Plain-English summary: When voibly processes data on your behalf, you stay in control. We act as your processor, follow your written instructions, lock the data down with strong technical and organizational measures, only use vetted sub-processors, and help you respond to data-subject requests. We notify you of any breach within 72 hours.
1. Definitions
Capitalized terms not defined here have the meaning given in the Terms of Service or in applicable Data Protection Laws (including GDPR, UK GDPR, Swiss FADP, and CCPA/CPRA).
- “Personal Data” means any information relating to an identified or identifiable natural person that voibly processes on Customer's behalf.
- “Data Subject” means the individual to whom Personal Data relates.
- “Sub-processor” means a third party engaged by voibly to process Personal Data.
- “Standard Contractual Clauses” means the EU Commission's 2021 SCCs (Module Two, controller-to-processor) and the UK International Data Transfer Addendum, as applicable.
2. Roles & scope
For Personal Data processed on Customer's behalf, Customer is the Controller and voibly is the Processor. Where Customer's end users (e.g., enterprise users in Customer's workspace) input data, Customer remains responsible for the lawful basis of processing.
The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are set out below.
| Subject matter | Provision of the voibly voice-to-text service. |
|---|---|
| Duration | For the term of the Customer's subscription, plus the retention periods set out in section 11. |
| Nature & purpose | Transcription, formatting, snippet management, account administration, and support. |
| Types of Personal Data | Account identifiers (email, name); audio submitted in cloud-mode; transcribed text; usage telemetry; IP address; device identifiers. |
| Categories of Data Subjects | Customer's users, employees, contractors, and any individuals whose voice or content is captured by Customer in the course of using voibly. |
3. Processing instructions
voibly will process Personal Data only on Customer's documented instructions, including those set out in the Terms, this DPA, and any reasonable subsequent written instruction from Customer. voibly will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.
4. Confidentiality
voibly ensures that personnel authorized to process Personal Data are bound by a duty of confidentiality (contractually and through onboarding training).
5. Security measures
voibly implements appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, including those described in our Security page:
- On-device-first transcription as the default mode.
- TLS 1.3 in transit; AES-256 at rest; per-tenant key wrapping.
- SSO with hardware-key MFA, just-in-time access, and quarterly access reviews.
- Static analysis, dependency scanning, and quarterly third-party penetration testing.
- 24/7 monitoring with documented incident-response procedures.
voibly will not materially diminish the overall security of the service during the subscription term.
6. Sub-processors
Customer authorizes voibly to engage Sub-processors to process Personal Data, subject to the conditions in this DPA. The current list of Sub-processors is:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure for opt-in cloud features | US, EU |
| Stripe | Payment processing | US, EU |
| Postmark | Transactional email | US |
| Sentry | Anonymized error reporting | US, EU |
| Plausible | Privacy-preserving website analytics | EU |
voibly will give Customer at least 30 days' prior notice of any new or replacement Sub-processor by email and via an in-app notice. Customer may object to such changes for documented data-protection reasons; if the parties cannot resolve the objection, Customer may terminate the affected Service for material breach.
voibly remains liable to Customer for the acts and omissions of Sub-processors as if they were voibly's own.
7. Data subject rights
Taking into account the nature of the processing, voibly will assist Customer through appropriate technical and organizational measures, insofar as reasonably possible, to fulfill Customer's obligation to respond to Data Subject requests under Data Protection Laws.
If voibly receives a request from a Data Subject directly, it will refer them to Customer (and let Customer know) unless Data Protection Laws require voibly to respond.
8. Personal data breaches
voibly will notify Customer of any Personal Data Breach without undue delay, and in any event within 72 hours of becoming aware. Notification will include, to the extent then known: nature of the breach, categories and approximate volume of data and individuals affected, likely consequences, and remediation measures taken or planned.
9. Audits
voibly will make available all information reasonably necessary to demonstrate compliance with this DPA. On request, voibly will provide:
- Its most recent SOC 2 Type II report (under NDA).
- Summary results of its most recent penetration test.
- Written responses to a reasonable security questionnaire (max once per 12 months).
If those materials don't satisfy a Customer's regulatory audit obligation, the parties will agree on the scope, timing, and reasonable expense of an on-site audit, conducted no more frequently than once a year.
10. International transfers
Where Personal Data originating in the EEA, UK, or Switzerland is transferred to a country not deemed adequate, the parties agree the EU Standard Contractual Clauses (Module Two) and, where applicable, the UK International Data Transfer Addendum, are incorporated into this DPA by reference. Customer is the data exporter; voibly is the data importer. The optional clauses for docking and Option 1 in Clause 17 (governing law) apply.
11. Return & deletion
On termination of the subscription, voibly will, at Customer's choice, return or delete Personal Data within 30 days, unless retention is required by applicable law. Backups are deleted on the standard rotation schedule (35 days).
12. Liability
The limitations and exclusions of liability set out in the Terms of Service apply to claims arising under or in connection with this DPA.
13. Term & termination
This DPA takes effect on the start of Customer's subscription and remains in force for as long as voibly processes Personal Data on Customer's behalf.
14. Contact
Data protection inquiries:
support@voibly.app
voibly Inc., 1234 Mission Street, San Francisco, CA 94103, USA
EU Representative: voibly EU UG, Friedrichstraße 68, 10117 Berlin, Germany