Data Processing Agreement
Applied to Speech Safari Technologies, LLC
Effective Date 12/23/2025
This Data Processing Agreement (the "DPA") is an addendum to the Terms & Conditions (the "Agreement") between Speech Safari Technologies ("Processor" or "we," "us," or "our") and the Client ("Controller" or "you"). This DPA applies to the processing of Personal Data (as defined below) by the Processor on behalf of the Controller in connection with the Services provided under the Agreement.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject").
"Controller" means the Client who determines the purposes and means of the processing of Personal Data.
"Processor" means Speech Safari Technologies, which processes Personal Data on behalf of the Controller.
"EEA" means the European Economic Area.
"GDPR" means the General Data Protection Regulation (EU) 2016/679.
"CCPA" means the California Consumer Privacy Act of 2018, as amended by the CPRA (California Privacy Rights Act).
"PIPEDA" means the Personal Information Protection and Electronic Documents Act (Canada).
"PDPA" means the Personal Data Protection Act 2012 (Singapore).
"APPI" means the Act on the Protection of Personal Information (Japan).
2. Roles and Responsibilities
The Client acts as the Data Controller and is responsible for determining the purposes and means of the processing of Personal Data. Speech Safari Technologies acts as the Data Processor and will process Personal Data only on the documented instructions of the Controller, as outlined in the Agreement and this DPA, and in compliance with applicable data protection laws.
3. Processing of Personal Data
Subject Matter of the Processing: The processing of Personal Data by the Processor on behalf of the Controller will be for the purpose of providing the Services as described in the Agreement, primarily for billing and accounting purposes related to invoices.
Categories of Personal Data: The categories of Personal Data processed may include basic contact information (such as name, email address, and billing address) provided by the Client for invoicing purposes.
Duration of the Processing: The processing will continue for the duration of the Agreement and as necessary for post-termination obligations (such as retaining records for legal and accounting purposes).
4. Processor Obligations
The Processor shall:
Process Personal Data only on the documented instructions of the Controller, unless required to do so by Union, Member State, or other applicable law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
the pseudonymisation and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Assist the Controller in ensuring compliance with the Controller's obligations pursuant to Articles 32 to 36 of the GDPR and similar obligations under other applicable data protection laws.
Assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR (Articles 12-23) and similar rights under other applicable data protection laws, such as access and correction rights under the PDPA and APPI.
Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, in accordance with applicable laws.
Inform the Controller if, in its opinion, an instruction infringes the GDPR, other Union or Member State data protection provisions, or other applicable data protection laws.
Ensure that any sub-processor it engages also meets the requirements of Article 28 of the GDPR and similar requirements under other applicable data protection laws. The Processor will inform the Controller of any intended changes concerning the addition or replacement of other processors.
5. Controller Obligations
The Controller warrants that it has all necessary rights and consents to provide the Personal Data to the Processor for processing in accordance with this DPA and all applicable data protection laws.
6. Data Subject Rights
The Processor will assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under applicable data protection laws, including but not limited to the rights provided under GDPR, CCPA/CPRA, PDPA (such as access and correction), and APPI (such as disclosure, correction, and suspension of use).
7. Data Security
The Processor will implement and maintain reasonable and industry-standard technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, in accordance with the requirements of applicable data protection laws.
8. Data Breach Notification
The Processor will notify the Controller without undue delay after becoming aware of a Personal Data breach, in compliance with the notification requirements of applicable data protection laws.
9. Cross-border Data Transfers
Any transfer of Personal Data outside the EEA will be conducted in accordance with the safeguards provided for in Chapter V of the GDPR. The Processor will also consider the requirements for cross-border data transfers under other applicable laws, such as the APPI's restrictions on transfers to third countries.
10. CCPA/CPRA Considerations
For Clients who are California residents, Speech Safari Technologies acknowledges the rights provided under the CCPA/CPRA, including the right to know, the right to delete, and the right to opt out of the sale of personal information (though Speech Safari Technologies does not sell personal information).
11. PDPA Considerations
For Clients whose personal data is subject to the PDPA, Speech Safari Technologies will adhere to the principles outlined in the Act, including consent, purpose limitation, notification, protection, and accountability.
12. APPI Considerations
For Clients whose personal information is subject to the APPI, Speech Safari Technologies will respect the obligations regarding the purpose of use, proper acquisition, data security measures, restrictions on providing personal information to third parties, and responding to requests for disclosure, correction, and suspension of use.
13. Term and Termination
This DPA shall remain in effect for the duration of the Agreement. Upon termination of the Agreement, the Processor will, at the choice of the Controller, either delete or return all Personal Data to the Controller, unless required to retain such data by Union, Member State, or other applicable law.
14. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the Governing Jurisdiction of the USA, unless otherwise required by applicable data protection laws.