Data Processing Agreement

Last updated: March 27, 2026

This Data Processing Agreement ("Agreement") is entered into between the User ("Data Controller") and MB "Su Idėja" ("Company" or "Data Processor") for the purpose of setting the terms and conditions under which the Data Processor will process Personal Data on behalf of the Data Controller in connection with the VoiceCap platform and its associated services ("Services").

This Agreement governs all aspects of Data Processing carried out by the Data Processor on behalf of the Data Controller, as required under Article 28 of the EU General Data Protection Regulation (2016/679) ("GDPR"). The provisions of this Agreement are incorporated by reference into the Terms of Service and any other agreements between the Parties.

By using the Services, the Data Controller confirms that the Data Processor is authorized to process Personal Data in accordance with the terms set forth in this Agreement.

In the event of a conflict or any inconsistency between this Agreement and any other document or agreement governing the use of the Services, the terms of this Agreement shall prevail.

1. Definitions

Unless expressly stated otherwise in the Terms of Service, terms used in this Agreement shall have the meanings set forth in the GDPR.

In the event of any conflict or ambiguity between definitions in the GDPR and those in the Terms of Service, the definitions provided in the GDPR shall prevail with respect to the processing of Personal Data.

2. Subject Matter

The Data Processor shall Process the Data only on documented instructions from the Data Controller, including with regard to transfers of Data to a third country or an international organization, unless required to do so by the EU or Member State law to which the Data Processor is subject. The instructions from the Data Controller to the Data Processor shall be attached to this Agreement as Annex 1.

3. Data Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, but not limited to, the minimal measures set out in Annex 2 to this Agreement. The Data Processor shall ensure that persons authorized to process the Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Other Data Processors

4.1. The Data Controller provides the Data Processor with a general written authorization to engage other data processors to process Data under this Agreement. Where the Data Processor engages another data processor to carry out specific processing activities on behalf of the Data Controller, the same data protection obligations as set out in this Agreement are imposed on that other data processor by contract, in particular the obligation to provide sufficient assurance that appropriate technical and organizational measures will be put in place in such a way as to ensure that the processing of the Data complies with the requirements of the GDPR. Where that other data processor fails to comply with the data protection obligations, the Data Processor remains fully responsible to the Data Controller for the performance of the obligations of that other data processor.

5. Data Subject's Rights

The Data Processor, taking into account the nature of the processing, shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller's obligation to respond to requests for exercising the Data Subjects' rights laid down in the GDPR.

6. Assistance to the Data Controller

The Data Processor shall, taking into account the nature of the processing and the information available to it, assist the Data Controller in ensuring compliance with the obligations set out in Articles 32 ("Security of processing"), 33 ("Notification of a personal data breach to the supervisory authority"), 34 ("Communication of a personal data breach to the data subject"), 35 ("Data protection impact assessment"), and 36 ("Prior consultation") of the GDPR.

7. Compliance and Audits

The Data Processor shall provide the Data Controller with all information necessary to demonstrate compliance with the obligations laid down in this Agreement and shall enable and assist the Data Controller or any other auditor authorized by the Data Controller to carry out audits, including inspections.

8. Deletion and Return of Data

Upon completion of the provision of the services related to the processing of Data, the Data Processor shall, at the option of the Data Controller, erase or return to the Data Controller all the Data and delete existing copies of the Data, except where retention of the Data is required by law.

9. Term

The provisions of this Agreement shall apply to the extent the Data Processor processes Data on behalf of the Data Controller. The obligations of the Parties under Section 8 of the Agreement ("Deletion and Return of Data"), shall remain in effect after the expiration or termination of this Agreement.

10. Miscellaneous

This Agreement shall be governed by and construed in accordance with the substantive law of the Republic of Lithuania. All and any disputes or claims arising from this Agreement shall be settled in the courts of the Republic of Lithuania.

In case of discrepancies between this Agreement and any other agreements between the Parties governing the processing of Data, this Agreement shall prevail.

Instructions of the Data Controller to the Data Processor are attached as an annex to this Agreement and shall constitute an integral part of it.

Annex 1: Instructions of the Data Controller to the Data Processor

| Item | Description |
|---|---|
| Subject matter of the Processing | Provision of the VoiceCap platform and related services, including the upload, storage, transcription, summarization, retrieval, and deletion of audio recordings and related meeting content submitted by the Data Controller. |
| Nature and purpose of the Processing | The Processing consists of automated and user-initiated operations performed on Personal Data strictly for the purpose of enabling the Data Controller to: transcribe audio recordings of meetings and conversations; generate AI-assisted textual transcripts, summaries, and action items; store, search, review, share, export, and delete meeting content; manage access to recordings and outputs within the Data Controller's organization. |
| Categories of Data | Depending on the content of audio recordings uploaded by the Data Controller, the following categories of Personal Data may be processed: Audio data, including voice recordings of meeting participants; Transcription data, consisting of textual representations of spoken content; AI-generated outputs, such as summaries, action items, and structured meeting notes derived from transcripts; Identification data, such as names, roles, or other identifiers mentioned during recordings or associated with user accounts; Meeting metadata, including meeting titles, dates, times, duration, and participant information provided by the Data Controller; Account and usage data, including user identifiers, access logs, and service interaction data necessary for service operation and security. |
| Categories of Data Subjects | Employees, contractors, and representatives of the Data Controller; clients, business partners, or other third parties participating in or referenced during meetings; any other individuals whose voices or personal data are included in audio recordings uploaded to the VoiceCap platform at the sole discretion of the Data Controller. |
| Duration of the Processing | Personal Data shall be processed for the duration determined by the Data Controller, as configured within the VoiceCap platform, and in accordance with the Terms of Service. In particular: Account Data is processed for as long as the Data Controller maintains an active account and deleted within thirty (30) days following account termination, unless otherwise instructed or required by law. Audio Recordings are retained in accordance with the retention period configured by the Data Controller or deleted upon the Data Controller's instruction. Transcripts and AI-Generated Summaries are retained in accordance with the retention period configured by the Data Controller and deleted upon instruction or account termination. Usage and Technical Data are retained for up to twelve (12) months for security, integrity, and service reliability purposes, unless a longer retention period is required by applicable law. Upon termination of the Services, Personal Data shall be deleted or returned in accordance with Section 8 of the Agreement, unless retention is required by Union or Member State law. |

Other data processors:

Providers of IT tools and services, electronic communications services, archiving and other services, including:

| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Google Cloud EMEA Limited | AI audio and language processing, cloud infrastructure | Ireland (EU) | N/A (EU entity) |
| OpenAI OpCo, LLC | AI audio and language processing | USA | EU Standard Contractual Clauses |
| Groq, Inc. | AI audio and language processing | USA | EU Standard Contractual Clauses |
| Eleven Labs, Inc. | AI audio and language processing | USA | EU Standard Contractual Clauses |
| AssemblyAI Inc. | AI audio and language processing | USA | EU Standard Contractual Clauses |
| Amazon Europe Core SARL | Cloud infrastructure and IT services | EU | N/A (EU entity) |
| Neon, LLC | Managed database hosting provider | USA | EU Standard Contractual Clauses |
| Vercel Inc. | Application hosting and delivery | USA | EU Standard Contractual Clauses |
| Facebook (Meta) | Social media service provider | USA | EU Standard Contractual Clauses |
| LinkedIn | Social media service provider | USA | EU Standard Contractual Clauses |

Annex 2: Technical and Organisational Data Security Measures

Data security policy and procedures

The Data Processor shall adequately document the security of the Data and its Processing as an integrated part of its information security policy. The Data Processor shall periodically review and, where necessary, update the security policy.

Roles and procedures

The Data Processor shall clearly define and allocate roles and responsibilities in relation to the Data Processing in accordance with the security policy. The Data Processor shall clearly define the revocation of the rights and obligations of employees by means of appropriate procedures for the transfer or delegation of roles and responsibilities (in the event of an internal organisational restructuring or redundancy of employees, change of functions).

Access management policy

The Data Processor shall assign specific access control rights to each role in relation to the Data Processing in accordance with the "need to know" principle.

IT resource register

The Data Processor shall maintain a register of information technology (IT) resources (list of hardware, software and network equipment). The IT resource register shall include at least the following information: type of IT resource (e.g. computer workstation), location (physical or electronic). The maintenance of the IT resource register shall be assigned by the Data Processor to a specific person, such as an IT specialist. The Data Processor shall regularly review and update the IT resource register.

Change monitoring

The Data Processor shall ensure that all substantial changes to IT systems are monitored and logged by a specific person (e.g. an IT or security professional). The Data Processor shall carry out software development in a dedicated environment that is not connected to the IT systems used to Process the Data. The Data Processor shall use test data to test systems. Where this is not possible, special procedures shall be in place to protect the Data used in the testing.

Personal data breaches and security incidents

The Data Processor shall establish a security incident response plan to ensure effective management of incidents related to the security of the Data. Data breaches shall be documented. They shall be reported immediately to management. Procedures shall be established for the notification of Data breaches to the supervisory authorities and the Data Subjects.

Business continuity

The Data Processor shall establish basic procedures to be followed in the event of a security incident or a Data security breach to ensure the necessary continuity and availability of the Data processing by IT systems.

Confidentiality of personnel

The Data Processor shall ensure that all employees understand their responsibilities and obligations regarding the Processing of Data. Roles and responsibilities shall be clearly outlined to the employee prior to the start of their assigned roles and tasks.

Training

The Data Processor shall ensure that all employees are adequately informed of the security requirements of the IT systems relevant to their everyday work. Employees involved in the Processing shall be trained in the relevant Data security requirements and legal obligations through regular trainings, awareness campaigns and instructions.

Access control and identification

The Data Processor shall implement an access control system applicable to all users of the IT system. The access control system shall allow the creation, validation, review and deletion of user accounts. The use of shared user accounts shall be avoided. Where a common user account is necessary, it shall be ensured that all users of the common account have the same rights and obligations. An authentication mechanism must be in place to allow access to the IT system. The minimum requirement for a user to access the IT system shall be a user login and password. The password shall meet a certain level of complexity. The access control system shall be able to detect and prevent the use of passwords that do not meet a certain level of complexity. User passwords shall be stored in hashed form.

Technical log entries and monitoring

The Data Processor shall implement technical log entries for each IT system used to Process the Data. The technical log records shall show all possible access information to the Data. The technical log records shall be time-stamped and protected against possible damage, tampering or unauthorised access. Timekeeping mechanisms used in IT systems shall be synchronised to a common time reference source.

Protection of servers, databases

The Data Processor shall configure databases and application servers to run under separate accounts with the lowest operating system (OS) privileges assigned. Databases and application servers shall Process only those Data that are necessary for work functions that meet the purposes of the Data Processing.

Workstation security

Users shall not be able to disable or bypass security settings of IT systems. Antivirus applications and their virus information databases shall be updated at least weekly. Users shall not have privileges (rights) to install, remove, or administer unauthorized software. IT systems have a fixed session time, i.e., if the user is inactive in the system for the specified time, his session shall be terminated. Critical operating system security updates shall be deployed regularly and promptly.

Network and communication security

Whenever access is performed through the Internet, communication shall be encrypted through cryptographic protocols (TLS/SSL).

Back-ups

Backup and data recovery procedures shall be defined, documented and clearly linked to roles and responsibilities. Backup media shall have an appropriate level of physical safety of the environment and premises, depending on the stored Data. The backup process shall be monitored to ensure completeness. Full Data backups shall be done regularly.

Mobile, portable devices

Procedures for the administration of mobile, portable devices shall be established and documented, clearly describing the proper use of such devices. Mobile and portable devices that will be used to work with information systems shall be registered and authorized before use. Mobile, portable devices shall have a sufficient level of access control procedures, just like other equipment used to Process Data.

Software security

Software used in information systems (to manage Data) must comply with software security best practices, security best practices used in software development, software development structures (frameworks), standards (e.g. Agile, OWASP, etc.). Specific security requirements related to the specifics of the organization's operations shall be defined in the initial stages of software development. Data security programming standards and best practices shall be followed. After the development, testing and verification of the software, starting with the installation and operation of the system, the basic safety requirements shall already be met.

Data deletion, disposal

Before any Data storage medium is removed, all Data on it must be destroyed using dedicated software that supports reliable Data destruction algorithms. If this is not possible (e.g. DVD media), the physical destruction of the Data medium without the possibility of recovery must be carried out. Paper and portable Data media on which the Data were stored shall be destroyed with dedicated shredders or other mechanical means.

Physical security

The Data Processor shall implement the physical protection of the environment, premises containing the infrastructure of IT systems against unauthorized access.