Note: This is a working draft for beta. Sections marked [to complete] require legal review and your specific details before production use.
1. Definitions
"Controller" means the customer entity that determines the purposes and means of processing personal data.
"Processor" means TDA Develop, which processes personal data on behalf of the Controller.
"Personal Data" has the meaning given in the GDPR and applicable data protection laws.
"Service" means the ScribX meeting intelligence platform at scribx.app.
2. Subject matter and duration
This DPA applies to the processing of Personal Data by TDA Develop in connection with the provision of the Service under the Terms of Service. It remains in force for the duration of the service agreement and terminates automatically upon account deletion.
3. Processing details
| Item | Details |
|---|---|
| Nature | Collection, storage, analysis (transcription, translation, summarization), retrieval and deletion of meeting audio and derived text data. |
| Purpose | Providing real-time transcription, AI translation, meeting notes, CMS storage and search as described in the Service. |
| Data types | Voice recordings (transient); transcript text; AI-generated summaries and action items; meeting metadata (date, duration, participants); account identifiers. |
| Data subjects | Meeting participants (employees, contractors and guests of the Controller). |
| Retention | Audio: deleted after processing. Transcripts and notes: for the life of the account. Audit logs: minimum 7 years. |
Meeting audio, video, transcripts and summaries are not stored by any third-party vendor after processing, are not accessed by any vendor once the service is completed, and are never used to train AI models. This is enforced by contract with every sub-processor.
4. Processor obligations
TDA Develop shall:
- Process Personal Data only on documented instructions from the Controller (i.e., as described in this DPA and the Terms of Service).
- Ensure that persons authorized to process the data are bound by appropriate confidentiality obligations.
- Implement the technical and organizational security measures described in Section 8.
- Not engage sub-processors without prior general authorization from the Controller (subject to Section 5).
- Assist the Controller in responding to data subject rights requests, to the extent reasonably possible.
- Delete or return all Personal Data upon termination of the service agreement.
- Provide the Controller with information necessary to demonstrate compliance with this DPA.
5. Sub-processors
The Controller provides general authorization for TDA Develop to engage the following categories of sub-processors. TDA Develop will notify the Controller of any changes with at least 14 days' notice.
| Sub-processor | Purpose | Location |
|---|---|---|
| [Cloud infrastructure provider — to complete] | Hosting, storage, compute | [to complete] |
| [Speech-to-text provider — to complete] | Audio transcription | [to complete] |
| [AI / LLM provider — to complete] | Translation and summarization | [to complete] |
| [Analytics provider — to complete] | Product analytics (anonymized) | [to complete] |
| [Payment processor — to complete] | Billing and payments | [to complete] |
6. Data subject rights
If TDA Develop receives a data subject request relating to the Controller's data, it will promptly notify the Controller and take no action without the Controller's instruction, except as required by law. The Controller is responsible for responding to data subjects within applicable statutory timescales.
7. International data transfers
Where Personal Data is transferred outside the EEA, the UK or another jurisdiction covered by an adequacy decision, TDA Develop will ensure that appropriate safeguards are in place, including [to complete — Standard Contractual Clauses / adequacy decision / BCRs as applicable].
8. Technical and organizational security measures
- Encryption in transit: TLS 1.2 or higher for all data in transit.
- Encryption at rest: AES-256 for all stored data.
- Access control: Role-based access; multi-factor authentication for all administrative access.
- Audit logging: Comprehensive logs of data access and modifications, retained 7 years.
- Vulnerability management: Regular security testing and prompt patching of critical vulnerabilities.
- Incident response: A documented plan with defined response timescales.
- Employee training: Annual data protection and security awareness training for all staff with data access.
9. Data breach notification
In the event of a Personal Data breach, TDA Develop shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of it. The notification will include the nature of the breach, the data affected, the likely consequences and the measures taken or proposed.
10. Audit rights
The Controller may, on reasonable notice (minimum 30 days) and at its own cost, audit TDA Develop's compliance with this DPA, up to once per year. TDA Develop may satisfy this obligation by providing a current third-party audit report (e.g., SOC 2 Type II) [to complete — once available].
11. Biometric data (BIPA / CUBI compliance)
Where speaker identification features process voice characteristics that qualify as biometric identifiers under applicable law (including Illinois BIPA, Texas CUBI or similar), TDA Develop:
- Treats voiceprint data as sensitive personal data subject to heightened protection.
- Does not sell, lease, trade or profit from biometric identifiers or information.
- Destroys biometric data at the earlier of: (a) the point at which the purpose for collection is fulfilled; or (b) 3 years from last interaction, unless a shorter period is required by law.
- Contractually prohibits all sub-processors from retaining biometric data after processing.
The Controller is responsible for obtaining all required consents and providing all required notices to data subjects before enabling speaker identification features.
12. Termination
Upon termination of the service agreement, TDA Develop shall, at the Controller's choice, delete or return all Personal Data within 30 days, and certify in writing that it has done so, unless retention is required by law.
13. Contact
Data Protection inquiries:
TDA Develop
Email: privacy@scribx.app
Address: [to complete]