// Trust & Security Report

    Mem Labs, Inc. logo

    Mem Labs, Inc.

    Mem (also marketed as get.mem.ai) is a consumer/prosumer personal notes and AI thought-partner app (notes, meeting transcription, web capture, Q&A over your notes); single product line, no separate enterprise/API tier identified.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Mem exists to help you remember what matters. That only works if you trust us with your most important thinking. We take that responsibility seriously: SOC 2 Type II certified, end-to-end encryption, and a commitment to never selling your data. ... SOC 2 Type II Report

    Verify on trust.mem.ai
    SOC 2 Type II (corroborating source)
    HELD

    SOC 2 Type II: Mem holds this compliance status, described as 'the gold standard for data security and operational integrity.' ... completed gray box penetration testing, which verified that our application has no exploitable vulnerabilities.

    Verify on get.mem.ai
    > Show 8 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence. Neither trust.mem.ai nor get.mem.ai/pages/security mentions ISO 27001; only SOC 2 Type II is claimed on vendor-owned pages.

    source: trust.mem.ai
    HIPAA
    NOT CONFIRMED

    No public evidence. HIPAA is not mentioned on the Trust Center, the security page, or the privacy policy.

    source: get.mem.ai
    PCI DSS
    NOT CONFIRMED

    No public evidence. PCI is not mentioned on any Mem-owned page; Mem does not process payment cards directly (billing is handled via standard subscription checkout).

    source: get.mem.ai
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence on any vendor-owned page.

    source: trust.mem.ai
    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    No public evidence. No AI-governance certification is referenced on the Trust Center, security page, or privacy policy.

    source: trust.mem.ai
    CSA STAR
    NOT CONFIRMED

    No public evidence on any vendor-owned page.

    source: trust.mem.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence on any vendor-owned page. FedRAMP applies to US federal cloud procurement and is not relevant to this consumer/SMB product.

    source: trust.mem.ai
    GDPR (posture, not a certification)
    NOT CONFIRMED

    Policy references GDPR rights for EEA residents (e.g. right to 'complain to your local data protection supervisory authority') but this is a legal posture, not a certifiable standard, so it is graded separately in the privacy section rather than as a held cert.

    source: get.mem.ai

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Hosted on Google Cloud Platform (United States); Trust Center subprocessor list shows Amplitude data processed in 'US and EU'. No dedicated EU-only or data-residency option is documented on vendor-owned pages.

    Vendor privacy policy states: 'We do not use your personal information, notes, or the information we collect via third parties (e.g. Google Workspace APIs) to develop, improve, or train any generalized AI and/or ML models.' The Trust Center lists OpenAI, Google Cloud Platform, and Anthropic as subprocessors (i.e. Mem sends note content to these AI providers to power its features), but this is data processing to serve the product, not model training on customer data per Mem's own claim. No self-serve Data Processing Agreement (DPA) page was found on the vendor's own domain; enterprise customers would need to request one directly (support@mem.ai / hello@mem.ai). No tier-based training differences were found because Mem does not publicly document a separate enterprise tier.

    // Security controls

    Encryption in transit

    128-bit TLS encryption for all application communication

    get.mem.ai

    Encryption at rest

    "We encrypt all user content in transit and at rest."

    get.mem.ai

    Hosting infrastructure

    Google Cloud Platform, cited for "industry-leading security practices"

    get.mem.ai

    Access control

    Role-based access; "Only our SRE and the backend server team have access" to production machines; staff 2FA and strong-password requirements; documented offboarding/termination procedures

    get.mem.ai

    Penetration testing

    Completed gray box penetration testing; no exploitable vulnerabilities found

    get.mem.ai

    Business continuity / disaster recovery

    Continuity and Disaster Recovery plans established and tested (per SOC 2 control list)

    trust.mem.ai

    Cybersecurity insurance

    Cybersecurity insurance maintained (per SOC 2 control list)

    trust.mem.ai

    Subprocessors disclosed

    OpenAI (AI provider, US), Google Cloud Platform (Cloud/AI provider, US), Anthropic (AI provider, US), Amplitude (Data analytics, US and EU)

    trust.mem.ai

    // Products & data scope

    Mem (get.mem.ai)Personal notes / AI thought-partner app

    data: User notes, meeting transcripts/recordings, saved web content, voice memos, connected calendar/email data (via Google Workspace APIs)

    Single consumer/prosumer product with Free and Pro tiers advertised on the pricing page; no separate documented enterprise/API SKU with distinct compliance posture was found.

    // What to watch

    • Third-party aggregator Nudge Security (security-profiles.nudgesecurity.com/app/mem-ai) lists Mem as 'PCI Compliant, HIPAA Compliant, SOC 2 Compliant, GDPR Compliant, ISO 27001 Compliant, FedRamp Compliant, and CSA Star Level 1 Compliant.' This is NOT corroborated by any vendor-owned page (trust.mem.ai and get.mem.ai/pages/security only claim SOC 2 Type II) and appears to be an over-claim or generic/inferred badge set from the aggregator, not Mem's own representation. Excluded from grading per hard rules; listed here as a flag only.
    • Do not confuse this vendor (Mem / Mem Labs, Inc. / mem.ai / get.mem.ai, a personal notes app) with the similarly named 'Mem0' (mem0.ai), a separate company offering an AI memory layer for agents/apps that independently claims SOC 2 Type I and HIPAA-readiness. The two are unrelated entities.
    • No explicit Data Processing Agreement (DPA) page was found on Mem's own domain; enterprise buyers requiring a signed DPA should confirm availability directly with Mem before purchase.
    • GDPR is referenced only as a legal-rights posture for EEA users in the privacy policy, not as an independent certification; graded as such rather than as a held cert.

    // At a glance

    Pricing model

    Freemium subscription (Free tier + Pro paid tier); no public enterprise contract tier documented

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Mem Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.mem.ai

    > Browse all vendor trust reports