Security

MemoryLake maintains compliance with the following industry standards and regulations: SOC 2 Type II Our systems and controls have been independently audited against the AICPA Trust Services Criteria. The SOC 2 Type II report covers security, availability, processing integrity, confidentiality, and privacy. Annual audits are conducted by accredited third-party auditors. ISO 27001 We maintain an ISO 27001-certified Information Security Management System (ISMS), demonstrating our systematic approach to managing sensitive company and customer information. Our certification covers the design, development, and operation of the MemoryLake platform. GDPR (General Data Protection Regulation) We are fully compliant with the EU General Data Protection Regulation. We provide data processing agreements (DPAs), support data subject rights (access, rectification, erasure, portability, restriction, objection), and maintain records of processing activities. We have appointed appropriate data protection roles and conduct regular Data Protection Impact Assessments (DPIAs). CCPA (California Consumer Privacy Act) We comply with the California Consumer Privacy Act and its amendments (CPRA). California residents can exercise their rights to know, delete, opt out of sale, and correct their personal information. We do not sell personal information. PDPA (Personal Data Protection Act — Singapore) As a Singapore-registered entity, we comply with the PDPA, including obligations related to consent, purpose limitation, notification, access, correction, accuracy, protection, retention limitation, transfer limitation, and accountability.

Data at Rest All data stored on the MemoryLake platform is encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys), the gold standard for symmetric encryption used by governments and financial institutions worldwide. Encryption keys are managed through hardware security modules (HSMs) and rotated regularly. Data in Transit All data transmitted between your devices and our services is encrypted using TLS 1.3, the latest and most secure version of the Transport Layer Security protocol. We enforce HTTPS across all endpoints and do not support deprecated protocols. End-to-End Encryption (E2E) For enterprise customers, we offer optional end-to-end encryption where data is encrypted on the client side before being transmitted to our servers. In this mode, only you hold the decryption keys — our systems cannot read your data.

MemoryLake implements a proprietary triple-party key management architecture that ensures no single party — including MemoryLake itself — can unilaterally access your encrypted data. How It Works: - Key Shard 1 (User): held by the data owner (you or your organization), stored in your secure environment. - Key Shard 2 (MemoryLake): held by our platform infrastructure, stored in HSM-backed key vaults. - Key Shard 3 (Trusted Third Party): held by an independent, audited escrow service provider. Data decryption requires a quorum of at least two of the three key shards. This architecture provides: - Protection against insider threats at any single party - Cryptographic assurance that MemoryLake cannot access your data without your participation - Business continuity through the trusted third-party shard in case of key loss - Auditability with full key usage logging across all three parties

We understand that data sovereignty is critical for regulatory compliance. MemoryLake offers data residency options to ensure your data is stored and processed in your preferred geographic region. Available Regions: - Asia Pacific: Singapore, Tokyo, Sydney - Europe: Frankfurt, London, Amsterdam - North America: US East (Virginia), US West (Oregon), Canada (Montreal) Enterprise customers can configure data residency at the organization level, ensuring that all memory data, metadata, and backups remain within the designated region. Cross-region data transfer is disabled by default and requires explicit configuration.

Our infrastructure security measures include: - Network Security: multi-layer firewalls, DDoS protection, intrusion detection and prevention systems (IDS/IPS), and network segmentation with zero-trust architecture. - Access Control: role-based access control (RBAC), multi-factor authentication (MFA) for all internal systems, principle of least privilege, and regular access reviews. - Monitoring: 24/7 security monitoring, centralized logging with SIEM, automated anomaly detection, and real-time alerting. - Vulnerability Management: regular penetration testing by third-party security firms, automated vulnerability scanning, responsible disclosure program, and timely patch management. - Physical Security: data centers with SOC 2 and ISO 27001 certifications, biometric access controls, 24/7 surveillance, and environmental controls.

We maintain a comprehensive incident response plan that is tested and updated regularly: Detection: automated monitoring systems detect potential security incidents in real time, with alerts escalated to our on-call security team within minutes. Classification: incidents are classified by severity (Critical, High, Medium, Low) based on the nature, scope, and potential impact of the incident. Containment: immediate containment measures are implemented to limit the scope and impact of the incident, including isolating affected systems and revoking compromised credentials. Notification: affected customers are notified within 72 hours of confirming a data breach, in compliance with GDPR, PDPA, and other applicable regulations. Notifications include the nature of the incident, data affected, measures taken, and recommended actions. Recovery: root cause analysis is performed, affected systems are restored from verified backups, and additional safeguards are implemented to prevent recurrence. Post-Incident Review: a thorough post-mortem is conducted, lessons learned are documented, and improvements are made to our security controls and incident response procedures.

If you discover a security vulnerability or have security concerns, please contact us immediately: DataCloud Technology Pte. Ltd. Email: contact@data.cloud We take all security reports seriously and will respond promptly. We support responsible disclosure and will not take legal action against researchers who report vulnerabilities in good faith.