Data Processing Agreement (DPA)

This DPA forms part of the SpeakFuse Terms of Service and governs our processing of personal data on your behalf.

Effective Date: 01-03-26

This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Service (“Terms”) between:

Processor: TryppleA, Omval 7, 1096AA Amsterdam, The Netherlands
Controller: The user accepting the Terms and using the Service.

By using the Service, Controller enters into this DPA.

1. Scope and Role of the Parties

1.1 This DPA applies where Controller uploads or submits Personal Data to the Service.

1.2 For such data:

  • Controller acts as Data Controller.
  • Processor acts as Data Processor under Article 28 GDPR.

1.3 This DPA does not apply where Processor acts as an independent Controller (e.g., account, billing, or website analytics data as described in the Privacy Policy).

2. Subject Matter and Duration

2.1 Subject Matter
Processing of audio files, transcripts, AI-generated outputs, and related data submitted by Controller.

2.2 Duration
Processing continues for the duration of the Service and until deletion in accordance with Section 10.

3. Nature and Purpose of Processing

Processing may include collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, transmission, restriction, and deletion of Personal Data.

Purpose of processing:

  • Providing transcription services
  • Providing AI-based analysis features
  • Storing and enabling retrieval of outputs
  • Ensuring system security, integrity, and technical maintenance
  • Preventing abuse, fraud, and unauthorized access

Processor shall:

  • Process Personal Data only on documented instructions from Controller
  • Not process Personal Data for its own independent purposes
  • Not sell, monetize, or commercially exploit Personal Data
  • Ensure processing is limited to what is necessary for Service provision

4. Categories of Data Subjects

May include:

  • Controller’s customers
  • Employees
  • Contractors
  • Business contacts
  • Individuals whose voices or personal data appear in uploaded content

5. Types of Personal Data

May include:

  • Voice recordings
  • Names
  • Contact details
  • Professional information
  • Conversations
  • Any Personal Data contained within uploaded files

Controller determines the categories and scope of data submitted.

6. Instructions

6.1 Processor shall process Personal Data only on documented instructions from Controller, as set out in:

  • This DPA
  • The Terms
  • Controller’s use of the Service functionality

6.2 Processor shall inform Controller if an instruction infringes applicable data protection law.

7. Confidentiality

Processor shall ensure that persons authorized to process Personal Data:

  • Are bound by contractual or statutory confidentiality obligations
  • Receive appropriate data protection training where applicable
  • Access Personal Data only as necessary to provide the Service

8. Security Measures

Processor shall implement appropriate technical and organizational measures pursuant to Article 32 GDPR, including:

  • Encryption in transit
  • Access control mechanisms
  • Role-based access limitation
  • Secure infrastructure
  • Monitoring and logging

Security measures may evolve in line with technological developments.

9. Subprocessors

9.1 Controller authorizes Processor to engage Subprocessors necessary for Service provision.

9.2 Processor shall:

  • Enter into written agreements imposing GDPR-compliant obligations
  • Remain responsible for Subprocessor compliance

9.3 A current list of Subprocessors shall be made available upon request.

10. International Transfers

Where Personal Data is transferred outside the EEA, Processor shall ensure lawful transfer mechanisms, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions

11. Assistance to Controller

Taking into account the nature of processing and information available to Processor, Processor shall provide reasonable assistance to Controller to fulfill its obligations under GDPR, including:

  • Data subject rights requests
  • Security obligations under Articles 32–36 GDPR
  • Data protection impact assessments
  • Prior consultation with supervisory authorities

Assistance shall be limited to data processed by Processor on behalf of Controller.

Where legally permissible, assistance beyond standard Service functionality may be subject to reasonable fees and reimbursement of costs.

12. Personal Data Breach

Processor shall notify Controller without undue delay after becoming aware of a confirmed Personal Data Breach affecting Controller Personal Data.

Notification shall include, to the extent available:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Categories and approximate number of records concerned
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

Processor shall take appropriate remedial measures without undue delay.

Controller remains solely responsible for assessing notification obligations toward supervisory authorities and data subjects.

13. Deletion or Return of Data

Upon termination of the Service or upon Controller’s written request:

  • Personal Data shall be deleted or made inaccessible in accordance with standard retention cycles,
  • Unless EU or Member State law requires retention.

Controller is responsible for exporting data prior to termination.

Backup systems may retain copies for a limited period consistent with standard backup rotation schedules, after which deletion occurs automatically.

Upon written request, Processor may confirm deletion in writing.

14. Audit

14.1 Processor shall make available to Controller all information reasonably necessary to demonstrate compliance with Article 28 GDPR and this DPA.

14.2 Audits:

  • Require reasonable prior written notice
  • May occur no more than once per 12-month period
  • Must not disrupt normal operations
  • Shall be conducted at Controller’s expense
  • Are subject to confidentiality obligations

Audits shall be limited to data processing activities relevant to Controller and shall not provide access to confidential information of other customers.

Independent third-party certifications or audit reports may satisfy audit requirements.

15. Controller Warranties

Controller represents and warrants that:

  • It has a lawful basis for processing Personal Data
  • It has provided required notices to data subjects
  • It complies with GDPR obligations applicable to Controllers

Processor is not responsible for unlawful or unauthorized data submitted by Controller.

16. Liability

Liability arising under this DPA shall be subject to the liability limitations set out in the Terms of Service.

Nothing in this DPA excludes liability where prohibited by applicable law.

17. Governing Law

This DPA shall be governed by the laws specified in the Terms, consistent with GDPR requirements.

18. No Independent Determination

Processor does not determine the purposes or means of processing Personal Data contained in uploaded content.

Controller remains solely responsible for:

  • Determining lawful basis
  • Defining retention periods
  • Responding to data subjects
  • Compliance with GDPR and other applicable laws