Data Processing Agreement

Last updated: 15 April 2026 | Version 1.0

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the customer (“Controller”) and VoxChron Ltd (“Processor”). It applies whenever the Processor processes personal data on behalf of the Controller under UK GDPR, EU GDPR (Art. 28), and applicable data protection laws. By using the VoxChron service, the Controller accepts the terms of this DPA.

1. Definitions

  • Controller means the customer (individual or entity) determining the purposes and means of processing.
  • Processor means VoxChron Ltd, processing personal data on behalf of the Controller.
  • Personal Data has the meaning in UK/EU GDPR Art. 4(1).
  • Sub-processor means any third party engaged by the Processor to process personal data.
  • Applicable Law means UK GDPR, EU GDPR, the Data Protection Act 2018, and any other applicable data protection legislation.

2. Subject Matter & Duration

The subject matter of processing is the captioning and transcription of audio and video content uploaded to the VoxChron service. Processing continues for the duration of the customer agreement and any subsequent retention period set out in the Privacy Policy.

3. Nature & Purpose of Processing

The Processor performs automated speech recognition, non-verbal sound detection, speaker diarization, translation, and caption file generation. Processing is strictly limited to delivering the captioning service requested by the Controller.

4. Categories of Data & Data Subjects

Categories of personal data processed may include:

  • Voice recordings and audio content (potentially containing personal data)
  • Names and other identifiers mentioned in audio content
  • Account data (email, name, company name, billing details)
  • Usage metadata (upload timestamps, file sizes, IP addresses)

Categories of data subjects may include:

  • Speakers in uploaded audio/video
  • Individuals mentioned in uploaded content
  • Customer account holders and their end users

5. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller, including with regard to international transfers.
  • Ensure persons authorized to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures as described in Section 9.
  • Respect the conditions for engaging sub-processors set out in Section 7.
  • Assist the Controller in responding to data subject rights requests.
  • Assist the Controller with DPIAs and prior consultations with supervisory authorities.
  • Return or delete personal data at the end of the service, subject to legal retention requirements.
  • Make available all information necessary to demonstrate compliance with Art. 28 GDPR.

6. Controller Obligations

The Controller warrants that:

  • It has a lawful basis under Art. 6 GDPR (and Art. 9 if special-category data) for processing the personal data contained in uploaded content.
  • It has provided appropriate notices to data subjects and, where required, obtained their consent.
  • It will not upload content containing personal data it is not authorized to process.
  • Its instructions to the Processor comply with applicable law.

7. Sub-processors

The Controller grants general authorization for the Processor to engage sub-processors, subject to prior notification of new sub-processors and the right to object on reasonable data protection grounds. The current list of sub-processors includes:

Sub-processor | Purpose | Location
Cloud object storage provider | Encrypted file storage | EU (default)
ML inference provider | Speech recognition & sound detection | EU / US
Stripe | Payment processing | EU / US
Resend | Transactional email delivery | EU / US

All sub-processors are bound by written contracts containing obligations equivalent to those in this DPA. An up-to-date list is available on request from privacy@voxchron.com.

8. International Transfers

Where personal data is transferred outside the UK or EEA, the Processor relies on appropriate safeguards including UK International Data Transfer Agreements, UK Addendum to EU Standard Contractual Clauses, or EU Standard Contractual Clauses (2021/914/EU), and applies supplementary technical and organizational measures where required.

9. Security Measures

The Processor implements the following technical and organizational measures:

  • Encryption in transit: TLS 1.3 for all data transfers
  • Encryption at rest: AES-256 for stored files and backups
  • Access controls: Role-based access, least-privilege principle, MFA for administrative access
  • Network security: VPC isolation, firewalls, DDoS protection
  • Logging & monitoring: Security event logging with alerting
  • Automatic deletion: Source files deleted after processing; only exports retained
  • Staff training: Mandatory annual data protection and security training
  • Incident response: Documented procedures with defined response times
  • Business continuity: Regular backups and tested recovery procedures

Full details are available in our Security overview.

10. Personal Data Breach Notification

The Processor will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach. Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

11. Data Subject Rights

The Processor will assist the Controller, by appropriate technical and organizational measures, in fulfilling obligations to respond to data subject rights requests (access, rectification, erasure, portability, restriction, and objection) under GDPR Chapter III.

12. Audit Rights

The Controller may audit the Processor’s compliance with this DPA once per year on reasonable prior notice. The Processor may fulfil audit obligations by providing third-party attestations (e.g., SOC 2, ISO 27001) where applicable. Costs of any audit initiated by the Controller are borne by the Controller.

13. Return & Deletion of Data

Upon termination of the service, the Processor will, at the Controller’s choice, return or delete all personal data unless Applicable Law requires continued storage. Source files (uploaded media) are deleted automatically on job completion. Exported captions remain available while the customer account is active.

14. Liability

Each party’s liability under this DPA is subject to the limitations set out in the Terms of Service, except where those limitations are prohibited by Applicable Law.

15. Governing Law

This DPA is governed by the laws of England and Wales. Disputes are subject to the exclusive jurisdiction of the courts of England and Wales, save that nothing in this DPA limits the jurisdiction of supervisory authorities under GDPR.

16. Contact

For data protection matters, or to request a countersigned copy of this DPA, contact our Data Protection Officer at privacy@voxchron.com.

VoxChron Ltd is registered in England and Wales (Company No. [XXXXXXXX]). Registered office: [Registered Address], England.