Transcribr · Legal
Data Processing Agreement
Last updated 27 April 2026
For most individual users this DPA isn't needed; our Privacy Policy already describes what you need to know. For B2B customers and customers in regulated industries, this DPA forms part of the contract.
1. Purpose
This DPA reflects the parties' commitments under Article 28 of the EU/UK GDPR, the Australian Privacy Act 1988, and any equivalent applicable data-protection law, in relation to Transcribr's processing of personal data on behalf of the Customer.
2. Definitions
“Customer” means the entity that has agreed to our Terms of Service.
“Personal Data”, “Data Subject”, “Processing”, “Controller”, and “Processor” have the meanings given to them under the GDPR.
“Sub-processor” means a third party engaged by Transcribr to process Customer Personal Data.
“Standard Contractual Clauses” means the EU SCCs adopted by Commission Implementing Decision (EU) 2021/914.
3. Scope and nature of processing
Transcribr acts as a Processor on behalf of the Customer when processing Personal Data contained in audio files, transcripts, and AI-generated artefacts derived from them. The Customer is the Controller of that data.
Subject matter: automated speech-to-text transcription and optional AI-generated artefacts.
Duration: for the term of the Terms of Service, plus retention windows set by the Customer or required by law.
Categories of Data Subjects: any person whose voice or personal information appears in audio uploaded by the Customer (interviewees, meeting attendees, podcast guests, etc.).
Categories of Personal Data: voice recordings, identifiers, contact details, and any other personal data Customer chooses to upload — potentially including special categories under Art. 9 GDPR (health, racial/ethnic origin, etc.) if present in the source audio.
4. Our obligations as Processor
Transcribr will:
- process Customer Personal Data only on documented instructions from the Customer (the Terms of Service and the Customer's use of the service constitute those instructions);
- ensure that personnel authorised to process Personal Data are bound by confidentiality;
- implement and maintain the technical and organisational measures described in section 8;
- assist the Customer with Data Subject requests, breach notifications, and data-protection impact assessments to the extent reasonably required;
- delete or return all Customer Personal Data after termination of services, except where retention is required by law.
5. Customer obligations
The Customer warrants that:
- it has a lawful basis to process the Personal Data and to engage Transcribr as a Processor;
- it has provided all necessary notices to and obtained all necessary consents from Data Subjects, including under any applicable wiretap or surveillance laws;
- its instructions to Transcribr (including via the user interface and API) comply with applicable data-protection law;
- it will configure retention, AI features, and access controls in line with its own legal obligations.
6. Sub-processors
The Customer authorises Transcribr to engage the sub-processors listed in our Security overview. We will give Customer at least 30 days' advance notice (by email and in-app) before adding or replacing a sub-processor. Customer may object on reasonable data-protection grounds within that notice period; if the parties cannot reach a resolution, Customer may terminate the affected service for material breach with a pro-rated refund of pre-paid fees.
We remain liable to Customer for the acts and omissions of our sub-processors as if they were our own.
7. International transfers
Transcribr is incorporated in Australia. Personal Data may be transferred to and processed in countries that provide a different level of data protection from the Customer's jurisdiction.
Where the GDPR applies and the destination is not covered by an adequacy decision, the Standard Contractual Clauses (Module 2: Controller-to-Processor and, where relevant, Module 3: Processor-to-Processor) are incorporated into this DPA by reference. The parties agree that Transcribr is the “data importer” in respect of EU Data Subjects' Personal Data.
Where the UK GDPR applies, the UK International Data Transfer Addendum to the SCCs applies, with the relevant docking-clause selections made in Customer's favour.
8. Security measures
The technical and organisational measures we implement are described in detail in our Security overview, and at minimum include:
- encryption of Personal Data in transit (TLS 1.2+) and at rest;
- access control on production systems following least privilege;
- passwordless authentication for end-users; SHA-256-hashed API keys;
- audit logging of privileged actions;
- regular review of sub-processor security postures;
- incident-response procedures, including notification under section 9.
9. Breach notification
We will notify the Customer of any Personal Data Breach affecting Customer Personal Data without undue delay and in any event within 72 hours of becoming aware of it. The notification will include the information required by Art. 33(3) GDPR to the extent it is then known, and updates as new information becomes available.
For Customers covered by the Australian Notifiable Data Breaches scheme, we will additionally provide reasonable assistance to Customer in determining whether the breach is “eligible” and in fulfilling any notification obligations to the OAIC and affected individuals.
10. Data-subject rights
Where reasonably possible, Transcribr provides self-service tools that let Customer fulfil Data Subject requests directly: account export, transcript deletion, audio retention controls, and an account-deletion path that wipes Customer Personal Data within 30 days.
Where a Data Subject contacts us directly, we will refer them to Customer rather than respond, except where we're legally required to act otherwise.
11. Audit
On reasonable written notice and no more than once per twelve-month period (unless required following a Personal Data Breach), Customer may audit Transcribr's compliance with this DPA through (a) a written questionnaire, (b) review of the most recent third-party security report we hold, or (c) on-site or remote audit at Customer's expense, subject to reasonable scope agreed in advance.
12. Term and termination
This DPA takes effect on the later of (a) the date the Customer accepts our Terms of Service or (b) the date both parties have signed this DPA, and continues for the term of those Terms. Termination of the Terms automatically terminates this DPA, but the obligations relating to deletion, breach reporting, and confidentiality survive termination.
13. Governing law
This DPA is governed by the laws of New South Wales, Australia, except that, where the Standard Contractual Clauses apply, those clauses are governed by the law specified within them and Customer's and Transcribr's respective Member-State or UK law rights are preserved.
Sydney, New South Wales, Australia
ABN: [to be inserted]
General: hello@transcribr.net
Privacy Officer: privacy@transcribr.net
Security: security@transcribr.net