Data Processing Agreement — Sigmoid Creativity SRL (Cleanvoice)
This Data Processing Agreement ("Agreement") is concluded by and between:
- The natural or legal person who accesses and uses the Product (as defined below) for the editing podcasts ("Client"); and
- Sigmoid Creativity SRL, a company incorporated and functioning under the laws of Romania, having its headquarters at 25 Argentina Street, District 1, Bucharest, Romania, tax code 44318031, registered with the Trade Registry under no. J40/8970/2021 ("Cleanvoice").
Hereinafter, collectively, referred to as "Parties", and, individually, referred to as "Party".
WHEREAS
- Cleanvoice offers a software product to be used for podcast transcription, summarization, audio and video enhancement, and analysis services, either through the platform available at https://cleanvoice.ai/ or through an API integration ("Product");
- The Client wishes to use the Product in accordance with the general terms and conditions of the Product or other agreement concluded by the Parties ("Principal Agreement").
- For the performance of the Principal Agreement, the Parties process personal data as controller and processor, or as a processor and a subprocessor (as the case might be, depending on how the Client uses the Product);
- The Parties have decided to regulate the processing of personal data in order to meet the obligations relating to the protection of personal data imposed by the applicable legislation.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1 Capitalized terms and expressions used in this Agreement shall have the following meaning:
- "Agreement" means this Data Processing Agreement and all Annexes;
- "Applicable Legislation" means GDPR, any relevant law implementing GDPR or regulating the protection of Personal Data, and any guidelines, codes of practice or other documents issued by the competent authorities;
- "Client Personal Data" means any Personal Data Processed by Cleanvoice on behalf of the Client pursuant to or in connection with the Principal Agreement;
- "EEA" means the European Economic Area;
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
- "Services" means the podcast transcription, summarization, audio and video enhancement, and analysis services Cleanvoice provides.
- "Subcontractor" or "Subprocessor" means any person appointed by or on behalf Cleanvoice to Process Personal Data.
1.2 The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing", "Processor" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
1.3 Any other capitalized term shall have the meaning as defined in the Agreement.
2. Processing of Client Personal Data
2.1 In Processing the Client Personal Data:
- The Client acts as a Controller or as a Processor of the users of its product (where the users are the Controllers);
- Cleanvoice acts as a Processor or a Subprocessor of the Client (depending on the Client's capacity in relation to the Client Personal Data, as well as on the relationship between the Client and the users of its product - Controller or Processor).
2.2 Cleanvoice Processes the Client Personal Data of the Data Subjects only for the purposes set out in Annex 1. Cleanvoice Processes the Personal Data only based on documented instructions from the Client, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by the European Union or member state law to which the Cleanvoice is subject. In such a case, Cleanvoice shall inform the Client of that legal requirement before Processing.
2.3 The Client instructs Cleanvoice and authorizes Cleanvoice to instruct each Subcontractor to Process Relevant Personal Data and to transfer Relevant Personal Data to any third country, as necessary for the provision of the Services and the performance of the Agreement, in compliance with the provisions of this Agreement concerning the use of the Subcontractors and the transfer of the Personal Data.
3. Cleanvoice Personnel
3.1 Cleanvoice shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Client Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Client Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to Cleanvoice, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Cleanvoice shall in relation to the Client Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, Cleanvoice shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
4.3 Cleanvoice has implemented and will maintain appropriate technical and organizational security measures to protect Personal Data from a Personal Data Breach and to preserve the security and confidentiality of the Personal Data, in accordance with the Cleanvoice's security standards described in Annex 2 and industry standard security measures.
5. Subprocessing
5.1 The Client authorizes Cleanvoice to use, in connection with the Processing of the Client Personal Data and under the conditions set out in this Agreement, the Subcontractors listed in Annex 3. Cleanvoice shall inform the Client in writing of any intended changes to the list in Annex 3.
5.2 The Client shall be entitled to object on reasonable grounds to the addition or replacement of a Subcontractor, by sending its objections to Cleanvoice within 10 (ten) calendar days of the notification received from Cleanvoice. Cleanvoice shall provide the Client, at the latter's written request, with the information it needs to exercise its right to object. If the Client fails to raise objections within the specified time limit, the Client shall be deemed to have agreed to the change notified by Cleanvoice.
5.3 In using a new Subcontractor, Cleanvoice shall take into account criteria such as the warranties in terms of technical and organizational measures offered by the Subcontractor, its expertise, reliability and resources.
5.4 Cleanvoice shall ensure that each Subcontractor is able to ensure the level of protection of the Client Personal Data as required by this Agreement. Cleanvoice shall enter into a contract with each Subcontractor and shall include therein obligations similar to those set out in this Agreement for Cleanvoice. At the Client's request, Cleanvoice shall provide the Client with a copy of the subcontracting agreements (regarding the Processing of Personal Data) and any subsequent amendments thereto, subject to confidentiality obligations.
6. Data Subject Rights
6.1 Taking into account the nature of the Processing, Cleanvoice shall assist the Client by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client's obligations to respond to requests to exercise Data Subject rights under the Applicable Legislation.
6.2 Cleanvoice shall:
a) promptly notify the Client if it receives a request from a Data Subject under any Applicable Legislation in respect of Client Personal Data; and
b) ensure that it does not respond to that request except on the documented instructions of the Client or as required by Applicable Legislation to which Cleanvoice is subject, in which case Cleanvoice shall to the extent permitted by Applicable Legislation inform the Client of that legal requirement before Cleanvoice responds to the request.
7. Personal Data Breach
7.1 Cleanvoice shall notify the Client without undue delay, but no later than 72 hours after Cleanvoice becomes aware of a Personal Data Breach affecting Client Personal Data, providing the Client with sufficient information to allow the Client to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Legislation.
7.2 Cleanvoice shall co-operate with the Client and take reasonable commercial steps as are directed by the Client to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. Data Protection Impact Assessment and Prior Consultation
8.1 Cleanvoice shall provide reasonable assistance to the Client with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Client reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Applicable Legislation, in each case solely in relation to Processing of Client Personal Data by, and taking into account the nature of the Processing and information available to Cleanvoice.
9. Deletion or return of Client Personal Data
9.1 Subject to sections 9.2 and 9.3, Cleanvoice shall promptly and in any event within 14 business days of the date of cessation of any Services involving the Processing of Client Personal Data ("Cessation Date"), delete and procure the deletion of all copies of those Client Personal Data.
9.2 Subject to section 9.3, the Client may in its absolute discretion by written notice to Cleanvoice within 14 business days of the Cessation Date require Cleanvoice to (a) return a complete copy of all Client Personal Data to the Client by secure file transfer in such format as is reasonably notified by the Client to Cleanvoice; and (b) delete and procure the deletion of all other copies of Client Personal Data Processed by Cleanvoice. Cleanvoice shall comply with any such written request within 14 business days of the Cessation Date.
9.3 Cleanvoice may retain Client Personal Data to the extent required by Applicable Legislation and only to the extent and for such period as required by Applicable Legislation and always provided that Cleanvoice shall ensure the confidentiality of all such Client Personal Data and shall ensure that such Client Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Legislation requiring its storage and for no other purpose.
10. Audit rights
10.1 Subject to section 10.2, Cleanvoice shall make available to the Client on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Client or an auditor mandated by the Client in relation to the Processing of the Client Personal Data by Cleanvoice.
10.2 The Client undertaking an audit shall give Cleanvoice reasonable notice of any audit or inspection to be conducted under section 10.1 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to Cleanvoice's premises, equipment, personnel and business while its personnel are in the course of such an audit or inspection. Cleanvoice need not give access to its premises for the purposes of such an audit or inspection:
a) to any individual unless he or she produces reasonable evidence of identity and authority;
b) outside normal business hours at those premises; or
c) for the purposes of more than one audit or inspection, in respect of Cleanvoice, in any calendar year, except for any additional audits or inspections which: i) the Client undertaking an audit reasonably considers necessary because of genuine concerns as to the Cleanvoice's compliance with this Agreement; or ii) the Client is required or requested to carry out such an audit under the Applicable Legislation, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Applicable Legislation.
10.3 Cleanvoice shall inform the Client if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
11. Personal Data Transfers Outside the EU/EEA
11.1 Cleanvoice may transfer and process Client Personal Data to and in other locations outside of the EU/EEA as necessary to provide the Services.
11.2 Any transfer of Client Personal Data made subject to this Clause 11 must be made in compliance with applicable Applicable Legislation based on valid transfer mechanisms.
11. Governing Law and Jurisdiction
11.1 This Agreement is governed by the laws of Romania.
11.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Bucharest, Romania.
12. MISCELLANEOUS
12.1 Where there is a discrepancy between the provisions of this Agreement and any other agreement between the Parties, including the provisions of the Principal Agreement, this Agreement shall prevail in respect of matters relating to the data protection obligations.
12.2 Where the obligations of the Parties need to be amended as a result of changes in the Applicable Legislation or as a result of the issuance by the Commission or the Supervisory Authority of standard contractual clauses, including in case of modification or adoption of new standard contractual clauses on international transfers, the Parties undertake to amend this Agreement accordingly.
Annex 1: Details of Processing of Client Personal Data
This Annex 1 includes certain details of the Processing of Client Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Client Personal Data:
- Client Personal Data will be Processed during the existence of the Principal Agreement or as otherwise specified in the Principal Agreement;
- Thereafter, the Client Personal Data will be stored for a period of time necessary to fulfil the legal obligations and legitimate interests of Cleanvoice.
The nature and purpose of the Processing of Client Personal Data:
- The provision of Services, including:
- Podcast, audio and video content transcription: Converting spoken words in audio and video files into written text.
- Content summarization: Creating concise summaries of transcribed content.
- Audio and video enhancement: Improving the quality of audio and video files through noise reduction, equalization, and other techniques.
The types of Client Personal Data to be Processed
- Any Personal Data of any natural persons contained in the podcast.
The categories of Data Subject to whom the Client Personal Data relates:
- Natural persons whose Personal Data is contained in the podcasts, or whose Personal Data is processed by Cleanvoice (as Processor / Subprocessor) as a result of the integration of its Product by the Client.
Processing operations
- Cleanvoice will store the Client Personal Data;
- Cleanvoice will process the Client Personal Data in any other way necessary for the provision of the Services.
Annex 2 - Technical and organizational measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, as well as the risk with varying degrees of likelihood and severity to the rights and freedoms of the Data Subjects, Cleanvoice implements the following technical and organizational measures in order to ensure a level of security appropriate to this risk:
- pseudonymization and encryption measures for Personal Data;
- measures to ensure confidentiality, integrity, availability and continuous resilience of the Processing systems and services;
- measures to ensure the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident;
- processes to regularly test, evaluate and assess the effectiveness of technical and organizational measures to ensure the security of the Processing;
- user identification and authorization measures;
- measures to ensure the protection of Personal Data during transmission;
- measures to ensure the protection of Personal Data during storage;
- measures to ensure event logging;
- measures for the governance and management of internal information systems and information security;
- measures to ensure compliance with the GDPR principles for processing Personal Data
Annex 3: List of Subprocessors
The following Subprocessors shall be considered approved by the Client at the time of entering into this Agreement:
Annex 3: List of Subprocessors
The following Subprocessors shall be considered approved by the Client at the time of entering into this Agreement:
Digital Ocean
| Category | Details |
|---|---|
| Name | DigitalOcean, LLC |
| Address | New York, 101 6th Ave, United States |
| Website | digitalocean.com |
| Data Location | Germany |
| Purpose | Infrastructure and storage |
| Data Processed | Video/Audio content |
Hetzner
| Category | Details |
|---|---|
| Name | Hetzner Online GmbH |
| Address | Industriestr. 25, 91710 Gunzenhausen, Germany |
| Website | hetzner.com |
| Data Location | Germany |
| Purpose | Infrastructure and storage |
| Data Processed | Technical IDs, Contact, Device, Video/Audio content, Behaviour |
Cloudflare
| Category | Details |
|---|---|
| Name | Cloudflare, Inc. |
| Address | 101 Townsend St, San Francisco, CA 94107, USA |
| Website | cloudflare.com |
| Data Location | European Economic Area |
| Purpose | Storage, content delivery and DDoS protection |
| Data Processed | Technical IDs, Traffic data, Video/Audio content |
Bunny
| Category | Details |
|---|---|
| Name | BunnyWay d.o.o. |
| Address | Dunajska cesta 165, 1000 Ljubljana, Slovenia |
| Website | bunny.net |
| Data Location | European Economic Area |
| Purpose | Storage and content delivery |
| Data Processed | Technical IDs, Traffic data, Video/Audio content |
Runpod
| Category | Details |
|---|---|
| Name | RunPod Inc. |
| Address | 102 Lakeland Avenue, Dover, DE 19901, United States |
| Website | runpod.io |
| Data Location | European Economic Area |
| Purpose | Cloud computing |
| Data Processed | Video/Audio Content |
Mixedbread.ai
| Category | Details |
|---|---|
| Name | Mixedbread Ai Inc. |
| Address | Berlin, Berlin 13335, Germany |
| Website | mixedbread.ai |
| Data Location | European Economic Area |
| Purpose | AI-powered processing |
| Data Processed | User queries, Processing results |
Anthropic
| Category | Details |
|---|---|
| Name | Anthropic PBC |
| Address | 398 11th Street, San Francisco, CA 94103, USA |
| Website | anthropic.com |
| Data Location | Global |
| Purpose | AI-powered processing |
| Data Processed | User queries, Processing results |