Data Processing Agreement

Last updated: 1 April 2026

When a care home or solicitor firm deploys Memoari, they are entrusting us with some of the most sensitive personal data their organisation holds. This page explains the legal framework governing how we handle that data — and how to obtain a formal DPA for your organisation.

A signed DPA is included in every pilot agreement
You do not need to negotiate a separate document before your pilot begins. A Data Processing Agreement is included as standard in all Memoari pilot and partnership agreements. If you need a copy in advance for internal review or procurement approval, request one at legal@memoari.co.uk.

1. What is a Data Processing Agreement — and why it matters

A Data Processing Agreement (DPA) is a legally binding contract required under Article 28 of the UK General Data Protection Regulation (UK GDPR) whenever a data controller engages a third party to process personal data on their behalf.

For care homes and solicitor firms using Memoari: your organisation is the data controller — you determine why and how your residents' or clients' data is processed. Memoari is the data processor — we process that data on your instruction, using systems and infrastructure you have engaged us to provide.

UK GDPR requires a DPA to be in place before any personal data processing begins. It is not optional. Organisations that engage data processors without a signed DPA are in breach of their own compliance obligations, regardless of the processor's conduct.

Memoari provides a standard DPA that satisfies the requirements of Article 28 UK GDPR. It is included in your pilot agreement — you do not need to source or negotiate a separate document.

Why care home directors and solicitors ask for this specifically
CQC inspections increasingly assess how care homes handle resident personal data, including third-party data processors. Law firms regulated by the SRA are required to have appropriate contracts with all suppliers processing client data. A signed DPA is the first document your compliance team or DPO will ask for.

2. Data controller vs data processor

These two roles carry distinct legal obligations under UK GDPR. The distinction matters because it determines who is responsible for what — and who is accountable to regulators and individuals if something goes wrong.

Your Organisation: Data Controller
Determines the purpose and means of processing. Responsible for obtaining lawful basis for processing resident or client data. Responsible for responding to data subject rights requests. Accountable to the ICO and to individuals for how their data is used. Must ensure any processor they engage provides sufficient guarantees of compliance.

Memoari: Data Processor
Processes personal data only on documented instructions from the controller. Must not process data for any purpose beyond providing the contracted service. Implements appropriate technical and organisational security measures. Assists the controller in responding to data subject rights requests. Notifies the controller of any personal data breach without undue delay.

3. What Memoari processes on behalf of partners

The following categories of personal data are processed by Memoari when the platform is deployed within a care home or solicitor practice. Processing occurs solely for the purpose of providing the vault and estate preparation service.

  • Identity data (residents / clients): Full name, date of birth, address. Basis: Legitimate interest / contractual necessity
  • Contact data (residents / clients / family members): Email addresses, phone numbers of family contacts and executors. Basis: Legitimate interest
  • Legal documents (residents / clients): Will location references, solicitor details, LPA records. Basis: Contractual necessity
  • Financial asset data (residents / clients): Bank account references, insurance policy numbers, investment account details. Basis: Contractual necessity
  • Digital asset data (residents / clients): Account credentials, platform names, access instructions. Basis: Contractual necessity
  • Personal communications (residents / clients): Personal messages, letters, and video notes recorded for beneficiaries. Basis: Explicit consent of the individual
  • Staff account data (partner organisation staff): Name, work email, job title of authorised staff. Basis: Contractual necessity

4. Technical and organisational security measures

Article 28 UK GDPR requires processors to implement “appropriate technical and organisational measures” to protect personal data. Below is a summary of the measures Memoari maintains. Full technical detail is available in the DPA and security addendum.

AES-256 Encryption at Rest
All vault contents — documents, credentials, messages, and asset details — are encrypted with AES-256 before being written to the database. Memoari staff cannot access plaintext vault data.
TLS 1.2+ Encryption in Transit
All data transmitted between clients and Memoari servers is encrypted in transit using TLS 1.2 or higher. HTTPS is enforced across all endpoints via HSTS headers.
Row-Level Security (RLS)
Database access is governed by row-level security policies. Each authenticated session can access only the records it is explicitly permitted to read or write — enforced at the database layer, not the application layer.
Scoped Access Controls
Staff roles are assigned minimum necessary permissions. Executor and beneficiary access is read-only, time-limited, and scoped to specific vault sections. All access events are logged and timestamped.
Zero-Knowledge Credentials
Account credentials stored within vaults are encrypted client-side before transmission. Memoari receives only ciphertext and has no ability to recover stored passwords.
Audit Logging
All vault access events — who accessed which record, when, and from which authenticated session — are retained in immutable logs for 7 years for audit and legal purposes.
Separate Key Management
Encryption key material is stored separately from the data it protects, in accordance with security best practice. Keys are managed via Supabase's vault infrastructure.
Staff Access Controls
Memoari staff do not have routine access to partner vault data. Access to production systems requires a documented reason and is subject to review. Background checks are conducted for all staff with system access.

5. Data retention and deletion

Memoari retains partner data only for as long as required to provide the contracted service and to comply with applicable legal obligations.

During the agreement

All vault data is retained and accessible to authorised parties throughout the active pilot or partnership agreement.

90 days post-termination

Following termination of the agreement, vault data remains accessible for export for 90 days. The partner organisation should initiate data export within this window.

After 90 days

All vault contents, resident and client data, and organisational account data are permanently and irreversibly deleted from Memoari's systems. This deletion is certified in writing upon request.

Audit logs — 7 years

Access event logs (who accessed what, when) are retained for 7 years for legal and regulatory purposes. These logs do not contain vault contents.

Data export

Partner organisations may request a full export of their data at any time during the active agreement. Exports are provided in JSON format within 10 business days.

6. Sub-processors

Memoari engages a small number of sub-processors to operate the platform. Under UK GDPR, we obtain prior written consent from partner organisations before engaging or changing sub-processors. The current authorised sub-processors are:

  • Supabase (supabase.com): Database, file storage, and authentication; EU / UK; UK IDTA / EU SCCs
  • Resend (resend.com): Transactional email delivery; EU; EU SCCs
  • Vercel (vercel.com): Web application hosting and CDN; EU / UK; UK IDTA / EU SCCs

We will notify partner organisations of any intended changes to sub-processor arrangements no less than 30 days before the change takes effect, providing an opportunity to object.

7. Personal data breach notification

In the event of a personal data breach affecting partner data, Memoari will notify the affected partner organisation without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

Breach notifications will include, to the extent known at the time:

  • A description of the nature of the breach, including the categories and approximate number of individuals and records concerned
  • The name and contact details of our data protection contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including mitigation steps

Your notification obligations
As data controller, your organisation is responsible for notifying the ICO of a breach within 72 hours of becoming aware of it, and for notifying affected individuals where required. Memoari's notification to you starts that clock. Our DPA sets out the specific escalation and communication process for breach events.

8. Requesting your DPA

A signed Data Processing Agreement is included automatically in all Memoari pilot and partnership agreements. You do not need to request one separately once your pilot begins.

If you need a copy of our standard DPA in advance — for internal review, procurement approval, DPO sign-off, CQC preparation, or SRA compliance — contact us directly and we will provide a copy within two business days.

Request the DPA document

We respond to all DPA requests within two business days. Include your organisation name and role in your email and we will send the document for your review.

Email: legal@memoari.co.uk (subject line: DPA Request)