// Trust & Security Report
Mem Labs, Inc.
Mem (also marketed as get.mem.ai) is a consumer/prosumer personal notes and AI thought-partner app (notes, meeting transcription, web capture, Q&A over your notes); single product line, no separate enterprise/API tier identified.
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.mem.ai“Mem exists to help you remember what matters. That only works if you trust us with your most important thinking. We take that responsibility seriously: SOC 2 Type II certified, end-to-end encryption, and a commitment to never selling your data. ... SOC 2 Type II Report”
Verify on get.mem.ai“SOC 2 Type II: Mem holds this compliance status, described as 'the gold standard for data security and operational integrity.' ... completed gray box penetration testing, which verified that our application has no exploitable vulnerabilities.”
> Show 8 unconfirmed / not-held certifications
source: trust.mem.aiNo public evidence. Neither trust.mem.ai nor get.mem.ai/pages/security mentions ISO 27001; only SOC 2 Type II is claimed on vendor-owned pages.
source: get.mem.aiNo public evidence. HIPAA is not mentioned on the Trust Center, the security page, or the privacy policy.
source: get.mem.aiNo public evidence. PCI is not mentioned on any Mem-owned page; Mem does not process payment cards directly (billing is handled via standard subscription checkout).
source: trust.mem.aiNo public evidence on any vendor-owned page.
source: trust.mem.aiNo public evidence. No AI-governance certification is referenced on the Trust Center, security page, or privacy policy.
source: trust.mem.aiNo public evidence on any vendor-owned page. FedRAMP applies to US federal cloud procurement and is not relevant to this consumer/SMB product.
source: get.mem.aiPolicy references GDPR rights for EEA residents (e.g. right to 'complain to your local data protection supervisory authority') but this is a legal posture, not a certifiable standard, so it is graded separately in the privacy section rather than as a held cert.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Hosted on Google Cloud Platform (United States); Trust Center subprocessor list shows Amplitude data processed in 'US and EU'. No dedicated EU-only or data-residency option is documented on vendor-owned pages.
Vendor privacy policy states: 'We do not use your personal information, notes, or the information we collect via third parties (e.g. Google Workspace APIs) to develop, improve, or train any generalized AI and/or ML models.' The Trust Center lists OpenAI, Google Cloud Platform, and Anthropic as subprocessors (i.e. Mem sends note content to these AI providers to power its features), but this is data processing to serve the product, not model training on customer data per Mem's own claim. No self-serve Data Processing Agreement (DPA) page was found on the vendor's own domain; enterprise customers would need to request one directly (support@mem.ai / hello@mem.ai). No tier-based training differences were found because Mem does not publicly document a separate enterprise tier.
// Security controls
Hosting infrastructure
Google Cloud Platform, cited for "industry-leading security practices"
get.mem.aiAccess control
Role-based access; "Only our SRE and the backend server team have access" to production machines; staff 2FA and strong-password requirements; documented offboarding/termination procedures
get.mem.aiPenetration testing
Completed gray box penetration testing; no exploitable vulnerabilities found
get.mem.aiBusiness continuity / disaster recovery
Continuity and Disaster Recovery plans established and tested (per SOC 2 control list)
trust.mem.aiSubprocessors disclosed
OpenAI (AI provider, US), Google Cloud Platform (Cloud/AI provider, US), Anthropic (AI provider, US), Amplitude (Data analytics, US and EU)
trust.mem.ai// Products & data scope
data: User notes, meeting transcripts/recordings, saved web content, voice memos, connected calendar/email data (via Google Workspace APIs)
Single consumer/prosumer product with Free and Pro tiers advertised on the pricing page; no separate documented enterprise/API SKU with distinct compliance posture was found.
// What to watch
- Third-party aggregator Nudge Security (security-profiles.nudgesecurity.com/app/mem-ai) lists Mem as 'PCI Compliant, HIPAA Compliant, SOC 2 Compliant, GDPR Compliant, ISO 27001 Compliant, FedRamp Compliant, and CSA Star Level 1 Compliant.' This is NOT corroborated by any vendor-owned page (trust.mem.ai and get.mem.ai/pages/security only claim SOC 2 Type II) and appears to be an over-claim or generic/inferred badge set from the aggregator, not Mem's own representation. Excluded from grading per hard rules; listed here as a flag only.
- Do not confuse this vendor (Mem / Mem Labs, Inc. / mem.ai / get.mem.ai, a personal notes app) with the similarly named 'Mem0' (mem0.ai), a separate company offering an AI memory layer for agents/apps that independently claims SOC 2 Type I and HIPAA-readiness. The two are unrelated entities.
- No explicit Data Processing Agreement (DPA) page was found on Mem's own domain; enterprise buyers requiring a signed DPA should confirm availability directly with Mem before purchase.
- GDPR is referenced only as a legal-rights posture for EEA users in the privacy policy, not as an independent certification; graded as such rather than as a held cert.
// At a glance
Pricing model
Freemium subscription (Free tier + Pro paid tier); no public enterprise contract tier documented
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Mem Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.mem.ai