Last updated: June 22, 2026 Effective: June 22, 2026
This Data Processing Addendum ("DPA") forms part of, and is incorporated by
reference into, the GoodMem Cloud Terms of Service (the "Agreement")
between PAIR Systems, Inc. ("PAIR Systems," "we," "Processor") and
the customer that accepted the Agreement ("Customer," "you,"
"Controller"). It applies to PAIR Systems' Processing of Customer Personal Data
in connection with the GoodMem Cloud hosted service at cloud.goodmem.ai (the
"Service"). Capitalized terms not defined here have the meanings given in the
Agreement.
Scope — hosted service only. This DPA applies only to the GoodMem Cloud hosted service. It does not apply to self-managed or self-hosted GoodMem deployments, where you (not PAIR Systems) operate the software and act as the controller and, in effect, the processor of your own data.
If there is a conflict between this DPA and the rest of the Agreement regarding the Processing of Customer Personal Data, this DPA controls. A separately signed data processing agreement between the parties supersedes this DPA.
2.1 Roles. As to Customer Personal Data, Customer is the Controller (or a Processor acting on behalf of a third-party controller) and PAIR Systems is the Processor. Where Customer is itself a Processor, PAIR Systems is a Sub-processor and Customer warrants it has the third-party controller's authority to engage PAIR Systems on the terms of this DPA.
2.2 Details of Processing. The subject matter, duration, nature and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I.
2.3 Customer obligations. Customer is responsible for the accuracy and legality of Customer Personal Data and for having a lawful basis to provide it to, and have it Processed by, PAIR Systems. Customer's instructions must comply with Applicable Data Protection Law.
3.1 PAIR Systems will Process Customer Personal Data only on Customer's documented instructions, including the Agreement, this DPA, and Customer's configuration and use of the Service, unless required by law (in which case PAIR Systems will, where legally permitted, inform Customer of that requirement before Processing).
3.2 PAIR Systems will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law (without obligation to provide legal advice).
3.3 No training; no sale. PAIR Systems does not use Customer Personal Data to train, fine-tune, or develop machine-learning or AI models, does not sell or share Customer Personal Data, and does not retain, use, or disclose it for any purpose other than providing the Service and the limited purposes permitted by this DPA and the CCPA.
PAIR Systems ensures that personnel authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations and Process such data only as necessary to provide the Service.
PAIR Systems implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data against a Personal Data Breach, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of Processing. A description of these measures is set out in Annex II. PAIR Systems may update its security measures from time to time provided they do not materially degrade overall protection.
6.1 General authorization. Customer provides general authorization for PAIR Systems to engage Sub-processors to Process Customer Personal Data. A current list of Sub-processors is available at https://trust.pairsys.ai (see Annex III).
6.2 Obligations. PAIR Systems will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains responsible for each Sub-processor's performance.
6.3 Changes and objection. PAIR Systems will provide a mechanism to be notified of new Sub-processors (for example, by subscribing to updates to the list above) and will give reasonable prior notice before a new Sub-processor begins Processing. Customer may object on reasonable data-protection grounds within thirty (30) days of notice; the parties will work in good faith to resolve the objection, and if they cannot, Customer may terminate the affected Service as its exclusive remedy.
Taking into account the nature of the Processing, PAIR Systems will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to Data Subject requests to exercise their rights under Applicable Data Protection Law. If PAIR Systems receives such a request directly, it will, where permitted, promptly forward it to Customer and not respond except on Customer's instructions or as legally required.
PAIR Systems will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it to help Customer meet its breach-notification obligations. PAIR Systems will take reasonable steps to mitigate and remediate the breach. PAIR Systems' notification is not an acknowledgement of fault or liability.
Taking into account the nature of Processing and information available to PAIR Systems, PAIR Systems will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with Supervisory Authorities that Customer is required to carry out under Applicable Data Protection Law.
10.1 PAIR Systems Processes Customer Personal Data in the United States and may transfer it to, and Process it in, other countries through itself and its Sub-processors.
10.2 SCCs. Where Customer Personal Data subject to the EU GDPR, UK GDPR, or FADP is transferred to PAIR Systems or a Sub-processor in a country that does not ensure an adequate level of protection, the Standard Contractual Clauses are incorporated into this DPA by reference and apply to that transfer. The module and option selections are set out in the Appendix (Standard Contractual Clauses). By entering into this DPA, each party is deemed to have signed the SCCs.
10.3 If the SCCs or another transfer mechanism is invalidated or changed, the parties will work in good faith to implement an alternative lawful transfer mechanism.
Upon termination or expiry of the Agreement, PAIR Systems will delete or return Customer Personal Data in accordance with the data export and deletion provisions of the Agreement (a 30-day export window, then deletion within 30 days), except to the extent retention is required by law. Backup copies are deleted in the ordinary course of PAIR Systems' backup rotation.
PAIR Systems will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor it mandates. The parties agree that audits are satisfied first by PAIR Systems providing then-current third-party certifications, audit reports, or a completed security questionnaire; on-site audits, where genuinely required, will be conducted no more than once per year (absent a Personal Data Breach or Supervisory Authority requirement), on reasonable prior notice, during business hours, without unreasonable disruption, and subject to confidentiality.
To the extent PAIR Systems Processes Personal Data of California residents on Customer's behalf, PAIR Systems acts as a service provider. PAIR Systems will not: (a) sell or share such Personal Data; (b) retain, use, or disclose it for any purpose other than the business purposes specified in the Agreement, including outside the direct business relationship; or (c) combine it with Personal Data from other sources except as permitted by the CCPA. PAIR Systems certifies that it understands and will comply with these restrictions.
14.1 Liability. Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement.
14.2 Term. This DPA takes effect when the Agreement is accepted and continues until PAIR Systems has deleted or returned all Customer Personal Data as described above.
14.3 Governing law. This DPA is governed by the law and subject to the courts specified in the Agreement, except where Applicable Data Protection Law or the SCCs require otherwise.
A. Parties.
B. Description.
C. Competent Supervisory Authority. Determined in accordance with the EU GDPR based on Customer's EU establishment or EU representative; for UK transfers, the UK Information Commissioner's Office.
The current list of Sub-processors, with processing purpose and (where available) hosting region, is maintained at https://trust.pairsys.ai. As of the effective date this includes, among others:
(Google and GitHub act as identity providers at the Data Subject's/Customer's direction for SSO.)