreement") between Avery Intelligence, Inc. d/b/a Momental ("Processor") and the Customer organization ("Controller").
1. Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person (GDPR Article 4(1)) |
| Processing | Any operation performed on Personal Data (GDPR Article 4(2)) |
| Data Subject | The identified or identifiable person to whom Personal Data relates |
| Sub-processor | A third party engaged by Momental to process Personal Data on behalf of Customer |
| Data Breach | A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data |
2. Scope
Subject Matter. Processing of Personal Data for the duration of the Agreement to provide AI-powered strategic alignment services.
Purposes
| Purpose | Description |
|---|---|
| Account management | Authentication, team management, role-based access |
| Knowledge processing | Ingestion, embedding, and storage of organizational knowledge |
| AI analysis | Conflict detection, retrieval-augmented generation, document processing |
| Communication | Chat interactions, voice features, notifications |
| Audit and compliance | Activity logging, security monitoring |
Categories of Personal Data
| Category | Examples |
|---|---|
| Identifiers | Name, email address, user ID |
| Professional information | Job title, department, team membership |
| Communication content | Messages, documents, meeting notes uploaded by users |
| Usage data | Platform interactions, feature usage, timestamps |
| Derived data | Knowledge atoms, AI-generated summaries, conflict analysis |
Data Subjects: Customer employees, contractors, stakeholders referenced in uploaded content, and third parties referenced in organizational knowledge.
3. Processor Obligations
Lawful Processing. Momental will:
- Process Personal Data only on documented instructions from Customer
- Not process Personal Data for any purpose other than providing the Services
- Inform Customer if an instruction infringes applicable data protection law
Confidentiality. All persons authorized to process Personal Data are bound by confidentiality obligations.
Security Measures
| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256 |
| Encryption in transit | TLS 1.2+ (TLS 1.3 enabled) |
| Tenant isolation | Database-level and application-level controls ensure one team cannot access another team's data |
| Access control | Role-based access control (owner / admin / member / viewer / guest) |
| AI data handling | Anthropic automatically deletes API inputs and outputs within 30 days. No customer data used for model training. |
| Audit logging | Comprehensive event logging with immutable backup |
| Rate limiting | Distributed rate limiting (team / user / IP) |
| Token security | Secure token validation |
| Infrastructure | SOC 2 and ISO 27001 certified cloud infrastructure, United States |
4. Sub-processors
Momental engages the Sub-processors listed below to provide the Services. The current list is also published at momentalos.com/security.
| Sub-processor | Service | Data Categories | Location | Compliance |
|---|---|---|---|---|
| Anthropic, PBC | Claude AI models (chat, reasoning, coding) | Inputs and Outputs (transient, deleted within 30 days per Anthropic's API terms; never used for model training) | United States | SOC 2 Type II |
| Google LLC (Vertex AI & Google Cloud) | Gemini AI models, text embeddings, compute, Cloud SQL, Cloud Tasks, Cloud Storage, BigQuery | Inputs, Outputs, embeddings, hosted Customer Content, audit logs | United States | SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018 |
| OpenAI, OpCo, LLC | OpenAI models where configured for specific features | Inputs and Outputs (transient, not used for model training under API terms) | United States | SOC 2 Type II |
| X.AI Corp (Grok) | Grok reasoning models | Inputs and Outputs (transient, not used for training under enterprise terms) | United States | Vendor security controls |
| Google LLC (Firebase) | Authentication (Firebase Auth), real-time data (Firestore where used) | Identifiers, authentication tokens | United States | SOC 2 Type II, ISO 27001 |
| Stripe, Inc. | Payment processing and subscription billing | Billing contact details, payment instruments (tokenized — Momental never sees card numbers) | United States | PCI DSS Level 1 |
| Cloudflare, Inc. | DNS, CDN, edge network, DDoS protection | Network metadata (IP addresses, request headers) | Global edge (data routed through nearest POP; origin in US) | SOC 2 Type II, ISO 27001 |
| LiveKit, Inc. | Real-time voice/audio for voice-interview features | Voice audio streams (transient; transcripts stored in Customer workspace) | United States | SOC 2 Type II |
Momental will:
- Not engage a new Sub-processor without providing 30 days' prior written notice to workspace administrators (via email and in-app)
- Impose data protection obligations on each Sub-processor that are at least as protective as those in this DPA
- Remain liable to Customer for the acts and omissions of its Sub-processors
- Maintain the current Sub-processor list at momentalos.com/security
If Customer objects to a new Sub-processor within 30 days of notification, Momental will work with Customer to find an alternative. If no resolution is possible, Customer may terminate the affected Services with a pro-rata refund of prepaid fees for the unused term.
5. Data Subject Rights
Momental will assist Customer in responding to Data Subject requests:
- Access (Article 15) — Data export via platform or API
- Rectification (Article 16) — Users can edit data in-platform
- Erasure (Article 17) — Hard-delete endpoint removes all user data
- Portability (Article 20) — JSON export of all user data
- Restriction (Article 18) — Processing restriction upon verified request
- Objection (Article 21) — Cease processing upon verified objection
Momental will provide reasonable assistance to Customer with data protection impact assessments (Article 35) and prior consultations with supervisory authorities (Article 36) where required.
6. Data Breach Notification
Momental will:
- Notify Customer in writing without undue delay, and in any event within 72 hours of confirmation, upon becoming aware of a Data Breach affecting Customer Personal Data, by email to the workspace administrators and to the security contact Customer has provided
- Provide: the nature of the Data Breach, the categories and approximate number of Data Subjects affected, the categories and approximate volume of Personal Data records affected, the likely consequences, and the measures taken or proposed to address the Data Breach and mitigate its effects
- Provide updates as additional facts are confirmed, and cooperate with Customer's reasonable investigation and remediation requests
Customer's responsibility for downstream notification. Customer is the Controller of the Personal Data and is solely responsible for: (a) determining whether the Data Breach requires notification to Data Subjects, supervisory authorities, attorneys general, or other regulators under applicable law, including the General Data Protection Regulation (Articles 33 and 34), the California Consumer Privacy Act and California Civil Code §1798.82 (as amended by SB 446 effective January 1, 2026, setting a 30-day outer limit for individual notification), other U.S. state breach-notification statutes, and sectoral laws; (b) preparing and delivering those notifications; and (c) maintaining a designated security contact in workspace settings so Momental can reach Customer promptly. Momental will provide commercially reasonable cooperation, including the information described above and additional information Customer reasonably requires to meet its notification timelines.
7. International Transfers
Personal Data is processed in the United States. For transfers from the EEA/UK, Momental relies on:
- EU Standard Contractual Clauses (Module 2: Controller to Processor)
- UK International Data Transfer Agreement (IDTA)
- Supplementary measures as documented in our Transfer Impact Assessment
In the event of a government request for Customer Personal Data, Momental will notify Customer (unless legally prohibited), challenge overbroad requests, and provide only the minimum data legally required.
8. Audits
Customer may audit compliance with this DPA by:
- Reviewing security documentation and certifications
- Requesting completion of a security questionnaire
- Conducting or commissioning an audit (30 days' notice, during business hours, no more than once per year)
9. Untrusted Inputs and Prompt-Injection Acknowledgment
Customer acknowledges that the Services may process data from sources outside Customer's organization (including emails, web pages, documents, third-party tool outputs, and user-supplied content). Such data may contain adversarial instructions intended to manipulate AI agent behavior, exfiltrate Customer Content across tenants, or escalate agent privileges. Momental implements industry-standard mitigations (output validation, prompt-injection detection on flagged classes of input, tool-call scoping). Customer agrees to follow the safety practices set out in the Usage Policy, including using least-privilege scopes for agents processing untrusted inputs and enabling human-in-the-loop review for destructive actions. The parties' respective liability for damages arising from a prompt-injection attack is governed by the Agreement, including its cap and exclusions; the cap does not apply where the damages result from a party's failure to maintain commercially reasonable security or comply with this DPA.
10. Litigation Hold and Compelled Disclosure
If Momental receives a subpoena, court order, government demand, or other legal process seeking Customer Personal Data, Momental will, unless legally prohibited from doing so: (a) promptly notify Customer; (b) provide Customer with a copy of the demand and a reasonable opportunity to seek a protective order, intervene, or assert objections; (c) limit any required disclosure to the minimum scope legally compelled; and (d) preserve attorney-client and work-product protections to the extent applicable. If Customer instructs Momental in writing to place a litigation hold on specified Customer Personal Data, Momental will use commercially reasonable efforts to suspend deletion of that data for the duration of the hold, at Customer's cost for any extraordinary preservation requirements.
11. Retention and Deletion
| Data Type | Retention |
|---|---|
| Active workspace data | Duration of Agreement |
| Audit logs | 7 years (regulatory compliance requirements) |
| Session tokens | 30 days |
| Deleted user data | Hard-deleted upon request |
Upon termination, Momental will:
- Return or delete all Customer Personal Data within 30 days, at Customer's election
- Provide a final data export upon request (before deletion)
- Certify deletion in writing upon request
Audit logs may be retained for up to 7 years for compliance purposes.
12. Liability
Liability under this DPA is subject to the limitations set out in the Agreement, including the supercap carve-outs in Section L of the Terms of Service for breach of confidentiality, indemnification, AUP violations, fraud, willful misconduct, gross negligence, and violations of law.
13. Governing Law
This DPA is governed by the laws governing the Agreement, unless required otherwise by applicable data protection law.
14. Execution
This DPA is effective upon Customer's acceptance of the Terms of Service. No separate signature is required. Customer may request a countersigned copy by contacting [email protected].
Contact
Avery Intelligence, Inc.
1300 El Camino Real, Suite 100 #66
Menlo Park, CA 94025
Contact: [email protected] — all data protection, DPA execution, and security inquiries.