Version 1.0 - Effective Date: January 30, 2025
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between TranslateConnect Pro ("Processor") and the Customer ("Controller"), collectively referred to as the "Parties".
This DPA applies where and only to the extent that the Processor processes Personal Data on behalf of the Controller in the course of providing services under the Agreement and such Personal Data is subject to the Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland, and/or the United Kingdom.
2. Definitions
In this DPA:
- "Data Protection Laws" means the GDPR and any other applicable data protection legislation
- "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation)
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data
- "Sub-processor" means any third party engaged by the Processor to process Personal Data
- "Data Subject" means the individual to whom Personal Data relates
- "Controller" means the entity that determines the purposes and means of Processing
- "Processor" means the entity that processes Personal Data on behalf of the Controller
3. Details of Processing
3.1 Subject Matter
The Processor shall provide real-time phone call translation services, which involve processing voice data and related metadata as necessary to deliver the services.
3.2 Duration
The processing shall continue for the duration of the Agreement between the Parties.
3.3 Nature and Purpose
The nature of the processing includes:
- Real-time voice translation and transcription
- Voice synthesis and cloning (where enabled)
- Call management and routing
- Usage analytics and reporting
- Customer support services
3.4 Types of Personal Data
The types of Personal Data processed may include:
- Voice recordings and audio data
- Contact information (names, phone numbers, email addresses)
- User account data
- Call metadata (duration, participants, languages)
- IP addresses and device information
- Usage logs and analytics data
3.5 Categories of Data Subjects
The categories of Data Subjects may include:
- Controller's employees and staff
- Controller's customers and clients
- Call participants
- Authorized users of the service
4. Processor's Obligations
The Processor shall:
4.1 Compliance with Instructions
Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
4.2 Confidentiality
Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security Measures
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit and at rest
- Ongoing confidentiality, integrity, availability, and resilience of systems
- Ability to restore availability and access to Personal Data in a timely manner
- Regular testing of security measures
- Pseudonymization where appropriate
4.4 Sub-processors
Not engage another processor without prior specific or general written authorization of the Controller. The current list of approved sub-processors is provided in Annex I.
4.5 Data Subject Rights
Assist the Controller by appropriate technical and organizational measures in fulfilling the Controller's obligations to respond to Data Subject requests.
4.6 Data Breach Notification
Notify the Controller without undue delay after becoming aware of a Personal Data breach, providing sufficient information to allow the Controller to meet any obligations to report the breach.
4.7 Data Protection Impact Assessment
Provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities.
4.8 Deletion or Return of Data
At the choice of the Controller, delete or return all Personal Data after the end of the provision of services and delete existing copies unless applicable law requires storage.
4.9 Audit Rights
Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections.
5. Controller's Obligations
The Controller shall:
- Comply with all applicable Data Protection Laws
- Have all necessary rights to provide Personal Data to the Processor
- Have obtained all necessary consents and provided all necessary notices
- Provide clear and lawful processing instructions
- Not knowingly provide Personal Data of individuals under the age of 18 without appropriate consent
6. Technical and Organizational Measures
The Processor implements the following security measures:
6.1 Physical Security
- Data centers with 24/7 security monitoring
- Biometric access controls
- Environmental controls and fire suppression
6.2 Network Security
- Firewalls and intrusion detection systems
- Regular security patching and updates
- Network segmentation and access controls
6.3 Application Security
- Secure development lifecycle practices
- Regular vulnerability assessments
- Input validation and output encoding
- Multi-factor authentication
6.4 Data Security
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- Key management procedures
- Data minimization and retention policies
6.5 Organizational Measures
- Security awareness training for all staff
- Background checks for employees
- Incident response procedures
- Business continuity and disaster recovery plans
7. International Data Transfers
If Personal Data is transferred outside the EEA, UK, or Switzerland, the Processor shall ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions
- Other legally approved transfer mechanisms
The Processor primarily processes data in the United States and has implemented Standard Contractual Clauses for international transfers.
8. Data Breach Procedures
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller within 72 hours of becoming aware
- Provide the following information:
  - Nature of the breach
  - Categories and approximate number of Data Subjects affected
  - Categories and approximate number of Personal Data records concerned
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach
- Cooperate with the Controller in investigating the breach
- Take immediate steps to mitigate the effects
- Document all breaches and actions taken
9. Term and Termination
9.1 Duration
This DPA shall remain in effect for the duration of the Agreement.
9.2 Termination
Upon termination of the Agreement, the Processor shall, at the Controller's option:
- Return all Personal Data to the Controller in a commonly used format
- Securely delete all Personal Data
- Provide written certification of deletion
9.3 Survival
The obligations of confidentiality and security shall survive termination of this DPA.
10. Liability and Indemnification
Each Party's liability arising out of or related to this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement.
Each Party shall indemnify the other against all damages, losses, and expenses arising from their breach of Data Protection Laws.
Annex I - List of Sub-processors
The Controller consents to the Processor's use of the following sub-processors:
Sub-processor | Processing Activities | Location |
---|---|---|
Amazon Web Services (AWS) | Cloud infrastructure and data storage | United States, EU |
Google Cloud Platform | Machine learning and analytics | United States, EU |
OpenAI | Translation and language processing | United States |
ElevenLabs | Voice synthesis and cloning | United States |
Stripe | Payment processing | United States, EU |
SendGrid | Email notifications | United States |
MongoDB Atlas | Database services | United States, EU |
The Processor may update this list with 30 days' notice. The Controller may object to new sub-processors on reasonable grounds.
Annex II - Technical and Organizational Measures
Access Control
- Multi-factor authentication required for all administrative access
- Role-based access control (RBAC) implementation
- Regular access reviews and privilege audits
- Automated de-provisioning for terminated employees
Data Protection
- End-to-end encryption for voice communications
- Encryption key rotation every 90 days
- Secure key management using hardware security modules
- Data loss prevention (DLP) policies
Incident Response
- 24/7 security operations center (SOC)
- Defined incident response procedures
- Regular incident response drills
- Forensic capabilities and evidence preservation
Compliance and Auditing
- Annual third-party security audits
- SOC 2 Type II certification
- ISO 27001 compliance
- Regular penetration testing
11. Contact Information
Data Protection Officer
TranslateConnect Pro has appointed a Data Protection Officer who can be contacted at:
Email: dpo@translateconnect.pro
Phone: +1-800-TRANSLATE
Address: 123 Innovation Drive, San Francisco, CA 94105
For Security Incidents
Email: security@translateconnect.pro
24/7 Hotline: +1-800-SEC-URITY
12. Agreement
By using the TranslateConnect Pro services, the Controller agrees to the terms of this Data Processing Agreement.
This DPA is incorporated by reference into the Terms of Service and becomes effective upon the Controller's acceptance of the Terms of Service.