Data Processing Agreement

Zombie Brains — The Cognitive OS for AI
Last updated: April 13, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between you and Zombie Brains for the use of our services. By using Zombie Brains, you agree to this DPA. If you are accepting on behalf of an organization, you represent that you have the authority to bind that organization.

1. Definitions

“Controller” means the entity that determines the purposes and means of processing Personal Data — this is you, the customer.

“Processor” means the entity that processes Personal Data on behalf of the Controller — this is Zombie Brains.

“Personal Data” means any information relating to an identified or identifiable natural person that is processed by Zombie Brains in connection with the services.

“Sub-processor” means any third party engaged by Zombie Brains to process Personal Data on behalf of the Controller.

“Data Protection Laws” means all applicable laws relating to data protection and privacy, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and any other applicable data protection legislation.

“Services” means the Zombie Brains platform, including MCP server, REST API, web dashboard, and all related features.

2. Scope and Roles

This DPA applies when Zombie Brains processes Personal Data on your behalf in the course of providing the Services. You are the Controller of any Personal Data submitted to the Services. Zombie Brains acts as the Processor.

Zombie Brains will process Personal Data only in accordance with your documented instructions, which include the instructions provided through your use of the Services (storing memories, configuring brains, connecting data sources) and any additional written instructions agreed upon by both parties.

3. Details of Processing

Element	Description
Purpose	Providing persistent memory, knowledge management, and training data services as described in the service documentation at mcp.zombie.codes/docs
Categories of Data Subjects	End users of the Services; individuals whose data is stored in memories or ingested via connected data sources
Types of Personal Data	Account information (name, email, authentication identifiers); memory content (natural language text stored by the user’s AI); session metadata (timestamps, session summaries); embedded vector representations of memory content; documents uploaded or ingested via connectors; training data compiled from memories
Processing Activities	Storage and retrieval of memories; generation of semantic embeddings; full-text indexing; knowledge graph construction and traversal; background consolidation (duplicate detection, activation decay, edge strengthening); training data compilation and export; auto-ingestion from connected data sources
Duration	For the duration of the service agreement, plus the retention period described in Section 10

4. Obligations of Zombie Brains

Zombie Brains will:

Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law, in which case Zombie Brains will inform the Controller (unless legally prohibited).
Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Implement and maintain the technical and organizational security measures described in Section 6.
Respect the conditions for engaging Sub-processors as described in Section 5.
Assist the Controller in responding to requests from data subjects exercising their rights under Data Protection Laws, taking into account the nature of the processing.
Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of the processing and the information available to Zombie Brains.
At the Controller’s choice, delete or return all Personal Data after the end of the provision of Services, and delete existing copies unless applicable law requires storage.
Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits as described in Section 9.

5. Sub-processors

The Controller provides general authorization for Zombie Brains to engage Sub-processors. Zombie Brains will inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes.

Current Sub-processors

Sub-processor	Purpose	Data Processed	Location
Railway	Cloud hosting and database infrastructure (SOC 2 Type II)	All service data (memories, accounts, sessions, documents)	United States
Cohere	Semantic embedding generation for retrieval	Memory and document content text (used to generate vector representations; not stored by Cohere beyond processing)	United States
Auth0 (Okta)	Authentication and identity management	Email address, name, authentication provider identifiers	United States
Resend	Transactional and lifecycle email delivery	Email address, name	United States
Stripe	Payment processing and billing	Email address, payment method details (handled directly by Stripe, not stored by Zombie Brains)	United States

Zombie Brains will notify the Controller at least 30 days before adding or replacing a Sub-processor by updating this page and, where the Controller has subscribed to notifications, by email. If the Controller objects to a new Sub-processor on reasonable grounds relating to data protection, Zombie Brains will use reasonable efforts to make available to the Controller a change in the Services or recommend a commercially reasonable alternative.

6. Security Measures

Zombie Brains implements and maintains the following technical and organizational measures to protect Personal Data:

Infrastructure Security

All data is hosted on Railway, which is SOC 2 Type II certified (see trust.railway.com).
Data is encrypted in transit using TLS 1.2+ on all endpoints.
Data is encrypted at rest via Railway’s managed PostgreSQL encryption.
All custom domains enforce HTTPS with valid certificates.

Application Security

Authentication via OAuth 2.0 with Dynamic Client Registration, powered by Auth0.
Project-level tenant isolation: all database queries are scoped to specific brain identifiers. Memories from one brain cannot be accessed from another without explicit access grants.
Role-based access control (admin, editor, viewer) on all team brains.
Comprehensive audit logging of all tool calls, including user identity, action type, brain identifier, and timestamp.
API keys are stored as salted hashes, never in plaintext.
Sensitive configuration (database credentials, API keys, secrets) stored as environment variables, never in code or memory content.

Operational Security

No Zombie Brains personnel access customer memory content in the ordinary course of business. Access to production databases is restricted and logged.
The AI tool descriptions explicitly instruct connected AI models to never store passwords, API keys, tokens, or other credentials as memory content.
No LLM inference is performed on Zombie Brains’ infrastructure. Memory content is not used to train any third-party AI models. Semantic embeddings are the only AI-adjacent processing, performed by Cohere’s embedding API (not a generative model).

7. Data Subject Rights

Zombie Brains will assist the Controller in fulfilling its obligations to respond to data subject requests under Data Protection Laws. The Services provide the following capabilities to support this:

Access: Memories, session history, and account data can be retrieved via the MCP tools or REST API.
Rectification: Memories can be updated or superseded through normal service usage.
Erasure: Account deletion and full data erasure can be requested by contacting privacy@zombie.codes. This includes removal of all memories, sessions, embeddings, audit logs, and account records.
Portability: Memory data can be exported in JSON format via the REST API. Training data can be exported in JSONL format.
Restriction & Objection: Processing can be restricted by suspending the account. Specific memories can be superseded to lower their retrieval ranking to near-zero without deletion, preserving audit history.

8. Personal Data Breach Notification

Zombie Brains will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting the Controller’s data. The notification will include:

A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned.
The name and contact details of the point of contact for further information.
A description of the likely consequences of the breach.
A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

9. Audits

Zombie Brains will make available to the Controller, on request, all information reasonably necessary to demonstrate compliance with this DPA. Zombie Brains will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:

The Controller will provide at least 30 days’ written notice of any audit request.
Audits will be conducted during normal business hours and will not unreasonably disrupt Zombie Brains’ operations.
The Controller will bear its own costs for any audit. If the audit requires material involvement of Zombie Brains’ personnel beyond providing existing documentation, the parties will agree on reasonable compensation in advance.
Audit findings and any information obtained will be treated as confidential.

Where Zombie Brains obtains independent third-party certifications or audit reports (such as SOC 2), these may be provided to the Controller as an alternative to an on-site audit, to the extent they address the Controller’s reasonable audit requirements.

10. Data Retention and Deletion

Zombie Brains retains Personal Data for the duration of the service agreement. Upon termination or expiration of the Services:

The Controller may export their data using the REST API or MCP tools for a period of 30 days following termination.
After the 30-day export window, Zombie Brains will delete all Personal Data from active systems within 30 additional days (60 days total from termination).
Backup copies, if any, will be deleted in accordance with the backup rotation schedule, not to exceed 90 days from termination.
Audit logs may be retained for up to 12 months following termination to fulfill legal and compliance obligations.

The Controller may request immediate deletion of all Personal Data at any time by contacting privacy@zombie.codes.

11. International Data Transfers

The Services are hosted in the United States. Where Personal Data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States, Zombie Brains relies on the following transfer mechanisms:

Standard Contractual Clauses (SCCs) as adopted by the European Commission, which are incorporated into this DPA by reference.
The UK International Data Transfer Addendum, where applicable.
Any successor framework or adequacy decision recognized by the relevant data protection authority.

Each Sub-processor that processes Personal Data outside the EEA is subject to equivalent transfer safeguards.

12. Limitation of Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the underlying service agreement. This DPA does not limit either party’s liability to data subjects or data protection authorities under applicable Data Protection Laws.

13. Term

This DPA takes effect when the Controller begins using the Services and remains in effect for as long as Zombie Brains processes Personal Data on behalf of the Controller. The obligations of Zombie Brains under this DPA will survive for as long as Zombie Brains retains any Personal Data.

14. Changes to This DPA

Zombie Brains may update this DPA from time to time to reflect changes in our processing practices, Sub-processors, or applicable law. We will notify the Controller of material changes by updating the “Last updated” date and, for significant changes, by email or through the Services. Continued use of the Services after the effective date of changes constitutes acceptance of the updated DPA.

15. Contact

For questions, requests, or concerns about this DPA or our data processing practices:

Email: privacy@zombie.codes
Data Protection Contact: Robert Sellman, Founder