About this DPA
This Data Processing Agreement (“DPA”) supplements the TalkScribe Terms of Service and applies when TalkScribe processes Personal Data on behalf of a Business-tier customer (“Customer”) in connection with the TalkScribe Service.
It's designed to meet the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA), and similar data-protection laws.
Capitalized terms not defined here have the meanings given in the Terms of Service or the relevant data-protection law.
Definitions
- Personal Data - any information relating to an identified or identifiable natural person, processed by TalkScribe on Customer's behalf in connection with the Service.
- Processing - any operation performed on Personal Data, whether automated or manual.
- Controller - the entity that determines the purposes and means of processing Personal Data.
- Processor - an entity that processes Personal Data on behalf of the Controller.
- Subprocessor - any third party engaged by TalkScribe to assist in providing the Service that processes Personal Data.
- Data Subject - the natural person to whom the Personal Data relates.
- Personal Data Breach - a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- Standard Contractual Clauses or SCCs - the European Commission's standard contractual clauses for the transfer of Personal Data to third countries (Decision 2021/914), as amended.
Roles and responsibilities
For Personal Data submitted by Customer or its end users to the Service:
- Customer is the Controller.
- TalkScribe is the Processor.
Customer is responsible for ensuring it has a lawful basis for the processing it instructs TalkScribe to carry out, including obtaining any necessary consents from Data Subjects (e.g., from meeting participants whose audio is being transcribed).
Scope of processing
Subject matter
Provision of the TalkScribe Service: transcription of audio, generation of polished text and structured insights, storage of transcripts (when Customer enables save-history), and delivery of those outputs via Customer-configured channels (dashboard, API, exports, webhooks).
Duration
For the term of the Service agreement between TalkScribe and Customer, plus the limited additional period required for return or deletion of Personal Data under the Return and deletion section.
Nature and purpose
Automated processing using AI models, plus the operational and security functions required to provide the Service (hosting, billing, audit logging).
Categories of Personal Data
- Account information (name, email).
- Audio content uploaded or recorded by users.
- Transcripts and AI-generated artifacts derived from that audio (when save-history is enabled).
- Usage metadata (minutes used, timestamps).
- Technical metadata (IP address, user agent) for security and operations.
Categories of Data Subjects
- Customer's end users (workspace members).
- Individuals whose voices appear in audio submitted to the Service.
- Individuals identified or referenced in transcripts.
Customer instructions
TalkScribe will process Personal Data only on Customer's documented instructions, including with regard to transfers outside the EEA / UK. The Service's configuration options (workspace settings, save-history, retention period, allowed email domains, etc.) constitute Customer's instructions. Customer may issue additional written instructions by emailing hello@talkscribe.me.
TalkScribe will inform Customer if, in its opinion, an instruction violates applicable data-protection law.
TalkScribe ensures that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
Subprocessors
Customer authorizes TalkScribe to engage the subprocessors listed in our Privacy Policy. TalkScribe will:
- Enter into a written contract with each subprocessor that imposes data-protection obligations no less protective than those in this DPA.
- Remain liable for each subprocessor's performance to the same extent TalkScribe would be liable for its own.
- Notify Customer of any new subprocessor or replacement at least 30 days before that subprocessor begins processing Customer Personal Data.
Customer may object to a new subprocessor on reasonable data-protection grounds within 14 days of the notice. If the parties can't resolve the objection in good faith, Customer may terminate the affected portion of the Service for cause.
Security measures
TalkScribe implements and maintains appropriate technical and organizational measures to protect Personal Data, including:
- Encryption in transit - all data transmitted between users, TalkScribe, and subprocessors is encrypted using TLS 1.2 or higher.
- Encryption at rest - production database encryption is provided by our managed-database subprocessor.
- Access controls - production system access is limited to authorized personnel using multi-factor authentication.
- Credential hygiene - API keys and webhook signing secrets are stored only as SHA-256 hashes, never in plaintext.
- Audit logging - workspace administrative actions are recorded in an append-only audit log Customer can export.
- Webhook integrity - outbound webhooks are HMAC-SHA256-signed so Customer's receivers can verify authenticity.
- Software hygiene - regular dependency updates, security patching, and vulnerability monitoring.
- Vendor due diligence - we vet our subprocessors' security postures before engagement and on a recurring basis.
- Incident response - documented procedures for detecting, containing, and reporting security incidents.
The specific technical and organizational measures may evolve as the Service and the threat landscape change. TalkScribe will not materially reduce the overall level of security provided.
Personal data breach notification
TalkScribe will notify Customer without undue delay (and in any event within 72 hours) of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known at the time:
- The nature of the breach, including categories and approximate volumes of affected Personal Data and Data Subjects.
- The likely consequences.
- The measures taken or proposed to address the breach and mitigate its effects.
- Contact information for follow-up.
TalkScribe will cooperate with Customer to investigate, mitigate, and document any Personal Data Breach. Notification of a breach is not an acknowledgment of fault or liability.
Data subject requests
Customer is responsible for responding to requests from Data Subjects exercising their rights under applicable data-protection law (access, rectification, erasure, restriction, portability, objection).
Where a Data Subject contacts TalkScribe directly with such a request relating to Customer's Personal Data, TalkScribe will, where possible, redirect the request to Customer.
Insofar as Customer cannot itself fulfill a Data Subject request through the Service's self-service tooling (dashboard, compliance-export endpoint, transcript deletion), TalkScribe will provide reasonable assistance, taking into account the nature of the processing.
International data transfers
TalkScribe is operated from the United States, and Personal Data may be processed in the United States and other jurisdictions where TalkScribe's subprocessors operate.
Where Personal Data is transferred from the EEA, UK, or Switzerland to a country not deemed adequate by the relevant authority, the parties agree that the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) are incorporated into this DPA by reference and apply to such transfers, with the following selections:
- Clause 7 (Docking Clause) - applies.
- Clause 9 (Subprocessors) - Option 2 (general written authorization), with the 30-day notice period set out in the Subprocessors section.
- Clause 11 (Redress) - option to opt for independent dispute resolution NOT selected.
- Clause 17 (Governing Law) - to be specified in legal review.
- Clause 18 (Jurisdiction) - to be specified in legal review.
- Annex I (Description of Transfer) - as set out in the Scope of processing section.
- Annex II (Technical and Organizational Measures) - as set out in the Security measures section.
- Annex III (Subprocessors) - as listed in our Privacy Policy.
For UK transfers, the UK International Data Transfer Addendum to the EU SCCs (or the UK International Data Transfer Agreement) is incorporated. For Swiss transfers, references to GDPR in the SCCs are deemed to also refer to the Swiss Federal Act on Data Protection.
Audit rights
TalkScribe will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Where Customer reasonably believes that information is insufficient and that an audit is necessary, Customer (or its independent third-party auditor bound by appropriate confidentiality obligations) may, with at least 30 days' prior written notice and no more than once per year (except following a Personal Data Breach or where required by a regulator):
- Request a written description of TalkScribe's applicable security controls.
- Request copies of relevant third-party audit reports (e.g., SOC 2 Type II reports of TalkScribe's subprocessors), to the extent these exist and TalkScribe is permitted to share them.
On-site audits may be arranged where the above are insufficient, at Customer's expense, during business hours, and conducted in a manner that does not unreasonably interfere with TalkScribe's operations.
Return and deletion
On termination of the Service, Customer may export Personal Data held by TalkScribe via the dashboard and compliance-export endpoints for a period of 30 days following termination.
After that period, TalkScribe will delete or return all Customer Personal Data and copies thereof, unless EU or Member State law requires retention.
TalkScribe will certify the deletion to Customer on request.
Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the underlying Service agreement (Terms of Service), except where applicable law prohibits such limitation.
Term and termination
This DPA takes effect when Customer accepts it (e.g., by executing a separate signature page, by clicking a checkbox in the dashboard, or by continued use of Business-tier features after notification) and remains in effect for the duration of the underlying Service agreement plus any survival periods contemplated by the Return and deletion and Liability sections.
Changes to this DPA
We may modify this DPA from time to time as required by changes in data-protection law or our practices. Material changes will be communicated to active Business-tier customers at least 30 days before they take effect. Customer's continued use of Business-tier features after the effective date constitutes acceptance of the updated DPA.
Contact
For DPA-related inquiries, including subprocessor objections, Data Subject request escalations, or breach notifications, contact us at hello@talkscribe.me.